added fail2ban into nextcloud_server.md
parent c9893ba430
commit c636329828
|
@ -100,6 +100,64 @@ Così facendo, di default il traffico in ingresso è bloccato, a eccezione delle
|
||||||
|
|
||||||
Per altre configurazioni di sicurezza: [Mettere in sicurezza un VPS](https://help.ovhcloud.com/csm/it-vps-security-tips?id=kb_article_view&sysparm_article=KB0047709) e anche [Setup fail2ban](https://docs.nextcloud.com/server/21/admin_manual/installation/harden_server.html?highlight=fail2ban#setup-fail2ban)
|
Per altre configurazioni di sicurezza: [Mettere in sicurezza un VPS](https://help.ovhcloud.com/csm/it-vps-security-tips?id=kb_article_view&sysparm_article=KB0047709) e anche [Setup fail2ban](https://docs.nextcloud.com/server/21/admin_manual/installation/harden_server.html?highlight=fail2ban#setup-fail2ban)
|
||||||
|
|
||||||
|
## fail2ban
|
||||||
|
|
||||||
|
Disabilitare l'opzione `'auth.bruteforce.protection.enabled' => 'false',` nel file `/var/www/html/nextcloud/config/config.php`
|
||||||
|
|
||||||
|
Quindi
|
||||||
|
|
||||||
|
```bash
|
||||||
|
apt install fail2ban
|
||||||
|
```
|
||||||
|
|
||||||
|
Dopo aver installato il pacchetto, creare i file seguenti:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
> cat /etc/fail2ban/filter.d/nextcloud.local
|
||||||
|
[Definition]
|
||||||
|
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
|
||||||
|
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
|
||||||
|
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
|
||||||
|
|
||||||
|
> cat /etc/fail2ban/jail.d/nextcloud.local
|
||||||
|
[nextcloud]
|
||||||
|
backend = auto
|
||||||
|
enabled = true
|
||||||
|
port = 80,443
|
||||||
|
protocol = tcp
|
||||||
|
filter = nextcloud
|
||||||
|
#Number of retrys before to ban
|
||||||
|
maxretry = 3
|
||||||
|
#time in seconds
|
||||||
|
bantime = 36000
|
||||||
|
findtime = 36000
|
||||||
|
#Log path, on Ubuntu usually is following
|
||||||
|
logpath = /var/www/nextcloud/data/nextcloud.log
|
||||||
|
```
|
||||||
|
|
||||||
|
Quindi abilitare e riavviare il servizio:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
> systemctl enable --now fail2ban
|
||||||
|
> systemctl restart fail2ban
|
||||||
|
|
||||||
|
> systemctl status fail2ban.service
|
||||||
|
● fail2ban.service - Fail2Ban Service
|
||||||
|
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
|
||||||
|
Active: active (running) since Sun 2023-10-22 17:44:02 UTC; 5min ago
|
||||||
|
Docs: man:fail2ban(1)
|
||||||
|
Main PID: 58185 (fail2ban-server)
|
||||||
|
Tasks: 7 (limit: 2295)
|
||||||
|
Memory: 14.2M
|
||||||
|
CPU: 339ms
|
||||||
|
CGroup: /system.slice/fail2ban.service
|
||||||
|
└─58185 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
|
||||||
|
|
||||||
|
ott 22 17:44:02 vps-971850be systemd[1]: Started fail2ban.service - Fail2Ban Service.
|
||||||
|
ott 22 17:44:02 vps-971850be fail2ban-server[58185]: 2023-10-22 17:44:02,748 fail2ban.configreader [58185]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
|
||||||
|
ott 22 17:44:02 vps-971850be fail2ban-server[58185]: Server ready
|
||||||
|
```
|
||||||
|
|
||||||
## Installazione
|
## Installazione
|
||||||
|
|
||||||
### nginx
|
### nginx
|
||||||
|
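Review bot: the jail's `logpath = /var/www/nextcloud/data/nextcloud.log` does not match the install this document describes: the same section edits `/var/www/html/nextcloud/config/config.php`, and the config.php hunk in this commit sets `'logfile' => '/var/log/nextcloud-error.log'`, so as written fail2ban tails a file Nextcloud is not writing and no failed login is ever counted. Point `logpath` at the configured logfile and add a verification step after the restart, for example `fail2ban-client status nextcloud` and a `fail2ban-regex` run of the filter against the log, since the `systemctl status` output shown only proves the daemon started. The instruction also writes the value as the quoted string `'false'`, which PHP evaluates as true, while the config.php hunk uses the boolean `false`; make the two agree, and state why the built-in brute-force throttling is switched off, because the jail does not require it.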
@ -174,10 +232,20 @@ $CONFIG = array (
|
||||||
'version' => '27.1.2.1',
|
'version' => '27.1.2.1',
|
||||||
'overwrite.cli.url' => 'https://my.domain.com/',
|
'overwrite.cli.url' => 'https://my.domain.com/',
|
||||||
'default_phone_region' => 'IT',
|
'default_phone_region' => 'IT',
|
||||||
'memcache.local' => '\\OC\\Memcache\\APCu',
|
|
||||||
# https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
|
|
||||||
'trashbin_retention_obligation' => 'autoi, 2',
|
'trashbin_retention_obligation' => 'autoi, 2',
|
||||||
# Il cestino viene svuotato in automatico ogni due giorni
|
# Il cestino viene svuotato in automatico ogni due giorni
|
||||||
|
# https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html
|
||||||
|
'memcache.local' => '\\OC\\Memcache\\APCu',
|
||||||
|
'memcache.locking' => '\\OC\\Memcache\\APCu',
|
||||||
|
'filelocking.enabled' => true,
|
||||||
|
'auth.bruteforce.protection.enabled' => false,
|
||||||
|
'logtimezone' => 'Europe/Rome',
|
||||||
|
|
||||||
|
[...]
|
||||||
|
|
||||||
|
'log_type' => 'file',
|
||||||
|
'logfile' => '/var/log/nextcloud-error.log',
|
||||||
|
'loglevel' => 2,
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
```
|
```
|
||||||
|
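Review bot: `'logfile' => '/var/log/nextcloud-error.log'` moves the log into a directory where the web server user normally cannot create files, and nothing in the change documents creating the file with the right owner or rotating it. Add that step next to the config, and keep this path in sync with the jail's `logpath`, which currently names `/var/www/nextcloud/data/nextcloud.log`. Until the jail is confirmed to match, `'auth.bruteforce.protection.enabled' => false` leaves logins with neither Nextcloud's throttling nor a working ban, so consider leaving the built-in protection on. The unchanged context line `'trashbin_retention_obligation' => 'autoi, 2'` also looks like a typo for `auto`.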
@ -454,3 +522,5 @@ Per la configurazione di Nextcloud sul cellulare Android, seguire [questa guida]
|
||||||
- [https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html](https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html)
|
- [https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html](https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html)
|
||||||
- [https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html](https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html)
|
- [https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html](https://docs.nextcloud.com/server/27/admin_manual/configuration_server/caching_configuration.html)
|
||||||
- [https://serverok.in/nextcloud-apcu-not-available-for-local-cache](https://serverok.in/nextcloud-apcu-not-available-for-local-cache)
|
- [https://serverok.in/nextcloud-apcu-not-available-for-local-cache](https://serverok.in/nextcloud-apcu-not-available-for-local-cache)
|
||||||
|
- [https://marsown.com/wordpress/fail2ban-protection-nextcloud/](https://marsown.com/wordpress/fail2ban-protection-nextcloud/)
|
||||||
|
- [https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24](https://gist.github.com/GAS85/957e0b1a4f30120225a7be09b173eb24)
|
||||||
|
|
|
@ -8,3 +8,4 @@
|
||||||
#* * * * * user comando
|
#* * * * * user comando
|
||||||
|
|
||||||
0 9,15,20,22 * * * ~/scripts/rsync.sh
|
0 9,15,20,22 * * * ~/scripts/rsync.sh
|
||||||
|
0 9,15,20,22 * * * ~/scripts/swaync.sh
|
||||||
|
|
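Review bot: the added `swaync.sh` cron entry is unrelated to the commit subject, which mentions only fail2ban in nextcloud_server.md. Split it into its own commit so the documentation change can be reviewed and reverted independently. The header comment `#* * * * * user comando` shows a user column that neither entry has; drop `user` from the comment if this is a per-user crontab.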