
Banning IP that fails openHAB authentication

openHAB is home automation software that lets you control your home, collect feedback from your sensors, and build various scenarios and rules.
It is very good software if you have some IT knowledge, mainly because rules are written in a Domain Specific Language built on Xbase, which lets you extend the base abilities of the software (which are already powerful :-).

Nevertheless, I'm not here to talk about openHAB itself but to explain how to add a fail2ban jail configured to fit the openHAB log.

Fail2ban scans log files and bans IPs that match certain rules. In our case the goal is to scan the openHAB logs for too many authentication failures and, if that is the case, ban the corresponding IP.

Tested with:

  • fail2ban 0.9.3 (doesn't work with 0.8.x)
  • openhab 1.7.x, 1.8.x
  • https


Prerequisites:
Enable authentication in openhab.cfg:
security:option=ON
or
security:option=EXTERNAL
and set some users/passwords in users.cfg.

Set your system locale to English (I had some trouble with a different locale: fail2ban was not able to detect the timestamp in the request log because the months were not written in English).

To enable IP banning we need to add a filter to fail2ban, define the corresponding jail, and change the log format of openHAB.

Adding the filter to fail2ban: add a file openhab.conf with this content to the filter.d folder of the fail2ban install:

# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
#
# Block IPs trying to auth openhab by web or rest api
#
# Matches e.g.
# 12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 
# 175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
[Definition] 
failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
[Init]
datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z

failregex and datepattern made by Serg G. Brester
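
The failregex contains an empty `\[\]` because fail2ban cuts the timestamp matched by datepattern out of the line before it applies failregex. The sketch below is an added example, not fail2ban's code or part of the original post; it emulates that two-step match in Python. The function names, the IPv4-only `<HOST>` stand-in, the simplified `%b` handling and the sample log lines are assumptions constructed for illustration.

```python
import re

# IPv4-only stand-in for fail2ban's <HOST> tag (assumption made for this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex copied from openhab.conf above, with <HOST> substituted.
FAILREGEX = re.compile(
    r'^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$'.replace("<HOST>", HOST))
# Plain-regex rendering of datepattern %d/%b[^/]*/%Y:%H:%M:%S %z.
# Simplification: %b is taken as any three ASCII letters.
DATE = re.compile(r"\d{2}/[A-Za-z]{3}[^/]*/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")


def failed_host(line):
    """Return the client IP if the filter would count this line, else None."""
    # fail2ban cuts the matched timestamp out of the line before trying
    # failregex, so a recognised date leaves the empty "[]" the regex expects.
    stripped = DATE.sub("", line, count=1)
    match = FAILREGEX.match(stripped)
    return match.group("host") if match else None


def offenders(lines, maxretry):
    """IPs with at least maxretry counted failures (findtime window not modelled)."""
    counts = {}
    for line in lines:
        host = failed_host(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed request.log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '203.0.113.7 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 ',
    '203.0.113.7 -  -  [26/sept./2015:18:04:45 +0200] "GET /rest/bindings HTTP/1.1" 401 1384',
    '203.0.113.7 -  -  [26/Sep/2015:18:04:47 +0200] "POST /rest/items HTTP/1.1" 401 1384',
    '198.51.100.4 -  -  [26/Sep/2015:18:05:00 +0200] "GET /openhab.app HTTP/1.1" 401 1382',
    '198.51.100.4 -  -  [26/Sep/2015:18:05:02 +0200] "GET /openhab.app HTTP/1.1" 200 5120',
    # Month written as a number: the date is not recognised, "[...]" stays, no match.
    '192.0.2.9 -  -  [26/09/2015:18:06:00 +0200] "GET /openhab.app HTTP/1.1" 401 1382',
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(failed_host(sample_line), "<-", sample_line.strip())
    print("would be banned with maxretry=3:", offenders(SAMPLE, 3))
```

On a host with fail2ban installed, `fail2ban-regex /opt/openhab/logs/request.log /etc/fail2ban/filter.d/openhab.conf` runs the real filter against the real log and reports how many lines matched.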

Define the corresponding jail in your jail.local file:

[openhab-auth]
enabled = true
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

Change the openHAB log format: in the etc/ folder of your openHAB install, modify the Jetty log configuration so as to have:

<Set name="filename"><SystemProperty name="jetty.logs" default="./logs"/>/request.log</Set>
<Set name="filenameDateFormat"></Set>
<Set name="retainDays">30</Set>

Restart openhab and fail2ban (sudo service fail2ban restart)

Please check that the request log follows the seasonal time change (summer or winter time).

Test your changes:

Before testing, please set the bantime to 200 seconds or less so that you do not ban yourself for too long, and prepare a recovery solution in case you have made a configuration mistake (direct connection, or a connection from another IP).
To test your change, try to log in through either the web interface or mobile with a wrong login or password several times (more than the number of times you set in your jail.local with the maxretry parameter).

After several attempts your IP address should be banned and you lose access to your server.

More info is available in this pull request:
https://github.com/fail2ban/fail2ban/pull/1223
