
Banning IP that fails openHAB authentication

OpenHAB is a home automation software that lets you control your home, get feedback from your sensors and run various scenarios and rules.
It is very good software when you have some IT knowledge, mainly because the rules you can develop with its Domain Specific Language (built on Xbase) extend the base abilities of the software (which are already powerful out of the box :-).

Nevertheless I'm not here to talk about openHAB, but rather to explain how to add a jail to fail2ban configured to fit the openHAB log.

Fail2ban scans log files and bans IPs that match some rules. In our case the goal is to scan the openHAB logs for too many authentication failures and, if that is the case, ban the corresponding IP.

Tested with:

  • fail2ban 0.9.3 (doesn't work with 0.8.x)
  • openhab 1.7.x, 1.8.x
  • https

Enable authentication in openhab.cfg and set some users/passwords in users.cfg.

Set your system locale to English (I had some trouble when I was on a different locale: fail2ban was not able to detect the timestamp in the request log because the months were not written in English).

To enable IP banning we need to add a filter to fail2ban, define the corresponding jail and change the log format of openHAB.

Add the filter to fail2ban: create a file openhab.conf with this content in the filter.d folder of the fail2ban install:

# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
# Block IPs trying to auth openhab by web or rest api
# Matches e.g.
# -  -  [26/sept./2015:18:04:43 +0200] "GET / HTTP/1.1" 401 1382 
# -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z

The failregex and datepattern were made by Serg G. Brester.

Define the corresponding jail in your jail.local file:

# Jail section header: a jail definition in jail.local must start with its name in brackets
[openhab]
enabled = true
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

Change the openHAB log format: in your openHAB folder, under etc/, modify the jetty log configuration so as to have:

<Set name="filename"><SystemProperty name="jetty.logs" default="./logs"/>/request.log</Set>
<Set name="filenameDateFormat"></Set>
<Set name="retainDays">30</Set>

Restart openHAB and fail2ban (sudo service fail2ban restart).

Please check that the request log follows the annual clock change (summer or winter time).

Test your changes:

Before testing, set bantime to 200 seconds or less so as not to ban yourself for too long, and prepare a recovery solution in case you've made a configuration mistake (a direct connection, or a connection from another IP).
To test your change, try to log in either through the web interface or the mobile app with a wrong login or password several times (more than the number you set in jail.local with the maxretry parameter).

After several attempts your IP address should be banned and you lose access to your server.
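To see what the filter and jail parameters do before touching a live system, here is an added example (not part of the original post or of fail2ban) that replays the failregex and datepattern above over a constructed request.log sample, with maxretry and findtime modelled the way jail.local uses them. The sample addresses are RFC 5737 documentation addresses, and the date handling is a simplified stand-in for fail2ban's own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the filter above; <HOST> is replaced by a host group as fail2ban does (simplified).
FAILREGEX = re.compile(r'^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$'
                       .replace("<HOST>", r"(?P<host>[\w\-.:]+)"))
# Bracketed timestamp as written by the datepattern %d/%b[^/]*/%Y:%H:%M:%S %z.
DATE_RE = re.compile(r"\[(\d{2}/[^/]+/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed request.log sample (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Sep/2015:18:04:43 +0200] "GET / HTTP/1.1" 401 1382
192.0.2.10 - - [26/Sep/2015:18:04:45 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
198.51.100.7 - - [26/Sep/2015:18:04:50 +0200] "GET /rest/items HTTP/1.1" 200 5120
192.0.2.10 - - [26/Sep/2015:18:04:55 +0200] "GET / HTTP/1.1" 401 1382
203.0.113.5 - - [26/sept./2015:18:05:00 +0200] "GET / HTTP/1.1" 401 1382
203.0.113.5 - - [26/sept./2015:18:05:01 +0200] "GET / HTTP/1.1" 401 1382
203.0.113.5 - - [26/sept./2015:18:05:02 +0200] "GET / HTTP/1.1" 401 1382
""".splitlines()

def parse_line(line):
    """Return (host, timestamp) for an auth failure, else None. As fail2ban 0.9 does,
    the timestamp is cut out first (hence the literal "[]" in failregex); a month that
    is not an English abbreviation ('sept.') does not parse and the line is ignored."""
    m = DATE_RE.search(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:  # this is the locale problem described above
        return None
    f = FAILREGEX.match(line[:m.start()] + "[]" + line[m.end():])
    return (f.group("host"), when) if f else None

def scan(lines, maxretry=3, findtime=600):
    """Return {host: time_of_ban} for hosts reaching maxretry failures within findtime seconds."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(deque), {}
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit[0] in banned:
            continue
        host, when = hit
        q = recent[host]
        q.append(when)
        while when - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = when
    return banned
```

Only 192.0.2.10 ends up banned: the 200 response is not a failure, and the three lines with a French month abbreviation are never counted, which is exactly why the post insists on an English locale.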

More info is available in this pull request:



With version V0.9 of OpenMQTTGateway  @steadramon  &  @puuu  (the ESP library creator) enabled by their work to integrate Pilight library on OMG. Permiting to increase significantly the list of RF protocols of OMG . But now that we have this interesting possibility and with the goal of OMG of beiing multi boards compatible, why not trying to put Pilight on a Sonoff RF Bridge . So as to do this test I ordered a new one so as to be on the same hardware as most of the users (my other RF Bridge is a demonstration old one) So as to decode RF signals the Sonoff RF Bridge has a special dedicated chip (EFM8BB1)  that communicate with the esp8285 with a serial connection. If we want to increase the number of RF protocols compatibles on the device without modifying the hardware, the only software based solution is to hack the  EFM8BB1. This hack is available and made by @ Portisch . The list of protocol is interesting but at the moment not as big as Pilight one. Maybe I will t