[Request] Add Fail2Ban
lordraiden opened this issue · comments
Please consider fail2ban
https://www.fail2ban.org/wiki/index.php/Main_Page
and a 2 step verification method
https://www.authelia.com/
https://github.com/clems4ever/authelia
BTW your software is being a total sucess here https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/
I agree on the fail2ban, I can see 2fa being good if it is going to be externally available.
Big thing if you implement f2b, make sure it will pay attention to the forwarded-for IP. That way you don't end up blocking cloudflare.
I switched away from that docker container actually simply because it wasn't up-to-date enough for me. I needed the latest features such as the ability to forward HTTPS enabled sites.
@lordraiden Thanks for the heads up, makes sense why so many issues being logged in the last 2 weeks! F2B is definitely a good improvement to be considered.
@vrelk Upstream SSL hosts support is done, in the next version I'll release today. Is that the only thing you needed that the docker version couldn't do?
@jc21 I guess I should have specified that I was referring to the docker container linked in the first post (unRAID). It is a few months out of date. My switch was from the jlesage fork to yours.
please add fail2ban. otherwise you have a great software!
+1 for f2b!
@jc21
Is there any new about the fail2ban addition?
also voting for fail2ban 👍
Would be great
Would also like fail2ban!
Would be great to have fail2ban built in like the linuxserver/letsencrypt Docker container!
Would also love to see fail2ban, or in the meantime, if anyone has been able to get it working manually and can share their setup/script
Is there a (manual) way to use Nginx-proxy-manager reverse proxies in combination with Authelia 2FA? I love the proxy manager's interface and ease of use, and would like to use it together with a authentication service.
+1 for both fail2ban and 2fa support. I would rank fail2ban as a primary concern and 2fa as a nice to have. With both of those features added i think this solution would be ready for smb production environments.
+1 for fail2ban support.
+1 for fail2ban too !
Some update on fail2ban, since I don't see this happening anytime soon, I created a fail2ban filter myself. Create a file called "nginx-docker" in /etc/fail2ban/filder.d with the following contents
[INCLUDES]
[Definition]
failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
This will jail all requests that return a 4xx/3xx code on the main ip or a 400 on the specified hosts in the docker (no 300 here because of redirects used to force HTTPS)
enable the jail in the jail.local file:
[nginx-docker]
enabled = true
logpath = <docker-config-location>/nginx-proxy-manager/data/logs/default_host.log
<docker-config-location>/nginx-proxy-manager/data/logs/proxy_host-*.log
maxretry = 3
bantime = 360
findtime = 60
The only issue is that docker sort of bypasses all iptables entries, fail2ban makes the entry but those are ignored by docker, resulting in having the correct rule in iptables or ufw, but not actually blocking the IP. Maybe someone in here has a solution for this.
wessel145 - I have played with the same problem ( docker ip block ) few days :) finally I have working solution;
- in /etc/docker/daemon.json - you need to add option "iptables": true
- you need to be sure docker create chain in iptables DOCKER-USER
- for fail2ban ( docker port ) use SINGLE PORT ONLY - custom action.d/customaction.conf
--ctorigdstport !!! mine looks like this and it works
customaction.conf
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = -N f2b-
-A f2b- -j
-I DOCKER-USER -p -m conntrack --ctorigdstport --ctdir ORIGINAL -j f2b-
actionstop = -D DOCKER-USER -p -m conntrack --ctorigdstport --ctdir ORIGINAL -j f2b-
-X f2b-
actioncheck = -n -L DOCKER-USER | grep -q 'f2b-[ \t]'
actionban = -I f2b- 1 -s -j
actionunban = -D f2b- -s -j
[Init]
- in your jail add action
[nginx-docker]
enabled = true
logpath = /nginx-proxy-manager/data/logs/default_host.log
/nginx-proxy-manager/data/logs/proxy_host-*.log
banaction = customaction
maxretry = 3
bantime = 360
findtime = 60
NOTE: for docker to ban port need to use single port and option iptables -m conntrack --ctorigdstport --ctdir ORIGINAL
my personal opinion nginx-proxy-manager should be ONLY nginx-proxy-manager ; as with docker concept fail2ban and etc, etc, you can have as separate containers; better to have one good nginx-proxy-manager without mixing; jc21/nginx-proxy-manager made nice job. ! thanks
@dariusateik i do not agree on that since the letsencrypt docker container also comes with fail2ban, 'all reverse proxy traffic' will go through this container and is therefore a good place to handle fail2ban.
