Jump to content

Can Revive used with fail2ban?


Neurogami

Recommended Posts

  • 3 weeks later...

Not yet, but I do not want to deploy until I have sufficient security in place.  I've been using Revive locally as I get familiar with it.  

I do not want to wait until the brute force happens (and it will) and then have to rely on the Revive random delay for log-in attempts.

I see now that Revive has no option to log sign-in attempts so I've been hacking about to write a plugin for that. 

Sadly, the plugin development docs are pretty dismal.  (Current Revive source code still references the now-dead URL https://developer.openx.org/wiki/display/COMM/Plugins+for+2.8)

 

edit:  It occurred to me that, with no failed authorization logging, how would one know if there have been brute-force attacks? Parse the access log for repeated calls to the sign-in page?   Anyways, I added code (maybe 10 lines in total) to my installation to write to the syslog when sign-in fails, and now I can have fail2ban handle this for me.

Edited by Neurogami
more information
Link to comment
Share on other sites

  • 6 months later...
  • 5 years later...

Hi,

 

I had the same need as @Neurogami and just did what @andrewatfornax suggested.

 

Here is a pull request for Revive to support fail2ban:

https://github.com/revive-adserver/revive-adserver/pull/1389

 

Here is my comment on that PR:

 

In constants.php , set $GLOBALS['badLoginLogFilePath'] to the path of the log file fail2ban can use to ban an IP trying to brute force your site. For example /var/log/reviveBadLogin.log .
Run the following commands to make the file writable:
$ touch /var/log/reviveBadLogin.log
$ chown www-data:www-data /var/log/reviveBadLogin.log

Add the following in the /etc/fail2ban/filter.d/revive.conf file:
[Definition]
failregex = ^.*: $
datepattern = {^LN-BEG}Epoch

Add the following in the /etc/fail2ban/filter.d/revive.conf file:
[revive]
enabled = true
port = 80,443
protocol = tcp
filter = revive
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/log/reviveBadLogin.log

Restart fail2ban with the following command:
$ systemctl restart fail2ban

I was able to test this with a VPN. I entered 3 times bad credentials and by IP got banned.

It is likely that call to badLogin.php would be desirable from other places susceptible to be used for brute forcing.

 

I hope this can be merged without too much difficulties.

Please let me know if there is anything else I can do for this PR.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...