Automated banning of IP that fails to login multiple times

From Domoticz

Introduction

When you have enabled external access to your Domoticz system, it is a good idea to set up 'fail2ban' to make your system more secure.
Fail2ban is an application that looks for failed login attempts in the logfile you specify. Since beta #3507 of Domoticz, failed login attempts into Domoticz are logged together with the source IP address, so we can monitor this logfile with fail2ban and take action (in this case, banning the IP address).

User 'manuloup' has created a nice tutorial for this. The steps are written down below.

Steps for setting up fail2ban

Follow the steps below to set up fail2ban.

Installing fail2ban

Of course you first need to install fail2ban:
sudo apt-get install fail2ban

Adding the Domoticz log to fail2ban

First we are going to tell fail2ban where it should look and for what.

sudo nano /etc/fail2ban/jail.local
when the editor opens, add the following section:

[domoticz]

enabled  = true
port     = 8080
filter   = domoticz
logpath  = /tmp/domoticz.txt
maxretry = 3
findtime = 3600

Modify the port and logpath according to your settings.

If you don't have a 'domoticz.txt' in /tmp/, you might need to enable logging to a file first. This can be done by editing the domoticz.sh file:
sudo nano /etc/init.d/domoticz.sh

DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"

Remove the # in front of DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"
Save the file, and restart Domoticz: sudo /etc/init.d/domoticz.sh restart

Be warned though: the log will get big quite quickly, so it is advised to use something like logrotate. On a Raspberry Pi (with SD-card) I'm not sure if activating the log is a good idea; it will wear out the SD-card quickly. See this topic for more information on how to write the log to RAM, truncate it, etc.

To see if the log contains the data we want, run cat /tmp/domoticz.txt | grep 'Incoming'.
This should show something like:

2015-11-10 17:51:55.765  Incoming connection from: 127.0.0.1
2015-11-10 17:52:02.220  Incoming connection from: 192.168.4.1
2015-11-10 17:52:03.932  Incoming connection from: 192.168.4.29
2015-11-10 17:56:49.103  Incoming connection from: 192.168.4.29

Add search definitions for Domoticz in fail2ban

To let fail2ban find the IP addresses it needs for banning, we need to provide fail2ban with some search definitions (regex).
We are going to create a new file with the search patterns for Domoticz in it.
Open a text editor: sudo nano /etc/fail2ban/filter.d/domoticz.conf and paste the contents below into it:

# Fail2Ban configuration file for domoticz
#
# Author: Domoticz user 'ThinkPad'
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\) !
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)

# First line is for the 'Login Page' authentication mode of Domoticz
# Second line is for the 'Basic-Auth' authentication mode of Domoticz
#
#
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Save and quit the file.

(Optional) Adding a whitelist with IP's never to be blocked

I don't want fail2ban to block PCs in my LAN; it is quite annoying if I type in a password incorrectly myself and get banned. And attacks coming from inside my network should not be happening anyway. So I will put my LAN network on the fail2ban whitelist.

Open jail.conf in a text editor: sudo nano /etc/fail2ban/jail.conf
Look for the 'ignoreip = 127.0.0.1/8' line. Change it to something like this:
ignoreip = 127.0.0.1/8 192.168.1.0/24
Change the 192.168.1.0 to your own LAN IP range. If you have other IPs of trusted networks, just add them at the end (the IPs are separated by a space).
See also http://www.fail2ban.org/wiki/index.php/Whitelist

Restart fail2ban

To apply the new settings, restart fail2ban

sudo /etc/init.d/fail2ban restart

Testing fail2ban

Testing the matching rule

To do a quick test you can create a file which we are going to supply to the fail2ban regex tester. Create it by running: sudo nano wronglogin.txt
A blank file will open; paste in these two lines:

2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'testing123' !
2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 37.130.158.115)

Then run the following command: fail2ban-regex wronglogin.txt /etc/fail2ban/filter.d/domoticz.conf
This will not ban anything yet; it just looks for entries in the fake logfile we supply (wronglogin.txt) and checks whether they match our filter (regex).

If the regex is correct, we should see:

Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [1] Error: Failed login attempt from <HOST> for user '.*' !
|   2) [1] Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)
`-

As you can see there is 1 line that matches the first regex ('Login Page' authentication method of Domoticz) and 1 line that matches the second regex ('Basic-Auth' authentication method of Domoticz).
These numbers should match the number of lines (with failed login attempts) you put in the test logfile.

Testing the live setup

I also tried from my cellphone. After 3 unsuccessful login attempts, my IP address got banned.
We can see this by running sudo iptables -L. See the 'DROP' part at the end of the output; the banned IPs are listed there.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
DROP       all  --  37.140.158.148       anywhere
RETURN     all  --  anywhere             anywhere

You see the 37.140.158.148 here, that is the IP-address my phone was using (check it before logging in with www.icanhazip.com).

Removing an IP-address from the blocklist

Run the following command to remove an IP address from the blocklist (one that got blocked but that you don't want to be blocked):
sudo fail2ban-client set domoticz unbanip YOUR_IP_HERE
We use the jail name 'domoticz'. To find the correct jail name, run: sudo fail2ban-client status

After we have run the unban command, we should no longer be banned. We can see this by running sudo iptables -L. As you see, the IP address is now removed from the 'DROP' part at the end:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere        multiport dports 8080
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-domoticz (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere