XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Fail2Ban for failed Xo-Web-Logins

    Scheduled Pinned Locked Moved Solved Xen Orchestra
    16 Posts 5 Posters 1.7k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • olivierlambertO Offline
      olivierlambert Vates 🪐 Co-Founder CEO
      last edited by

      I don't remember exactly but it should be around there: https://github.com/vatesfr/xen-orchestra/tree/master/packages/xo-serve

      @julien-f might have a more detailed answer when he got enough time to take a look 🙂

      1 Reply Last reply Reply Quote 0
      • julien-fJ Offline
        julien-f Vates 🪐 Co-Founder XO Team
        last edited by julien-f

        @nullpunktnull XO is trying to prevent bruteforce and at the same time avoid annoying users by blocking valid authentication attempts.

        The current policy is to require a delay of at least 2 seconds between every tries for a given user.

        It's very basic but more than enough to protect accounts with reasonable passwords 🙂

        1 Reply Last reply Reply Quote 0
        • N Offline
          nullpunktnull
          last edited by

          Thanks olivierlambert & julien-f for your responses 🙂

          In a test we're not able to confirm the 2-second-rule against BF-Attacks.
          Anyway, for us the goal would be to manage/control the failed attempts
          with our familiar fail2ban-environment.

          Is there a way to fit wrong login-attempts with a different http-status?

          Best regards
          nullpunktnull

          1 Reply Last reply Reply Quote 0
          • u2m4c6U Offline
            u2m4c6
            last edited by

            Is it not possible to use something like fail2ban? I would rather not let an IP keep attacking my xo-server every 2 seconds forever. Yes, a long random password is basically uncrackable but that as the only mitigation seems dirty

            1 Reply Last reply Reply Quote 0
            • olivierlambertO Offline
              olivierlambert Vates 🪐 Co-Founder CEO
              last edited by

              You can always install and configure fail2ban if you like.

              Feel free to share your how to 🙂

              1 Reply Last reply Reply Quote 0
              • konsultanerK Offline
                konsultaner
                last edited by

                Hi @olivierlambert
                I tried to install fail2ban on the current 8.3 alpha2 and I can't get the service to run. I'm pretty sure this is due to some hardening done to the original linux it runs on. I opened a super-user issue. Maybe you know what I'm doing wrong here?

                https://superuser.com/questions/1782617/fail2ban-on-xcp-ng-xen-server-on-an-centos-keeps-dying

                Thx!

                1 Reply Last reply Reply Quote 0
                • olivierlambertO Offline
                  olivierlambert Vates 🪐 Co-Founder CEO
                  last edited by

                  Is your host directly exposed on the internet? If yes, I would first try to avoid this, having at least a firewall between. Or having SSH/XAPI/all important services not listening on the public IP.

                  konsultanerK 1 Reply Last reply Reply Quote 0
                  • konsultanerK Offline
                    konsultaner @olivierlambert
                    last edited by konsultaner

                    @olivierlambert The system is not in production yet. I will have a firewall inbetween. I need to manage the server from remote, because it's located quite far away from my home. The only port that is exposed is 22. Everything else is blocked. Any suggestions on how to fix my issue? And what would you recommend? How should I remotely manage the server? I'm quite new to that topic and this is my first server project.

                    my plan was to just harden the ssh like this:

                    https://rmauro.dev/8-actions-for-hardening-your-linux-server-for-internet/#using-ssh-config-file-on-ssh-client

                    1 Reply Last reply Reply Quote 0
                    • olivierlambertO Offline
                      olivierlambert Vates 🪐 Co-Founder CEO
                      last edited by

                      XCP-ng isn't your average Linux, that's to me the first thing to learn. Ideally, isolate your dom0 as possible. Don't expose it remotely directly, use a VPN or a dedicated tunnel to access the mgmt network.

                      konsultanerK 1 Reply Last reply Reply Quote 0
                      • konsultanerK Offline
                        konsultaner @olivierlambert
                        last edited by

                        @olivierlambert thank you so much for your advice! I got it now. VPN is an extra layer of security. So I'll go with openVPN or do you have any other advice for what I should use? I would still like to have fail2ban as a an additional security tool? Do you know why the service constantly gets killed. Is the centos configured to not let other services run?

                        1 Reply Last reply Reply Quote 0
                        • olivierlambertO Offline
                          olivierlambert Vates 🪐 Co-Founder CEO
                          last edited by

                          To answer your last question: I don't know the reason myself. I would check the usual suspects (logs, enough memory and such).

                          For the first one, the usual simple way is to get your mgmt network isolated (eg even in a dedicated VLAN) so you aren't exposing anything publicly. Any tunnel or VPN can do that, we mostly use pfSense here to put our hosts behind it.

                          1 Reply Last reply Reply Quote 0
                          • konsultanerK Offline
                            konsultaner
                            last edited by

                            @olivierlambert ok, if you don't know the issue, than the issue should be something quite regular to find. I thought it would be system specific. I'll try to find the issue and post the answer here for others.

                            I decided to order an OPNsense router. I guess that should do the work. Thanks for all the information!

                            1 Reply Last reply Reply Quote 1
                            • konsultanerK Offline
                              konsultaner
                              last edited by

                              Found the issue. I used the service from the repo like this:

                              But I had to replace @BINDIR@ to /usr/bin.

                              [Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service

[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

[Install]
WantedBy=multi-user.target
                              1 Reply Last reply Reply Quote 1
                              • olivierlambertO olivierlambert marked this topic as a question on
                              • olivierlambertO olivierlambert has marked this topic as solved on
                              • First post
                                Last post