@dariusateik the other side of docker containers is to make deployment easy. Currently fail2ban doesn't play so well sitting in the host OS and working with a container. Setting up fail2ban is also a bit more advanced then firing up the nginx-proxy-manager container and using a UI to easily configure subdomains. Having f2b inside the npm container and pre-configured, similiar to the linuxio container, gives end users without experience in building jails and filters an extra layer of security. And those of us with that experience can easily tweak f2b to our liking. If you are using volumes and backing them up nightly you can easily move your npm container or rebuild it if necessary. I want to try out this container in a production environment but am hesitant to do so without f2b baked in. In production I need to have security, back ups, and disaster recovery.
@dariusateik the other side of docker containers is to make deployment easy. Currently fail2ban doesn't play so well sitting in the host OS and working with a container. Setting up fail2ban is also a bit more advanced then firing up the nginx-proxy-manager container and using a UI to easily configure subdomains. Having f2b inside the npm container and pre-configured, similiar to the linuxio container, gives end users without experience in building jails and filters an extra layer of security. And those of us with that experience can easily tweak f2b to our liking. If you are using volumes and backing them up nightly you can easily move your npm container or rebuild it if necessary. I want to try out this container in a production environment but am hesitant to do so without f2b baked in. In production I need to have security, back ups, and disaster recovery.
it is always - we could find many "yes" and many "no" ; there is no one answer... If npm will have it - why not; but i am using crazymax/fail2ban for this; more complexing docker, more possible mistakes; configs, etc; how will be or f2b integrated - should decide jc21
Personally I don't understand the fascination with f2b. There's talk about security, but I've worked for multi million dollar companies with massive amounts of sensitive customer data, used by government agencies and never once have we been hacked or had any suspicious attempts to gain access.
And we have never used f2b.
On one hand, this project's goals was for the average joe to be able to easily use HTTPS for their incoming websites; not become a network security specialist. I understand that there are malicious people out there and there are users who want to protect themselves, but is f2b the only way for them to do this?
On the other hand, f2b is easy to add to the docker container. It's the configuration of it that would be hard for the average joe. Anyone who wants f2b can take my docker image and build a new one with f2b installed.
Super secret stuff: I'm not working on v2 anymore, and instead slowly working on v3. I'll be considering all feature requests for this next version.
100 % agree - > ... On the other hand, f2b is easy to add to the docker container
hopping in to say that a 2fa solution (such the the one authelia brings) would be an amazing addition.
Authelia itself doesnt require a LDAP server or its own mysql database, it can use built in single file equivalents just fine for small personal installations
Any news on that?
To y'all looking to use fail2ban with your nginx-proxy-manager in docker here's a tip:
In your jail.local file under where the section (jail) for nginx-http-auth is you need to add this line so when something is banned it routes through iptables correctly with docker:
chain = DOCKER-USER
+1 for this thread. Thank jc21, great work!
+1 Any news on this?
+1 Last thing really need as of now. :)
+! Fail2ban would be amazing to secure our subdomains!
Anyone who has a guide how to implement this by myself in the image?
Any update on this? Or will this be even implemented?
+1 Any news on this?
I too would like to see fail2ban implementation. Then I can finally switch over to Nginx proxy manager instead of using swag since this is so much easier and user friendly to use.
fail2ban already has a GUI developed for it as well (Called fail2web). I would love to see that implemented into NGinx proxy manager
I would also love to see Fail2Ban implemented. It would be the final thing needed for me to switch to a much superior product!!!. Also would be great to see more formal support of GEOip2
I switched to NPM recently and I have to say it has been great. The one thing I do find is missing is f2b. I have a separate container running f2b but it somehow doesn’t play well with NPM. I have trouble getting the real IPs my hope is that an integrate solution would solve that problem.
so +1 for fail2ban
For all of you that would like to have f2b: try CloudFlare, the "free" edition can help you to make your NPM much safer, you can for example regulate which traffic from particular countries is allowed or blocked and your IP is not published to the entire world.
+1 for Fail2Ban, its absolutely necessary feature for applications that has no built in bruteforce protection.
