====== fail2ban for SoSci Survey ======

To access interviews in progress, each interview is assigned a "token", a 12-character alphanumeric string. Everyone who knows the interview token can continue the interview and, where applicable, can use the back button to see the data entered so far. To prevent valid tokens from being found simply by trial and error (brute force), the server should block IP addresses that use invalid tokens. For this purpose SoSci Survey records invalid inputs in the file ''system/logfiles/token-fail.log''. Invalid serial numbers and serial mail keys are also noted in this file.

On Linux systems, you can temporarily block IP addresses that appear frequently in this list using [[https://www.fail2ban.org|fail2ban]]. On Debian-based systems, fail2ban can be installed as follows:

<code bash>
sudo apt-get install fail2ban
</code>

First, a file ''/etc/fail2ban/filter.d/serial-fail.conf'' with the following content must be created. The ''<HOST>'' tag is fail2ban's placeholder for the client address that is to be banned; fail2ban rejects a ''failregex'' that does not contain it.

<code ini>
[Definition]
failregex = <HOST>\s+(invalid|serial|deliveryToken|session\.id)
ignoreregex =
</code>

Afterwards the file ''/etc/fail2ban/jail.local'' has to be created or, if it already exists, a section ''[serial-fail]'' has to be inserted that points to the log file with the invalid entries:

<code ini>
[DEFAULT]
ignoreip = 127.0.0.1/8
maxretry = 3
banaction = iptables-multiport

[serial-fail]
enabled = true
port = http,https
filter = serial-fail
action = iptables-allports
         mail-whois[name=Serial Fail, dest=IHRE@E-MAIL-ADRESSE]
logpath = /PFAD_ZU_SOSCI/system/logfiles/token-fail.log
maxretry = 50
# SoSci Survey will lock IPs by itself, this is just the uppermost limit
bantime = 7200

[sshd-ddos]
enabled = true

[php-url-fopen]
enabled = true
</code>

This entry blocks an IP address for 2 hours (''bantime'') if 50 erroneous entries (''maxretry'') have been made from this address within 10 minutes (the default setting for ''findtime''). It is also possible to choose a shorter blocking time and to block after, e.g., 10 erroneous entries, but since SoSci Survey already blocks erroneous serial numbers by itself, this configuration is only a second security barrier.

Load the configuration and check whether everything is running:

<code bash>
sudo fail2ban-client reload
sudo fail2ban-client status
</code>

The output looks, for example, as follows:

<code>
Status
|- Number of jail:	3
`- Jail list:	serial-fail, sshd, sshd-ddos
</code>
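To see what the ''[serial-fail]'' jail does before enabling it, the following Python script (an added example, not code from SoSci Survey or fail2ban) replays the ''maxretry'' / ''findtime'' / ''bantime'' rule with the filter's keyword alternation over a few constructed log lines. Because the page does not show the layout of ''token-fail.log'', the constructed lines assume ''<epoch> <ip> <reason>'', with the client IP standing in for fail2ban's ''<HOST>''.

```python
import re
from collections import defaultdict, deque

# Same alternation as the serial-fail filter above. fail2ban's <HOST> tag is
# matched here as a plain IPv4 address (assumption; token-fail.log's layout is
# not shown on the page, so the constructed lines use '<epoch> <ip> <reason>').
FAILREGEX = re.compile(
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(invalid|serial|deliveryToken|session\.id)")

MAXRETRY = 50    # jail.local: maxretry = 50
FINDTIME = 600   # fail2ban default findtime: 10 minutes
BANTIME = 7200   # jail.local: bantime = 7200 (2 hours)

def parse_line(line):
    """Return (timestamp, host) if the line matches failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    return int(line.split(maxsplit=1)[0]), m.group("host")

def replay(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay fail2ban's counting over chronologically ordered lines: a host is
    banned once maxretry matches fall inside findtime seconds. Returns {host: expiry}."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans and ts < bans[host]:
            continue  # still banned: further hits are not counted
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:  # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts + bantime
            q.clear()
    return bans

# Constructed sample log: 203.0.113.7 sends 50 bad tokens in 98 s (banned),
# 198.51.100.9 only 3 (below maxretry), 192.0.2.1 spreads 50 hits over 65 min
# so no 10-minute window ever holds 50 of them (not banned).
SAMPLE_LOG = sorted(
    [f"{1000 + 2 * i} 203.0.113.7 invalid token A1b2C3d4E5f6" for i in range(50)]
    + [f"{1000 + 200 * i} 198.51.100.9 serial number not found" for i in range(3)]
    + [f"{1000 + 80 * i} 192.0.2.1 deliveryToken rejected" for i in range(50)]
    + ["1100 192.0.2.1 interview resumed"],  # no keyword: ignored by the filter
    key=lambda l: int(l.split()[0]))
```

Calling ''replay(SAMPLE_LOG, maxretry=3)'' shows the stricter variant mentioned above, in which all three addresses end up banned.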