Fail2Ban is a simple, but powerful, open source intrusion detection and prevention system which can run on most POSIX-compliant operating systems. It works by monitoring various system logs for signs of intrusion attempts (failed logins, etc.), and on finding them, executes a preconfigured action.

Typically, this action is to block further access attempts from the remote host, using local firewall rules.

Out of the box, Fail2Ban comes configured to monitor SSH for signs of intrusion. However, since it works by monitoring log files, Fail2Ban can be configured to monitor many other services. I figured it would be pretty cool to use it to protect Elgg sites as well.

Elgg already has a per-user account lockout on login, however it is not without its limitations. It is pretty basic, and while it protects against access to specific accounts, it does not protect against dictionary attacks against multiple or non-existent accounts. Using Fail2Ban, you can easily protect against multiple access attempts from the same IP address, and then cut them off at the network level, frustrating the attack.

Installing Fail2Ban

The first step to getting this all working is to install Fail2Ban.

This is covered in detail elsewhere, but on Debian/Ubuntu it was a simple matter of pulling it from the apt repo:

sudo apt-get install fail2ban

Out of the box Fail2Ban will block using IPTables, but if you use shorewall, as I do, you’ll need to modify the actions to use that.

Getting Elgg to log access

It is an omission (quite possibly on my part), but the default Elgg login action does not explicitly log login attempts and login errors. While it is quite probable that you could hack together some regexp to parse the apache error logs, these are often quite noisy, highly changeable, often stored in odd locations, and, more often than not, are turned off in production environments.

I thought I’d make things a little easier on myself, and so I wrote a tiny Elgg plugin which overrides the default login action and outputs explicit error messages to the system auth.log, on both success and failure.

Once installed, you should begin to see logging messages start to appear in your server’s auth log (usually /var/log/auth.log) along the lines of this:

Mar 22 18:24:43 web elgg(web.example.com)[16483]: Authentication failure for fakeuser from 111.222.333.444
Mar 22 18:25:05 web elgg(web.example.com)[16483]: Accepted password for admin from 111.222.333.444

Again, to keep things simple, and to avoid getting a regular expression headache, I kept the authentication messages similar to those used by the SSH filter.

Monitoring the log with Fail2Ban

Finally, you need to configure fail2ban to look out for the Elgg messages in the auth.log.

  • Copy the elgg.conf into your fail2ban filters directory, on Debian this is in /etc/fail2ban/filters.d/
  • Create a jail.local in /etc/fail2ban/ if you have not already done so, and then create a rule, along the lines of the following:

    [elgg]
    enabled = true
    filter = elgg
    logpath = /var/log/auth.log
    port = all

Restart Fail2Ban, and you should be up and running! To test, attempt to log in (using a machine on a different network if at all possible) and try a few failed logins.
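To see what the jail above actually does with the messages from the previous section, here is an added Python example (not the plugin's elgg.conf and not fail2ban's own code) that applies a failregex modelled on those two log lines and emulates fail2ban's maxretry/findtime counting. The regex, the `<HOST>` substitution pattern, the year used for the syslog timestamps and the extra sample log lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A failregex in the form a filters.d/elgg.conf entry would state it.
# Assumption modelled on the post's log lines, not the plugin's own filter.
FAILREGEX = r"elgg\([^)]*\)\[\d+\]: Authentication failure for \S+ from <HOST>"

# fail2ban replaces <HOST> with a capture group for the remote address;
# this simplified pattern stands in for its real one.
HOST_PATTERN = r"(?P<host>[\w\-.]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed auth.log excerpt, extended from the two lines in the post.
SAMPLE_LOG = """\
Mar 22 18:24:43 web elgg(web.example.com)[16483]: Authentication failure for fakeuser from 111.222.333.444
Mar 22 18:24:51 web elgg(web.example.com)[16483]: Authentication failure for root from 111.222.333.444
Mar 22 18:25:05 web elgg(web.example.com)[16483]: Accepted password for admin from 111.222.333.444
Mar 22 18:25:40 web elgg(web.example.com)[16483]: Authentication failure for nobody from 111.222.333.444
Mar 22 18:30:02 web elgg(web.example.com)[16483]: Authentication failure for fakeuser from 10.0.0.5
"""


def parse_timestamp(line, year=2012):
    """Syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def failures(log):
    """Yield (timestamp, host) for every line the failregex matches.
    'Accepted password' lines are deliberately not matched."""
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield parse_timestamp(line), m.group("host")


def hosts_to_ban(log, maxretry=3, findtime=600):
    """Emulate the jail: ban a host once it accumulates maxretry
    failures within a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in failures(log):
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

Run against the sample log, only 111.222.333.444 crosses the threshold; 10.0.0.5 has a single failure and is left alone.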

A future enhancement of this that you could consider, especially if running in a production environment, is to modify the block action to redirect queries from the offender's IP to a placeholder page explaining why they have been banned. This could probably be done quite easily using a REDIRECT rule, although I've not tried it yet.

Anyway, code, as always, is on github. Have a play!

» Visit the project on Github…

Over the past few weeks and months I've had cause to write, update and dust off a number of Elgg plugins that I've had kicking about. As a good open source citizen I've stuck them up on github so others can have a play.

Here they are, in no particular order:

» H5F 1.8

This is an Elgg wrapper around the H5F HTML5 form compatibility library written by Ryan Seddon.

This plugin lets you use handy HTML 5 form extensions like "required" and "placeholder", as well as some of the new types like <input type="email" /> in your forms, and have them work in older browsers.

» Input Country

Input country is a wrapper around Ben Werdmuller’s phpCountryDropdown tool, and provides a handy dandy country selector input type.

Install this plugin to be able to take advantage of this in your forms.

» Profile Completeness

This plugin provides a view and a widget that displays the completeness of a profile based on the number of fields in the profile that are populated. This list of fields can be extended and modified based on a plugin hook.

I’ve used various incarnations of this plugin now for a number of clients, and since it keeps coming up I’ve tidied it up a bit and stuck it on github.

» Recaptcha

Lastly, here’s an Elgg 1.8 version of a recaptcha plugin I wrote some time ago.

It hooks into the Elgg captcha engine, providing captcha verification for registration and the “request new password” functionality out of the box. It also replaces the input/captcha view.

There are a couple of other recaptcha plugins, but I couldn’t find one which just provided the captcha and nothing else, so here’s mine.

That’s it for now, enjoy!

HTML Mails is an Elgg plugin that lets notification emails be sent using HTML email templates.

The original plugin was written by Condiminds but doesn’t seem to have been updated for Elgg 1.8, at least not that I could find.

From the plugin notes:

This plugin allows elgg to send notifications as html emails.

This plugin supports 3 views:

I needed an updated version for a client project, so I hacked together a quick port. Have fun!

» Visit the project on Github…