Banning IP that fails openHAB authentication

openHAB is home automation software that lets you control your home, get feedback from your sensors and run various scenarios and rules.
It's very good software if you have some IT knowledge, mainly because the rules let you develop with a Domain Specific Language built on Xbase and extend the base abilities of the software (which are already powerful :-).

Nevertheless, I'm not here to talk about openHAB but rather to explain how to add a fail2ban jail configured to fit the openHAB log.

Fail2ban scans log files and bans IPs that match certain rules. In our case the goal is to scan the openHAB logs to check whether there are too many authentication failures and, if so, ban the corresponding IP.

Tested with:

  • fail2ban 0.9.3 (doesn't work with 0.8.x)
  • openhab 1.7.x, 1.8.x
  • https


Prerequisites:
Enable authentication in openhab.cfg:
security:option=ON
or
security:option=EXTERNAL
and set some users/passwords in users.cfg

Set your system locale to English (I had some trouble when I was on a different locale: fail2ban was not able to detect the timestamp in the request log because the months were not written in English)

To enable IP banning we need to add a filter to fail2ban, define the corresponding jail and change the log format of openHAB.

Adding the filter to fail2ban: add a file openhab.conf with this content to the filter.d folder of the fail2ban install:

# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
#
# Block IPs trying to auth openhab by web or rest api
#
# Matches e.g.
# 12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 
# 175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
[Definition] 
failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
[Init]
datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z

failregex and datepattern made by Serg G. Brester
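
The failregex contains a literal `\[\]` because fail2ban 0.9 cuts the timestamp matched by datepattern out of the line before it applies failregex, so only empty brackets remain. The Python below is an added example, not part of the original post or of fail2ban; HOST_RE and DATE_RE are simplified stand-ins (assumptions) for the expressions fail2ban generates, and the sample lines after the first two are constructed.

```python
import re
from collections import Counter

# failregex copied verbatim from the page's openhab.conf.
FAILREGEX = r'^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$'

# Assumptions: simplified stand-ins for what fail2ban generates itself.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'  # IPv4 only
DATE_RE = re.compile(  # approximates %d/%b[^/]*/%Y:%H:%M:%S %z
    r'\d{1,2}/[^/\s]+/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}')

FAIL = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))

# First two lines come from the filter header; the others are constructed.
SAMPLE_LOG = [
    '12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 ',
    '175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384',
    '203.0.113.7 -  -  [26/Sep/2015:18:05:01 +0200] "GET /openhab.app HTTP/1.1" 401 1382',
    '203.0.113.7 -  -  [26/Sep/2015:18:05:03 +0200] "GET /rest/items HTTP/1.1" 401 1384',
    '203.0.113.7 -  -  [26/Sep/2015:18:05:06 +0200] "POST /rest/items/Light HTTP/1.1" 401 1384',
    '203.0.113.7 -  -  [26/Sep/2015:18:05:10 +0200] "GET /openhab.app HTTP/1.1" 200 5120',
    '198.51.100.9 -  -  [26/Sep/2015:18:06:00 +0200] "GET /rest/bindings HTTP/1.1" 200 812',
]

def strip_timestamp(line):
    """Cut the matched timestamp out of the line, leaving '[]' behind."""
    line = line.rstrip('\r\n')
    stamp = DATE_RE.search(line)
    if stamp is None:
        return line
    return line[:stamp.start()] + line[stamp.end():]

def failed_host(line):
    """Client IP if the line is a 401 the filter would count, else None."""
    match = FAIL.search(strip_timestamp(line))
    return match.group('host') if match else None

def count_failures(lines):
    """Failures per IP; fail2ban compares this count (within findtime) to maxretry."""
    return Counter(host for host in map(failed_host, lines) if host)

if __name__ == '__main__':
    for host, hits in count_failures(SAMPLE_LOG).items():
        print(host, hits)
    # The raw line never matches: the timestamp is still inside the brackets.
    print(FAIL.search(SAMPLE_LOG[0]))
```

On a live system, `fail2ban-regex /opt/openhab/logs/request.log /etc/fail2ban/filter.d/openhab.conf` performs the same check with the real filter.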

Define the corresponding jail in your jail.local file:

[openhab-auth]
enabled = true
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

Change the openHAB log format: in the etc/ folder of your openHAB installation, modify the jetty log configuration so as to have:

<Set name="filename"><SystemProperty name="jetty.logs" default="./logs"/>/request.log</Set>
<Set name="filenameDateFormat"></Set>
<Set name="retainDays">30</Set>

Restart openhab and fail2ban (sudo service fail2ban restart)

Please check that the request log follows the annual hour change (summer or winter hours).

Test your changes:

Before testing, please set the bantime to 200 seconds or less so as not to ban yourself for too long, and prepare a recovery solution in case you've made a wrong configuration (direct connection, or a connection from another IP).
To test your change, try to log in either by the web interface or by mobile with a wrong login or password several times (in fact more than the number of times that you set in your jail.local, parameter maxretry).

After several attempts your IP address should be banned and you lose access to your server.

More information is available in this pull request:
https://github.com/fail2ban/fail2ban/pull/1223
