playSMS Forum

[howto] Fail2ban for playSMS

This is how to use fail2ban to protect playSMS from invalid logins. Correctly configured fail2ban will ban/block/reject IP of users/attackers when playSMS got too many invalid logins in short period of time.

Please note that the actual ban is done by iptables or whatever action command configured on fail2ban.

Step 1:

Configure fail2ban correctly. There are many manuals how to do it, usually the example is to protect SSH service from fail logins.

Step 2:

Add playsms.conf to /etc/fail2ban/filter.d

playsms.conf:

# Fail2Ban filter for playSMS
# Detecting failed login attempts
[Definition]
failregex = auth_validate_login # invalid login .* ip:<HOST>$
ignoreregex =

Step 3:

Enable the filter to get fail2ban watch over playSMS log files. Add playsms.local to /etc/fail2ban/jail.d

playsms.local:

[playsms]
enabled = true
port    = http,https
filer   = playsms
logpath = /home/komodo/log/playsms/playsms.log
          /home/komodo/log/playsms.log
          /var/log/playsms/playsms.log
          /var/log/playsms.log

Step 4:

Reload fail2ban.


fail2ban log showing an IP banned:

2020-03-07 05:26:44,121 fail2ban.filter         [7878]: INFO    [playsms] Found 192.168.0.86 - 2020-03-07 05:26:43
2020-03-07 05:27:02,151 fail2ban.filter         [7878]: INFO    [playsms] Found 192.168.0.86 - 2020-03-07 05:27:02
2020-03-07 05:27:04,757 fail2ban.filter         [7878]: INFO    [playsms] Found 192.168.0.86 - 2020-03-07 05:27:04
2020-03-07 05:27:07,964 fail2ban.filter         [7878]: INFO    [playsms] Found 192.168.0.86 - 2020-03-07 05:27:07
2020-03-07 05:27:09,969 fail2ban.filter         [7878]: INFO    [playsms] Found 192.168.0.86 - 2020-03-07 05:27:09
2020-03-07 05:27:10,666 fail2ban.actions        [7878]: NOTICE  [playsms] Ban 192.168.0.86

anton

Thank you for protecting against brute force.
It is good that protection against selection of login is added.
One question, is there a solution using fail2ban to protect the API in the same way?
In such cases, the price was not fail2ban

Respectfully,
Jamshid Tursunov

set fail2ban everything indicated as in the instructions.
It turned out the following:
4 lines appeared in the fail2ban log
2020-03-07 20: 07: 21,525 fail2ban.filter [1821]: INFO [playsms] Found 192.168.10.22 - 2020-03-07 20:07:21
2020-03-07 20: 07: 27,438 fail2ban.filter [1821]: INFO [playsms] Found 192.168.10.22 - 2020-03-07 20:07:27
2020-03-07 20: 07: 30,228 fail2ban.filter [1821]: INFO [playsms] Found 192.168.10.22 - 2020-03-07 20:07:30
2020-03-07 20: 07: 33,268 fail2ban.filter [1821]: INFO [playsms] Found 192.168.10.22 - 2020-03-07 20:07:33
and nothing else happened after that. logs looked through the second console in real time.
I tried at least 10 times, but more than 4 lines did not appear.

Respectfully,
Jamshid Tursunov

if the 10 times invalid logins appeared in the log then the issue is in fail2ban, try ask linux/networking community about that

links to fail2ban installation here: https://antonraharja.com/2020/03/07/fail2ban-for-playsms/#more-1188

anton

No no.
The situation is as follows:
I tried, tried 10 or 12 times, but 4 entries appeared in the fail2ban log.
I just checked, now some entries are not written in the fail2ban log

Screenshot_20200307_225033

And there is no reaction
P.S. The OS did not install AppArmon or SELinux

Respectfully,
Jamshid Tursunov

what I meant, if the 10 times invalid logins appeared in playSMS log (/home/komodo… or /var/log…playsms.log) then it means your fail2ban has issues

so check playSMS log, see if theres invalid logins theres as much as you tested

anton

Anton, you know, in cases where playsms will be located behind the reverse proxy, in such cases all requests will come from the reverse proxy address and it will be blocked.