Like to see Fail2Ban, too.
As v2 is not actively developed, just patched by the official author, it will not be added in v2 unless someone from the community implements it and opens a pull request.
| To show your support for this request, please use the 👍 (thumbs up) emoji on the first comment in this issue, instead of commenting +1 or I want this too. This just adds unnecessary length to the issue and notifies all users who have subscribed to this issue, without adding anything of value. Thanks! |
|---|
I adapted and modified examples from this thread and I think I might have it working with current npm release + fail2ban in docker:
run fail2ban in another container via https://github.com/crazy-max/docker-fail2ban
in fail2ban's docker-compose.yml mount npm log directory as read only like so:
version: "3.7"
services:
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban_docker-pi
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- "./data:/data"
- "/var/log/auth.log:/var/log/auth.log:ro"
- "../nginx-proxy-manager/data/logs/:/log/npm/:ro"
restart: always
env_file:
- "./fail2ban.env"
then create data/filter.d/npm-docker.conf with contents:
[INCLUDES]
[Definition]
failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
then create data/jail.d/npm-docker.local with contents:
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24
chain = INPUT
logpath = /log/npm/default-host_*.log
/log/npm/proxy-host-*.log
maxretry = 3
bantime = 360
findtime = 60
output of fail2ban running:
fail2ban_docker-pi | 2021-08-29 15:32:35,193 fail2ban.jail [1]: INFO Creating new jail 'npm-docker'
fail2ban_docker-pi | 2021-08-29 15:32:35,194 fail2ban.jail [1]: INFO Jail 'npm-docker' uses pyinotify {}
fail2ban_docker-pi | 2021-08-29 15:32:35,197 fail2ban.jail [1]: INFO Initiated 'pyinotify' backend
fail2ban_docker-pi | 2021-08-29 15:32:35,206 fail2ban.filter [1]: INFO maxRetry: 3
fail2ban_docker-pi | 2021-08-29 15:32:35,207 fail2ban.filter [1]: INFO findtime: 60
fail2ban_docker-pi | 2021-08-29 15:32:35,207 fail2ban.actions [1]: INFO banTime: 360
fail2ban_docker-pi | 2021-08-29 15:32:35,208 fail2ban.filter [1]: INFO encoding: UTF-8
fail2ban_docker-pi | 2021-08-29 15:32:35,210 fail2ban.filter [1]: INFO Added logfile: '/log/npm/default-host_access.log' (pos = 0, hash = 98dbed3dfc4d46673456b12cc4aadba8db295499)
fail2ban_docker-pi | 2021-08-29 15:32:35,212 fail2ban.filter [1]: INFO Added logfile: '/log/npm/default-host_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,214 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-1_error.log' (pos = 0, hash = 002d489297abf02fd446464dcc7f2b4e46e163b9)
fail2ban_docker-pi | 2021-08-29 15:32:35,216 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-18_access.log' (pos = 0, hash = d6c441567a7f77d17d8a6a4d4b1a975e14b363ce)
fail2ban_docker-pi | 2021-08-29 15:32:35,219 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-19_error.log' (pos = 0, hash = a71091e5448a6eb07506461d1bd9690efcd0d351)
fail2ban_docker-pi | 2021-08-29 15:32:35,221 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-17_error.log' (pos = 0, hash = 2e6e50d6064bc37106ef181717583a97d07d38e7)
fail2ban_docker-pi | 2021-08-29 15:32:35,224 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-12_access.log' (pos = 0, hash = ddeda343d954ace650f7fcc50ad01940fa87e576)
fail2ban_docker-pi | 2021-08-29 15:32:35,226 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-17_access.log' (pos = 0, hash = 9edb67162ad55fa8e172b3fbe2ad21a391108266)
fail2ban_docker-pi | 2021-08-29 15:32:35,228 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-18_error.log' (pos = 0, hash = a32ecae86243b854ccff582d92184c5747862b60)
fail2ban_docker-pi | 2021-08-29 15:32:35,230 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-14_access.log' (pos = 0, hash = 7c01ddcdde3b0d2a37f4999a61b59ffccc9b2019)
fail2ban_docker-pi | 2021-08-29 15:32:35,232 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-9_error.log' (pos = 0, hash = 956b8525f2421035ae98df3f4400bdcaa9abde93)
fail2ban_docker-pi | 2021-08-29 15:32:35,234 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-7_access.log' (pos = 0, hash = fc8755bd7e108a2c56e0115dab00629f813b7ab8)
fail2ban_docker-pi | 2021-08-29 15:32:35,236 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-23_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,238 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-1_access.log' (pos = 0, hash = 34a7d895c800d3e634f565c9ecc1df4b022e170f)
fail2ban_docker-pi | 2021-08-29 15:32:35,240 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-10_access.log' (pos = 0, hash = cd835578da70ae9b2fafd6084acbc24092405092)
fail2ban_docker-pi | 2021-08-29 15:32:35,242 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-11_access.log' (pos = 0, hash = c2de13ad31329b8246eb7f4040289c50c7a66d32)
