Fail2ban or 2FactorAuthentication

Anmol Sharma

Mon, 29 Oct 2018 01:55:38 -0700

!Hubzilla Support Forum {support@zotadel.net}
Somebody has working Fail2ban or 2FactorAuthentication settings for brute force attacks protection?!

Hubzilla Fail2ban

show all 14 comments

Alex

Mygeeto, Mon, 29 Oct 2018 02:42:06 -0700

?️

M. Dent

Mon, 29 Oct 2018 05:15:15 -0700

I frequently use NGINX rate limiting as a first line of defense. I've thought about 2FA, but if it is done over SMS, I find that it is technically less securen than most standard passwords (assuming isers choose good passwords)

Anmol Sharma

Mon, 29 Oct 2018 06:53:46 -0700

@M. Dent
It would nice to know about NGINX rate limiting. Can you tell me the configuration for it?

M. Dent

Mon, 29 Oct 2018 07:11:44 -0700

This is a pretty good primer: NGINX Rate Limiting

I haven't (yet) implemented it on Hubzilla, but expect I will have a need. From a quick glance, it appears it will require compiling nginx with the form input module - which is already included in the OpenResty package.

Protect your applications from excessive traffic, including DDoS attacks, by controlling the requests they receive with NGINX rate limiting.

Steffen K9 ðŸ™

Mon, 29 Oct 2018 13:38:52 -0700

I have set up fail2ban for Hubzilla's login. You need to enable debug logging at loglevel 'Normal'. Be careful. The size of the log file can grow to several 100 MBs per day.

/etc/fail2ban/jail.local

[hubzilla]
enabled = true
findtime = 300
bantime = 900
maxretry = 3
filter = hubzilla
port = http,https
logpath = /path/to/hubzilla.log
logencoding = utf-8

/etc/fail2ban/filter.d/hubzilla.conf

[Definition]
failregex= ^.*auth\.php.*failed login attempt.*from IP <HOST>.*$
ignoreregex =

h.ear.t | tobias

Mon, 29 Oct 2018 15:14:19 -0700

Anmol Sharma

Tue, 30 Oct 2018 00:53:32 -0700

@Steffen K9 ?

I tried the configuration but its not working for me. Is there an error message for fail2blog? How to debug?

Steffen K9 ðŸ™

Tue, 30 Oct 2018 02:02:46 -0700

Well, I don't know if there is an error message in your fail2ban log.

This configuration works on Ubuntu/Debian. Paths and file names may be different on other distributions.

Anmol Sharma

Wed, 31 Oct 2018 06:27:08 -0700

I use Yunohost which is Debian 9 based. I have enabled the Ldap plugin which lets all the Ldap user able to login and have there accounts despite of registration closed on my hub.
I will try to use the fail2ban configuration without the Ldap plugin to see if it works.

Anmol Sharma

Wed, 07 Nov 2018 16:19:59 -0800

@Steffen K9 ?
The fail2ban works for ip4 but do not work for ip6.
Can you confirm?

Waitman Gobble

Wed, 07 Nov 2018 20:39:07 -0800

I wrote a yubikey addin a few years ago. (Non nomadic) It would be good to have a FreeOTP plugin. I'm not sure these would work well with a nomadic identity though. It could be done i suppose. FreeOTP is kind of like a hash based on your secret that is only valid for a limited amount of time. Both endpoints need the secret, but they don't have to talk to each other. It would require running a FreeOTP cli on the server, which would complicate things. Yubikey is like a 12 digit serial number and a hash based on the serial, which also is only valid for a limited time. So the 12 digit serial would be like a username. Its hardcoded on the device. To validate the hash you have to run a validation server or use theirs.

Anmol Sharma

Thu, 15 Nov 2018 11:13:05 -0800

@Waitman Gobble
Yes I have FreeOTP would be great for the Hubzilla.
Meanwhile the Fail2ban works for IPv6 now. I was using old version for Fail2ban which is available on Debain 9. The latest version of Fail2ban deals with IPv6 well.

cb7f604332cf39

Thu, 15 Nov 2018 11:22:23 -0800

@Waitman Gobble As an owner of an Yubikey I would like to ask you nicely for the code.
From my perspective the OTP should be bound to the account for login and not to the channel.
So the account isn't part of the nomdic feature.

Waitman Gobble

Thu, 15 Nov 2018 17:54:04 -0800

Ok i will track it down