Respectfully,
Jamshid Tursunov

PlaySMS log output:
192.168.10.22 example.com 2020-03-07 23:02:27 PID5e63e1b34a0c0 - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:109c9001c75afb5e4313dzfd9472b4cd3c9d ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:27 PID5e63e1b34a0c0 - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:35 PID5e63e1bbb66db - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:f4b439a9bff80229cfhddf16d0a5191ezb21 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:35 PID5e63e1bbb66db - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:41 PID5e63e1c11271f - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:c956a7cb279a87e857a28cfdsf5314czf1e0dc ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:41 PID5e63e1c11271f - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:45 PID5e63e1c5a7b6b - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:18940520f2d6d365dc4d2a9bsdfsb6cfcbb98 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:02:45 PID5e63e1c5a7b6b - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:03:36 PID5e63e1f8d2035 - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:07c472ff26d7994ea0rc004bfsdf358767078 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:03:36 PID5e63e1f8d2035 - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:27 PID5e63e22bcde2f - L3 auth_validate_login # login attempt u:fsdafasdf uid: p:0efdf79bcd469e414s2c33fsde35751adf7d ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:27 PID5e63e22bcde2f - L2 auth_validate_login # invalid login u:fsdafasdf uid: ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:47 PID5e63e23f35c09 - L3 auth_validate_login # login attempt u:fsdafasdf uid: p:07c472ff26d7994eaf0c0sfs04b358767078 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:47 PID5e63e23f35c09 - L2 auth_validate_login # invalid login u:fsdafasdf uid: ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:59 PID5e63e24b730c2 - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:07c472ff26d7994ea0cs00sdfs4b358767078 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:04:59 PID5e63e24b730c2 - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:10:28 PID5e63e3949d56e - L3 auth_validate_login # login attempt u:s45g-f uid:2 p:c1fedb2d17ca40af1c27f252fsd8be48 ip:192.168.10.22
192.168.10.22 example.com 2020-03-07 23:10:28 PID5e63e3949d56e - L2 auth_validate_login # IP blacklisted u:s45g-f uid:2 ip:192.168.10.22

Respectfully,
Jamshid Tursunov

Yes, it is blocked, but at the same time fail2ban.actions does not appear in the fail2ban log, after 4 entries (INFO),

nothing is written, as in the above screenshot.

P.S. Installed latest version of fail2ban

After several time:

based on fail2ban settings:

it can be seen that the ban is given for 10 minutes. But I tried to log in after 10 minutes, it does not work.

In PlaySMS log:
L3 auth_validate_login # login attempt
L2 auth_validate_login # IP blacklisted

Respectfully,
Jamshid Tursunov

interesting, blacklist an IP need to be made through web UI, no automation in playSMS. unless you customised it

as for no action in fail2ban, Im sure its fail2ban config, or perhaps missing parts, like the firewalld need to be install (if you’re using Centos)

anton

Yes, probably
Screenshot_20200308_173249

As can be seen from the screenshot, fail2ban blocked IP, this happened on the side of PlaySMS.
How to remove IP and user from the blacklist now?

Respectfully,
Jamshid Tursunov

the fail2ban screenshot shown no IP banned by fail2ban, perhaps the action part not configured properly, Ill try to update the article with my full config soon

removing blacklisted IP from playSMS is by going through login admin and menu Firewall

anton

Hi Anton!
Only now, most likely, you need to understand the point that playsms can be located behind the reverse proxy, where the address of the client will be the address of the reverse proxy.

