Domoticz log and failed attempt (to use fail2ban)

On various Hardware and OS systems: pi / windows / routers / nas, etc
manuloup
Posts: 74
Joined: Sunday 23 November 2014 17:18
Target OS: Raspberry Pi
Domoticz version:
Location: France
Contact:

Domoticz log and failed attempt (to use fail2ban)

Post by manuloup » Friday 30 October 2015 18:50

Hi,

Currently, when someone tries to connect and fails, here is what we get in the logfile :

Code: Select all

2015-10-30 17:32:16.616  Error: Failed login attempt for 'toto' !
Would that be possible to add the IP for this kind of failed attempt, so that we can create a rule for domoticz with Fail2Ban and trap the IP in the domoticz logfile ?

Thanks

Regards

Manu
Rapberry PI B+ (RaspBian), RFXtrx433E USB 433.92MHz Transceiver, AEON LABS Controler Z-Wave, Aeon Labs Z-Stick S2, Everspring ST814 Temperature Sensor, Everspring SF812 Smoke Detector, 2x Fibaro Wallplug, Aeon Zwave Miniremote , Xbee Teleinfo USB

User avatar
gizmocuz
Posts: 8649
Joined: Thursday 11 July 2013 18:59
Target OS: Raspberry Pi
Domoticz version: beta
Location: Top of the world
Contact:

Re: Domoticz log and failed attempt

Post by gizmocuz » Saturday 31 October 2015 11:58

Added in beta #3507
Quality outlives Quantity!

manuloup
Posts: 74
Joined: Sunday 23 November 2014 17:18
Target OS: Raspberry Pi
Domoticz version:
Location: France
Contact:

Re: Domoticz log and failed attempt

Post by manuloup » Tuesday 03 November 2015 15:51

Thanks a lot ! I will create the rule for fail2ban and will make a tutorial here.
Rapberry PI B+ (RaspBian), RFXtrx433E USB 433.92MHz Transceiver, AEON LABS Controler Z-Wave, Aeon Labs Z-Stick S2, Everspring ST814 Temperature Sensor, Everspring SF812 Smoke Detector, 2x Fibaro Wallplug, Aeon Zwave Miniremote , Xbee Teleinfo USB

manuloup
Posts: 74
Joined: Sunday 23 November 2014 17:18
Target OS: Raspberry Pi
Domoticz version:
Location: France
Contact:

Re: Domoticz log and failed attempt

Post by manuloup » Tuesday 03 November 2015 20:21

Here we go :

1 - edit the file jail.conf in /etc/fail2ban/ and add the following section :

Code: Select all

 [domoticz]

enabled  = true
port     = 8080
filter   = domoticz
logpath  = /var/log/domoticz.log
maxretry = 3
findtime = 3600
Modify the port and logpath according to your settings.

2 - add the domoticz.conf filter in /etc/fail2ban/filter.d

Code: Select all

vi /etc/fail2ban/filter.d/domoticz.conf
 
 # Fail2Ban configuration file for domoticz
#
# Author: Emmanuel Chanteloup
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = .* Error: Failed login attempt from <HOST> for user '.*' !

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
3 - restart fail2ban

Code: Select all

 sudo /etc/init.d/fail2ban restart
All done !

To do a quick test :

Code: Select all

 vi toto.txt :
 2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'toto' !

then run the following command :

Code: Select all

fail2ban-regex  toto.txt /etc/fail2ban/filter.d/domoticz.conf
you should see :

Code: Select all

Success, the total number of match is 1
I also did a try from my cellphone. After 3 unsuccessful attemps, my ip is banned :

Code: Select all

 root@raspberrypi:/etc/fail2ban# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
DROP       all  --  37.140.158.148       anywhere
RETURN     all  --  anywhere             anywhere
- to remove the ip :

Code: Select all

 root@raspberrypi:/etc/fail2ban/filter.d# iptables -D fail2ban-domoticz -s YOUR_IP_HERE(37.140.158.148 for me) -j DROP
I am not banned anymore :

Code: Select all

 root@raspberrypi:/etc/fail2ban# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere        multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
I hope it is clear for you now and that I helped you a bit. Do not hesitate to tell if I forgot something.

Cheers :)
Rapberry PI B+ (RaspBian), RFXtrx433E USB 433.92MHz Transceiver, AEON LABS Controler Z-Wave, Aeon Labs Z-Stick S2, Everspring ST814 Temperature Sensor, Everspring SF812 Smoke Detector, 2x Fibaro Wallplug, Aeon Zwave Miniremote , Xbee Teleinfo USB

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt

Post by ThinkPad » Tuesday 10 November 2015 10:07

manuloup wrote:Here we go :
[...]
Thank you very much, was looking for this, to configure on my Ubuntu VM running Domoticz. Will try it soon!

