Mattermost, Inc.

Fail2Ban not working

Hello all

i’ve made fail2ban rule to identify incorrect password at log file.
When i’m testing by command :
fail2ban /opt/mattermost/logs/mattermost.log /etc/fail2ban/filter.d/mattermost-logfail.conf
everything works perfect, but after apply it to jail.conf:

[mattermost]
enabled = true
filter = /etc/fail2ban/filter.d/mattermost-logfail.conf
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600

After it, systemctl restart fail2ban, fail2ban-client status mattermost to check does it catch something and failed. It doesn’t count anything, but at same time, when i use again my regex test, it recognize incorrect password.

What could be wrong??

@paulrothrock Is the support team familiar with this?

I solved my problem by myself :slight_smile:

Logs type cannot be set to JSON, that was cause of my problems.

After switch logs to text and restart server, correct regex are:
For incorrect password:

failregex = .\Login failed because of invalid password.“ip_addr”: “”.

For locked account:

failregex = .\Your account is locked because of too many failed password attempts. Please reset your password.“ip_addr”: “”.

2 Likes

@czarek Glad to hear you got it working! I’m sure a lot of other users could benefit from using Fail2Ban with Mattermost. Do you think you could write up some more detailed instructions? I’ll be happy to help get them into the Mattermost docs.

Below is instruction, how to set up f2b for mattermost. When i was writing it, i discovered, that it doesn’t protect, when someone is trying to log as none existing user :frowning: but, after a while, addittion regex was ready and it’s included to this tutorial :smiley:

Before we start with fail2ban, You have to switch off JSON log type, from System Console > Log settings.
It is important to regex work properly.

To use fail2ban with mattermost, we have to install it from terminal

sudo apt install fail2ban

After it, edit your /etc/fail2ban/jail.conf file:
set your IP to ignore list in place of xxx.xxx.xxx.xxx to avoid ban yourself :slight_smile:

ignoreip = 127.0.0.1/8,xxx.xxx.xxx.xxx

At the end of file, add code:

[mattermost]
enabled = true
filter = mattermost-logfail
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600
maxretry = 5

[mattermost-passlockout]
enabled = true
filter = mattermost-passlockout
logpath = /opt/mattermost/logs/mattermost.log
findtime = 300
bantime = 600
maxretry = 5

You could change values above, to correct for your case. Meaning of all parameters, You could find in jail.conf comments :slight_smile:

The code above is enabling two filters:
The first [mattermost] is cheking log file, for incorrect password for existing users (after 5 tries, mattermost is locking account, but imho ban is better :smiley:) and for trying to log non existing (brute force? ), which is not normally protected via mattermost.
The second one [mattermost-passlockout] is to prevent another tries at already locked account, in same brute force case or something else.

Now we have to create two filter files:

sudo nano /etc/fail2ban/filter.d/mattermost-logfail.conf

and paste code into it and save:

[Definition]

failregex = .\Login failed because of invalid password.“ip_addr”: “”.
.\This team may require an invite from the team owner to join.“ip_addr”: “”.

ignoreregex =

and the second one:

sudo nano /etc/fail2ban/filter.d/mattermost-passlockout.conf

with code:

[Definition]

failregex = .\Your account is locked because of too many failed password attempts. Please reset your password.“ip_addr”: “”.

ignoreregex =

Now just restart your fail2ban by systemctl restart fail2ban and check does all jails are up by fail2ban-client status
You should see something like:
image

To check number of fails, use command fail2ban-client status
image

To check is everything work properly, try to log with incorrect password, but remember to do it from different than ignoreip in jail.conf :slight_smile:

1 Like