
secure X2 with fail2ban - anyone ?


3 replies to this topic

#1 Noime


Posted 07 November 2018 - 12:43 AM

I am securing my WordPress installations with fail2ban at the server level. Very happy with it, and it takes quite a bit of stress off the Apache server.

Now I am looking at how I can secure my X2 installation. Does anyone have some opinions on this?

 

Thanks,

Noime



#2 Noime


Posted 07 November 2018 - 03:12 AM

Ok. Looking at the apache2 logs, they are flooded with notifications like "GET /index.php/notifications/get?lastNotifId=0&lastEventId=49&lastTimestamp=1541338711" which I don't need to know about.

 

Adding to the .htaccess

SetEnvIf Request_URI "/notifications/" notifications

Adding to the apache site config

CustomLog ${APACHE_LOG_DIR}/access.log combined env=!notifications
 
No more notifications. Good.


#3 X2Peter

  • Administrators

Posted 07 November 2018 - 01:32 PM

Hello Noime,

 

I would not necessarily use notifications as a criteria for IP ban with fail2ban as the period at which the 'GET /index.php/notifications/get.*' can be configured within the admin panel (you might also inadvertently ban yourself as your browser would be making the requests). The notification JS is run periodically to retrieve messages such as 'John Doe has opened an email!' etc. and display them in the notification box (the box in the upper right corner with blue numbers). However, removing them from the apache logs can be a good thing.

On our developer server we use some of the default apache fail2ban jails such as 'apache', 'apache-noscript' and 'apache-overflow'. I don't have any specific filters written out, but I would recommend adding a filter for 403 errors on the login page; this should help against bots that are trying to brute force login to your app. The same goes with the API (protect against failed authentications of API).



#4 Noime


Posted 08 November 2018 - 01:31 AM

Thanks Peter!

No, no: I don't intend to ban on the notifications. I definitely wasn't clear on this. My two lines are meant to suppress the notification lines in the apache logs. There is, for a single user, one line per second added to the log. That's huge! It not only bloats the log, it makes fail2ban scan loads of data that are good. I chose to suppress the line on apache-level instead of with an ignoreregex in fail2ban.

Protecting against brute force login attempts would be nice, but I don't see a 403 on wrong login. But I may try to hack up a new repeat-offender filter that checks for repeated login attempts.

 

Even better would be if one could rename the login page. If we had this, any attempt to reach index.php/site/login could be regarded as a hacking event.
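
An added example, not part of any post in this thread: a Python dry run of the repeat-offender idea from the last post, counting POSTs to index.php/site/login per client address in a sliding window the way fail2ban's maxretry and findtime do. The log lines, addresses and thresholds are constructed, and every POST counts regardless of status because the thread reports no 403 on a wrong login, so the threshold has to leave room for ordinary logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log pattern for a POST to the X2 login URL named in the thread.
# In a fail2ban filter the (?P<host>...) group would be written as <HOST>.
LOGIN_POST = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /index\.php/site/login[^"]*" \d{3} '
)

def find_offenders(lines, maxretry=5, findtime=600):
    """Return hosts with >= maxretry login POSTs inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of recent login POSTs
    offenders = []
    for line in lines:            # lines are assumed to be in chronological order
        m = LOGIN_POST.match(line)
        if not m:
            continue              # notification polling and other traffic is not counted
        host, ts = m.group("host"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop attempts that fell out of the window
        if len(hits) >= maxretry and host not in offenders:
            offenders.append(host)
    return offenders

def sample_log():
    """Constructed access-log lines; addresses are RFC 5737 documentation ranges."""
    def line(ip, hhmmss, request, status):
        return f'{ip} - - [07/Nov/2018:{hhmmss} +0000] "{request}" {status} 512 "-" "-"'
    log = []
    # One logged-in user polling notifications once per second: must never count.
    for s in range(30):
        log.append(line("192.0.2.10", f"10:00:{s:02d}",
                        "GET /index.php/notifications/get?lastNotifId=0 HTTP/1.1", 200))
    # A user who mistypes a password twice, then gets in (status is constructed).
    for s in (5, 20, 40):
        log.append(line("192.0.2.10", f"10:01:{s:02d}", "POST /index.php/site/login HTTP/1.1", 200))
    # A client submitting the login form every two seconds.
    for s in range(0, 20, 2):
        log.append(line("198.51.100.7", f"10:02:{s:02d}", "POST /index.php/site/login HTTP/1.1", 200))
    return log

if __name__ == "__main__":
    print(find_offenders(sample_log()))
```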





