Hello everyone,
since I found out after a few hours that permissions for www-data are needed for owncloud.log
however, the failed access attempts on ownCloud are still not being blocked by fail2ban.
OwnCloud 9.0.1 (stable)
lighttpd web server
Many thanks in advance
$ sudo fail2ban-regex /var/log/owncloud.log /etc/fail2ban/filter.d/owncloud.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/owncloud.conf
Use log file : /var/log/owncloud.log
Results
=======
Failregex: 15 total
|- #) [# of hits] regular expression
| 1) [15] {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [21] ISO 8601
`-
Lines: 21 lines, 0 ignored, 15 matched, 6 missed
|- Missed line(s):
| {"reqId":"925Y2VDQnbjd0ExX6vqC","remoteAddr":"192.168.178.21","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:16:22+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}
| {"reqId":"vvAXR55v3vCgPG2tQ\/g\/","remoteAddr":"192.168.178.21","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:23:57+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"test"}
| {"reqId":"qCGY2bgaGCwx8bEEl7Xl","remoteAddr":"192.168.178.21","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:28:22+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}
| {"reqId":"uX7BhiUPV7czNAUuqM9M","remoteAddr":"192.168.178.36","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:29:54+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}
| {"reqId":"vg+sF0vziRCz9awl0VN4","remoteAddr":"192.168.178.21","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:40:07+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"test"}
| {"reqId":"V\/WJLCCTIsvGw8dvTeii","remoteAddr":"192.168.178.21","app":"PHP","message":"Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php:\/\/input stream instead. at Unknown#0","level":3,"time":"2016-04-17T09:40:22+02:00","method":"POST","url":"\/index.php\/heartbeat","user":"--"}
`-
Edit: 17.04, 11:10 >> with this it worked
I have now compared owncloud.config with sshd.conf. In doing so I noticed that I had forgotten _daemon = owncloud
sudo fail2ban-client status owncloud
Status for the jail: owncloud
|- filter
| |- File list: /var/log/owncloud.log
| |- Currently failed: 1
| `- Total failed: 16
`- action
|- Currently banned: 1
| `- IP list: 192.168.178.21
`- Total banned: 2
sudo nano /etc/fail2ban/filter.d/owncloud.conf
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = owncloud
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}
ignoreregex =
sudo nano /etc/fail2ban/jail.conf
[owncloud]
enabled = yes
port = http,https
filter = owncloud
logpath = /var/log/owncloud.log
bantime = 120
maxretry = 3
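As an added example (not part of the original post and not fail2ban's own code), the following Python code applies the posted failregex to constructed log lines and counts matches per host against maxretry = 3, which shows why the PHP warning lines are reported as missed while failed logins are counted. The IPv4-only stand-in for <HOST>, the helper names and the sample lines are assumptions.

```python
import re
from collections import Counter

# failregex and maxretry exactly as posted in the filter and jail above.
FAILREGEX = r"""{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}"""
MAXRETRY = 3

# Assumption: fail2ban's real <HOST> expansion also accepts hostnames and IPv6;
# this IPv4-only named group stands in for it.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def make_line(addr, app, message, level, user):
    """Build a constructed log line with the field order seen in owncloud.log."""
    return ('{"reqId":"constructed0000000000","remoteAddr":"%s","app":"%s",'
            '"message":"%s","level":%d,"time":"2016-04-17T09:16:22+02:00",'
            '"method":"POST","url":"\\/index.php","user":"%s"}'
            % (addr, app, message, level, user))

def failed_login(addr, user):
    return make_line(addr, "core",
                     "Login failed: '%s' (Remote IP: '%s')" % (user, addr), 2, "--")

# Constructed sample input (documentation address ranges), not real log data.
SAMPLE_LOG = [
    failed_login("203.0.113.5", "admin"),
    make_line("203.0.113.5", "PHP", "Constructed deprecation warning", 3, "--"),
    failed_login("203.0.113.5", "admin"),
    failed_login("198.51.100.7", "test"),
    failed_login("203.0.113.5", "root"),
]

def scan(lines, maxretry=MAXRETRY):
    """Return (failures per host, hosts at or over maxretry, missed lines).

    Simplification: every line counts, i.e. findtime is not modelled.
    """
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
    failures, missed = Counter(), []
    for line in lines:
        m = rx.search(line)  # final .* absorbs the trailing method/url/user fields
        if m:
            failures[m.group("host")] += 1
        else:
            missed.append(line)
    banned = sorted(h for h, n in failures.items() if n >= maxretry)
    return failures, banned, missed

if __name__ == "__main__":
    failures, banned, missed = scan(SAMPLE_LOG)
    print(dict(failures), "ban:", banned, "missed:", len(missed))
```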