Fail2ban for Nextcloud
apt update && apt install fail2ban -y
Create the filter
vi /etc/fail2ban/filter.d/nextcloud.conf
[Definition]
# Continuation lines of a multi-line failregex must be indented
failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
          ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$
Create the jail
Create a separate jail for each Nextcloud instance and adjust logpath to that instance's log file.
vi /etc/fail2ban/jail.d/nextcloud.domain.xx.local
[nextcloud.domain.xx]
# file of the same name in /etc/fail2ban/filter.d
filter = nextcloud
# time in seconds
# -1 for a permanent ban
bantime = 3600
findtime = 3600
maxretry = 3
backend = auto
enabled = true
port = 80,443
protocol = tcp
logpath = /var/nextcloud-data/nextcloud.domain.xx/nextcloud.log
# Notify the Fail2ban admin by e-mail
#action = %(action_mwl)s
# Enable for nginx
#[nginx-http-auth]
#enabled = true
Restart Fail2ban
service fail2ban restart
Test
fail2ban-regex /var/nextcloud-data/nextcloud.domain.xx/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf
Running tests
=============
Use failregex filter file : nextcloud, basedir: /etc/fail2ban
Use log file : fail2ban-regex /var/nextcloud-data/nextcloud.domain.xx/nextcloud.log
Use encoding : UTF-8
Results
=======
Failregex: 73 total
|- #) [# of hits] regular expression
| 2) [73] ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [904] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 904 lines, 0 ignored, 73 matched, 831 missed
[processed in 0.34 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 831 lines
Status
fail2ban-client status nextcloud.domain.xx
Unban
fail2ban-client set nextcloud.domain.xx unbanip <IP>
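The filter and jail settings above can be checked offline before they are pointed at a live log. The following Python sketch is an added example, not part of the original page or of Fail2ban: it applies the three failregex lines to constructed log lines and models maxretry and findtime in simplified form. The IPv4-only <HOST> stand-in, the helper names and the sample lines are assumptions.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # stand-in for <HOST>: IPv4 only (assumption)
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (  # from nextcloud.conf
    r'''^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$''',
    r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$''',
    r'''^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*$''',
)]
MAXRETRY, FINDTIME = 3, 3600  # maxretry and findtime from the jail

def line(ts, addr, msg):  # constructed sample line, field order as in the second failregex
    return ('{"reqId":"r1","level":2,"time":"%s","remoteAddr":"%s","user":"--","app":"core",'
            '"method":"POST","url":"/login","message":"%s"}' % (ts, addr, msg))

def failures(lines):
    """Yield (epoch_seconds, host) for every line that a failregex matches."""
    for ln in lines:
        m = next(filter(None, (rx.search(ln) for rx in FAILREGEX)), None)
        if m:
            when = datetime.fromisoformat(json.loads(ln)["time"])
            yield when.timestamp(), m.group("host")

def banned_hosts(lines):
    """Simplified jail model: ban a host once MAXRETRY failures fall within FINDTIME seconds."""
    recent, banned = defaultdict(deque), []
    for ts, host in failures(lines):  # assumes chronological order, as in a log file
        q = recent[host]
        q.append(ts)
        while ts - q[0] > FINDTIME:   # drop failures older than the findtime window
            q.popleft()
        if len(q) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

SAMPLE = [  # constructed log lines using documentation IP ranges
    line("2024-01-01T10:00:00+00:00", "203.0.113.7", "Login failed: 'admin' (Remote IP: '203.0.113.7')"),
    line("2024-01-01T10:00:05+00:00", "198.51.100.4", "Login failed: 'bob' (Remote IP: '198.51.100.4')"),
    line("2024-01-01T10:01:00+00:00", "203.0.113.7", "Login failed: 'root' (Remote IP: '203.0.113.7')"),
    line("2024-01-01T10:02:00+00:00", "192.0.2.10", "Some unrelated warning"),
    line("2024-01-01T10:03:00+00:00", "203.0.113.7", "Trusted domain error."),
    line("2024-01-01T12:30:00+00:00", "198.51.100.4", "Login failed: 'bob' (Remote IP: '198.51.100.4')"),
    line("2024-01-01T12:31:00+00:00", "198.51.100.4", "Login failed: 'bob' (Remote IP: '198.51.100.4')"),
]

if __name__ == "__main__":
    print(len(list(failures(SAMPLE))), "matched; would ban:", banned_hosts(SAMPLE))
```

The host with three failures spread over more than findtime is not banned, because the oldest failure has left the window by the time the third arrives.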