added fail2ban into nextcloud_server.md

This commit is contained in:
piccihud 2023-10-22 19:55:46 +02:00
parent c9893ba430
commit c636329828
2 changed files with 73 additions and 2 deletions

View File

@ -100,6 +100,64 @@ Così facendo, di default il traffico in ingresso è bloccato, a eccezione delle
Per altre configurazioni di sicurezza: [Mettere in sicurezza un VPS](https://help.ovhcloud.com/csm/it-vps-security-tips?id=kb_article_view&sysparm_article=KB0047709) e anche [Setup fail2ban](https://docs.nextcloud.com/server/21/admin_manual/installation/harden_server.html?highlight=fail2ban#setup-fail2ban)
## fail2ban
Disabilitare l'opzione `'auth.bruteforce.protection.enabled' => 'false',` nel file `/var/www/html/nextcloud/config/config.php`
Quindi
```bash
apt install fail2ban
```
Dopo aver installato il pacchetto, creare i file seguenti:
```bash
> cat /etc/fail2ban/filter.d/nextcloud.local
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
> cat /etc/fail2ban/jail.d/nextcloud.local
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
#Number of retrys before to ban
maxretry = 3
#time in seconds
bantime = 36000
findtime = 36000
#Log path, on Ubuntu usually is following
logpath = /var/www/nextcloud/data/nextcloud.log
```
Quindi abilitare e riavviare il servizio:
```bash
> systemctl enable --now fail2ban
> systemctl restart fail2ban
> systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Sun 2023-10-22 17:44:02 UTC; 5min ago
Docs: man:fail2ban(1)
Main PID: 58185 (fail2ban-server)
Tasks: 7 (limit: 2295)
Memory: 14.2M
CPU: 339ms
CGroup: /system.slice/fail2ban.service
└─58185 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
ott 22 17:44:02 vps-971850be systemd[1]: Started fail2ban.service - Fail2Ban Service.
ott 22 17:44:02 vps-971850be fail2ban-server[58185]: 2023-10-22 17:44:02,748 fail2ban.configreader [58185]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
ott 22 17:44:02 vps-971850be fail2ban-server[58185]: Server ready
```
## Installazione
### nginx
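Review bot: the jail's `logpath = /var/www/nextcloud/data/nextcloud.log` does not match the `'logfile' => '/var/log/nextcloud-error.log'` that this same commit sets in config.php, so fail2ban would watch a file Nextcloud no longer writes to (and if that file does not exist at all, fail2ban refuses to start the jail). Point `logpath` at `/var/log/nextcloud-error.log` and make sure the fail2ban process can read it. Two related consistency points: the instruction at the top quotes `'auth.bruteforce.protection.enabled' => 'false'` with the value as a string, while the config hunk below uses the boolean `false`; only the boolean form actually disables the option, since a non-empty string is truthy in PHP, so quote it as `=> false,` here. The config.php path is also given as `/var/www/html/nextcloud/...` while the jail assumes `/var/www/nextcloud/...`; pick one install prefix. Finally, since nginx sits in front of Nextcloud, `remoteAddr` in the log is the address the PHP backend sees; if nginx acts as a reverse proxy, `trusted_proxies` must be set in config.php or the jail ends up banning the proxy's own address.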
@ -174,10 +232,20 @@ $CONFIG = array (
'version' => '27.1.2.1',
'overwrite.cli.url' => 'https://my.domain.com/',
'default_phone_region' => 'IT',
'memcache.local' => '\\OC\\Memcache\\APCu',
# https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
'trashbin_retention_obligation' => 'autoi, 2',
# Il cestino viene svuotato in automatico ogni due giorni
# https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.locking' => '\\OC\\Memcache\\APCu',
'filelocking.enabled' => true,
'auth.bruteforce.protection.enabled' => false,
'logtimezone' => 'Europe/Rome',
[...]
'log_type' => 'file',
'logfile' => '/var/log/nextcloud-error.log',
'loglevel' => 2,
[...]
```
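Review bot: `'trashbin_retention_obligation' => 'autoi, 2'` has a typo; the accepted forms are `auto`, `auto, D`, `D, auto` or `D1, D2`, so to match the comment about the bin being emptied after two days this should read `'auto, 2'`. `'memcache.local'` is also defined twice in the same array (once above the trashbin line, once next to `memcache.locking`); PHP keeps the last value so nothing breaks, but drop the first copy and keep the caching_configuration link next to the memcache entries rather than above the trashbin setting, where it currently reads as documentation for the wrong option.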
@ -454,3 +522,5 @@ Per la configurazione di Nextcloud sul cellulare Android, seguire [questa guida]
- [https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html](https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html)
- [https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html](https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html)
- [https://serverok.in/nextcloud-apcu-not-available-for-local-cache](https://serverok.in/nextcloud-apcu-not-available-for-local-cache)
- [https://marsown.com/wordpress/fail2ban-protection-nextcloud/](https://marsown.com/wordpress/fail2ban-protection-nextcloud/)
- [https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24](https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24)

View File

@ -8,3 +8,4 @@
#* * * * * user comando
0 9,15,20,22 * * * ~/scripts/rsync.sh
0 9,15,20,22 * * * ~/scripts/swaync.sh
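Review bot: the new `swaync.sh` entry fires at the same minutes as `rsync.sh`, so if it is meant to report the result of the sync it should be chained after it (`~/scripts/rsync.sh && ~/scripts/swaync.sh`, or called from the end of rsync.sh) rather than scheduled independently, since cron gives no ordering guarantee between two jobs with the same schedule. Also keep in mind that cron runs with a minimal environment: if the script talks to a running swaync instance it needs `WAYLAND_DISPLAY` and `DBUS_SESSION_BUS_ADDRESS` exported inside the script, otherwise the only trace of the failure is the cron mail.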