fail2ban_docker-pi | 2021-08-29 15:32:35,244 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-2_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,245 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-11_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,248 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-7_error.log' (pos = 0, hash = 64c54f707c4cce06fb1cf801c5866644cbeb71e0)
fail2ban_docker-pi | 2021-08-29 15:32:35,250 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-9_access.log' (pos = 0, hash = 2bee7d516e3c11f67734bdbc2afc58cbb6067342)
fail2ban_docker-pi | 2021-08-29 15:32:35,252 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-13_access.log' (pos = 0, hash = f744cae2bf29f56c49757d2005ec10ed24d109ba)
fail2ban_docker-pi | 2021-08-29 15:32:35,254 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-22_access.log' (pos = 0, hash = 997c42664d4262b041ad90d44af42f287c024c04)
fail2ban_docker-pi | 2021-08-29 15:32:35,256 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-8_access.log' (pos = 0, hash = 554281ecadfacc5ffe8421a92f8aba75191ebf98)
fail2ban_docker-pi | 2021-08-29 15:32:35,258 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-16_access.log' (pos = 0, hash = d17bfa74568bb5bd8c52c6d74d15e14426e99642)
fail2ban_docker-pi | 2021-08-29 15:32:35,260 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-5_access.log' (pos = 0, hash = cb20ee90acfc07466e393391857e90065f68327f)
fail2ban_docker-pi | 2021-08-29 15:32:35,262 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-20_access.log' (pos = 0, hash = 4b8e69bc0473971bd28dc9dc70e98406fc7647ed)
fail2ban_docker-pi | 2021-08-29 15:32:35,264 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-19_access.log' (pos = 0, hash = 8d17caf2859165558a5b4338bf7a542aea6cfcec)
fail2ban_docker-pi | 2021-08-29 15:32:35,266 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-20_error.log' (pos = 0, hash = 23571c37a3799d9afa520dade10ca73683fe55d8)
fail2ban_docker-pi | 2021-08-29 15:32:35,268 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-15_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,270 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-4_access.log' (pos = 0, hash = 00949b08fb4bab3434e1339f75d5786ce169dd17)
fail2ban_docker-pi | 2021-08-29 15:32:35,271 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-4_error.log' (pos = 0, hash = 269c3c241871b692273b1571ab0e53e04b020036)
fail2ban_docker-pi | 2021-08-29 15:32:35,273 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-22_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,276 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-3_access.log' (pos = 0, hash = c1d9c70e0d29acd0672b272f1e96e4e6ba60d406)
fail2ban_docker-pi | 2021-08-29 15:32:35,277 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-12_error.log' (pos = 0, hash = a1487cb8ec170d336279969f05da5ce6e7c28812)
fail2ban_docker-pi | 2021-08-29 15:32:35,280 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-6_error.log' (pos = 0, hash = d704a9fcfeb6c203829cb9ee5b3a77c06dc191ce)
fail2ban_docker-pi | 2021-08-29 15:32:35,282 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-2_access.log' (pos = 0, hash = 62ca84f9e312920b631f336a01055d511d0d8dca)
fail2ban_docker-pi | 2021-08-29 15:32:35,284 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-6_access.log' (pos = 0, hash = bdf728007531437502020dcc9ab9792b74d205f2)
fail2ban_docker-pi | 2021-08-29 15:32:35,286 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-5_error.log' (pos = 0, hash = 492f086bf69542e329ff255394bebaf1dad1557b)
fail2ban_docker-pi | 2021-08-29 15:32:35,288 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-3_error.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,290 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-13_error.log' (pos = 0, hash = 57cb6e33531270e3624c6227606573ae398c8d21)
fail2ban_docker-pi | 2021-08-29 15:32:35,292 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-14_error.log' (pos = 0, hash = 9e77e91148dfec51c2ae62432c9579a03de62a37)
fail2ban_docker-pi | 2021-08-29 15:32:35,295 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-23_access.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
fail2ban_docker-pi | 2021-08-29 15:32:35,297 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-16_error.log' (pos = 0, hash = 6f6defa408ef41a25a2f1891b569f9bd72f261f3)
fail2ban_docker-pi | 2021-08-29 15:32:35,299 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-15_access.log' (pos = 0, hash = 9dd236575d9bd8b3b6c542fdb40b74619172b0ca)
fail2ban_docker-pi | 2021-08-29 15:32:35,301 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-10_error.log' (pos = 0, hash = deb2fc06fdeaf44c74b8317f92c677a82e1122a5)
