No more SSO ban?

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 12.0.10 (stable)
How are you able to access your server: SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: I changed the sshd bantime before going into Bookworm

Describe your issue

Hi,

I wanted to update you that I can now send multiple requests to the SSO without being banned, whereas previously I would get banned after a few failed attempts. I performed a few tests, and I didn’t encounter any issues.

To ensure everything is working as expected, I checked the logs using:

sudo grep 'Ban' /var/log/fail2ban.log

I found no recent ban entries related to the SSO, which indicates that the bans are no longer being triggered.

I also reviewed the /etc/fail2ban/jail.d/yunohost-jails.conf file, and everything seems to be in place:

I confirmed that the wildcard in the logpath should cover the access logs properly, and everything appears to be integrated correctly. Given that I’m able to send multiple requests without being banned, I wanted to ask if this behavior is normal or if I should modify any of the jail settings to enforce stricter banning rules?

Let me know what you think.

Share relevant logs or error messages

[yunohost]
ignoreip = 192.168.0.0/24
enabled = true
port = http,https
protocol = tcp
filter = yunohost
logpath = /var/log/nginx/*error.log
          /var/log/nginx/*access.log
bantime = 86400
maxretry = 3

After searching in the /etc/fail2ban folder, I found that the yunohost-portal jail was not created because I edited my files previously.
I just had to create the jail and everything works like previously.

If anyone is interested:

[yunohost-portal]
enabled = true
port = http,https
protocol = tcp
filter = yunohost-portal
logpath = /var/log/nginx/*error.log
          /var/log/nginx/*access.log
bantime = whatever you want
maxretry = whatever


Hi Dorian,

Welcome to the forums, and thank you for sharing the solution to your problem!

Hi,

Don’t modify your yunohost files or they won’t be updated. You can use a jail-perso.conf with your modifications, or a hook if you absolutely want to change the yunohost-jails.conf file.

Ok, but I hardened the sshd jail.
Must I create another jail named ssh-perso in order to be able to personalize it?

And in order to avoid multiple rules watching the same port, I need to modify the yunohost file, which leads us back to the starting point, no?

If you have the command to remake the original file I will be thankful :wink:

You can add your ssh-perso jail in the personal config file. What’s your hardened sshd jail?
The easiest way is to post your modified yunohost-jails.conf file to see if you can do your hardening in another file.

If you really want to modify the original file, you can read this tuto. If you don’t understand, you can send me a P.M.:


Well, to be honest, the only thing that I did was to put the max retry at 3 and the ban time at 1 day for ssh (with my modified port). I also upped the ban from recidive to 1 week.

Ok, then you can do this (root user) :

cat <<EOF > /etc/fail2ban/jail.d/jail-perso.conf

Then press Enter and type (the > is the prompt shown when you press Enter between each line; it’s not in the final file):

> [sshd] 
> maxretry = 3
> bantime = 86400
> 
> [recidive]
> bantime = 604800
> EOF

Restart the service :

yunohost service restart fail2ban

Ok, that’s what I was thinking.
Last question: by doing that, will the sshd from yunohost be overridden?
How can fail2ban know which one to use?

Fail2ban first reads the /etc/fail2ban/jail.conf file.
After that, it reads the /etc/fail2ban/jail.d/whatever.conf files in alphabetical order. The last conf file overwrites the others if the same configuration is already in another file.

example:

2 bantime for sshd in test.conf and yunohost.conf, the configuration for this option is the one in yunohost.conf.

2 bantime for sshd in zoro.conf and yunohost.conf, the configuration for this option is the one in zoro.conf.

The .local files are read after the .conf files and avoid erasing the .conf file, but that’s not useful here. Use only .conf files, it’s enough.

The sshd from yunohost is not erased (it is the last file). If you want to erase it, you must name your conf file with a name after yunohost in alphabetical order. And if you don’t use the same option in 2 different files, they are cumulative.
Example: having a bantime in test.conf and a maxretry in yunohost.conf is the same as having the 2 options in test.conf or yunohost.conf.
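
The read order described in the answer above, as an added example that is not part of the original thread: it models jail.conf followed by jail.d/*.conf in name order and reports which file sets each sshd option last. The file contents and the zz-perso.conf name are constructed for illustration and are not YunoHost's actual defaults.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample files; the values are illustrative, not YunoHost defaults.
SAMPLE = {
    "jail.conf": "[sshd]\nbantime = 600\nmaxretry = 5\nfindtime = 600\n",
    "jail.d/jail-perso.conf": "[sshd]\nmaxretry = 3\nbantime = 86400\n",
    "jail.d/yunohost-jails.conf": "[sshd]\nbantime = 3600\n",
}


def read_order(root):
    """jail.conf first, then jail.d/*.conf sorted by name, as the answer describes."""
    root = Path(root)
    return [root / "jail.conf"] + sorted((root / "jail.d").glob("*.conf"))


def effective(root, jail):
    """Return {option: (value, name of the file that set it last)} for one jail."""
    result = {}
    for path in read_order(root):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)
        if parser.has_section(jail):
            for option, value in parser.items(jail):
                result[option] = (value, path.name)  # a later file overwrites
    return result


def build(files):
    """Write a sample tree into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


if __name__ == "__main__":
    # Same override content under two file names: one sorts before
    # yunohost-jails.conf, the other after it.
    for name in ("jail-perso.conf", "zz-perso.conf"):
        files = dict(SAMPLE)
        files["jail.d/" + name] = files.pop("jail.d/jail-perso.conf")
        print(name, effective(build(files), "sshd"))
```

On a running server, `fail2ban-client get sshd bantime` and `fail2ban-client get sshd maxretry` show the values the jail actually loaded after the restart.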

Thanks a lot, this answers all my questions!
