All posts by ENDLESSL00P

Giuseppe Casutt, Dipl.-HTL-Ing. at A-Enterprise GmbH. Blog author on the topics Windows, VMware, Synology, Fortinet and Open Source. Tutorials and HowTos on problem solving and system integration.

Protect Kopano by Fail2ban

Hardening Kopano against attacks with Fail2ban

This howto describes how to install and configure Fail2ban for Kopano Groupware on Ubuntu. Fail2ban provides effective protection against brute-force attacks: it filters failed authentication attempts out of syslog and the Apache log and blocks the offending host for a certain period of time using the kernel firewall.

Install Fail2ban on Kopano Server

The Fail2ban package is installed on Ubuntu as root as follows. Fail2ban is written in Python, which is why the required Python libraries are pulled in as dependencies.

$ apt-get update
$ apt-get install fail2ban -y

After installation, start Fail2ban and enable it in systemd so that it starts automatically at boot.

$ systemctl start fail2ban
$ systemctl enable fail2ban

Create Fail2ban Filter for Kopano

To build the Fail2ban filter for Kopano, create the file kopano-webapp-auth.conf:

$ vi /etc/fail2ban/filter.d/kopano-webapp-auth.conf

Insert the content into the filter file with the following lines:

# Fail2Ban kopano-webapp-auth filter
# /etc/fail2ban/filter.d/kopano-webapp-auth.conf

[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI

ignoreregex =

Enable the Kopano Filter

Activate the Fail2ban filter for Kopano by creating the configuration file jail.local.

$ vi /etc/fail2ban/jail.local

And insert the following content:

[sshd]
port = ssh
logpath = %(sshd_log)s

[kopano-webapp]
enabled = true
port = https
filter = kopano-webapp-auth
logpath = %(apache_error_log)s

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

Here the variable %(apache_error_log)s expands to the Apache error log, /var/log/apache2/error.log, which Fail2ban reads for the kopano-webapp and apache-auth jails.
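To check that the filter and the jail settings behave as expected before relying on them, here is an added Python example (not part of the original post and not Fail2ban's own code) that replays constructed Apache error-log lines through the failregex above and through the jail's maxretry/findtime logic. The _apache_error_client prefix is an approximation of what apache-common.conf supplies and is an assumption, as are the sample log lines and addresses. On the real server, fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/kopano-webapp-auth.conf tests the filter against the live log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: this prefix approximates the _apache_error_client variable that
# apache-common.conf provides; Fail2ban's <HOST> placeholder becomes a named group.
HOST = r"(?P<host>\S+?)"
APACHE_ERROR_CLIENT = (
    r"\[(?P<ts>[^\]]*)\]\s*"                   # [timestamp]
    r"\[(?:error|\S+:\S+)\]"                   # [error] or [module:level]
    r"(?: \[pid \d+(?::\S+ \d+)?\])?"          # optional [pid N] or [pid N:tid M]
    r" \[client " + HOST + r"(?::\d{1,5})?\]"  # [client 1.2.3.4:port]
)

# The failregex from kopano-webapp-auth.conf with the include expanded.
FAILREGEX = re.compile(
    "^" + APACHE_ERROR_CLIENT
    + r" Kopano WebApp user:.* authentication failure at MAPI"
)

# Constructed sample of an Apache error.log: five failures from one client within
# twelve seconds, one failure from another client, and one unrelated error line.
SAMPLE_LOG = """\
[Mon Jan 13 10:00:01.123456 2020] [php7:notice] [pid 1234] [client 10.10.10.101:51234] Kopano WebApp user: alice: authentication failure at MAPI
[Mon Jan 13 10:00:05.000000 2020] [php7:notice] [pid 1234] [client 10.10.10.101:51236] Kopano WebApp user: alice: authentication failure at MAPI
[Mon Jan 13 10:00:09.000000 2020] [php7:notice] [pid 1234] [client 10.10.10.101:51238] Kopano WebApp user: alice: authentication failure at MAPI
[Mon Jan 13 10:00:12.000000 2020] [php7:notice] [pid 1234] [client 10.10.10.101:51240] Kopano WebApp user: alice: authentication failure at MAPI
[Mon Jan 13 10:00:13.000000 2020] [php7:notice] [pid 1234] [client 10.10.10.101:51242] Kopano WebApp user: alice: authentication failure at MAPI
[Mon Jan 13 10:01:00.000000 2020] [php7:notice] [pid 1235] [client 172.31.16.3:40001] Kopano WebApp user: bob: authentication failure at MAPI
[Mon Jan 13 10:01:30.000000 2020] [core:error] [pid 1236] [client 172.31.16.3:40002] AH00128: File does not exist: /var/www/html/favicon.ico
"""


def parse_ts(ts):
    """Parse the Apache error-log timestamp, e.g. 'Mon Jan 13 10:00:01.123456 2020'."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S.%f %Y")


def find_failures(log_text):
    """Return [(datetime, host)] for every line the Kopano failregex matches."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            failures.append((parse_ts(m.group("ts")), m.group("host")))
    return failures


def simulate_jail(log_text, maxretry=5, findtime=600):
    """Replay the log through the jail logic: a host is banned once it has
    maxretry matches inside a sliding window of findtime seconds (Fail2ban's
    defaults are maxretry = 5 and findtime = 10m).  Returns the per-host match
    totals and the set of hosts that would be banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    totals = defaultdict(int)
    banned = set()
    for when, host in sorted(find_failures(log_text)):
        totals[host] += 1
        q = recent[host]
        q.append(when)
        while q and when - q[0] > window:  # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return dict(totals), banned


if __name__ == "__main__":
    totals, banned = simulate_jail(SAMPLE_LOG)
    for host, n in totals.items():
        print(f"{host}: {n} failure(s){' -> banned' if host in banned else ''}")
```

With the defaults, 10.10.10.101 is banned after its fifth failure while 172.31.16.3 is only counted; the unrelated core error line is not matched by this filter at all, which is the behaviour you want to confirm before lowering maxretry or widening findtime.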

Start Fail2ban with Kopano Filter

Restart Fail2ban to enable the changes.

$ systemctl restart fail2ban

Check Fail2ban Client Status

The status of Fail2ban can be checked as follows.

$ fail2ban-client status
Status
|- Number of jail: 3
'- Jail list: apache-auth, kopano-webapp, sshd
 
root@kopano:~# fail2ban-client status kopano-webapp
Status for the jail: kopano-webapp
| Filters
|  |- Currently failed: 0
|  |- Total failed: 7
|  '- File list: /var/log/apache2/mattermost-error.log /var/log/apache2/error.log
'- Actions
   |- Currently banned: 4
   |- Total banned: 52
   '- Banned IP list: 10.10.10.101 172.17.88.91 172.31.16.3 10.32.57.98

The firewall itself shows which hosts Fail2ban currently blocks; query the f2b chains in iptables:

$ iptables -vnL | egrep "f2b-kopano-webapp|apache-auth|sshd"

Fail2ban intrusion prevention software framework

Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

It includes support for both IPv4 and IPv6. Optionally longer bans can be custom-configured for “recidivist” abusers that keep coming back. Fail2ban is typically set up to unban a blocked host within a certain period, so as to not “lock out” any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

Find text string in files and subdirectories

Search and find text strings in files and subdirectories, with the result stored in a variable

Usually, when searching for strings in files, we use Windows Explorer or Windows Search. On Linux, Gnome uses Nautilus or Nemo; on macOS we use the Finder.

Command-line commands help with automated processing by scripts and batch processes. This post shows how to search for text strings in files in the Windows Command Prompt and in the Linux shell.

findstr text strings in the command prompt

In the Windows Command Prompt (open it with Windows+R and run cmd), the findstr command does the job, as the following example shows.

findstr /s /i "dolor" *.*
doc.txt:Lorem ipsum dolor sit amet

If you want to assign the result to a variable for further processing in scripts, this can be done with a for loop; the following lines are saved to a batch file and executed.

@echo off
rem Search all files below the current directory (/s), case-insensitively (/i);
rem findstr searches the given files directly, so no input pipe is needed.
rem Each matching line is assigned to var, so var holds the last match found.
for /f "delims=" %%A in ('findstr /s /i "dolor" *.*') do set "var=%%A"
echo %var%

With echo, the entire line containing the searched word dolor is output; if you want to narrow the output to just the characters of one word, this can be done with the substring syntax of variable expansion.

doc.txt:Lorem ipsum dolor sit amet 
1234567890123456789012345678901234

Our word dolor begins after the 20th character of the line and is 5 characters long.
Running the batch file with the argument dolor now outputs only dolor, the match found in the file doc.txt.

@echo off
rem %1 is the search word passed as the first argument to this batch file
for /f "delims=" %%A in ('findstr /s /i %1 *.*') do set "var=%%A"
rem Substring expansion: 5 characters starting at zero-based offset 20 of var
echo %var:~20,5%

The variable var is assigned the output of findstr.

Find text strings in files using Linux shell

$ grep -r "dolor" *
Dokumente/doc.txt:Lorem ipsum dolor sit amet

In the Linux bash console, grep and find are used.

$ find . -type f -print0 | xargs -0 grep "dolor"
./Dokumente/doc.txt:Lorem ipsum dolor sit amet

The text search with grep looks as follows; the result is assigned to the variable var and output with echo.

$ var=`grep -r "dolor" *`
$ echo $var
Dokumente/doc.txt:Lorem ipsum dolor sit amet

If you do not want grep to output the entire line but only the third word, pipe the result through awk.

$ var=`grep -r "dolor" * | awk '{ print $3 }'`
$ echo $var
dolor

There are many other possibilities, especially in the Linux bash: the find command is very extensive and, via xargs, can hand its results to grep with regular expressions or to other commands; find --help lists all options. The aim here is only to give an introduction to the usage and procedure.

Remarks

This post shows how to find text strings in files from the command line. Typically, when searching for strings in files, we use Windows Explorer or Windows Search. On Linux we use Gnome Nautilus or Nemo, and on macOS we use the Finder.

Command-line commands help with automated processing through scripts and batch processes. This post shows how to search for text strings in files in the Windows Command Prompt and the Linux shell and how to assign the results to variables.