Kozea / Radicale

A simple CalDAV (calendar) and CardDAV (contact) server.
https://radicale.org
GNU General Public License v3.0

Fail2ban filter doesn't work #1571

Closed f1refa11 closed 1 month ago

f1refa11 commented 2 months ago

When using fail2ban configuration from the wiki, fail2ban just ignores all incorrect logins.

OS: Debian 12
Version: latest from PyPI
Radicale is running as a service.

I tried running sudo fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale /etc/fail2ban/filter.d/radicale.conf, but fail2ban still didn't recognize incorrect logins:

Running tests
=============

Use   failregex filter file : radicale, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : _SYSTEMD_UNIT=radicale

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 0 lines, 0 ignored, 0 matched, 0 missed

pbiering commented 2 months ago

@f1refa11 are you able to trace down what's wrong with the provided examples? And which of the examples did you use from https://github.com/Kozea/Radicale/wiki/Fail2Ban-Setup?

f1refa11 commented 2 months ago

> @f1refa11 are you able to trace down what's wrong with the provided examples? And which of the examples did you use from Wiki: Fail2Ban Setup?

I used the "Radicale without reverse proxy" example. Unfortunately, I wasn't able to trace down the problem.

f1refa11 commented 2 months ago

What I noticed is that when running sudo fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale /etc/fail2ban/filter.d/radicale.conf, fail2ban analyzes 0 lines, which means that fail2ban sees empty logs, so I guess it's not Radicale that causes the issue.

pbiering commented 2 months ago

Did you select the proper unit name? What is the output of journalctl -f -u radicale?

f1refa11 commented 2 months ago

> Did you select the proper unit name? What is the output of journalctl -f -u radicale?

Yes, I did. Here is the output of the command:

сен 19 11:56:54 firefall-server radicale[9326]: [9326/Thread-198 (process_request_thread)] [INFO] GET request for '/.web/css/icons/edit.svg' received from [REDACTED] using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0'
сен 19 11:56:54 firefall-server radicale[9326]: [9326/Thread-198 (process_request_thread)] [INFO] GET response status for '/.web/css/icons/edit.svg' in 0.001 seconds: 200 OK
сен 19 11:56:54 firefall-server radicale[9326]: [9326/Thread-199 (process_request_thread)] [INFO] GET request for '/.web/css/icon.png' received from [REDACTED] using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0'
сен 19 11:56:54 firefall-server radicale[9326]: [9326/Thread-199 (process_request_thread)] [INFO] GET response status for '/.web/css/icon.png' in 0.004 seconds: 200 OK
сен 19 11:56:56 firefall-server radicale[9326]: [9326/Thread-200 (process_request_thread)] [INFO] PROPFIND request for '/' received from [REDACTED] using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0'
сен 19 11:56:56 firefall-server radicale[9326]: [9326/Thread-200 (process_request_thread)] [INFO] Access to '/' denied for anonymous user
сен 19 11:56:56 firefall-server radicale[9326]: [9326/Thread-200 (process_request_thread)] [INFO] PROPFIND response status for '/' in 0.001 seconds: 401 Unauthorized
сен 19 11:56:56 firefall-server radicale[9326]: [9326/Thread-201 (process_request_thread)] [INFO] PROPFIND request for '/' received from [REDACTED] using 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0'
сен 19 11:56:56 firefall-server radicale[9326]: [9326/Thread-201 (process_request_thread)] [WARNING] Failed login attempt from [REDACTED]: '123'
сен 19 11:56:57 firefall-server radicale[9326]: [9326/Thread-201 (process_request_thread)] [INFO] PROPFIND response status for '/' in 1.039 seconds: 401 Unauthorized

(I replaced my IP with [REDACTED], btw)

pbiering commented 1 month ago

> What I noticed is that when running sudo fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale /etc/fail2ban/filter.d/radicale.conf, fail2ban analyzes 0 lines, which means that fail2ban sees empty logs, so I guess it's not Radicale that causes the issue.

The systemd unit match is missing a piece (.service), which is, by the way, properly documented in the Wiki. Try this:

sudo fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale.service /etc/fail2ban/filter.d/radicale.conf
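The difference between the two matches, as an added example that is not part of the thread or of the Radicale wiki: a small offline model of the fail2ban-regex run, where a journal match selects entries by exact field value and a failregex is then applied to each message. The journal entries are constructed from the log lines quoted above (203.0.113.7 stands in for [REDACTED]), and the failregex is an assumption written to fit the WARNING line shown in the thread.

```python
import re

# Constructed journal entries modelled on the lines quoted in this thread.
# 203.0.113.7 is a documentation address standing in for [REDACTED].
JOURNAL = [
    {"_SYSTEMD_UNIT": "radicale.service",
     "MESSAGE": "[9326/Thread-200 (process_request_thread)] [INFO] "
                "Access to '/' denied for anonymous user"},
    {"_SYSTEMD_UNIT": "radicale.service",
     "MESSAGE": "[9326/Thread-201 (process_request_thread)] [WARNING] "
                "Failed login attempt from 203.0.113.7: '123'"},
    {"_SYSTEMD_UNIT": "radicale.service",
     "MESSAGE": "[9326/Thread-201 (process_request_thread)] [INFO] "
                "PROPFIND response status for '/' in 1.039 seconds: "
                "401 Unauthorized"},
    {"_SYSTEMD_UNIT": "ssh.service",  # unrelated unit, must never be selected
     "MESSAGE": "Failed password for root from 198.51.100.9 port 22 ssh2"},
]

# Assumed failregex fitted to the WARNING line above (not the wiki's filter).
# fail2ban's <HOST> tag is approximated by a named group for an IP literal.
FAILREGEX = re.compile(
    r"^\[\d+/Thread-\d+ \([^)]*\)\] \[WARNING\] "
    r"Failed login attempt from (?P<host>[0-9A-Fa-f:.]+): "
)


def journal_match(entries, match):
    """Apply a FIELD=VALUE journal match; the value is compared exactly."""
    field, _, value = match.partition("=")
    return [e for e in entries if e.get(field) == value]


def run_filter(entries, match):
    """Return (lines read, hosts matched), like the fail2ban-regex summary."""
    selected = journal_match(entries, match)
    hosts = [m.group("host") for e in selected
             if (m := FAILREGEX.search(e["MESSAGE"]))]
    return len(selected), hosts


if __name__ == "__main__":
    for match in ("_SYSTEMD_UNIT=radicale", "_SYSTEMD_UNIT=radicale.service"):
        lines, hosts = run_filter(JOURNAL, match)
        print(f"{match}: {lines} lines, {len(hosts)} matched {hosts}")
```

journalctl -u radicale accepts the short name because journalctl completes the .service suffix itself; a raw _SYSTEMD_UNIT= match gets no such completion.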

pbiering commented 1 month ago

Added a testing section to the Wiki: https://github.com/Kozea/Radicale/wiki/Fail2Ban-Setup

f1refa11 commented 1 month ago

Here's the output of sudo fail2ban-regex systemd-journal -m _SYSTEMD_UNIT=radicale.service /etc/fail2ban/filter.d/radicale.conf:

Running tests
=============

Use   failregex filter file : radicale, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         systemd journal
Use         encoding : UTF-8
Use    journal match : _SYSTEMD_UNIT=radicale.service

Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 20 lines, 0 ignored, 0 matched, 20 missed
[processed in 0.00 sec]

|- Missed line(s):
|  2024-09-18T11:12:18.835995+03:00 firefall-server (python3)[7904]: radicale.service: Failed to locate executable /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:18.836038+03:00 firefall-server (python3)[7904]: radicale.service: Failed at step EXEC spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.104308+03:00 firefall-server (python3)[7908]: radicale.service: Failed to locate executable /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.104362+03:00 firefall-server (python3)[7908]: radicale.service: Failed at step EXEC spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.336700+03:00 firefall-server (python3)[7912]: radicale.service: Failed to locate executable /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.336743+03:00 firefall-server (python3)[7912]: radicale.service: Failed at step EXEC spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.586081+03:00 firefall-server (python3)[7917]: radicale.service: Failed to locate executable /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.586124+03:00 firefall-server (python3)[7917]: radicale.service: Failed at step EXEC spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.835768+03:00 firefall-server (python3)[7922]: radicale.service: Failed to locate executable /home/radicale/env/bin/python3: No such file or directory
|  2024-09-18T11:12:19.835811+03:00 firefall-server (python3)[7922]: radicale.service: Failed at step EXEC spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-23T13:41:53.545931+03:00 firefall-server (python3)[1144588]: radicale.service: Failed to set up standard output: No such file or directory
|  2024-09-23T13:41:53.545993+03:00 firefall-server (python3)[1144588]: radicale.service: Failed at step STDOUT spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-23T13:41:53.783204+03:00 firefall-server (python3)[1144615]: radicale.service: Failed to set up standard output: No such file or directory
|  2024-09-23T13:41:53.783257+03:00 firefall-server (python3)[1144615]: radicale.service: Failed at step STDOUT spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-23T13:41:54.043906+03:00 firefall-server (python3)[1144616]: radicale.service: Failed to set up standard output: No such file or directory
|  2024-09-23T13:41:54.043996+03:00 firefall-server (python3)[1144616]: radicale.service: Failed at step STDOUT spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-23T13:41:54.292290+03:00 firefall-server (python3)[1144617]: radicale.service: Failed to set up standard output: No such file or directory
|  2024-09-23T13:41:54.292377+03:00 firefall-server (python3)[1144617]: radicale.service: Failed at step STDOUT spawning /home/radicale/env/bin/python3: No such file or directory
|  2024-09-23T13:41:54.564733+03:00 firefall-server (python3)[1144618]: radicale.service: Failed to set up standard output: No such file or directory
|  2024-09-23T13:41:54.564794+03:00 firefall-server (python3)[1144618]: radicale.service: Failed at step STDOUT spawning /home/radicale/env/bin/python3: No such file or directory
`-

("no such file or directory" errors are expected, as I was configuring the Radicale systemd service)

What I think is happening is that fail2ban reads only error messages, not info/warning ones.

I was eventually able to fix this issue by adding StandardOutput=append:/var/log/radicale/log.log and StandardError=append:/var/log/radicale/log-error.log to the Radicale systemd service file, so all the service logs would also appear in the separate log file, and setting logpath to the error log file path (not the info/warning one).

I don't know why this is happening, but this type of issue also happened with my Forgejo instance (which I was also able to fix the same way). :shrug:

Sorry for blaming your app for causing this issue, I guess something's just messed up on my system! 😅

Closing the issue.

mozlima commented 1 month ago

This issue is the same as this comment:

When removing AF_UNIX from RestrictAddressFamilies, the error message goes away.

The Arch Linux unit sets RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX, which blocks access to the journal.