
Integrate fail2ban with ownCloud

Before running the commands shown on this page, you should load the Bitnami stack environment by executing the installdir/use_APPNAME script (Linux and MacOS) or by clicking the shortcut in the Start Menu under “Start -> Bitnami APPNAME Stack -> Application console” (Windows). On OS X VMs, the installation directory is /opt/bitnami and OS X VM users can click the “Open Terminal” button to run commands. Learn more about the Bitnami stack environment and about OS X VMs.

NOTE: The Approach A sections referred to below do not apply to Bitnami native installers. Users of Bitnami native installers should refer only to the Approach B sections.

If you want to limit the number of login attempts (and avoid brute-force attacks), install fail2ban and configure it to work with the Bitnami ownCloud Stack.

  • Install fail2ban:

    • Debian:

        $ sudo apt-get update
        $ sudo apt-get install fail2ban
      
    • CentOS:

        $ sudo yum install epel-release
        $ sudo yum install fail2ban
        $ sudo systemctl enable fail2ban
        $ sudo systemctl start fail2ban
      
  • Log in to ownCloud, click your username in the top right corner, navigate to the “Admin -> Log” section and choose “warnings, errors and fatal issues”.

    [Screenshot: ownCloud logger]

Next, configure fail2ban following the steps below:

  • Create the /etc/fail2ban/filter.d/owncloud.conf file with the following code:

      [Definition]
      failregex={.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}
      ignoreregex =
    
  • Copy the /etc/fail2ban/jail.conf file to the /etc/fail2ban/jail.local file and add the code below, depending on your installation type:

    • Approach A (Bitnami installations using system packages):

        # ownCloud
        [owncloud]
        enabled  = true
        filter   = owncloud
        action = iptables-multiport[name=owncloud, port="http,https"]
        logpath  = /bitnami/owncloud/data/owncloud.log
        maxretry = 5
        findtime = 600
        bantime = 600
      
    • Approach B (Self-contained Bitnami installations):

        # ownCloud
        [owncloud]
        enabled  = true
        filter   = owncloud
        action = iptables-multiport[name=owncloud, port="http,https"]
        logpath  = installdir/apps/owncloud/data/owncloud.log
        maxretry = 5
        findtime = 600
        bantime = 600
      

    With this configuration, fail2ban bans the IP address of any client that fails to log in five times (maxretry) within 10 minutes (findtime). The ban only affects ports 80 and 443, so a client with a banned IP address cannot reach the web server for 10 minutes (bantime); other services on the host remain reachable.

  • Before applying the configuration, test that the regex is correct. To do so, browse to your Bitnami ownCloud login page and log in with a non-existent user/password to produce a login error. Then run the command below that matches your installation type:

    • Approach A (Bitnami installations using system packages):

        $ sudo fail2ban-regex /bitnami/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf
      
    • Approach B (Self-contained Bitnami installations):

        $ sudo fail2ban-regex installdir/apps/owncloud/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf
      

    If the last two lines of the output show at least “1 matched”, the regex is properly configured:

      Lines: 412 lines, 0 ignored, 1 matched, 397 missed
      Missed line(s):: too many to print.  Use --print-all-missed to print all 397 lines
    
  • Apply the configuration with the command that matches your distribution:

    • Debian:

        $ sudo /etc/init.d/fail2ban restart
      
    • CentOS:

        $ sudo systemctl restart fail2ban
      

To check that everything is working, try logging in five times with bad credentials. On the fifth unsuccessful attempt, your IP address will be banned for 10 minutes.
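The following Python script is an added example, not part of the Bitnami documentation or of fail2ban itself. It replays a constructed owncloud.log excerpt through the failregex from the filter above and applies the maxretry/findtime/bantime logic of the [owncloud] jail, so you can see which lines fail2ban-regex would count as “matched” and which client would be banned before you touch the live service. The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's own host pattern, the sliding-window counting is an approximation of fail2ban's behaviour, and the log lines are constructed samples (assumptions, not real output).

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as written in /etc/fail2ban/filter.d/owncloud.conf.
FAILREGEX = r'''{.*,"message":"Login failed: '.*' \(Remote IP: '<HOST>'\)"}'''

# fail2ban replaces <HOST> with its own host expression; this IPv4-only named
# group is a simplified stand-in (assumption) that is enough for the sample log.
HOST_GROUP = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Jail parameters from the [owncloud] section of jail.local.
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=600)

# Constructed owncloud.log excerpt (one JSON object per line, as ownCloud writes
# it). Two non-login lines are included to show what the filter ignores.
SAMPLE_LOG = """\
{"reqId":"r1","level":2,"time":"2021-06-16T10:00:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.20')"}
{"reqId":"r2","level":2,"time":"2021-06-16T10:01:10+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r3","level":1,"time":"2021-06-16T10:01:30+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Starting background job"}
{"reqId":"r4","level":2,"time":"2021-06-16T10:02:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r5","level":2,"time":"2021-06-16T10:03:00+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"reqId":"r6","level":2,"time":"2021-06-16T10:04:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.20')"}
{"reqId":"r7","level":2,"time":"2021-06-16T10:04:20+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r8","level":2,"time":"2021-06-16T10:05:00+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"r9","level":2,"time":"2021-06-16T10:09:00+00:00","remoteAddr":"192.0.2.9","user":"alice","app":"files","message":"Could not find file"}
{"reqId":"r10","level":2,"time":"2021-06-16T10:20:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.20')"}
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder and compile the filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def match_line(pattern: re.Pattern, line: str):
    """Return the offending host if the line matches the failregex, else None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def simulate_jail(log_text: str, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines the way the jail would: count failures per host inside
    a sliding findtime window and ban once maxretry failures are seen.
    Returns counters in fail2ban-regex terms plus the bans that would be issued."""
    pattern = compile_failregex(FAILREGEX)
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    bans = []
    matched = missed = 0
    for line in log_text.splitlines():
        host = match_line(pattern, line)
        if host is None:
            missed += 1
            continue
        matched += 1
        # ownCloud's JSON carries the event time; fail2ban parses it from the line.
        ts = datetime.fromisoformat(json.loads(line)["time"])
        window = failures[host]
        window.append(ts)
        # Forget failures that fall outside findtime relative to the newest one.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((host, ts.isoformat(), (ts + bantime).isoformat()))
            window.clear()  # counting starts afresh once the host is banned
    return {"matched": matched, "missed": missed, "bans": bans}


def regex_summary(result: dict) -> str:
    """Format the counters like the summary line at the end of fail2ban-regex output."""
    total = result["matched"] + result["missed"]
    return f"Lines: {total} lines, 0 ignored, {result['matched']} matched, {result['missed']} missed"


if __name__ == "__main__":
    result = simulate_jail(SAMPLE_LOG)
    print(regex_summary(result))
    for host, start, end in result["bans"]:
        print(f"ban {host} from {start} until {end}")
```

In the sample, 203.0.113.7 accumulates five failures between 10:01 and 10:05 and is banned until 10:15, while 198.51.100.20 fails three times but never five within any 10-minute window, so it stays unbanned. The same replay is useful for checking a changed failregex against your real owncloud.log before restarting fail2ban.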

Last modification June 16, 2021