Domoticz log and failed attempt (to use fail2ban)

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

manuloup
Posts: 31
Joined: Sunday 23 November 2014 16:18
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: France

Domoticz log and failed attempt (to use fail2ban)

Post by manuloup »

Hi,

Currently, when someone tries to connect and fails, here is what we get in the log file:

Code:

2015-10-30 17:32:16.616  Error: Failed login attempt for 'toto' !

Would it be possible to add the IP for this kind of failed attempt, so that we can create a rule for Domoticz with Fail2Ban and trap the IP from the Domoticz log file?

Thanks

Regards

Manu
Rapberry PI B+ (RaspBian), RFXtrx433E USB 433.92MHz Transceiver, AEON LABS Controler Z-Wave, Aeon Labs Z-Stick S2, Everspring ST814 Temperature Sensor, Everspring SF812 Smoke Detector, 2x Fibaro Wallplug, Aeon Zwave Miniremote , Xbee Teleinfo USB
gizmocuz
Posts: 2352
Joined: Thursday 11 July 2013 18:59
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Top of the world

Re: Domoticz log and failed attempt

Post by gizmocuz »

Added in beta #3507
Quality outlives Quantity!
manuloup
Posts: 31
Joined: Sunday 23 November 2014 16:18
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: France

Re: Domoticz log and failed attempt

Post by manuloup »

Thanks a lot! I will create the rule for fail2ban and will post a tutorial here.
manuloup
Posts: 31
Joined: Sunday 23 November 2014 16:18
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: France

Re: Domoticz log and failed attempt

Post by manuloup »

Here we go:

1 - edit the file jail.conf in /etc/fail2ban/ and add the following section:

Code:

[domoticz]
enabled  = true
# port Domoticz listens on
port     = 8080
# filter.d/domoticz.conf (next step)
filter   = domoticz
logpath  = /var/log/domoticz.log
# ban after 3 failed attempts within 3600 seconds
maxretry = 3
findtime = 3600

Modify the port and logpath according to your settings.

2 - add the domoticz.conf filter in /etc/fail2ban/filter.d

Code:

vi /etc/fail2ban/filter.d/domoticz.conf

# Fail2Ban configuration file for domoticz
#
# Author: Emmanuel Chanteloup
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Matches lines such as:
#   2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'toto' !
failregex = .* Error: Failed login attempt from <HOST> for user '.*' !

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

3 - restart fail2ban

Code:

sudo /etc/init.d/fail2ban restart

All done!

To do a quick test:

Code:

vi toto.txt
2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'toto' !

then run the following command :

Code:

fail2ban-regex toto.txt /etc/fail2ban/filter.d/domoticz.conf

you should see:

Code:

Success, the total number of match is 1

I also did a try from my cellphone. After 3 unsuccessful attempts, my IP is banned:

Code:

root@raspberrypi:/etc/fail2ban# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
DROP       all  --  37.140.158.148       anywhere
RETURN     all  --  anywhere             anywhere

To remove the IP:

Code:

root@raspberrypi:/etc/fail2ban/filter.d# iptables -D fail2ban-domoticz -s YOUR_IP_HERE (37.140.158.148 for me) -j DROP

I am not banned anymore:

Code:

root@raspberrypi:/etc/fail2ban# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I hope it is clear for you now and that I helped you a bit. Do not hesitate to tell me if I forgot something.

Cheers :)
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt

Post by ThinkPad »

manuloup wrote: Here we go:
[...]
Thank you very much, I was looking for this, to configure on my Ubuntu VM running Domoticz. Will try it soon!

To make more people benefit from it, I have also created a wiki page for it: http://domoticz.com/wiki/Automated_bann ... iple_times
But what I don't understand: at the step 'Testing the new setup' you do vi toto.txt. What is this 'toto.txt' file and why is it named like that?
Is a .txt file created for every username that tries to log in, or so?

And which file do you mean by the 'jail' file? Here: https://www.upcloud.com/support/install ... ntu-14-04/ they mention NOT to use jail.conf, but instead to create a jail.local file and use that. Any advice about that?

By the way, is the regex still correct? The login attempts seem to be logged in a different way in my case (v2.3542):

Code:

domoticz@domoticz-vm:/etc/fail2ban/filter.d$ cat /var/log/domoticz.log | grep 'Failed'
2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:35:51.651  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:35:51.811  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:36:00.245  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:36:00.365  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)

(I put the 'xxx' in myself)

Your failregex seems to search for

Code:

.* Error: Failed login attempt from <HOST> for user '.*' !

so it is a totally different message. Also the username isn't mentioned anymore, only the IP.
I think it should be more like this:

Code:

failregex = Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)

I'm not sure if round brackets need escaping; if so, this would be better:

Code:

failregex = Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)

I will try later; with 'fail2ban-regex' you can test the regex to see if it matches.
I am not active on this forum anymore.
Egregius
Posts: 2582
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius »

I have this in jail.conf:

Code:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.1/24
bantime  = 3600
maxretry = 1
backend = auto
banaction = iptables-allports
mta = sendmail
protocol = all
port	= all
chain = INPUT
action = route

[domoticz]
enabled  = true
filter   = domoticz
logpath  = /var/log/domoticz.log

and in filter.d/domoticz.conf:

Code:

# Fail2Ban configuration file FOR Domoticz Failed login
# Author: Egregius

[Definition]
failregex = Error: Failed login attempt from <HOST>
ignoreregex =

And in action.d/route.conf:

Code:

[Definition]
actionban   = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>

[Init]
blocktype = blackhole

The advantage of 'ip route add blackhole' over the standard fail2ban action is that the packets are dropped at the first level where they arrive; they don't even get to the firewall anymore.
From then on, your IP just doesn't exist anymore.

Tested and confirmed by typing a wrong user/pass on a mobile connection (easiest way to get a new IP).
Or set bantime to a short time for a test and watch the fail2ban log.
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

Thanks for sharing!

But why is my error message/regex different from yours and from manuloup's? I'm running v2.3542 (I thought, not sure).
Egregius
Posts: 2582
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius »

I'm on Rpi v2.3558...
Last edited by Egregius on Wednesday 11 November 2015 13:21, edited 1 time in total.
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

I will update tonight and see if the error message changes...
Egregius
Posts: 2582
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius »

Just updated to the latest beta v2.3570

Code:

2015-11-11 13:37:18.117  Error: Failed login attempt from 178.145.160.129 for user 'test' !

fail2ban with the above filter:

Code:

2015-11-11 13:37:20,439 fail2ban.actions: WARNING [domoticz] Ban 178.145.160.129
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

Thanks, makes it clear I just need to update :)

What about the 'user' part? The tutorial from manuloup does something with the username shown in the Domoticz error message, but you don't seem to do anything with that in your regex.
Banning on IP is fine by me; I don't understand why the username needs to be logged, do you?
Egregius
Posts: 2582
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius »

In the log file you could see if you're the victim of a dictionary attack: user root, admin, administrator, etc. But that doesn't bother me; I block them instantly after one failed attempt.
After an unban and a second try within 2 weeks they're blocked for a year.
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

That's not needed for me either, just ban the @*#($@*(#$

I just updated to v2.3573 (I suddenly remembered I can also SSH to the VM from my phone over VPN and call my update script) but the message is still the same?
It still shows:

Code:

Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: xxx.xx.xx.xx)

I tested by trying to log in with admin/admin about 3-4 times, until the Domoticz page displayed "Domoticz offline".

I don't understand why I get a different message. I run on a different platform (Ubuntu virtual machine x86, you on a Raspberry), but that shouldn't matter, I guess?
Egregius
Posts: 2582
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius »

3-4 times means you'll have maxretry set at 3.
Don't know about the message. Maybe an Ubuntu/RPi difference?
Doesn't matter much, just more difficult for the wiki.

Trying to have fail2ban send Telegram messages now.
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

It seems my message is old; the webserver code contains the message in the way you see it. Look at: https://github.com/domoticz/domoticz/bl ... r.cpp#L837

What I thought of: maybe it has something to do with the login method. You can change that in the Domoticz settings, under 'Website Protection'.
I use Basic-Auth. I don't remember exactly why; I thought it had something to do with the stability of the Android app.
Maybe with the 'Login Page' method (which is the default, if I remember correctly) it will display the message in the way you see it (IP + user).

I will try switching to the 'Login Page' method and logging in with wrong credentials a few times.

Edit: Yup, that was the cause of the different message being displayed. When I switched to 'Login Page', I saw a message like you posted.
Good to know, so we can put both regexes in the fail2ban config in the wiki, so it applies to everyone's situation (whether you use the default login method or Basic-Auth). Luckily fail2ban supports multiple regexes to search for :D

I think the final regex should look like this:

Code:

# one pattern per line; the round brackets of the Basic-Auth message are escaped
# so they match literally instead of forming a regex group
failregex = .* Error: Failed login attempt from <HOST> for user '.*' !
            Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)

I will try tonight with both authentication methods that Domoticz offers, and see if I can get fail2ban to trigger in both situations with the above failregex. I will edit the wiki when I get it working :)
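To check the logic of the configs in this thread without a running fail2ban, here is an added example (not code from the original posts, from fail2ban or from Domoticz) that re-implements in Python what fail2ban does with manuloup's [domoticz] jail and the two-line failregex for both Domoticz message formats: it expands the <HOST> tag the way fail2ban's own filter template describes, matches both the 'Login Page' line (IP + user) and the Basic-Auth line (IP inside round brackets), and applies the maxretry/findtime window from the jail. The log lines in SAMPLE_LOG are constructed for the example (RFC 5737 documentation addresses); the 'Status: Login successful' line is an assumption about what a successful login looks like and is there only as a non-matching line; compile_failregex, parse_line and find_bans are names chosen here, not fail2ban API.

```python
"""Added example: offline re-implementation of fail2ban's matching for the
Domoticz filter discussed in this thread (not fail2ban or Domoticz code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's own expansion of the <HOST> tag (quoted in the filter template above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two message formats seen in the thread.  The round brackets in the
# Basic-Auth line must be escaped, otherwise they form a regex group and the
# literal '(' in the log line is never matched.
FAILREGEX = [
    r"Error: Failed login attempt from <HOST> for user '.*' !",
    r"Error: Webserver: Failed authentication attempt, ignoring client request "
    r"\(remote addresses: <HOST>\)",
]

# Domoticz log lines start with 'YYYY-MM-DD HH:MM:SS.mmm' followed by spaces.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+")

# Constructed sample log (documentation addresses, not real clients).  The
# 'Status: Login successful' line is an assumed format, used as a non-match.
SAMPLE_LOG = """\
2015-11-11 13:37:18.117  Error: Failed login attempt from 203.0.113.7 for user 'test' !
2015-11-11 13:37:25.002  Error: Failed login attempt from 203.0.113.7 for user 'admin' !
2015-11-11 13:38:01.500  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 198.51.100.23)
2015-11-11 13:38:02.100  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 198.51.100.23)
2015-11-11 13:38:03.700  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 198.51.100.23)
2015-11-11 13:40:00.000  Status: Login successful from 192.0.2.10 for user 'manu'
2015-11-11 15:37:18.117  Error: Failed login attempt from 203.0.113.7 for user 'root' !
""".splitlines()


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def parse_line(line, compiled):
    """Return (timestamp, host) if any failregex matches the line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    message = line[m.end():]
    for rx in compiled:
        hit = rx.search(message)
        if hit:
            return stamp, hit.group("host")
    return None


def find_bans(lines, maxretry=3, findtime=3600, patterns=FAILREGEX):
    """Ban a host once it has maxretry matches within findtime seconds, the
    rule the [domoticz] jail applies; returns the hosts in ban order."""
    compiled = compile_failregex(patterns)
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = []
    for line in lines:
        hit = parse_line(line, compiled)
        if hit is None:
            continue
        stamp, host = hit
        if host in banned:
            continue
        # keep only the failures still inside the findtime window
        recent = [t for t in failures[host] if stamp - t <= window] + [stamp]
        failures[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in find_bans(SAMPLE_LOG):
        print(f"[domoticz] Ban {host}")
```

Run it directly to see the ban list: with the jail's maxretry = 3 and findtime = 3600 only the Basic-Auth client is banned, because the other client's third failure falls two hours after its first two; with Egregius's maxretry = 1 both are banned on their first line. Removing the backslashes before the round brackets in the second pattern makes the Basic-Auth lines stop matching, which is the escaping question from this post.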
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

I got it working :) The round brackets needed escaping btw (putting a backslash in front of them, see the wiki for the final regex).
However, I have some questions:

Under: http://domoticz.com/wiki/Automated_bann ... live_setup the original tutorial mentions an IP. In my case (testing over 3G), a hostname is added to the firewall blocklist... (static.kpn.net). This is problematic for unbanning, because the unbanning command needs an IP.

Some parameter that I haven't configured correctly?

For now I just used sudo iptables --flush fail2ban-domoticz, but that flushes the whole fail2ban-domoticz part of iptables, I guess...
djoeney
Posts: 15
Joined: Sunday 17 May 2015 21:54
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: NL

Re: Domoticz log and failed attempt (to use fail2ban)

Post by djoeney »

This is a really nice security enhancement!
At the moment I'm using nginx as a reverse proxy for the use of SSL certificates. I want to implement fail2ban, only I'm having some issues: if I use the Domoticz log I always see "Login successful from 127.0.0.1 for user '######'".
Will try to find out if the source IP could be passed from nginx to Domoticz.
Compute RPi 2 : Domoticz latest beta, Synology : Domoticz tested beta on failover system.
Peripherals RFXCOM - RFXtrx433, Z-Wave.Me ZME_UZB1 USB Stick,P1 cable on smartmeter, Logitech Harmony Hub, 3 IP camera's
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

ThinkPad wrote: I got it working :) The round brackets needed escaping btw [...]
I'm still having problems with this. When I try to lock myself out, the hostname is still being added. I also tried it on a Ziggo business internet connection; the hostname (the same as I see on http://ipinfo.io) is added to iptables. I just want the IP address to be added, instead of the hostname. When I try to unban the hostname, it says it hasn't found anything. When I run the unban command with the IP address, it works...!?
tlpeter
Posts: 191
Joined: Wednesday 26 November 2014 18:43
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Location: Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by tlpeter »

I followed the wiki but fail2ban does not want to start.
This is the error when I do sudo fail2ban-client start:

Code:

WARNING 'findtime' not defined in 'ssh'. Using default value
WARNING 'findtime' not defined in 'dropbear'. Using default value
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING 'findtime' not defined in 'apache'. Using default value
WARNING 'findtime' not defined in 'apache-multiport'. Using default value
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING 'findtime' not defined in 'apache-overflows'. Using default value
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING 'findtime' not defined in 'proftpd'. Using default value
WARNING 'findtime' not defined in 'pure-ftpd'. Using default value
WARNING 'findtime' not defined in 'wuftpd'. Using default value
WARNING 'findtime' not defined in 'postfix'. Using default value
WARNING 'findtime' not defined in 'couriersmtp'. Using default value
WARNING 'findtime' not defined in 'courierauth'. Using default value
WARNING 'findtime' not defined in 'sasl'. Using default value
WARNING 'findtime' not defined in 'dovecot'. Using default value
WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
WARNING 'filter' not defined in 'domoticz'. Using default value
ERROR  /etc/fail2ban/filter.d/.conf and /etc/fail2ban/filter.d/.local do not exist
ERROR  Unable to read the filter
ERROR  Errors in jail 'domoticz'. Skipping...
ThinkPad
Posts: 890
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad »

Did you Google that error already: https://www.google.nl/search?q=WARNING+ ... ot+defined ?

Seems quite easy to fix.