seafile-authentication-fail2ban

What is fail2ban?

Fail2ban is an intrusion prevention software framework which protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.

(Definition from Wikipedia - https://en.wikipedia.org/wiki/Fail2ban)

Why do I need to install this fail2ban filter?

To protect your Seafile website against brute-force attempts. Each time a user/computer tries to log in and fails 3 times, a new line is written to your Seafile log (seahub.log).

Fail2ban monitors this log file and bans the source IP address of the failed authentications by adding a new rule to your firewall.

Installation

Set the correct time zone in seahub_settings.py

WARNING: Without this, your Fail2Ban filter will not work.

Add the following setting to seahub_settings.py, replacing the value with your own time zone.

  # TimeZone
  TIME_ZONE = 'Europe/Stockholm'

Copy and edit the jail.local file

WARNING: this file may override some parameters from your jail.conf file.

Edit jail.local and set:

  • the ports used by your Seafile website (e.g. http,https);
  • logpath (e.g. /home/yourusername/logs/seahub.log);
  • maxretry (the default of 3 is equivalent to 9 real attempts in Seafile, because one line is written to the Seafile log for every 3 failed authentications).

Create the file jail.local in /etc/fail2ban with the following content:

  # All standard jails are in the configuration file located at
  # /etc/fail2ban/jail.conf
  # Warning: you may override any other parameter (e.g. banaction,
  # action, port, logpath, etc.) in that section within jail.local
  # Change logpath to the log file used by Seafile (e.g. seahub.log)
  # You can also change maxretry (3 attempts = 1 line written in the
  # Seafile log)
  # So with maxretry set to 1, a user can try 3 times before their IP is banned
  [seafile]
  enabled = true
  port = http,https
  filter = seafile-auth
  logpath = /home/yourusername/logs/seahub.log
  maxretry = 3

Create the fail2ban filter file seafile-auth.conf in /etc/fail2ban/filter.d with the following content:

  # Fail2Ban filter for seafile
  #
  [INCLUDES]
  # Read common prefixes. If any customizations available -- read them from
  # common.local
  before = common.conf
  [Definition]
  _daemon = seaf-server
  failregex = Login attempt limit reached.*, ip: <HOST>
  ignoreregex =
  # DEV Notes:
  #
  # pattern : 2015-10-20 15:20:32,402 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: <user>, ip: 1.2.3.4, attemps: 3
  # 2015-10-20 17:04:32,235 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 1.2.3.4, attempts: 3

Restart fail2ban

Finally, just restart fail2ban and check your firewall (iptables for me):

  sudo fail2ban-client reload
  sudo iptables -S

Fail2ban will create a new chain for this jail, so you should see these new lines:

  ...
  -N fail2ban-seafile
  ...
  -A fail2ban-seafile -j RETURN

Tests

To do a simple test (you have to be an administrator on your Seafile server), go to your Seafile web server URL and try 3 authentications with a wrong password.

Once you have done that, you are banned from the http and https ports in iptables, thanks to fail2ban.

To check that:

On fail2ban:

  denis@myserver:~$ sudo fail2ban-client status seafile
  Status for the jail: seafile
  |- filter
  |  |- File list: /home/<youruser>/logs/seahub.log
  |  |- Currently failed: 0
  |  `- Total failed: 1
  `- action
     |- Currently banned: 1
     |  `- IP list: 1.2.3.4
     `- Total banned: 1

On iptables:

  sudo iptables -S
  ...
  -A fail2ban-seafile -s 1.2.3.4/32 -j REJECT --reject-with icmp-port-unreachable
  ...

To unban your IP address, just execute this command:

  sudo fail2ban-client set seafile unbanip 1.2.3.4

Note

Because three (3) failed login attempts result in one line added to seahub.log, a Fail2Ban jail with maxretry = 3 is equivalent to nine (9) failed login attempts.
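
The sketch below is an added example, not part of the original guide or of fail2ban itself. It applies the page's failregex to a constructed seahub.log excerpt and counts matched lines per IP the way a jail does, to show how maxretry relates to real login attempts. Assumptions: `<HOST>` is replaced by a simplified IPv4-only group, findtime is taken as 10 minutes (the page does not set it), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied from seafile-auth.conf. fail2ban expands <HOST> itself; here it
# is replaced by a simplified IPv4-only group (assumption, for illustration).
FAILREGEX = r"Login attempt limit reached.*, ip: <HOST>"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
ATTEMPTS_PER_LINE = 3  # Seahub logs one line per 3 failed logins (per the page)

# Constructed sample log, modelled on the two formats in the filter's DEV notes.
SAMPLE_LOG = """\
2015-10-20 15:20:32,402 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: alice, ip: 1.2.3.4, attempts: 3
2015-10-20 15:21:10,118 [INFO] seahub.views:88 some unrelated line
2015-10-20 15:22:05,007 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 1.2.3.4, attempts: 3
2015-10-20 15:23:41,950 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 5.6.7.8, attempts: 3
2015-10-20 15:24:59,300 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: alice, ip: 1.2.3.4, attempts: 3
"""

def parse_failures(log_text):
    """Return [(timestamp, ip)] for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
            hits.append((ts, m.group("host")))
    return hits

def banned_ips(hits, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least maxretry matched lines inside one findtime window."""
    per_ip = defaultdict(list)
    for ts, ip in hits:
        per_ip[ip].append(ts)
    banned = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
    return banned

def real_attempts(maxretry):
    """Failed logins a client gets before the jail's maxretry is reached."""
    return maxretry * ATTEMPTS_PER_LINE
```

On a live server, `fail2ban-regex /home/yourusername/logs/seahub.log /etc/fail2ban/filter.d/seafile-auth.conf` performs the matching check against the real log with fail2ban's own `<HOST>` expansion.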