To make more people benefit from it, i have also created a wiki page for it: http://domoticz.com/wiki/Automated_bann ... iple_times
But what i don't understand, at the step 'Testing the new setup' you do vi toto.txt. But what is this 'toto.txt' file and why is it named like that?
Is a .txt file created for every username that tries to login or so :?:

And which file do you mean by the 'jail' file? Here: https://www.upcloud.com/support/install ... ntu-14-04/ they mention NOT to use jail.conf, but instead create a jail.local file and using that. Any advice about that?

By the way, is the regex still correct? The login attempts seem to be logged in a different way in my case (v2.3542):

Code: Select all

domoticz@domoticz-vm:/etc/fail2ban/filter.d$ cat /var/log/domoticz.log | grep 'Failed'
2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:35:51.651  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:35:51.811  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:36:00.245  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
2015-11-10 18:36:00.365  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 188.xxx.64.xxx)
(i put the 'xxx'in myself)

Your failregex seems to search for

Code: Select all

.* Error: Failed login attempt from <HOST> for user '.*' !
, so it is a totally different message. Also the username isn't mentioned anymore, only the IP.
I think it should be more like this:

Code: Select all

failregex = Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)
I'm not sure if round brackets need escaping, if true then this would be better:

Code: Select all

failregex = Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)
I will try later, with 'fail2ban-regex' you can test the regex to see if it matches.
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Egregius
Posts: 2691
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius » Wednesday 11 November 2015 13:53

I have this in jail.conf:

Code: Select all

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.1/24
bantime  = 3600
maxretry = 1
backend = auto
banaction = iptables-allports
mta = sendmail
protocol = all
port	= all
chain = INPUT
action = route

[domoticz]
enabled  = true
filter   = domoticz
logpath  = /var/log/domoticz.log
and in filter.d/domoticz.conf:

Code: Select all

# Fail2Ban configuration file FOR Domoticz Failed login
# Author: Egregius

[Definition]
failregex = Error: Failed login attempt from <HOST>
ignoreregex =
And in action.d/route.conf:

Code: Select all

[Definition]
actionban   = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>

[Init]
blocktype = blackhole
The advantage of 'ip route add blackhole' over the standard fail2ban action is that the packets are dropped at first level where they arrive, they don't even get to the firewall anymore.
From then on, your ip just doesn't exists anymore :twisted:

Tested and confirmed by typing wrong user/pass on mobile connection (easiest to get new ip).
Or set bantime to a short time for test and watch the fail2ban log.

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 14:19

Thanks for sharing!

But why is my error message/regex different than yours, and from 'manuloup' :? I'm running v2.3542 (i thought, not sure).
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Egregius
Posts: 2691
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius » Wednesday 11 November 2015 14:19

I'm on Rpi v2.3558...
Last edited by Egregius on Wednesday 11 November 2015 14:21, edited 1 time in total.

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 14:21

I will update tonight and see if the error message changes...
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Egregius
Posts: 2691
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius » Wednesday 11 November 2015 14:38

Just updated to latest beta v2.3570

Code: Select all

2015-11-11 13:37:18.117  Error: Failed login attempt from 178.145.160.129 for user 'test' !
fail2ban with above filter:

Code: Select all

2015-11-11 13:37:20,439 fail2ban.actions: WARNING [domoticz] Ban 178.145.160.129

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 14:52

Thanks, makes it clear i just need to update :)

What about the 'user' part? The tutorial from manuloup does something with the username shown in the Domoticz error message, but you don't seem to do anything with that in your regex.
Banning on IP is fine by me, i don't understand why the username needs to be logged, do you?
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Egregius
Posts: 2691
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius » Wednesday 11 November 2015 15:14

In the logfile you could see of you're victim of dictionary attack. User root, admin, administrator, etc. But that doesn't bother me, I block them instantly after one failed attempt.
After unban and second try within 2 weeks they're blocked for a year.

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 15:24

That's not needed for me either, just ban the @*#($@*(#$ :twisted:

I just updated to v2.3573 (i suddenly remembered i can also SSH with my phone to the VM over VPN and call my update script) but the message is still the same?
It still shows:

Code: Select all

Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: xxx.xx.xx.xx)
I tested by trying to login with admin/admin about 3-4 times, untill the Domoticz page displayed "Domoticz offline".

I don't understand why i get a different message. I run on a different platform (Ubuntu virtual machine x86, you on a Raspberry), but that shouln't matter i guess?
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Egregius
Posts: 2691
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by Egregius » Wednesday 11 November 2015 15:43

3-4 times means you'll have maxretry set at 3.
Don't know about the message. Maybe Ubuntu/Rpi difference?
Doesn't mather much, just difficulter for the wiki.

Trying to have fail2ban sent telegram now :roll:

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 16:21

It seems my message is old, the webserver code contains the message in the way you see it. Look at: https://github.com/domoticz/domoticz/bl ... r.cpp#L837

What i thought of, maybe it has something to do with the login method. You can change that in the Domoticz settings, under 'Website Protection'.
I use Basic-Auth. Don't remember exactly why, i thought it had something to do with stability of the Android app.
Maybe with the 'Login Page' method (which is the default if i remember correctly) it will display the message in the way you see it (IP + user).

