Owncloud + Fail2Ban
I only realized today that Owncloud does not natively prevent brute-force attacks. However, the developers seem to be aware of this and plan to add a captcha system in the next release. In the meantime, I suggest setting up a home-made patch to make your Owncloud instance work with Fail2Ban.
Creation of a specific log file
```bash
touch /var/log/owncloud-fail.log
chown www-data:www-data /var/log/owncloud-fail.log
```
Modifying the source code to log login failures. We edit /owncloud/lib/user/database.php.
At line 202, in the checkPassword function, just before the "return false", we add the following code:
```php
// Log the failed attempt with a timestamp and the client IP. The trailing
// "\t" + IP + "\n" layout is what the fail2ban regex (<HOST>$) relies on.
$today = new DateTime();
date_timezone_set($today, timezone_open('Europe/Paris'));
// REMOTE_ADDR is the TCP peer: behind a reverse proxy this is the proxy's address
$IPClient = $_SERVER['REMOTE_ADDR'];
$logAuth = fopen('/var/log/owncloud-fail.log', 'a+');
fputs($logAuth, date_format($today, 'Y/m/d H:i:s') . " Password check failed for: \t" . $IPClient . "\n");
fclose($logAuth);
```
This modification only covers password failures for usernames that exist in the database. If you also want to log attempts with unknown usernames, add the same code before the last "return false" in the "else" branch of the function; only the log message changes.
```php
// Same logging as above, for attempts whose username does not exist at all
$today = new DateTime();
date_timezone_set($today, timezone_open('Europe/Paris'));
$IPClient = $_SERVER['REMOTE_ADDR'];
$logAuth = fopen('/var/log/owncloud-fail.log', 'a+');
fputs($logAuth, date_format($today, 'Y/m/d H:i:s') . " Invalid username: \t" . $IPClient . "\n");
fclose($logAuth);
```
Edit: since Owncloud version 6 the file is located at /var/www/owncloud/lib/private/user/database.php. The if ($row) block contains two "return false" statements instead of one; patch both in the same way.
We now move on to creating the Fail2ban filter for this jail, in /etc/fail2ban/filter.d/owncloud.conf:
```ini
# Owncloud jail
[Definition]
# the IP is the last thing on each log line, so <HOST> anchored at end of line is enough
failregex = <HOST>$
```
We test that the regex matches (first produce a failed login on the web interface so the log contains at least one line):
```bash
fail2ban-regex /var/log/owncloud-fail.log /etc/fail2ban/filter.d/owncloud.conf
```
We add the jail to /etc/fail2ban/jail.conf:
```ini
[owncloud]
enabled = true
port = http,https
filter = owncloud
logpath = /var/log/owncloud-fail.log
maxretry = 3
```
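To see what fail2ban will do with this filter and jail before restarting it, here is an added example (not part of the original post) that replays constructed log lines in the exact format written by the patched checkPassword() through the same `<HOST>$` rule and the jail's maxretry of 3. The `<HOST>` expansion is assumed to be the classic fail2ban 0.8 one, reproduced inline so the script runs without fail2ban installed; findtime defaults to fail2ban's 600 seconds.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces <HOST> in failregex with this IPv4/IPv6/hostname pattern
# (assumption: the fail2ban 0.8 expansion, copied here so the example is standalone)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(HOST_RE + r"$")  # failregex = <HOST>$

# Constructed sample log, in the layout produced by the PHP patch:
# "<date> <message>: \t<ip>\n" -- the tab keeps the message out of <HOST>
SAMPLE_LOG = (
    "2014/03/01 10:00:01 Password check failed for: \t203.0.113.7\n"
    "2014/03/01 10:00:05 Invalid username: \t203.0.113.7\n"
    "2014/03/01 10:00:09 Password check failed for: \t203.0.113.7\n"
    "2014/03/01 10:00:12 Password check failed for: \t198.51.100.4\n"
    "2014/03/01 10:30:00 Password check failed for: \t198.51.100.4\n"
    "2014/03/01 10:31:00 Password check failed for: \t198.51.100.4\n"
)


def parse_failures(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            # the PHP patch writes 'Y/m/d H:i:s' as the first 19 characters
            ts = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside one findtime-second window."""
    per_host = {}
    for ts, host in parse_failures(log_text):
        per_host.setdefault(host, []).append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        # slide a window of maxretry consecutive failures over the sorted times
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Only the first address trips the jail: its three failures fall within ten minutes, while the second address spreads its three over half an hour and would need a longer findtime to be banned.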
Restart fail2ban so the new jail is taken into account:
```bash
/etc/init.d/fail2ban restart
```
Keep in mind that the lines added to the PHP file will have to be reapplied each time Owncloud is updated.