fail2ban_docker-pi | 2021-08-29 15:32:35,303 fail2ban.filter [1]: INFO Added logfile: '/log/npm/proxy-host-8_error.log' (pos = 0, hash = 0b7a3e2defbc9bec678ca56b30f9cadde4e899a4)
fail2ban_docker-pi | 2021-08-29 15:32:35,307 fail2ban.jail [1]: INFO Jail 'sshd' started
fail2ban_docker-pi | 2021-08-29 15:32:35,310 fail2ban.jail [1]: INFO Jail 'npm-docker' started
fail2ban_docker-pi | Server ready
fail2ban_docker-pi | 2021-08-29 15:33:18,925 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,927 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,929 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,932 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,934 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,937 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,940 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,943 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,945 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,950 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,962 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,965 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,994 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,997 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,999 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:19,371 fail2ban.actions [1]: NOTICE [npm-docker] Ban 138.199.28.44
fail2ban_docker-pi | 2021-08-29 15:33:23,111 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,115 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,135 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,138 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,174 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,176 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,178 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,218 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,221 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,234 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,274 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,276 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,279 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,302 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,337 fail2ban.filter [1]: INFO [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,452 fail2ban.actions [1]: NOTICE [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,474 fail2ban.actions [1]: NOTICE [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,475 fail2ban.actions [1]: NOTICE [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,476 fail2ban.actions [1]: NOTICE [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,478 fail2ban.actions [1]: NOTICE [npm-docker] 138.199.28.44 already banned
jail status:
Status for the jail: npm-docker
|- Filter
| |- Currently failed: 0
| |- Total failed: 30
| `- File list: /log/npm/default-host_access.log /log/npm/default-host_error.log /log/npm/proxy-host-1_error.log /log/npm/proxy-host-18_access.log /log/npm/proxy-host-19_error.log /log/npm/proxy-host-17_error.log /log/npm/proxy-host-12_access.log /log/npm/proxy-host-17_access.log /log/npm/proxy-host-18_error.log /log/npm/proxy-host-14_access.log /log/npm/proxy-host-9_error.log /log/npm/proxy-host-7_access.log /log/npm/proxy-host-23_error.log /log/npm/proxy-host-1_access.log /log/npm/proxy-host-10_access.log /log/npm/proxy-host-11_access.log /log/npm/proxy-host-2_error.log /log/npm/proxy-host-11_error.log /log/npm/proxy-host-7_error.log /log/npm/proxy-host-9_access.log /log/npm/proxy-host-13_access.log /log/npm/proxy-host-22_access.log /log/npm/proxy-host-8_access.log /log/npm/proxy-host-16_access.log /log/npm/proxy-host-5_access.log /log/npm/proxy-host-20_access.log /log/npm/proxy-host-19_access.log /log/npm/proxy-host-20_error.log /log/npm/proxy-host-15_error.log /log/npm/proxy-host-4_access.log /log/npm/proxy-host-4_error.log /log/npm/proxy-host-22_error.log /log/npm/proxy-host-3_access.log /log/npm/proxy-host-12_error.log /log/npm/proxy-host-6_error.log /log/npm/proxy-host-2_access.log /log/npm/proxy-host-6_access.log /log/npm/proxy-host-5_error.log /log/npm/proxy-host-3_error.log /log/npm/proxy-host-13_error.log /log/npm/proxy-host-14_error.log /log/npm/proxy-host-23_access.log /log/npm/proxy-host-16_error.log /log/npm/proxy-host-15_access.log /log/npm/proxy-host-10_error.log /log/npm/proxy-host-8_error.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 138.199.28.44
What confuses me here is the banned address is the IP of vpn I use to access internet on my workstations. Nothing seems to be affected functionality-wise though. I confirmed the fail2ban in docker is working by repeatedly logging in with bad ssh password and that got banned correctly and I was unable to ssh from that host for configured period.
