Fail2Ban for failed Xo-Web-Logins

nullpunktnull

Hi olivierlambert

I would like to ask you to provide me more details about that,
because I can try a lot of wrong credentials and it still allows
further attempts.

It would be great to have controll about banning IPs and
viewing logs about that.

Best regards
nullpunktnull

olivierlambert

I don't remember exactly but it should be around there: https://github.com/vatesfr/xen-orchestra/tree/master/packages/xo-serve

@julien-f might have a more detailed answer when he got enough time to take a look

julien-f

@nullpunktnull XO is trying to prevent bruteforce and at the same time avoid annoying users by blocking valid authentication attempts.

The current policy is to require a delay of at least 2 seconds between every tries for a given user.

It's very basic but more than enough to protect accounts with reasonable passwords

nullpunktnull

Thanks olivierlambert & julien-f for your responses

In a test we're not able to confirm the 2-second-rule against BF-Attacks.
Anyway, for us the goal would be to manage/control the failed attempts
with our familiar fail2ban-environment.

Is there a way to fit wrong login-attempts with a different http-status?

Best regards
nullpunktnull

u2m4c6

Is it not possible to use something like fail2ban? I would rather not let an IP keep attacking my xo-server every 2 seconds forever. Yes, a long random password is basically uncrackable but that as the only mitigation seems dirty

olivierlambert

You can always install and configure fail2ban if you like.

Feel free to share your how to

konsultaner

Hi @olivierlambert
I tried to install fail2ban on the current 8.3 alpha2 and I can't get the service to run. I'm pretty sure this is due to some hardening done to the original linux it runs on. I opened a super-user issue. Maybe you know what I'm doing wrong here?

https://superuser.com/questions/1782617/fail2ban-on-xcp-ng-xen-server-on-an-centos-keeps-dying

Thx!

olivierlambert

Is your host directly exposed on the internet? If yes, I would first try to avoid this, having at least a firewall between. Or having SSH/XAPI/all important services not listening on the public IP.

konsultaner

@olivierlambert The system is not in production yet. I will have a firewall inbetween. I need to manage the server from remote, because it's located quite far away from my home. The only port that is exposed is 22. Everything else is blocked. Any suggestions on how to fix my issue? And what would you recommend? How should I remotely manage the server? I'm quite new to that topic and this is my first server project.

my plan was to just harden the ssh like this:

https://rmauro.dev/8-actions-for-hardening-your-linux-server-for-internet/#using-ssh-config-file-on-ssh-client

olivierlambert

XCP-ng isn't your average Linux, that's to me the first thing to learn. Ideally, isolate your dom0 as possible. Don't expose it remotely directly, use a VPN or a dedicated tunnel to access the mgmt network.

konsultaner

@olivierlambert thank you so much for your advice! I got it now. VPN is an extra layer of security. So I'll go with openVPN or do you have any other advice for what I should use? I would still like to have fail2ban as a an additional security tool? Do you know why the service constantly gets killed. Is the centos configured to not let other services run?

olivierlambert

To answer your last question: I don't know the reason myself. I would check the usual suspects (logs, enough memory and such).

For the first one, the usual simple way is to get your mgmt network isolated (eg even in a dedicated VLAN) so you aren't exposing anything publicly. Any tunnel or VPN can do that, we mostly use pfSense here to put our hosts behind it.

konsultaner

@olivierlambert ok, if you don't know the issue, than the issue should be something quite regular to find. I thought it would be system specific. I'll try to find the issue and post the answer here for others.

I decided to order an OPNsense router. I guess that should do the work. Thanks for all the information!

konsultaner

Found the issue. I used the service from the repo like this:

But I had to replace @BINDIR@ to /usr/bin.

[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service

[Service]
Type=simple
Environment="PYTHONNOUSERSITE=1"
ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

[Install]
WantedBy=multi-user.target