Protecting your ownCloud instance from bots hammering its login form is certainly a good idea, and fail2ban can help you with that. This post will guide you through installing fail2ban on a CentOS 7 box, configuring an ownCloud filter and putting it to use.
To install fail2ban on your CentOS box just type:
yum install fail2ban
Once it is installed, you can create a new filter by editing this file:
/etc/fail2ban/filter.d/owncloud.conf
and putting the following content in it:
[INCLUDES]
before = common.conf
[Definition]
daemon = owncloud
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
As you can see, our regex depends on your ownCloud instance having its loglevel set to level 2, so go ahead and change it to:
'loglevel' => 2,
in your config/config.php
or just navigate to “Settings” > “Admin” in your ownCloud and change “Log level” to “Warnings, errors and fatal issues”.
To set up a fail2ban jail, or whatever you want to call it, you’ll need to create the file:
/etc/fail2ban/jail.d/owncloud.local
and place this in it:
[owncloud]
enabled = true
filter = owncloud
bantime = 86400
port = http,https
backend = polling
journalmatch =
maxretry = 3
logpath = /path/to/your/owncloud.log
This configuration specifies that a ban should last for 24 hours (86400 seconds), that the http and https ports (80 and 443) should be blocked when the rule matches, and that an IP should be blocked after 3 wrong login attempts.
Of course you’ll also need to specify the path to your log file; by default it is located in your ownCloud data folder and is called owncloud.log.
Also, since CentOS 7 uses systemd, fail2ban-systemd gets installed as a dependency when you install fail2ban. That means fail2ban will use the journal as its log source, and since ownCloud saves its logs to a regular file, we need to specify a different backend, which is why the jail above sets backend = polling.
With everything set up we can start fail2ban with:
systemctl start fail2ban.service
and also enable it with:
systemctl enable fail2ban.service
Now you just need to test that this setup works, and the best way to do that is to try to log in a few times with wrong credentials, which should get you blocked for 24 hours ;-)
To remove a ban you can use:
fail2ban-client set owncloud unbanip YOUR-IP-ADDRESS
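The filter and the maxretry threshold can also be checked offline before you risk locking yourself out. The following is an added example, not part of the original post: it runs the failregex above over constructed log lines and reports which IPs would reach maxretry. The IPv4-only stand-in for `<HOST>`, the helper names and the sample entries are assumptions, and findtime is ignored.

```python
import re
from collections import Counter

# failregex from the owncloud.conf filter, using fail2ban's <HOST> tag.
FAILREGEX = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}'''

# Assumption: simplified IPv4-only stand-in for what fail2ban expands <HOST> to.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY = 3  # same value as in the [owncloud] jail


def log_line(n, ip, user):
    """Build one constructed ownCloud-style JSON log entry for a failed login."""
    return ('{"reqId":"r%d","remoteAddr":"%s","app":"core","message":'
            '"Login failed: \'%s\' (Remote IP: \'%s\')","level":2,'
            '"time":"2016-01-10T10:00:0%d+00:00"}' % (n, ip, user, ip, n))


# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    log_line(1, "203.0.113.7", "admin"),
    log_line(2, "203.0.113.7", "root"),
    log_line(3, "198.51.100.4", "alice"),
    '{"reqId":"r4","remoteAddr":"198.51.100.4","app":"PHP",'
    '"message":"Undefined index: foo","level":3,"time":"2016-01-10T10:00:04+00:00"}',
    log_line(5, "203.0.113.7", "admin"),
]


def compile_filter(failregex=FAILREGEX):
    """Substitute the <HOST> tag and compile the filter regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def failures_by_host(lines, pattern=None):
    """Count matching failed-login lines per source IP."""
    pattern = pattern or compile_filter()
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Return the IPs whose failure count reaches maxretry."""
    return sorted(ip for ip, n in failures_by_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_by_host(SAMPLE_LOG)))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

On the server itself, `fail2ban-regex /path/to/your/owncloud.log /etc/fail2ban/filter.d/owncloud.conf` runs the real filter against the real log and prints how many lines matched.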