I'm not all that technical so perhaps someone else can confirm whether this actually works for npm.
The above filter and jail are working for me, I managed to block myself. Thanks @hugalafutro
@BaukeZwart , Can you please let me know how to add the ban because I added the ban action but it's not banning the IP. I can still log into to site.
This is the action I am using:
action = iptables-multiport
@mastan30 I'm using cloudflare for all my exposed services and block IP in cloudflare using the API.
@BaukeZwart Can we get free domain using cloudfare, I got a domain from duckdns and added it nginx reverse proxy but fail2ban is not banning the ip's, can I use cloudfare with free domain and nginx proxy, do you have any config for docker please?
My hardware is Raspberry Pi 4b with 4gb using as NAS with OMV, Emby, NPM reverse Proxy, Duckdns, Fail2Ban
Finally I am able to ban Ip using fail2ban-docker, npm-docker and emby-docker.
- Create a folder fail2ban and create the docker-compose.yml adding the following code:
version: "3.7"
services:
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban_docker
network_mode: "host"
environment:
- TZ=US/Eastern
- F2B_LOG_TARGET=STDOUT
- F2B_LOG_LEVEL=INFO
- F2B_DB_PURGE_AGE=1d
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- "path/to/storage/fail2ban/data:/data"
- "path/to/storage/fail2ban/log/:/var/log/"
- "path/to/storage/nginxproxymanager/AppData/data/logs:/log/npm/:ro"
- "path/to/storage/emby/logs:/log/emby/:ro"
restart: unless-stopped
- In the fail2ban/data/ folder you created in your storage, create action.d, jail.d, filter.d folders and copy the files in the corresponding folder of git into them.
i.e jail.d will have npm-docker.local,emby.local, filter.d will have npm-docker.conf,emby.conf and filter.d will have docker-action.conf,emby-action.conf respectively .
Folder: fail2ban/data/jail.d
npm-docker.local
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24
logpath = /log/npm/default-host_*.log
/log/npm/proxy-host-*.log
maxretry = 3
bantime = 86400
findtime = 60
action = docker-action
emby.local
[emby]
enabled = true
logpath = /log/emby/embyserver.txt
ignoreip = 127.0.0.1/8 192.168.1.0/24 # your local IP subnets
maxretry = 3
bantime = 84600
findtime = 60
action = emby-docker-action
Folder: fail2ban/data/filter.d
emby.conf
[INCLUDES]
[Definition]
failregex = Response.4\d\d.to <HOST>.+ Time
AUTH-ERROR: <HOST>.+-
npm-docker.conf
[INCLUDES]
[Definition]
failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
Folder: fail2ban/data/action.d
docker-action.conf
[Definition]
actionstart = iptables -N f2b-npm-docker
iptables -A f2b-npm-docker -j RETURN
iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
iptables -F f2b-npm-docker
iptables -X f2b-npm-docker
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-npm-docker[ \t]'
actionban = iptables -I f2b-npm-docker -s <ip> -j DROP
actionunban = iptables -D f2b-npm-docker -s <ip> -j DROP
emby-action.conf
[Definition]
actionstart = iptables -N f2b-emby
iptables -A f2b-emby-docker -j RETURN
iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-emby
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-emby
iptables -F f2b-emby
iptables -X f2b-emby
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-emby[ \t]'
actionban = iptables -I f2b-emby -s <ip> -j DROP
actionunban = iptables -D f2b-emby -s <ip> -j DROP
- Once these are set, run the docker compose and check if the container is up and running or not
Solution: It's setting custom action to ban and unban and also use Iptables forward from forward to f2b-npm-docker, f2b-emby which is more configuring up docker network, my docker containers are all in forward chain network, you can change FOWARD to DOCKER-USER or INPUT according to your docker-containers network.
