FOSS, networking, nextcloudpi, security

NextCloudPi fail2ban installer

This is just a small script that installs and configures fail2ban for use with NextCloud.

fail2ban will monitor your personal cloud for brute force attacks and block an IP after too many failed login attempts.

Features

  • SSH jail
  • NextCloud login jail
  • By default, 6 failed login attempts block an IP for 10 minutes.

Installation

Get it ready-made

I have included this in the latest version of NextCloudPi, a ready-to-use Raspbian 8 image with NextCloud 11, HTTP2, PHP7 and more.

Do it yourself

First, clone the repository

git clone //github.com/nachoparker/nextcloud-raspbian-generator.git

Then, there are two options.

Online installation

SSH into your Raspberry Pi, copy fail2ban.sh in and run

./fail2ban.sh

, or you can do it all in one command

cat fail2ban.sh | ssh pi@192.168.0.145  # adjust the IP to your Raspberry Pi

Offline installation (using QEMU)

This is based on Raspbian on QEMU with network access.

Extract the SD card and copy the image to your computer (adjust sdx).

sudo dd if=/dev/sdx of=my_rpi.img bs=4M

Then,

./install-fail2ban.sh my_rpi.img  192.168.0.145

Once done, you can copy it back (adjust sdx).

sudo dd if=my_rpi.img of=/dev/sdx bs=4M

Configuration

Before installing, you can configure the following variables at the top of fail2ban.sh

NCLOG=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs
BANTIME=600                                 # time to ban an IP that exceeded attempts
FINDTIME=600                                # cooldown time for incorrect passwords
MAXRETRY=6                                  # bad attempts before banning an IP

After installing, you can edit /etc/fail2ban/jail.conf and then issue

sudo fail2ban-client reload

Usage

You can check the status of each jail. The ssh jail works the same way.

$ sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- filter
|  |- File list:        /var/www/nextcloud/data/nextcloud.log
|  |- Currently failed: 1
|  `- Total failed:     8
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.0.100
   `- Total banned:     1

If you want to unban an IP, you can type (adjust the IP)

sudo fail2ban-client set nextcloud unbanip 192.168.0.100

Since NC 11 there is basic brute force protection for logins, but it is still hard to whitelist or unban an IP (see link).

We can enable or disable it with this config line

'auth.bruteforce.protection.enabled' => false,

#!/bin/bash

# Fail2ban installation script for Raspbian 
# Tested with 2017-01-11-raspbian-jessie.img (and lite)
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
#  Usage:
#   cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP
#
#   , or scp this file to a Raspberry Pi and run it from Raspbian
#
#   ./fail2ban.sh
#
# See the variables on the top of the script for tweaking

sudo su

NCLOG=/var/www/nextcloud/data/nextcloud.log     # location of Nextcloud logs
BANTIME=600                                     # time to ban an IP that exceeded attempts
FINDTIME=600                                    # cooldown time for incorrect passwords
MAXRETRY=6                                      # bad attempts before banning an IP

set -x
set -e


# INSTALLATION
##########################################

apt-get update
apt-get install fail2ban -y

touch /var/www/nextcloud/data/nextcloud.log
chown -R www-data /var/www/nextcloud/data

cd /var/www/nextcloud
sudo -u www-data php occ config:system:set loglevel --value=2
sudo -u www-data php occ config:system:set log_type --value=file
sudo -u www-data php occ config:system:set logfile  --value=$NCLOG

cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF'
[INCLUDES]
before = common.conf
[Definition]
failregex = Login failed.*Remote IP.*'<HOST>'
ignoreregex =
EOF


cat > /etc/fail2ban/jail.conf <<EOF
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime  = $BANTIME
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = $FINDTIME
maxretry = $MAXRETRY
#
# ACTIONS
#
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
#
# SSH
#
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = $MAXRETRY
#
# HTTP servers
#
[nextcloud]
enabled  = true
port     = http,https
filter   = nextcloud
logpath  = $NCLOG
maxretry = $MAXRETRY
EOF

# CLEANUP
##########################################

apt-get autoremove -y
apt-get clean
rm /var/lib/apt/lists/* -r
rm -f /home/pi/.bash_history
systemctl disable ssh
halt

# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA  02111-1307  USA

Tested on Nextcloud 11 running on Raspbian 8.

References

//www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
//github.com/hailthemelody/nextcloud-fail2ban
//docs.nextcloud.com/server/11/admin_manual/configuration_server/config_sample_php_parameters.html
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

Author: nachoparker

Humbly sharing things that I find useful [ github docker hub ]

3 Comments

  1. Hi, first of all: great work. NextCloudPi really helps to build a small but nice Nextcloud RasPi. So here's my problem: I'm testing NextCloudPi_03-21-17_FULL.tar.bz2 on an RPi3. When I activate Fail2ban via nextcloudpi-config (I use the default settings), the service works, but only for ssh. When I check the status, Fail2ban picks up my "hack" login errors and blocks my IP.

    $ sudo fail2ban-client status ssh
    Status for the jail: ssh
    |- filter
    |  |- File list:	/var/log/auth.log 
    |  |- Currently failed:	0
    |  `- Total failed:	6
    `- action
       |- Currently banned:	0
       |  `- IP list:	
       `- Total banned:	1
    

    But this doesn't work with Nextcloud. No matter how often I use wrong logins from within the web frontend (/var/www/nextcloud/data/nextcloud.log does record the failed attempts), Fail2ban doesn't see them and doesn't block the IP. The counter "currently failed" stays at 0.

    $ sudo fail2ban-client status nextcloud
    Status for the jail: nextcloud
    |- filter
    |  |- File list:	/var/www/nextcloud/data/nextcloud.log 
    |  |- Currently failed:	0
    |  `- Total failed:	0
    `- action
       |- Currently banned:	0
       |  `- IP list:	
       `- Total banned:	0
    

    $ sudo tail -f /var/www/nextcloud/data/nextcloud.log
    [...]
    {"reqId":"hsmeVAIMR6xy0W1trce\/","remoteAddr":"192.168.111.199","app":"core","message":"Login failed: 'admin' (Remote IP: '192.168.111.199')","level":2,"time":"2017-03-22T13:35:00+00:00","method":"POST","url":"\/index.php\/login?user=admin","user":"--","version":"11.0.2.7"}
    {"reqId":"dR1ESJGgpn6nkn53CVTK","remoteAddr":"192.168.111.141","app":"core","message":"Login failed: 'admin' (Remote IP: '192.168.111.141')","level":2,"time":"2017-03-22T13:42:17+00:00","method":"HEAD","url":"\/remote.php\/webdav\/","user":"--","version":"11.0.2.7"}
    
