    Fail2Ban not working with Fedora-Server Edition

      scottalanmiller

      Fail2ban works for us by default. But NextCloud needs custom configuration. Are you having issues with Fail2ban on Fedora?

        black3dynamite

        I also have Nextcloud based on Rieger's how-to guide and it works. I'm using this guide from him that is using Nginx instead of Apache.
        https://riegers.in/nextcloud-installation-guide-ubuntu-20-04/

          Woti

          My problem is that nothing is banned. Maybe no one is attacking my server? 😄
          @black3dynamite Yes I have the same setup from Riegers.

          It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

          Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

            black3dynamite @Woti

            @Woti said in Fail2Ban not working with Fedora-Server Edition:

            My problem is that nothing is banned. Maybe no one is attacking my server? 😄
            @black3dynamite Yes I have the same setup from Riegers.

            It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

            Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

            On Fedora, CentOS, and Red Hat, SELinux can sometimes cause issues.

              Woti

              Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or how to check if fail2ban works properly?

                JaredBusch @Woti

                @Woti said in Fail2Ban not working with Fedora-Server Edition:

                Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or how to check if fail2ban works properly?

                You install it and turn it on

                sudo dnf install -y fail2ban
                sudo systemctl enable --now fail2ban
                

                You can see things with fail2ban-client

                sudo fail2ban-client status
                

                And specifics about a jail

                sudo fail2ban-client status sshd
                

                Beyond that, there is not any one "guide"

                You have to create jails that understand the application you are protecting.

                  Woti

                  I have now activated sshd and it works perfectly. But Nextcloud doesn't.
                  What other jails do you use? What is recommended?

                  sudo fail2ban-client status sshd
                  Status for the jail: sshd
                  |- Filter
                  |  |- Currently failed: 1
                  |  |- Total failed:     13
                  |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
                  `- Actions
                     |- Currently banned: 1
                     |- Total banned:     1
                     `- Banned IP list:   77.16.71.32
                  

                  Nextcloud is missing matching Journal it looks like?

                  sudo fail2ban-client status nextcloud
                  Status for the jail: nextcloud
                  |- Filter
                  |  |- Currently failed: 0
                  |  |- Total failed:     0
                  |  `- Journal matches:
                  `- Actions
                     |- Currently banned: 0
                     |- Total banned:     0
                     `- Banned IP list:
                  
                    black3dynamite @Woti

                    @Woti said in Fail2Ban not working with Fedora-Server Edition:

                    I have now activated sshd and it works perfectly. But Nextcloud doesn't.
                    What other jails do you use? What is recommended?

                    sudo fail2ban-client status sshd
                    Status for the jail: sshd
                    |- Filter
                    |  |- Currently failed: 1
                    |  |- Total failed:     13
                    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
                    `- Actions
                       |- Currently banned: 1
                       |- Total banned:     1
                       `- Banned IP list:   77.16.71.32
                    

                    Nextcloud is missing matching Journal it looks like?

                    sudo fail2ban-client status nextcloud
                    Status for the jail: nextcloud
                    |- Filter
                    |  |- Currently failed: 0
                    |  |- Total failed:     0
                    |  `- Journal matches:
                    `- Actions
                       |- Currently banned: 0
                       |- Total banned:     0
                       `- Banned IP list:
                    

                    Here's mine
                    [image]

                      black3dynamite

                      /etc/fail2ban/filter.d/nextcloud.conf

                      [Definition]
                      failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
                                ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
                                ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
                      

                      /etc/fail2ban/jail.d/nextcloud.local

                      [nextcloud]
                      backend = auto
                      enabled = true
                      port = 80,443
                      protocol = tcp
                      filter = nextcloud
                      maxretry = 5
                      bantime = 36000
                      findtime = 36000
                      logpath = /var/nc_data/nextcloud.log
                      
                      [nginx-http-auth]
                      enabled = true
                      
                      1 Reply Last reply Reply Quote 1
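An added example (not part of the thread or of fail2ban itself): an offline check of the first and third failregex lines and the jail's maxretry/findtime from the post above, run against constructed log lines. `HOST` is a simplified stand-in for fail2ban's `<HOST>` tag, and `new_style`, `failures`, `would_ban` and the sample data are illustrative names and values; on a real system, `fail2ban-regex` given the log file and the filter file performs the actual matching.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (the real tag also accepts hostnames).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
# First and third failregex lines of the filter posted above, copied verbatim.
FAILREGEX = [
    r'''^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$''',
    r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$''',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY, FINDTIME = 5, 36000  # maxretry / findtime from the [nextcloud] jail above


def new_style(sec, ip, message):
    """Constructed log line in the field order the third failregex expects."""
    rec = {"reqId": "r%d" % sec, "level": 2, "time": "2021-03-01T10:00:%02d+00:00" % sec,
           "remoteAddr": ip, "user": "--", "app": "no app in context", "method": "POST",
           "url": "/login", "message": message, "userAgent": "curl"}
    return json.dumps(rec, separators=(",", ":"))


def failures(lines):
    """Return (unix_time, ip) for each line matched by any failregex."""
    hits = []
    for line in lines:
        m = next((m for m in (rx.match(line) for rx in COMPILED) if m), None)
        if m:
            when = datetime.fromisoformat(json.loads(line)["time"])
            hits.append((when.timestamp(), m.group("host")))
    return hits


def would_ban(hits):
    """IPs that reach MAXRETRY failures within a single FINDTIME window."""
    per_ip = defaultdict(list)
    for ts, ip in sorted(hits):
        per_ip[ip].append(ts)
    return sorted(ip for ip, t in per_ip.items()
                  if any(t[i + MAXRETRY - 1] - t[i] <= FINDTIME
                         for i in range(len(t) - MAXRETRY + 1)))


# Constructed sample log: five failures from one address, one old-format failure, one noise line.
SAMPLE = [new_style(s, "203.0.113.7", "Login failed: admin (Remote IP: 203.0.113.7)") for s in range(1, 6)]
SAMPLE.append('{"reqId":"r0","remoteAddr":"198.51.100.9","app":"core","message":'
              '"Login failed: \'bob\' (Remote IP: \'198.51.100.9\')","level":2,"time":"2021-03-01T10:00:00+00:00"}')
SAMPLE.append(new_style(9, "192.0.2.5", "Trusted domain error"))

if __name__ == "__main__":
    hits = failures(SAMPLE)
    print(len(hits), "failures;", "would ban:", would_ban(hits))
```

A jail whose "Total failed" stays at 0 while this kind of check finds failures in the same log points at the jail not reading the file (backend, logpath or SELinux access) rather than at the filter.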
                        Woti

                        nextcloud.conf is the same as yours. As well as the path.
                        but I have no nextcloud.local. The same content as yours is in jail.local
                        I'll try your solution.

                          Woti

                          Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                          My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                            black3dynamite @Woti

                            @Woti said in Fail2Ban not working with Fedora-Server Edition:

                            Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                            My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                            Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.

                            sudo setenforce permissive
                            
                              Woti

                              I used this command to give apache and php-fpm read and write access to the logfile

                              semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
                              restorecon -Rv '/var/log/nextcloud/'
                              

                              But how to give fail2ban access through SELinux?
                              Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
                              Of course I can remove the above SELinux file context and issue:

                              semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
                              restorecon -Rv '/var/log/nextcloud/'
                              

                              This way I get read write access to the nextcloud logfile for fail2ban but not for apache php-fpm anymore.
                              It is confusing.

                                Woti

                                Finally I got it to work 🙂
                                I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
                                I tried and my test-IPs were banned 🙂