I used following guides to finally come up with this:
#39 (comment) - setup
https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/ - iptable commands etc ..
Hope this helps some one like me who is trying to solve the issues they face with fail2ban and docker networks :)
Almost 4 years now. I guess fail2ban will never be implemented :(. I guess Ill stick to using swag until maybe one day it does.
Hope I have time to do some testing on this subject, soon.
I have a question about @mastan30 solution: fail2ban-docker requires that fail2ban itself has to (or must not) be installed on the host machine (dont think, iti is in the container...)?
Because I have already use it to protect ssh access to the host... so to avoid conflicts it is not clear to me how to manage this situation (f.e. : I should unistall fail2ban on host and moving the ssh jail into the fail2ban-docker config... or what? I'm confused).
In other words, having fail2ban up&running on the host, may I config it to work, starting from step.2?
Hi @posta246 , Yes my fail2ban is not installed directly on the container, I used it inside a docker-container and forwarded ip ban rules to docker chains. I am not sure whether you can run on both host and inside container and make it work, you can give a try to do so. But anytime having it either totally running on host or totally on Container for any software is best thing to do.
Hi, sorry me if I dont understand...:( I've tried to add the config file outside the container, fail2ban is running but seems to not catch the bad ip, i've tried your rules with fail2ban-regex too... but I noted:
- [PARTIALLY SOLVED, YOU REFER TO THE MAPPED FOLDERS] my logs make by npm are all in in a logs folder (no log, logS), and has the following pattern: /logs/proxy-host-*.log and also fallback*.log;
- [UPDATE, PARTIALLY SOLVED] the regex seems to work, files proxy* contain:
[13/Nov/2021:12:16:40 +0000] 444 - GET https MY_IP "/" [Client 45.146.164.110] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
while fallback*.log contain:
[13/Nov/2021:14:15:00 +0000] 444 - GET https ONE_OF_THEPROXIED_DOMAIN "/api/" [Client xx.xx.xx.xxx] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" "https://proxy_name"
May you help me to catch the malicious clients in the fallbak*?
By the way, the jail is empty, maybe bacause some timezone errors... have to go deeply.
SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful
SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful
It works for me also.
Adding the fallback files seems useful to me. So I added the fallback_.log and the fallback-.log to my jali.d/npm-docker.local. But is the regex in the filter.d/npm-docker.conf good for this? If I test I get no hits. I'm not an regex expert so any help would be appreciated.
SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful
It works for me also. Adding the fallback files seems useful to me. So I added the fallback__.log and the fallback-_.log to my jali.d/npm-docker.local. But is the regex in the filter.d/npm-docker.conf good for this? If I test I get no hits. I'm not an regex expert so any help would be appreciated.
So why not make the failregex scan al log files including fallback*.log only for Client.<HOST>
if you have all local networks excluded and use a VPN for access. It works form me.
The following regex does not work for me could anyone help me with understanding it?
UsingRegex:
^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$ ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
Log output from npm:
[20/Jan/2022:19:19:45 +0000] - - 404 - GET https somesite.ca "/wp-login.php" [Client 8.8.8.8] [Length 172] [Gzip 3.21] [Sent-to somesite] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "-"
DISREGARD It Works just fine! My dumbness
I am currently using NPM with a MACVLAN, therefore the fail2ban container can read the mounted logs and create ip tables on the host, but the traffice from and to NPM is not going to the iptables of the host because of the MACVLAN and so banning does not work. Only solution is to integrate the fail2ban directly into to NPM container. So please let this happen! :)
I am currently using NPM with a MACVLAN, therefore the fail2ban container can read the mounted logs and create ip tables on the host, but the traffice from and to NPM is not going to the iptables of the host because of the MACVLAN and so banning does not work. Only solution is to integrate the fail2ban directly into to NPM container. So please let this happen! :)
Same for me, would be really great if it could added.
@hugalafutro I tried that approach and it works. However, it has an unintended side effect of blocking services like Nextcloud or Home Assistant where we define the trusted proxies. For example, Nextcloud required you to specify the trusted domains (https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html). Similarly, Home Assistant requires trusted proxies (https://www.home-assistant.io/integrations/http/#trusted_proxies). Did you try this out with any of those?
