Setup fail2ban

From Domoticz

When you have enabled external access to your Domoticz system, you should set up 'fail2ban' to ban IPs that produce multiple failed authentications. This limits password guessing against the exposed login and so increases the overall security of your system.

Fail2ban is an application that watches the logfile you specify for failed login attempts. Since beta #3507 of Domoticz, failed login attempts are logged together with the client IP address, so fail2ban can monitor the logfile and take action (here: banning that IP address with a firewall rule).

Setup fail2ban

Install fail2ban

Of course you first need to install fail2ban:

sudo apt-get install fail2ban

Adding Domoticz log to fail2ban

We need to tell fail2ban where the Domoticz logfile is located.

sudo nano /etc/fail2ban/jail.local

When the editor opens, add the following section:
[domoticz]
enabled = true
port = 8080
filter = domoticz
logpath = /tmp/domoticz.txt
maxretry = 3
findtime = 3600

Set port to the port you actually expose: if you only publish the SSL port, use 443; if both are reachable, list both as port = 8080,443. logpath must be the real path of your Domoticz logfile. With these values an address is banned after 3 failed logins within 3600 seconds (one hour); the length of the ban is fail2ban's default bantime unless you add a bantime line to the section.

If there is no domoticz.txt in /tmp/, you probably need to enable logging to a file first. This is done in the init script:
sudo nano /etc/init.d/domoticz.sh

DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt"

Remove the # in front of DAEMON_ARGS="$DAEMON_ARGS -log /tmp/domoticz.txt" (leave the -www and -sslwww lines as they are; the ports there are the ones the jail and the filter must refer to).
Save the file, and restart Domoticz: sudo service domoticz restart

Check that the file is now being written:
ls /tmp/
You should see domoticz.txt if everything was done correctly.

Be warned though: the log grows quickly. Use something like logrotate to keep it bounded. On a Raspberry Pi booting from an SD card, logging to the card is not a good idea, as the constant writes wear it out quickly. See this topic for more information on how to write the log to RAM, truncate it, etc.

To see whether the log contains the data we want, run grep 'Incoming' /tmp/domoticz.txt. This should show something like:

2015-11-10 17:51:55.765 Incoming connection from: 127.0.0.1
2015-11-10 17:52:02.220 Incoming connection from: 192.168.4.1
2015-11-10 17:52:03.932 Incoming connection from: 192.168.4.29
2015-11-10 17:56:49.103 Incoming connection from: 192.168.4.29

These lines only confirm that connections are logged with their source address. The lines fail2ban will actually act on are the 'Failed login attempt' / 'Failed authentication attempt' errors written after a wrong password; make one on purpose and grep for 'Failed' to see the exact wording your Domoticz version writes, because the filter in the next step must match it.

Add search definitions for Domoticz

To let fail2ban find the IP-addresses that it needs for banning, we need to provide fail2ban with some search definitions (regex).
We are going to create a new file with search-patterns for Domoticz in it.
Open a text editor: sudo nano /etc/fail2ban/filter.d/domoticz.conf and paste the contents below into it:

# Fail2Ban configuration file for domoticz
#
# Author: Domoticz user 'ThinkPad'
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: \[Web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)

# The first two lines cover the 'Login Page' authentication mode of Domoticz
# (two spellings of the same message, with and without the word 'user').
# The last two cover the 'Basic-Auth' authentication mode, one per listening
# port. The port inside the brackets is part of the logged message, so change
# 8080 / 443 here to the ports your own Domoticz writes in its log lines; a
# pattern whose port never appears in the log never matches and never bans.
#
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Save and quit the file.

(Optional) Adding a whitelist with IP's never to be blocked

I don't want fail2ban to block PCs in my LAN: it is quite annoying to get banned after mistyping a password myself, and attacks from inside my own network should not be happening anyway. So I put my LAN range on the fail2ban whitelist.

