Fail2Ban for failed Xo-Web-Logins
-
Hi there
We installed XO from source on a Debian10-Node. As usual we're using fail2ban
for all kind of security. What I need is to prevent XO-Web from Bruteforce-Attempts.The issue: I cannot find any log for failed login-attempts in:
- /var/log/orchestra.log
- /var/log/daemon.log
- /var/log/syslog
- /var/log/auth.log
- /var/log/redis/redis-server.log
The HTTP-Status is 200/OK in both cases.
What solution/advise would you recommend me to follow?
Best regards
nullpunktnull -
Found the issue. I used the service from the repo like this:
But I had to replace
@BINDIR@
to/usr/bin
.[Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service [Service] Type=simple Environment="PYTHONNOUSERSITE=1" ExecStartPre=/bin/mkdir -p /run/fail2ban ExecStart=/usr/bin/fail2ban-server -xf start # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start ExecStop=/usr/bin/fail2ban-client stop ExecReload=/usr/bin/fail2ban-client reload PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 [Install] WantedBy=multi-user.target
-
Hi,
There's already a mechanism to avoid brute force login bundled in
xo-server
. -
Hi olivierlambert
I would like to ask you to provide me more details about that,
because I can try a lot of wrong credentials and it still allows
further attempts.It would be great to have controll about banning IPs and
viewing logs about that.Best regards
nullpunktnull -
I don't remember exactly but it should be around there: https://github.com/vatesfr/xen-orchestra/tree/master/packages/xo-serve
@julien-f might have a more detailed answer when he got enough time to take a look
-
@nullpunktnull XO is trying to prevent bruteforce and at the same time avoid annoying users by blocking valid authentication attempts.
The current policy is to require a delay of at least 2 seconds between every tries for a given user.
It's very basic but more than enough to protect accounts with reasonable passwords
-
Thanks olivierlambert & julien-f for your responses
In a test we're not able to confirm the 2-second-rule against BF-Attacks.
Anyway, for us the goal would be to manage/control the failed attempts
with our familiar fail2ban-environment.Is there a way to fit wrong login-attempts with a different http-status?
Best regards
nullpunktnull -
Is it not possible to use something like fail2ban? I would rather not let an IP keep attacking my xo-server every 2 seconds forever. Yes, a long random password is basically uncrackable but that as the only mitigation seems dirty
-
You can always install and configure fail2ban if you like.
Feel free to share your how to
-
Hi @olivierlambert
I tried to install fail2ban on the current 8.3 alpha2 and I can't get the service to run. I'm pretty sure this is due to some hardening done to the original linux it runs on. I opened a super-user issue. Maybe you know what I'm doing wrong here?https://superuser.com/questions/1782617/fail2ban-on-xcp-ng-xen-server-on-an-centos-keeps-dying
Thx!
-
Is your host directly exposed on the internet? If yes, I would first try to avoid this, having at least a firewall between. Or having SSH/XAPI/all important services not listening on the public IP.
-
@olivierlambert The system is not in production yet. I will have a firewall inbetween. I need to manage the server from remote, because it's located quite far away from my home. The only port that is exposed is 22. Everything else is blocked. Any suggestions on how to fix my issue? And what would you recommend? How should I remotely manage the server? I'm quite new to that topic and this is my first server project.
my plan was to just harden the ssh like this:
-
XCP-ng isn't your average Linux, that's to me the first thing to learn. Ideally, isolate your dom0 as possible. Don't expose it remotely directly, use a VPN or a dedicated tunnel to access the mgmt network.
-
@olivierlambert thank you so much for your advice! I got it now. VPN is an extra layer of security. So I'll go with openVPN or do you have any other advice for what I should use? I would still like to have fail2ban as a an additional security tool? Do you know why the service constantly gets killed. Is the centos configured to not let other services run?
-
To answer your last question: I don't know the reason myself. I would check the usual suspects (logs, enough memory and such).
For the first one, the usual simple way is to get your mgmt network isolated (eg even in a dedicated VLAN) so you aren't exposing anything publicly. Any tunnel or VPN can do that, we mostly use pfSense here to put our hosts behind it.
-
@olivierlambert ok, if you don't know the issue, than the issue should be something quite regular to find. I thought it would be system specific. I'll try to find the issue and post the answer here for others.
I decided to order an OPNsense router. I guess that should do the work. Thanks for all the information!
-
Found the issue. I used the service from the repo like this:
But I had to replace
@BINDIR@
to/usr/bin
.[Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service [Service] Type=simple Environment="PYTHONNOUSERSITE=1" ExecStartPre=/bin/mkdir -p /run/fail2ban ExecStart=/usr/bin/fail2ban-server -xf start # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start ExecStop=/usr/bin/fail2ban-client stop ExecReload=/usr/bin/fail2ban-client reload PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 [Install] WantedBy=multi-user.target
-
-