I will try switching to 'Login Page' methode and login with wrong credentials a few times.

Edit: Yup, that was the cause for a different message to be displayed. When i switched to 'Login Page', i saw a message like you posted.
Good to know, so we can put both regex'es in the fail2ban config in the wiki, so it applies for everyone' situation (if you use default login method or Basic-Auth). Luckily fail2ban supports multiple regex'es to search for :D

I think the final regex should look like this:

Code: Select all

failregex = .* Error: Failed login attempt from <HOST> for user '.*' !   
            Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: <HOST>)
I will try tonight with both authentication methods that Domoticz offers, and see if i can get fail2ban to trigger in both situations, with the above failregex. I will edit the wiki when i get it working :)
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Wednesday 11 November 2015 19:41

I got it working :) The round brackets needed escaping btw (putting a backward slash in front of them, see the wiki for final regex).
However, i got some questions:

Under: http://domoticz.com/wiki/Automated_bann ... live_setup the original tutorial mentions an IP. In my case (testing over 3G), a hostname is added to the firewall blocklist.... (static.kpn.net). This is something that is problematic for unbanning, because for the unbanning command it needs an IP.

Some parameter that i haven't configured correctly?

For now i just used sudo iptables --flush fail2ban-domoticz, but that flushes the whole fail2ban-domoticz part of iptables i guess...
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

djoeney
Posts: 21
Joined: Sunday 17 May 2015 21:54
Target OS: Raspberry Pi
Domoticz version: Beta
Location: NL
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by djoeney » Thursday 12 November 2015 21:43

This is a really nice security enhancement!
At the moment i'm using nginx as a reverse proxy for the use of SSL certificates. I want to implement fail2ban only I'm having some issues if i would use the domoticz log i always see "Login successful from 127.0.0.1 for user '######"'
Will try to find out if the source IP could be given from nginx to domoticz.
Compute RPi 2 : Domoticz latest beta, Synology : Domoticz tested beta on failover system.
Peripherals RFXCOM - RFXtrx433, Z-Wave.Me ZME_UZB1 USB Stick,P1 cable on smartmeter, Logitech Harmony Hub, 3 IP camera's

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Tuesday 15 December 2015 12:37

ThinkPad wrote:I got it working :) The round brackets needed escaping btw (putting a backward slash in front of them, see the wiki for final regex).
However, i got some questions:

Under: http://domoticz.com/wiki/Automated_bann ... live_setup the original tutorial mentions an IP. In my case (testing over 3G), a hostname is added to the firewall blocklist.... (static.kpn.net). This is something that is problematic for unbanning, because for the unbanning command it needs an IP.

Some parameter that i haven't configured correctly?

For now i just used sudo iptables --flush fail2ban-domoticz, but that flushes the whole fail2ban-domoticz part of iptables i guess...
I'm still having problems with this. When i try to lock myself, the hostname is still being added. I also tried it on a Ziggo business internet connection, the hostname (same as i see on http://ipinfo.io) is added to iptables. I just want the IP-address to be added, instead of the hostname. When i try to unban the hostname, it says it hasn't found anything. When i run the unban command with the IP-address, it works....!?
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

tlpeter
Posts: 409
Joined: Wednesday 26 November 2014 19:43
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by tlpeter » Tuesday 15 December 2015 18:52

I followed the wiki but fail2ban does not want to start.
This is the error when i do sudo fail2ban-client start

Code: Select all

WARNING 'findtime' not defined in 'ssh'. Using default value
WARNING 'findtime' not defined in 'dropbear'. Using default value
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING 'findtime' not defined in 'apache'. Using default value
WARNING 'findtime' not defined in 'apache-multiport'. Using default value
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING 'findtime' not defined in 'apache-overflows'. Using default value
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING 'findtime' not defined in 'proftpd'. Using default value
WARNING 'findtime' not defined in 'pure-ftpd'. Using default value
WARNING 'findtime' not defined in 'wuftpd'. Using default value
WARNING 'findtime' not defined in 'postfix'. Using default value
WARNING 'findtime' not defined in 'couriersmtp'. Using default value
WARNING 'findtime' not defined in 'courierauth'. Using default value
WARNING 'findtime' not defined in 'sasl'. Using default value
WARNING 'findtime' not defined in 'dovecot'. Using default value
WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
WARNING 'filter' not defined in 'domoticz'. Using default value
ERROR  /etc/fail2ban/filter.d/.conf and /etc/fail2ban/filter.d/.local do not exist
ERROR  Unable to read the filter
ERROR  Errors in jail 'domoticz'. Skipping...

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Domoticz log and failed attempt (to use fail2ban)

Post by ThinkPad » Tuesday 15 December 2015 20:27

Did you Google that error already: https://www.google.nl/search?q=WARNING+ ... ot+defined ?

Seems quite easy to fix.
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

Post Reply

Who is online

Users browsing this forum: No registered users and 3 guests