Put the whitelist in jail.local rather than in jail.conf (jail.conf is overwritten when the fail2ban package is upgraded; jail.local is not). Open it with sudo nano /etc/fail2ban/jail.local and add (or extend) a [DEFAULT] section above the [domoticz] jail:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

Change 192.168.1.0/24 to your own LAN range. If you have other trusted networks, add them at the end, separated by spaces. Settings in [DEFAULT] apply to every jail; the same line inside the [domoticz] section would apply to that jail only.
See also http://www.fail2ban.org/wiki/index.php/Whitelist

Restart fail2ban

To apply the new settings, restart fail2ban

sudo service fail2ban restart

Testing fail2ban

Testing the matching rule

To do a quick test, create a file that we will feed to the fail2ban regex tester: sudo nano wronglogin.txt
A blank file will open; paste in two failed-login lines. The ones below are examples, but copy the real lines from your own /tmp/domoticz.txt if they differ: the second example line uses an older wording ('Webserver:' and 'remote addresses:') that the filter above does not match, so with that filter you would paste a '[Web:8080] ... (remote address: ...)' line from your log instead.

2015-11-03 18:35:51.908  Error: Failed login attempt from 37.130.158.115 for user 'testing123' !
2015-11-10 18:35:08.105  Error: Webserver: Failed authentication attempt, ignoring client request (remote addresses: 37.130.158.115)

Then run: fail2ban-regex wronglogin.txt /etc/fail2ban/filter.d/domoticz.conf
This bans nothing yet; it only reads the fake logfile we supply (wronglogin.txt) and reports which of its lines match our filter (regex).

If the regex is correct, we should see:

Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [1] Error: Failed login attempt from <HOST> for user '.*' !
|   2) [1] Error: Webserver: Failed authentication attempt, ignoring client request \(remote addresses: <HOST>\)
`-

As you can see, one line matches the first regex ('Login Page' authentication method of Domoticz) and one line matches the second regex ('Basic-Auth' authentication method). This output was produced with a filter whose second pattern was the 'Webserver:' form; with the filter file shown above the Basic-Auth hit is counted against the '\[Web:8080\]' pattern instead.
The total should equal the number of failed-login lines you put in the test file. If a line copied from your real log is not counted, the wording in your log differs from the regex, and the regex must be adjusted to it: fail2ban cannot ban what it does not match.

Testing the live setup

I also tried it from my cellphone. After 3 unsuccessful login attempts, my IP-address got banned.
We can see this by running sudo iptables -L. Look at the fail2ban-domoticz chain at the end of the output; banned IPs are listed there with target DROP (alternatively, sudo fail2ban-client status domoticz lists the IPs currently banned by that jail):

Chain INPUT (policy ACCEPT)
target             prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh       tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target             prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target             prot opt source               destination

Chain fail2ban-domoticz (1 references)
target             prot opt source               destination
DROP               all  --  37.140.158.148       anywhere
RETURN             all  --  anywhere             anywhere

You see 37.140.158.148 here; that is the IP-address my phone was using (check it before logging in with www.icanhazip.com).

Removing an IP-address from the blacklist

Run the following command to remove an IP-address that got blocked but should not stay blocked:
sudo fail2ban-client set domoticz unbanip YOUR_IP_HERE
We use the jailname 'domoticz'. To find the correct jailname, run: sudo fail2ban-client status

After running the unban command, we should not be banned anymore. We can see this by running sudo iptables -L again. As you see, the IP-address is now gone from the DROP entries at the end:

Chain INPUT (policy ACCEPT)
target             prot opt source               destination
fail2ban-domoticz  tcp  --  anywhere             anywhere             multiport dports 8080
fail2ban-ssh       tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target             prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target             prot opt source               destination

Chain fail2ban-domoticz (1 references)
target             prot opt source               destination
RETURN             all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target             prot opt source               destination
RETURN             all  --  anywhere             anywhere