Respectfully,
Jamshid Tursunov

you can bring real IP to playSMS behind reverse proxy, you just need to configure the proxy to do that

and possibly modify plugin/core/logger/fn.php and plugin/core/auth/fn.php to not read the IP from REMOTE_ADDR

anton

Good day, Anton!
After all the changes, the variable $ _SERVER [‘REMOTE_ADDR’] will still receive 127.0.0.1, but the real IP address of the user will come to $ _SERVER [‘HTTP_X_REAL_IP’]. This is the conclusion of phpinfo.
Fields $ _SERVER [‘HTTP_X_FORWARDED_FOR’] and
$ _SERVER [‘HTTP_X_REAL_IP’] issue my real IP.

Anton, tell me how to continue, where to change what?
Thanks in advance.

Respectfully,
Jamshid Tursunov

here in this files @MAPIIIAJI find and replace REMOTE_ADDR

Anton, I’m sorry, I didn’t fully understand, should REMOTE_ADDR be changed?

/var/www/playsms# cat -n plugin/core/auth/fn.php |grep -i remote_addr

34                  _log('invalid username u:' . $username . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
40          _log('login attempt u:' . $username . ' uid:' . $uid . ' p:' . md5($password) . ' ip:' . $_SERVER['REMOTE_ADDR'], 3, 'auth_validate_login');
43          if (blacklist_ifipexists($username, $_SERVER['REMOTE_ADDR'])) {
44                  _log('IP blacklisted u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
49                  _log('user banned u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
58                  _log('valid login u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
61                  blacklist_clearip($username, $_SERVER['REMOTE_ADDR']);
68                          _log('valid login u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'] . ' using temporary password', 2, 'auth_validate_login');
74                          blacklist_clearip($username, $_SERVER['REMOTE_ADDR']);
81          blacklist_checkip($username, $_SERVER['REMOTE_ADDR']);
83          _log('invalid login u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
98          _log('login attempt email:' . $email . ' u:' . $username . ' p:' . md5($password) . ' ip:' . $_SERVER['REMOTE_ADDR'], 3, 'auth_validate_email');
   112                  _log('login attempt token:' . $token . ' ip:' . $_SERVER['REMOTE_ADDR'], 3, 'auth_validate_token');
   122                  if (blacklist_ifipexists($username, $_SERVER['REMOTE_ADDR'])) {
   123                          _log('IP blacklisted u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_login');
   132                                          if (core_net_match($net, $_SERVER['REMOTE_ADDR'])) {
   134                                                          _log('user banned u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_token');
   140                                                          _log('valid login u:' . $username . ' uid:' . $uid . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_token');
   144                                                  blacklist_clearip($username, $_SERVER['REMOTE_ADDR']);
   154          blacklist_checkip($username, $_SERVER['REMOTE_ADDR']);
   156          _log('invalid login t:' . $token . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'auth_validate_token');

cat -n plugin/core/logger/fn.php|grep -i remote_addr

25          $remote = ( trim($_SERVER['REMOTE_ADDR']) ? trim($_SERVER['REMOTE_ADDR']) : '-' );
48                          // REMOTE_ADDR HTTP_HOST DATE TIME PID USERNAME TYPE LABEL # LOG
92                  $ip = $_SERVER['REMOTE_ADDR'];

All rows containing REMOTE_ADDR

Respectfully,
Jamshid Tursunov

yes, and you can open the file with text editor, search and replace all REMOTE_ADDR with HTTP_X_REAL_IP

anton

Great, Anton works, thanks.
Two points that I would like to clarify:
While fail2ban has not yet been installed, and not tested, I will test it and if there are questions, I will bother you =)

  1. The blocking threshold, as I understand it, 5 attempts and the urge falls into the Blocked IP address, therefore the question is, how can this threshold be increase or decrease (manage)?
  2. After 5 attempts, the user also receives a message:

Wouldn’t it be better to show the user a warning, something like:

Warning
Due to frequent login attempts, your account has been locked.

Yes, I understand, this imposes additional lines of code, but it seems to me that it would be visually more competent.

Respectfully,
Jamshid Tursunov

Did you customise playSMS to get failed logins blocked ? I forgot if I ever added it in playSMS, I don’t remember if such action already added to playSMS.

anton