XCP-ng
    Fail2Ban for failed Xo-Web-Logins

    Xen Orchestra (Solved) · 16 Posts, 5 Posters, 1.7k Views
    • nullpunktnull

      Hi there

      We installed XO from source on a Debian 10 node. As usual, we're using fail2ban
      for all kinds of security. What I need is to protect XO-Web from brute-force attempts.

      The issue: I cannot find any log for failed login-attempts in:

      • /var/log/orchestra.log
      • /var/log/daemon.log
      • /var/log/syslog
      • /var/log/auth.log
      • /var/log/redis/redis-server.log

      The HTTP-Status is 200/OK in both cases.

      What solution/advice would you recommend I follow?

      Best regards
      nullpunktnull

        • olivierlambert (Vates 🪐 Co-Founder CEO)

          Hi,

          There's already a mechanism to avoid brute force login bundled in xo-server.

          • nullpunktnull

            Hi olivierlambert

            I would like to ask you to provide me with more details about that,
            because I can try a lot of wrong credentials and it still allows
            further attempts.

            It would be great to have control over banning IPs and
            to be able to view logs about that.

            Best regards
            nullpunktnull

            • olivierlambert (Vates 🪐 Co-Founder CEO)

              I don't remember exactly but it should be around there: https://github.com/vatesfr/xen-orchestra/tree/master/packages/xo-serve

              @julien-f might have a more detailed answer when he got enough time to take a look 🙂

              • julien-f (Vates 🪐 Co-Founder XO Team)

                @nullpunktnull XO is trying to prevent brute force and at the same time avoid annoying users by blocking valid authentication attempts.

                The current policy is to require a delay of at least 2 seconds between tries for a given user.

                It's very basic but more than enough to protect accounts with reasonable passwords 🙂

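An added illustration, not xo-server's own code, of the two mechanisms this thread compares: the per-user minimum interval between tries that julien-f describes (2 seconds for a given user) next to a fail2ban-style per-IP ban after repeated failures within a window, which is what the fail2ban users in the thread want. The log line format, the `checkPassword` callback and the source address 198.51.100.7 are constructed for the example.

```javascript
// Added example, not xo-server's code: the per-user minimum interval between tries
// (julien-f's 2-second rule) next to a fail2ban-style per-IP ban after repeated failures.
class LoginGuard {
  constructor({ minIntervalMs = 2000, maxRetry = 5, findTimeMs = 600000,
                banTimeMs = 600000, now = Date.now } = {}) {
    Object.assign(this, { minIntervalMs, maxRetry, findTimeMs, banTimeMs, now });
    this.lastTryByUser = new Map(); // user -> time of the last evaluated attempt
    this.failuresByIp = new Map();  // ip -> times of recent failed attempts
    this.bannedUntil = new Map();   // ip -> ban expiry time
    this.log = [];                  // constructed log lines a fail2ban filter could match
  }
  // checkPassword is a caller-supplied callback (assumed interface), true on success
  attempt(user, ip, checkPassword) {
    const t = this.now();
    if ((this.bannedUntil.get(ip) || 0) > t) return "banned";
    const last = this.lastTryByUser.get(user);
    // per-user policy: a try closer than minIntervalMs to the previous one is refused
    if (last !== undefined && t - last < this.minIntervalMs) return "too-fast";
    this.lastTryByUser.set(user, t);
    if (checkPassword()) { this.failuresByIp.delete(ip); return "ok"; }
    // per-IP policy: keep only failures inside findtime, count this one, ban at maxRetry
    const recent = (this.failuresByIp.get(ip) || []).filter(ts => t - ts <= this.findTimeMs);
    recent.push(t);
    this.failuresByIp.set(ip, recent);
    this.log.push(`${new Date(t).toISOString()} xo-server auth failure user=${user} ip=${ip}`);
    if (recent.length < this.maxRetry) return "failed";
    this.bannedUntil.set(ip, t + this.banTimeMs);
    this.failuresByIp.delete(ip);
    return "banned";
  }
}

// A fail2ban filter for the constructed line would be roughly:
//   failregex = xo-server auth failure user=\S+ ip=<HOST>
const FAILREGEX = /xo-server auth failure user=\S+ ip=(\S+)$/;

// Walk one source address (198.51.100.7, a documentation range) through both policies
// with an injected clock so the outcome is deterministic.
function demo() {
  let clock = 0;
  const g = new LoginGuard({ now: () => clock, maxRetry: 3 });
  const wrong = () => false, ip = "198.51.100.7", results = [];
  results.push(g.attempt("admin", ip, wrong));            // failed
  results.push(g.attempt("admin", ip, wrong));            // too-fast: same instant as the last try
  clock += 2000; results.push(g.attempt("admin", ip, wrong)); // failed
  clock += 2000; results.push(g.attempt("admin", ip, wrong)); // banned: third failure
  clock += 2000; results.push(g.attempt("admin", ip, () => true)); // still banned
  return { results, ips: g.log.map(l => l.match(FAILREGEX)[1]) };
}
```

The per-user rule only slows an attacker down; the per-IP ban is what stops the same source from retrying every 2 seconds, which is the gap u2m4c6 points out below.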
                • nullpunktnull

                  Thanks olivierlambert & julien-f for your responses 🙂

                  In a test we're not able to confirm the 2-second rule against brute-force attacks.
                  Anyway, for us the goal would be to manage/control the failed attempts
                  with our familiar fail2ban environment.

                  Is there a way to flag wrong login attempts with a different HTTP status?

                  Best regards
                  nullpunktnull

                  • u2m4c6

                    Is it not possible to use something like fail2ban? I would rather not let an IP keep attacking my xo-server every 2 seconds forever. Yes, a long random password is basically uncrackable, but that as the only mitigation seems dirty.

                    • olivierlambert (Vates 🪐 Co-Founder CEO)

                      You can always install and configure fail2ban if you like.

                      Feel free to share your how-to 🙂

                      • konsultaner

                        Hi @olivierlambert,
                        I tried to install fail2ban on the current 8.3 alpha2 and I can't get the service to run. I'm pretty sure this is due to some hardening done to the original Linux it runs on. I opened a Super User question. Maybe you know what I'm doing wrong here?

                        https://superuser.com/questions/1782617/fail2ban-on-xcp-ng-xen-server-on-an-centos-keeps-dying

                        Thx!

                        • olivierlambert (Vates 🪐 Co-Founder CEO)

                          Is your host directly exposed on the internet? If yes, I would first try to avoid this, having at least a firewall in between, or having SSH/XAPI/all important services not listening on the public IP.

                          • konsultaner

                            @olivierlambert The system is not in production yet. I will have a firewall in between. I need to manage the server remotely, because it's located quite far away from my home. The only port that is exposed is 22. Everything else is blocked. Any suggestions on how to fix my issue? And what would you recommend? How should I remotely manage the server? I'm quite new to that topic and this is my first server project.

                            My plan was to just harden SSH like this:

                            https://rmauro.dev/8-actions-for-hardening-your-linux-server-for-internet/#using-ssh-config-file-on-ssh-client

                            • olivierlambert (Vates 🪐 Co-Founder CEO)

                              XCP-ng isn't your average Linux; to me that's the first thing to learn. Ideally, isolate your dom0 as much as possible. Don't expose it remotely directly; use a VPN or a dedicated tunnel to access the management network.

                              • konsultaner

                                @olivierlambert Thank you so much for your advice! I got it now. VPN is an extra layer of security. So I'll go with OpenVPN, or do you have any other advice on what I should use? I would still like to have fail2ban as an additional security tool. Do you know why the service constantly gets killed? Is the CentOS configured to not let other services run?

                                • olivierlambert (Vates 🪐 Co-Founder CEO)

                                  To answer your last question: I don't know the reason myself. I would check the usual suspects (logs, enough memory and such).

                                  For the first one, the usual simple way is to get your management network isolated (e.g. even in a dedicated VLAN) so you aren't exposing anything publicly. Any tunnel or VPN can do that; we mostly use pfSense here to put our hosts behind it.

                                  • konsultaner

                                    @olivierlambert OK, if you don't know the issue, then it should be something quite regular to find. I thought it would be system specific. I'll try to find the issue and post the answer here for others.

                                    I decided to order an OPNsense router. I guess that should do the work. Thanks for all the information!

                                    • konsultaner

                                      Found the issue. I used the service from the repo like this, but I had to replace @BINDIR@ with /usr/bin:

                                      [Unit]
                                      Description=Fail2Ban Service
                                      Documentation=man:fail2ban(1)
                                      After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
                                      PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service

                                      [Service]
                                      Type=simple
                                      Environment="PYTHONNOUSERSITE=1"
                                      ExecStartPre=/bin/mkdir -p /run/fail2ban
                                      ExecStart=/usr/bin/fail2ban-server -xf start
                                      # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
                                      # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
                                      ExecStop=/usr/bin/fail2ban-client stop
                                      ExecReload=/usr/bin/fail2ban-client reload
                                      PIDFile=/run/fail2ban/fail2ban.pid
                                      Restart=on-failure
                                      RestartPreventExitStatus=0 255

                                      [Install]
                                      WantedBy=multi-user.target