
Domoticz log and failed attempt (to use fail2ban)

Posted: Friday 30 October 2015 17:50
by manuloup
Hi,

Currently, when someone tries to connect and fails, here is what we get in the logfile:

    2015-10-30 17:32:16.616  Error: Failed login attempt for 'toto' !

Would it be possible to add the IP for this kind of failed attempt, so that we can create a rule for Domoticz with Fail2Ban and trap the IP in the Domoticz logfile?

Thanks

Regards

Manu

Re: Domoticz log and failed attempt

Posted: Saturday 31 October 2015 10:58
by gizmocuz
Added in beta #3507

Re: Domoticz log and failed attempt

Posted: Tuesday 03 November 2015 14:51
by manuloup
Thanks a lot! I will create the rule for fail2ban and will make a tutorial here.

Re: Domoticz log and failed attempt

Posted: Tuesday 03 November 2015 19:21
by manuloup
Here we go:

1 - edit the file jail.conf in /etc/fail2ban/ and add the following section:

    [domoticz]
    enabled  = true
    port     = 8080
    filter   = domoticz
    logpath  = /var/log/domoticz.log
    maxretry = 3
    findtime = 3600

Modify the port and logpath according to your settings.

2 - add the domoticz.conf filter in /etc/fail2ban/filter.d

    vi /etc/fail2ban/filter.d/domoticz.conf

    # Fail2Ban configuration file for domoticz
    #
    # Author: Emmanuel Chanteloup
    #
    # $Revision$
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = .* Error: Failed login attempt from <HOST> for user '.*' !

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

3 - restart fail2ban

    sudo /etc/init.d/fail2ban restart

All done!

To do a quick test:

    vi toto.txt :
    2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'toto' !

then run the following command:

    fail2ban-regex  toto.txt /etc/fail2ban/filter.d/domoticz.conf

you should see:

    Success, the total number of match is 1

I also did a try from my cellphone. After 3 unsuccessful attempts, my IP is banned:

    root@raspberrypi:/etc/fail2ban# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-domoticz (1 references)
    target     prot opt source               destination
    DROP       all  --  37.140.158.148       anywhere
    RETURN     all  --  anywhere             anywhere

- to remove the IP:

    root@raspberrypi:/etc/fail2ban/filter.d# iptables -D fail2ban-domoticz -s YOUR_IP_HERE(37.140.158.148 for me) -j DROP
I am not banned anymore:

    root@raspberrypi:/etc/fail2ban# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-domoticz  tcp  --  anywhere             anywhere        multiport dports 8080
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-domoticz (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

I hope it is clear for you now and that I helped you a bit. Do not hesitate to tell me if I forgot something.

Cheers :)

Re: Domoticz log and failed attempt

Posted: Tuesday 10 November 2015 9:07
by ThinkPad
manuloup wrote: Here we go:
[...]

Thank you very much, was looking for this, to configure on my Ubuntu VM running Domoticz. Will try it soon!

To make more people benefit from it, I have also created a wiki page for it: http://domoticz.com/wiki/Automated_bann ... iple_times
But what I don't understand: at the step 'Testing the new setup' you do vi toto.txt. But what is this 'toto.txt' file and why is it named like that?
Is a .txt file created for every username that tries to login or so :?:

And which file do you mean by the 'jail' file? Here: https://www.upcloud.com/support/install ... ntu-14-04/ they mention NOT to use jail.conf, but instead to create a jail.local file and use that. Any advice about that?

By the way, is the regex still correct? The login attempts seem to be logged in a different way in my case (v2.3542):

    domoticz@domoticz-vm:/etc/fail2ban/filter.d$ cat /var/log/domoticz.log | grep 'Failed'
    2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
    2015-11-10 18:35:51.651  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
    2015-11-10 18:35:51.811  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
    2015-11-10 18:36:00.245  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
    2015-11-10 18:36:00.365  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)

(I put the 'xxx' in myself)

Your failregex seems to search for

    .* Error: Failed login attempt from <HOST> for user '.*' !

, so it is a totally different message. Also the username isn't mentioned anymore, only the IP.
I think it should be more like this:

    failregex = Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)

I'm not sure if round brackets need escaping; if so, then this would be better:

    failregex = Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)

I will try later; with 'fail2ban-regex' you can test the regex to see if it matches.

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 12:53
by Egregius
I have this in jail.conf:

    [DEFAULT]
    ignoreip = 127.0.0.1/8 192.168.0.1/24
    bantime  = 3600
    maxretry = 1
    backend = auto
    banaction = iptables-allports
    mta = sendmail
    protocol = all
    port = all
    chain = INPUT
    action = route

    [domoticz]
    enabled  = true
    filter   = domoticz
    logpath  = /var/log/domoticz.log

and in filter.d/domoticz.conf:

    # Fail2Ban configuration file FOR Domoticz Failed login
    # Author: Egregius

    [Definition]
    failregex = Error: Failed login attempt from <HOST>
    ignoreregex =

And in action.d/route.conf:

    [Definition]
    actionban   = ip route add <blocktype> <ip>
    actionunban = ip route del <blocktype> <ip>

    [Init]
    blocktype = blackhole

The advantage of 'ip route add blackhole' over the standard fail2ban action is that the packets are dropped at the first level where they arrive; they don't even get to the firewall anymore.
From then on, your IP just doesn't exist anymore :twisted:

Tested and confirmed by typing wrong user/pass on a mobile connection (easiest to get a new IP).
Or set bantime to a short time for the test and watch the fail2ban log.

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 13:19
by ThinkPad
Thanks for sharing!

But why is my error message/regex different than yours, and from 'manuloup' :? I'm running v2.3542 (I thought, not sure).

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 13:19
by Egregius
I'm on Rpi v2.3558...

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 13:21
by ThinkPad
I will update tonight and see if the error message changes...

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 13:38
by Egregius
Just updated to latest beta v2.3570

    2015-11-11 13:37:18.117  Error: Failed login attempt from 178.145.160.129 for user 'test' !

fail2ban with above filter:

    2015-11-11 13:37:20,439 fail2ban.actions: WARNING [domoticz] Ban 178.145.160.129

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 13:52
by ThinkPad
Thanks, makes it clear I just need to update :)

What about the 'user' part? The tutorial from manuloup does something with the username shown in the Domoticz error message, but you don't seem to do anything with that in your regex.
Banning on IP is fine by me; I don't understand why the username needs to be logged, do you?

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 14:14
by Egregius
In the logfile you could see if you're the victim of a dictionary attack: user root, admin, administrator, etc. But that doesn't bother me, I block them instantly after one failed attempt.
After unban and a second try within 2 weeks they're blocked for a year.

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 14:24
by ThinkPad
That's not needed for me either, just ban the @*#($@*(#$ :twisted:

I just updated to v2.3573 (I suddenly remembered I can also SSH with my phone to the VM over VPN and call my update script) but the message is still the same?
It still shows:

    Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: xxx.xx.xx.xx)

I tested by trying to login with admin/admin about 3-4 times, until the Domoticz page displayed "Domoticz offline".

I don't understand why I get a different message. I run on a different platform (Ubuntu virtual machine x86, you on a Raspberry), but that shouldn't matter I guess?

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 14:43
by Egregius
3-4 times means you'll have maxretry set at 3.
Don't know about the message. Maybe Ubuntu/Rpi difference?
Doesn't matter much, just more difficult for the wiki.

Trying to have fail2ban send telegram now :roll:

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 15:21
by ThinkPad
It seems my message is old, the webserver code contains the message in the way you see it. Look at: https://github.com/domoticz/domoticz/bl ... r.cpp#L837

What I thought of: maybe it has something to do with the login method. You can change that in the Domoticz settings, under 'Website Protection'.
I use Basic-Auth. Don't remember exactly why; I thought it had something to do with stability of the Android app.
Maybe with the 'Login Page' method (which is the default if I remember correctly) it will display the message in the way you see it (IP + user).

I will try switching to the 'Login Page' method and login with wrong credentials a few times.

Edit: Yup, that was the cause for a different message to be displayed. When I switched to 'Login Page', I saw a message like you posted.
Good to know, so we can put both regexes in the fail2ban config in the wiki, so it applies to everyone's situation (if you use the default login method or Basic-Auth). Luckily fail2ban supports multiple regexes to search for :D

I think the final regex should look like this:

    failregex = .* Error: Failed login attempt from <HOST> for user '.*' !
                Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)

I will try tonight with both authentication methods that Domoticz offers, and see if I can get fail2ban to trigger in both situations, with the above failregex. I will edit the wiki when I get it working :)

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Wednesday 11 November 2015 18:41
by ThinkPad
I got it working :) The round brackets needed escaping btw (putting a backslash in front of them, see the wiki for the final regex).
However, I got some questions:

Under: http://domoticz.com/wiki/Automated_bann ... live_setup the original tutorial mentions an IP. In my case (testing over 3G), a hostname is added to the firewall blocklist.... (static.kpn.net). This is something that is problematic for unbanning, because for the unbanning command it needs an IP.

Some parameter that i haven't configured correctly?

For now i just used sudo iptables --flush fail2ban-domoticz, but that flushes the whole fail2ban-domoticz part of iptables i guess...
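As an added example (not code from this thread, nor from the Domoticz or fail2ban projects), the following Python script replays what fail2ban-regex does for the two failregex lines discussed above, the Login Page message and the Basic-Auth message with its round brackets escaped, and then applies the jail's maxretry/findtime rule to the matches. The <HOST> expansion is the alias quoted in the filter header earlier in the thread, so it accepts a hostname as well as an IP address. The log lines and the addresses in them are constructed for this example (documentation ranges, not real clients), and the unescaped Basic-Auth pattern is kept only to show why it never matches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's <HOST> alias, exactly as quoted in the filter header posted in this thread.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines from the thread: 'Login Page' method and Basic-Auth method.
# The Basic-Auth line has its round brackets escaped, which is what made it match.
FAILREGEX = [
    r".* Error: Failed login attempt from <HOST> for user '.*' !",
    r"Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)",
]

# The first, unescaped proposal: here '(' opens a regex group instead of matching the
# literal bracket in the log line, so the pattern never matches the Basic-Auth message.
UNESCAPED_BASIC_AUTH = r"Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)"

# Constructed sample log (assumption: shaped like the lines quoted in the thread; addresses are made up).
SAMPLE_LOG = """\
2015-11-11 13:37:18.117  Error: Failed login attempt from 198.51.100.7 for user 'test' !
2015-11-11 13:37:20.301  Error: Failed login attempt from 198.51.100.7 for user 'admin' !
2015-11-11 13:37:22.009  Error: Failed login attempt from 198.51.100.7 for user 'root' !
2015-11-11 13:40:00.000  Login successful from 192.0.2.10 for user 'manu'
2015-11-11 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 203.0.113.42)
2015-11-11 18:35:51.651  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 203.0.113.42)
2015-11-11 23:00:00.000  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 203.0.113.42)
"""
BASIC_AUTH_LINE = SAMPLE_LOG.splitlines()[4]

# Domoticz prefixes every line with "YYYY-MM-DD HH:MM:SS.mmm"; fail2ban needs that time for findtime.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+")


def compile_failregex(pattern):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


def match_host(pattern, line):
    """Return the captured host for one line, or None if the pattern does not match."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def failed_logins(log_text, patterns=FAILREGEX):
    """Return (timestamp, host) for every line matched by any failregex (search semantics, like fail2ban)."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if not ts:
            continue  # not a Domoticz log line; nothing to count
        for rx in compiled:
            m = rx.search(line)
            if m:
                stamp = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
                hits.append((stamp, m.group("host")))
                break  # one failure per line, even if several regexes match
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=3600):
    """Apply the jail rule: ban a host once it has maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    per_host = defaultdict(list)
    banned = []
    for stamp, host in hits:
        # keep only the failures that still fall inside the findtime window
        per_host[host] = [t for t in per_host[host] if stamp - t <= window] + [stamp]
        if len(per_host[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    hits = failed_logins(SAMPLE_LOG)
    print("matched failures:", len(hits))
    print("banned with maxretry=3, findtime=3600:", hosts_to_ban(hits))
    print("banned with maxretry=1 (Egregius' setting):", hosts_to_ban(hits, maxretry=1))
    print("unescaped Basic-Auth pattern matches:", match_host(UNESCAPED_BASIC_AUTH, BASIC_AUTH_LINE))
```

With the thread's jail settings (maxretry = 3, findtime = 3600) only the first constructed client is banned: the second client's third failure arrives hours after the first two, so it never has three failures inside one window, while with maxretry = 1 both are banned on their first failure.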

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Thursday 12 November 2015 20:43
by djoeney
This is a really nice security enhancement!
At the moment I'm using nginx as a reverse proxy for the use of SSL certificates. I want to implement fail2ban, only I'm having some issues: if I would use the Domoticz log I always see "Login successful from 127.0.0.1 for user '######'".
Will try to find out if the source IP could be given from nginx to Domoticz.

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Tuesday 15 December 2015 11:37
by ThinkPad
ThinkPad wrote: I got it working :) The round brackets needed escaping btw (putting a backslash in front of them, see the wiki for the final regex).
However, I got some questions:

Under: http://domoticz.com/wiki/Automated_bann ... live_setup the original tutorial mentions an IP. In my case (testing over 3G), a hostname is added to the firewall blocklist.... (static.kpn.net). This is something that is problematic for unbanning, because for the unbanning command it needs an IP.

Some parameter that I haven't configured correctly?

For now I just used sudo iptables --flush fail2ban-domoticz, but that flushes the whole fail2ban-domoticz part of iptables I guess...

I'm still having problems with this. When I try to lock myself out, the hostname is still being added. I also tried it on a Ziggo business internet connection; the hostname (same as I see on http://ipinfo.io) is added to iptables. I just want the IP address to be added, instead of the hostname. When I try to unban the hostname, it says it hasn't found anything. When I run the unban command with the IP address, it works....!?

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Tuesday 15 December 2015 17:52
by tlpeter
I followed the wiki but fail2ban does not want to start.
This is the error when I do sudo fail2ban-client start

    WARNING 'findtime' not defined in 'ssh'. Using default value
    WARNING 'findtime' not defined in 'dropbear'. Using default value
    WARNING 'findtime' not defined in 'pam-generic'. Using default value
    WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
    WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
    WARNING 'findtime' not defined in 'apache'. Using default value
    WARNING 'findtime' not defined in 'apache-multiport'. Using default value
    WARNING 'findtime' not defined in 'apache-noscript'. Using default value
    WARNING 'findtime' not defined in 'apache-overflows'. Using default value
    WARNING 'findtime' not defined in 'vsftpd'. Using default value
    WARNING 'findtime' not defined in 'proftpd'. Using default value
    WARNING 'findtime' not defined in 'pure-ftpd'. Using default value
    WARNING 'findtime' not defined in 'wuftpd'. Using default value
    WARNING 'findtime' not defined in 'postfix'. Using default value
    WARNING 'findtime' not defined in 'couriersmtp'. Using default value
    WARNING 'findtime' not defined in 'courierauth'. Using default value
    WARNING 'findtime' not defined in 'sasl'. Using default value
    WARNING 'findtime' not defined in 'dovecot'. Using default value
    WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
    WARNING 'filter' not defined in 'domoticz'. Using default value
    ERROR  /etc/fail2ban/filter.d/.conf and /etc/fail2ban/filter.d/.local do not exist
    ERROR  Unable to read the filter
    ERROR  Errors in jail 'domoticz'. Skipping...

Re: Domoticz log and failed attempt (to use fail2ban)

Posted: Tuesday 15 December 2015 19:27
by ThinkPad
Did you Google that error already: https://www.google.nl/search?q=WARNING+ ... ot+defined ?

Seems quite easy to fix.
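To make that check concrete, here is an added Python example (not code from this thread or from fail2ban itself) that reproduces the "filter file does not exist" part of the posted error before fail2ban is started: it reads a jail configuration and, for every enabled jail, looks for filter.d/<filter>.conf or filter.d/<filter>.local, which is exactly what the posted error message reports. The jail text and the temporary filter.d directory are constructed for the example; the empty filter name used for a jail without a 'filter' line is an assumption that mirrors the posted output, which looked for filter.d/.conf.

```python
import configparser
import os
import tempfile

# Constructed jail configuration: the first jail is complete (as in manuloup's tutorial);
# the second omits the 'filter' line, which is what the posted error output points at.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 3600
maxretry = 3

[domoticz]
enabled  = true
port     = 8080
filter   = domoticz
logpath  = /var/log/domoticz.log

[domoticz-broken]
enabled  = true
port     = 8080
logpath  = /var/log/domoticz.log
"""

# Minimal filter, taken from the filter.d/domoticz.conf posted earlier in the thread.
SAMPLE_FILTER = "[Definition]\nfailregex = Error: Failed login attempt from <HOST>\nignoreregex =\n"


def check_jails(jail_text, filter_dir):
    """Return {jail: problem} for every enabled jail whose filter file cannot be found.

    For jail X the function looks for <filter_dir>/<filter>.conf or .local. A jail
    without a 'filter' key gets an empty name (assumption matching the posted error,
    which looked for filter.d/.conf), so it is always reported.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    problems = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # disabled jails are never loaded, so a missing filter does not matter
        name = cp.get(jail, "filter", fallback="")
        candidates = [os.path.join(filter_dir, name + ext) for ext in (".conf", ".local")]
        if not any(os.path.isfile(p) for p in candidates):
            problems[jail] = "filter file not found: " + " or ".join(candidates)
    return problems


def demo():
    """Run the check against a temporary filter.d that contains only domoticz.conf."""
    with tempfile.TemporaryDirectory() as filter_dir:
        with open(os.path.join(filter_dir, "domoticz.conf"), "w") as f:
            f.write(SAMPLE_FILTER)
        return check_jails(SAMPLE_JAIL_CONF, filter_dir)


if __name__ == "__main__":
    for jail, problem in demo().items():
        print(f"jail '{jail}': {problem}")
```

Pointing check_jails at the real /etc/fail2ban/jail.local (or jail.conf) and /etc/fail2ban/filter.d reports the same jail fail2ban would skip, without restarting the service.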