Name: Tremplin Numérique
Price range: $$$

I only realize today that Owncloud doesn't natively prevent brute-force attacks. However, it seems that the developers are aware of this and will propose a captcha system in the next release. In the meantime, I suggest that you set up a home patch to make our Owncloud instance work with Fail2Ban.

Creation of a specific log file

<br />
touch /var/log/owncloud-fail.log<br />
 chown www-data:www-data /var/log/owncloud-fail.log

1 2	touch /var/log/owncloud–fail.log chown www–data:www–data /var/log/owncloud–fail.log

Modified source code to log connection errors. We edit /owncloud/lib/user/database.php.
In line 202, in the checkPassword function, just before the “return false” we add the following code

<br />
$today = new DateTime();<br />
date_timezone_set($today, timezone_open(‘Europe/Paris’));<br />
$IPClient= $_SERVER[‘REMOTE_ADDR’];<br />
$logAuth = fopen(‘/var/log/owncloud-fail.log’, ‘a+’);<br />
fputs($logAuth, date_format($today, ‘Y/m/d H:i:s’) .  » Password check failed for: t » . $IPClient . « n »);<br />
fclose($logAuth);

$today = new DateTime();

date_timezone_set($today, timezone_open(‘Europe/Paris’));

$IPClient= $_SERVER[‘REMOTE_ADDR’];

$logAuth = fopen(‘/var/log/owncloud-fail.log’, ‘a+’);

fputs($logAuth, date_format($today, ‘Y/m/d H:i:s’) . » Password check failed for: t » . $IPClient . « n »);

fclose($logAuth);

This modification concerns password errors for existing database logins. If you also want to log errors for all logins, you must add the same code before the last “return false” in the “else” part of the function. We just modify the comment.

<br />
$today = new DateTime();<br />
date_timezone_set($today, timezone_open(‘Europe/Paris’));<br />
$IPClient= $_SERVER[‘REMOTE_ADDR’];<br />
$logAuth = fopen(‘/var/log/owncloud-fail.log’, ‘a+’);<br />
fputs($logAuth, date_format($today, ‘Y/m/d H:i:s’) .  » Invalid username: t » . $IPClient . « n »);<br />
fclose($logAuth);

$today = new DateTime();

date_timezone_set($today, timezone_open(‘Europe/Paris’));

$IPClient= $_SERVER[‘REMOTE_ADDR’];

$logAuth = fopen(‘/var/log/owncloud-fail.log’, ‘a+’);

fputs($logAuth, date_format($today, ‘Y/m/d H:i:s’) . » Invalid username: t » . $IPClient . « n »);

fclose($logAuth);

Edit: Since version 6 of Owncloud the file is located in /var/www/owncloud/lib/private/user/database.php. In the if ($ row) is 2 return false instead of one. Complete both in the same way.

We now move on to the creation of the Fail2ban prison in /etc/fail2ban/filter.d/owncloud.conf

<br />
# Owncloud jail<br />
[Definition]<br />
failregex = <HOST>$

# Owncloud jail

[Definition]

failregex = <HOST>$

We test that the regex matches well. (Make a login error on the front interface)

<br />
fail2ban-regex /var/log/owncloud-fail.log /etc/fail2ban/filter.d/owncloud.conf

1	fail2ban–regex /var/log/owncloud–fail.log /etc/fail2ban/filter.d/owncloud.conf

We add this prison to the conf in /etc/fail2ban/jail.conf

<br />
 [owncloud]<br />
 enabled = true<br />
 port = http,https<br />
 filter = owncloud<br />
 logpath = /var/log/owncloud-fail.log<br />
 maxretry = 3