cozy / cozy-home-v2

This repository was part of CozyV2 which has been deprecated
https://blog.cozycloud.cc/post/2016/11/21/On-the-road-to-Cozy-version-3
GNU Affero General Public License v3.0

Cozy login fail2ban regex filter (new security feature)? #717

Open ghost opened 8 years ago

ghost commented 8 years ago

I have tried to search for a fail2ban filter for the Cozy login page, but I only found something here in French which I don't really fully understand: https://forum.cozy.io/t/cozy-cloud-sous-yunohost/616/7 Did this user 'Zehiro' manage to create and test this filter on fail2ban?

Does anyone know if we can apply this fail2ban filter, or any reliable filter, on Cozy Home?

ghost commented 8 years ago

There are actually 2 filters I'd like to create for Cozy, since I don't think anyone else has initiated this security request.

  1. The authentication filter, which is similar to what 'Zehiro' wrote in the forum. This is an example of a line in cozy.log, which is the equivalent of access.log: `10.106.0.1 - - [12/Mar/2016:16:00:07] "POST /login HTTP/1.1" 401 "https://server/login/" "Mozilla/5.0 (X11; Linux x86_64; rv:X) Gecko/20140301"`

And I'm trying to parse it with this: `failregex = <HOST>-.*"(GET|POST).*HTTP/1.[01]" 401.*`. But I tested it and it is not working. I want to filter all the 401 unauthenticated errors and ban the IP.

  2. The DDoS nginx filter; I downloaded this: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/nginx-limit-req.conf NOTE: this filter is not included in the default fail2ban repo installation on Ubuntu 14.04.4. I had to add it manually to the filter.d folder.

With this, it is required to include a line such as `limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;` in the `http {` block of nginx.conf, which is the exact line I have put. Enabling the filter [nginx-limit-req], I have tried testing this with ab (Apache Bench) with this command from another PC: `ab -n 500 -c 10 https://server/login/`

But all I see is connection requests in cozy.log, and it doesn't seem to block anything with fail2ban, judging by `tail -f /var/log/fail2ban.log`. Maybe I am doing something wrong or missing something. Can someone please help with these 2 fail2ban filters and give some step-by-step instructions on how to get these filters working successfully?

I believe it is of high importance to keep our Cozy cloud secure :)

ghost commented 8 years ago

Okay, so far I have figured out how to use fail2ban for authentication failures on the Cozy Home login screen, and I have tested that this works!! It bans the IP after however many attempts you declare under the JAIL config of [cozy] in jail.local.

You make the filter called cozy.conf in /etc/fail2ban/filter.d/ with the following in the file:

```
[Definition]
failregex = <HOST> - .*"(GET|POST).*HTTP/1.[01]" 401.*
ignoreregex =
```

Please note that `<HOST>` should NOT have spaces between `<` and `>`. I put them there because for some reason it wouldn't show here (GitHub) as I was posting.

Now I am only left with the DDoS filter for nginx on Cozy; can anyone help out?

ZeHiro commented 8 years ago

@Beast141 ,

To be clear, I didn't test the fail2ban filter I quoted on the forum. It was just to help with integrating Cozy into YunoHost, which needs fail2ban rules to ensure the safety of the platform.

clochix commented 8 years ago

Hi @Beast141,

I like this idea! Maybe you should post to our forum rather than here; you'll probably get more responses. Securing the server for self-hosted users is a little bit out of scope, and I don't think we'll add this to the Cozy images we publish. But this is definitely something we could add to the documentation.

Also, please note that matching every 401 status code may not be a good idea; the logs may contain legitimate 401 errors (for example, when using *DAV for syncing calendars or address books, we may have a lot of 401s with some clients that try to connect without auth before sending the auth).
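The three regexes that come up in this thread (the first attempt that never matched, the working cozy.conf filter, and the narrower form clochix's caveat about *DAV 401s calls for), together with the nginx-limit-req side of the question, exercised over constructed log lines. This is an added example, not code from the issue or from the Cozy project: it does in Python what `fail2ban-regex <logfile> <filter>` does on the box. Everything in it is constructed or assumed: the `10.106.0.x` addresses and the log lines are modelled on the single cozy.log line quoted in the issue; the `/public/calendars/` path and `ExampleDAV` client name are made up; `HOST_PATTERN` is an IPv4-only stand-in for fail2ban's real `<HOST>` substitution (which also covers IPv6 and hostnames); `NGINX_LIMIT_REQ` is a simplified pattern written for this example, not the one in fail2ban's nginx-limit-req.conf; and fail2ban's separate requirement that its datepattern locate a timestamp on each line is skipped.

```python
"""
Added example (not from the issue thread or the Cozy project): run the
fail2ban-style failregexes discussed in the thread over constructed log
lines, the way `fail2ban-regex <logfile> <filter>` would, and count hits
per host the way a jail's maxretry does.

Assumptions: cozy.log lines follow the format quoted in the issue; the
nginx error-log lines are constructed to the wording of nginx's limit_req
module; <HOST> is approximated by an IPv4-only pattern (fail2ban's real
substitution also covers IPv6 and hostnames).
"""
import re
from collections import Counter
from typing import Iterable, List

# Stand-in for what fail2ban substitutes for the <HOST> tag (assumption:
# IPv4 only, to keep the example short).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str):
    """Expand the <HOST> tag and compile the pattern as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(failregex: str, lines: Iterable[str]) -> List[str]:
    """Host captured from every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(failregex: str, lines: Iterable[str], maxretry: int) -> List[str]:
    """Hosts whose hit count reaches the jail's maxretry (findtime ignored)."""
    counts = Counter(matching_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# First attempt from the issue: "<HOST>-" wants the IP followed directly
# by '-', but cozy.log writes "IP - -", so it matches nothing.
FIRST_ATTEMPT = r'<HOST>-.*"(GET|POST).*HTTP/1.[01]" 401.*'

# Working regex from the follow-up comment (space-separated " - ").
WORKING = r'<HOST> - .*"(GET|POST).*HTTP/1.[01]" 401.*'

# Narrower variant for clochix's caveat: count only 401s on the login
# endpoint, so *DAV clients probing without credentials are not banned.
LOGIN_ONLY = r'<HOST> - .*"POST /login HTTP/1.[01]" 401.*'

# Simplified pattern for the line nginx writes to its *error* log when
# `limit_req` rejects a request (assumption: not fail2ban's exact filter).
NGINX_LIMIT_REQ = r'limiting requests, excess: [\d.]+ by zone "one", client: <HOST>,'

UA = '"Mozilla/5.0 (X11; Linux x86_64; rv:X) Gecko/20140301"'

# Constructed cozy.log sample modelled on the line quoted in the issue:
# three failed logins then a success from .1, and a DAV client from .2
# that gets 401 until it sends credentials (path and client name made up).
COZY_LOG = [
    f'10.106.0.1 - - [12/Mar/2016:16:00:07] "POST /login HTTP/1.1" 401 "https://server/login/" {UA}',
    f'10.106.0.1 - - [12/Mar/2016:16:00:09] "POST /login HTTP/1.1" 401 "https://server/login/" {UA}',
    f'10.106.0.1 - - [12/Mar/2016:16:00:12] "POST /login HTTP/1.1" 401 "https://server/login/" {UA}',
    f'10.106.0.1 - - [12/Mar/2016:16:00:20] "POST /login HTTP/1.1" 302 "https://server/login/" {UA}',
    '10.106.0.2 - - [12/Mar/2016:16:01:00] "GET /public/calendars/ HTTP/1.1" 401 "-" "ExampleDAV/1.0"',
    '10.106.0.2 - - [12/Mar/2016:16:01:00] "GET /public/calendars/ HTTP/1.1" 401 "-" "ExampleDAV/1.0"',
    '10.106.0.2 - - [12/Mar/2016:16:01:01] "GET /public/calendars/ HTTP/1.1" 401 "-" "ExampleDAV/1.0"',
    '10.106.0.2 - - [12/Mar/2016:16:01:02] "GET /public/calendars/ HTTP/1.1" 200 "-" "ExampleDAV/1.0"',
]

# Constructed nginx error.log sample: two requests rejected by limit_req
# and one unrelated error line that must not match.
NGINX_ERROR_LOG = [
    '2016/03/12 16:05:01 [error] 1234#0: *17 limiting requests, excess: 5.120 by zone "one", '
    'client: 10.106.0.3, server: server, request: "GET /login/ HTTP/1.1", host: "server"',
    '2016/03/12 16:05:01 [error] 1234#0: *18 limiting requests, excess: 6.080 by zone "one", '
    'client: 10.106.0.3, server: server, request: "GET /login/ HTTP/1.1", host: "server"',
    '2016/03/12 16:05:02 [error] 1234#0: *19 open() "/usr/share/nginx/html/favicon.ico" failed '
    '(2: No such file or directory), client: 10.106.0.1, server: server, '
    'request: "GET /favicon.ico HTTP/1.1", host: "server"',
]

if __name__ == "__main__":
    print("first attempt:", matching_hosts(FIRST_ATTEMPT, COZY_LOG))
    print("working, maxretry=3:", hosts_to_ban(WORKING, COZY_LOG, 3))
    print("login only, maxretry=3:", hosts_to_ban(LOGIN_ONLY, COZY_LOG, 3))
    print("nginx limit_req:", matching_hosts(NGINX_LIMIT_REQ, NGINX_ERROR_LOG))
```

Two things the sample makes visible. The first-attempt regex gets zero hits because `<HOST>-` requires the address to be followed immediately by a dash, while cozy.log writes `IP - -`; the working regex bans both hosts at `maxretry = 3`, including the DAV client that only sent credentials after its first 401s, and the `/login`-only variant bans just the brute-forcer. For the second filter, nginx writes the "limiting requests" line to its error log, which is what fail2ban's `[nginx-limit-req]` jail reads, and only when the zone is actually applied with a `limit_req zone=one ...;` directive in a server or location block; `limit_req_zone` in the `http {}` block only defines the zone, so an `ab` run against a server with just that line never produces anything for the filter to match.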