Security Request: Integrated Fail2Ban for login window

astrugatch

Might be useful for FOS login too. Shouldn’t be impossible to implement. Add Fail2Ban to list of apps to get from the repo and point it to the login logs. I’m sure I’m way over simplifying it (not a dev obviously). As FOG moves to a more secure standard install (SQL password, HTTPS etc) this would be another great feature to have.

lukebarone

@george1421 Thanks for the input!

I’m not looking to specifically put F2B in; I am putting in code to log to a file login failures and successes, then the SysAdmin can choose to setup a F2B jail based on that. I believe heavily in separation of responsibilities, so I will definitely look into writing a proper tutorial.

Do you think code for simply logging the login attempts would get merged?

george1421

@lukebarone I’ve been looking into this too. To implement fail2ban correctly iptables needs to be initialized if you want real protection other than just blocking on http or ssh logon failures. There are difficulties with the current fog configuration to really tighten down the open ports. For FOG 1.6 there is a request to move to nfsv4 this will send all nfs traffic over a single port that can be firewalled successfully. Other options would be for the FOG Installer (optionally) enable access restrictions to a specific network subnet.

Fail2ban may not be something the developers want to include in the core base code, but surely a tutorial can be developed to show others how to install and enable its protection.

lukebarone

WIP - I have FOG now logging to a text file with the remote IP, and an indicator of whether the username supplied was a success or not. I’ll continue testing this next week, and report back if I get it working on new installs too.

If it works, I’ll create a merge request on Github. This has been a fun challenge so far

lukebarone

I would like this as well, for my schools that I administer.

astrugatch

@Quazz

In K12 its pretty common to treat many of your internal users as hostile (right or wrong) since students seem to always try to mess with things whether with malice or just screwing around.

Also with some of the other changes in security on FOG (DB and HTTPS etc) pointing toward the outside to manage devices via the client doesn’t sound impossible for small deployments. Again, it’s not what I’m doing or planning to do, but it would be possible if measures like these were in place.

george1421

@Sebastian-Roth If fog logged failed logins to syslog then if a FOG Admin wanted to implement Fail2Ban then it would be possible. Fail2Ban is not something that the FOG Project should be concerned with (IMO). I can see value in FOG logging invalid log attempts to syslog or a /opt/fog/log file. There would be (minimal but) value to log valid attempts too if security is a top concern. Possibly something for FOG 1.6?

Quazz

@Sebastian-Roth Agreed.

You have a bigger problem on your hands if people are trying to brute force from inside your network, imo.

And even more so if you publically expose FOG.

Though logging failed auth attempts could potentially be interesting.

@astrugatch Can you explain why you would like this?

Sebastian Roth

@astrugatch As FOG is mostly used in internal networks I don’t see too much value in this. Just my personal opinion. Any one else?