Hi everyone,

I have made a new filter today to secure my CryptPad instance against brute-force attacks. I'm using a fail2ban regex filter to match all failed login attempts.

Add the following lines to /etc/fail2ban/filter.d/cryptpad.conf:

[Definition]

failregex = ^<HOST>+[^"]+\"GET /block/+[^"]+\" 404+[^"]+\"https://+[^/]+/login/"

After that's done, copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and add the following lines to /etc/fail2ban/jail.local:

[cryptpad]

enabled = true
filter  = cryptpad
port    = http,https
logpath = /var/log/nginx/access.log

Please check that your logpath is right for your server; by default it is inside the /var/log/nginx folder.

The regex filter will find all login attempts that don't find any block file (404 error). It means that if someone enters a wrong login and/or password, the hash algorithm will generate a block file which doesn't exist. The filter will catch it.
If someone logs in successfully, the block is found, so it doesn't generate an error.

I hope this helps people and the CryptPad team to improve their security!

Thanks for reading 😊

Hey,

As said on our Matrix chat announcement, thank you very much for your contribution! 🤗

We are curious about the number of attempts needed to have your IP address banned. If I understand Fail2ban properly, you normally have to set up a maxretry = X value. Do you know what its default is?

    Mathilde, by default:

    # "bantime" is the number of seconds that a host is banned.
    bantime  = 10m
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 10m
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5

    You can set the variables under [cryptpad] if you want different values.
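As an added example (not part of this thread, and not CryptPad's or fail2ban's own code), the script below runs the failregex from the first post over a few constructed nginx access-log lines and then replays the default jail settings quoted above (maxretry = 5, findtime = 10m, bantime = 10m) to show which host would be banned. It assumes a simplified expansion of fail2ban's <HOST> token (the real one is more elaborate) and nginx's default combined log format; the instance name, IP addresses and block ids are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted in the thread (fail2ban filter syntax).
FAILREGEX = r'^<HOST>+[^"]+\"GET /block/+[^"]+\" 404+[^"]+\"https://+[^/]+/login/"'

# fail2ban expands <HOST> into a named group before compiling. This is a
# simplified stand-in for its real expansion (assumption): it covers the
# IPv4/IPv6 literals nginx writes at the start of each line.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# fail2ban locates the timestamp with its own date detector, separately from
# the failregex; here a small regex pulls the bracketed nginx date out instead.
DATE_RE = re.compile(r"\[([^\]]+)\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failures(lines):
    """Yield (host, timestamp) for every access-log line the filter matches."""
    for line in lines:
        m = PATTERN.match(line)
        if m is None:
            continue
        ts = datetime.strptime(DATE_RE.search(line).group(1), DATE_FMT)
        yield m.group("host"), ts


def count_failures(lines):
    """Matched failures per host: the events fail2ban would count."""
    counts = defaultdict(int)
    for host, _ in parse_failures(lines):
        counts[host] += 1
    return dict(counts)


def simulate_jail(lines, maxretry=5, findtime=timedelta(minutes=10),
                  bantime=timedelta(minutes=10)):
    """Replay matched failures in time order with the jail's ban rule.

    A host is banned once it has maxretry failures inside a sliding findtime
    window; further lines from a host still inside its bantime are ignored.
    Returns {host: time_of_ban}.
    """
    recent = defaultdict(list)
    banned = {}
    for host, ts in sorted(parse_failures(lines), key=lambda p: p[1]):
        if host in banned and ts < banned[host] + bantime:
            continue
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
            recent[host] = []
    return banned


def log_line(host, minute, path, status, referer):
    """Build one constructed nginx combined-format line (sample data, not real traffic)."""
    return (f'{host} - - [12/Mar/2024:10:{minute:02d}:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 162 "{referer}" "Mozilla/5.0"')


LOGIN_REF = "https://pad.example.org/login/"  # made-up instance
BLOCK = "/block/deadbeefcafe0001"              # made-up block id

# Constructed sample log, grouped by host for readability; simulate_jail sorts it.
SAMPLE_LOG = [
    # 203.0.113.7: five wrong passwords in five minutes -> five missing blocks
    log_line("203.0.113.7", 0, BLOCK, 404, LOGIN_REF),
    log_line("203.0.113.7", 1, BLOCK, 404, LOGIN_REF),
    log_line("203.0.113.7", 2, BLOCK, 404, LOGIN_REF),
    log_line("203.0.113.7", 3, BLOCK, 404, LOGIN_REF),
    log_line("203.0.113.7", 4, BLOCK, 404, LOGIN_REF),
    # 198.51.100.4: five failures spread over 12 minutes, never five inside
    # one 10-minute findtime window
    log_line("198.51.100.4", 0, BLOCK, 404, LOGIN_REF),
    log_line("198.51.100.4", 3, BLOCK, 404, LOGIN_REF),
    log_line("198.51.100.4", 6, BLOCK, 404, LOGIN_REF),
    log_line("198.51.100.4", 9, BLOCK, 404, LOGIN_REF),
    log_line("198.51.100.4", 12, BLOCK, 404, LOGIN_REF),
    # 192.0.2.10: successful login, the block exists -> 200, not a failure
    log_line("192.0.2.10", 5, BLOCK, 200, LOGIN_REF),
    # 192.0.2.10: 404s that are not /block/ lookups coming from the login page
    log_line("192.0.2.10", 6, "/favicon.ico", 404, LOGIN_REF),
    log_line("192.0.2.10", 7, BLOCK, 404, "-"),
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(simulate_jail(SAMPLE_LOG))
```

The stray `+` quantifiers in the posted pattern (`<HOST>+`, `/block/+`, `404+`, `https://+`) are harmless here: each still matches the single character or token it follows, so the filter behaves as the first post describes. The slow host shows why findtime matters: five failures spread over 12 minutes never put five inside one 10-minute window, so that host is not banned with the defaults, while lowering maxretry to 4 in the [cryptpad] section would ban it too.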