@arsaboo I use both ha and nextcloud (and other 13-ish services, including mail server) with n-p-m set up with fail2ban as I outlined above without any issue.
I used to have all these on the same vm and it worked then, later I moved n-p-m to vm where my mail server is, and the vm with nextcloud and ha and other stuff is being tunelled via mullvad and everything still seems to work.
I just cobbled the fail2ban "integration" together from various tutorials, with zero understanding of iptables or docker networking etc. It seemed to work (as in I could see some addresses getting banned), for my configuration, but I'm not technically adept enough to say why it wouldn't for you.
edit:
for reference
in nextcloud I define the trusted proxy like so in config.php:
'trusted_proxies' =>
array (
0 => '192.168.1.142',
),
in ha I define it in configuration.yaml like so:
http:
server_host: 0.0.0.0
use_x_forwarded_for: true
cors_allowed_origins:
- https://google.com
- https://www.home-assistant.io
trusted_proxies:
- 192.168.1.142
ip_ban_enabled: false
login_attempts_threshold: 5
Hi all,
not running on docker, but on a Proxmox LCX I managed to get a working jail watching the access list rules I setup.
In addition, being proxied by cloudflare, added also a custom line in config to get real origin IP.
/etc/fail2ban/filter.d/nginx-access.conf
# fail2ban filter configuration for nginx
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>, server.+$
ignoreregex = ^ \[warn\] .+$
/etc/fail2ban/jail.conf extract:
[nginx-access]
enabled = true
filter = nginx-access
logpath = /data/logs/proxy-host-*.log
/data/logs/default-host*.log
maxretry = 3
bantime = 360
findtime = 60
In NPM Edit Proxy Host added the following for real IP behind Cloudflare in Custom Nginx Configuration:
real_ip_header CF-Connecting-IP;
hope this can be useful. Please let me know if any way to improve
This works for me: #39 (comment)
Hello @mastan30,
in this file fail2ban/data/jail.d/npm-docker.local
filter=npm-docker must be specified otherwise the filter is not applied, in my tests my ip is always found and then banned even for no reason.
I also adjusted the failregex in filter.d/npm-docker.conf, here is the file content:
[INCLUDES]
[Definition]
failregex = ^.+ ".*w00tw00t.*" \[Client <HOST>\] \[Length .+\] .+$
^.+ (4\d\d|5\d\d) .*- .+ ".*(~|admin|dbadmin|install|myadmin|MyAdmin|mysql|websql|pma|wp-|manager|blackcat|sprawdza).*" \[Client <HOST>\] \[Length .+\] .+$
^.+ (5\d\d|4(?!04)\d\d) - .+ \[Client <HOST>\] \[Length .+\] .+$
Thank you it helps me so much!
Referencing the instructions that @hugalafutro mentions here:
I attempted to follow your steps, however had a few issues:
-
The compose file you mention includes a .env file, however you didn't provide the contents of this file. Is it save to assume it is the default file from the developer's repository?
-
In the volume directive of the compose file, you mention the path as
- "../nginx-proxy-manager/data/logs/:/log/npm/:ro". I'm assuming this should be adjusted relative to the specific location of the NPM folder? In my case, my folder is just called "npm" and is within the~/servicesdirectory on my server, so I modified it to be (relative to the f2b compose file)../npm/data/logs. -
In your instructions, you mount the NPM files as /data/logs and mount it to /log/npm, but in this blog post, the author specifically mentions "Ensure that you properly bind mount the logs at /data/logs of your NPM reverse proxy into the Fail2ban docker container at /var/log/npm. Otherwise, Fail2ban is not able to inspect your NPM logs!". I've tried both, and both work, so not sure which is the "most" correct.
I followed the above linked blog and (on the second attempt) got the fail2ban container running and detecting my logs, but I do get an error which (I'm assuming) actually blocks any of the ban behavior from taking effect:
f2b | 2023-01-28T16:41:28.094008433Z 2023-01-28 11:41:28,093 fail2ban.actions [1]: ERROR Failed to execute ban jail 'npm-general-forceful-browsing' action 'action-ban-docker-forceful-browsing' info 'ActionInfo({'ip': '75.225.129.88', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f0d4ec48820>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f0d4ec48ee0>})': Error banning 75.225.129.88
But what is interesting is that after 10 minutes, it DID un-ban the IP, though I never saw a difference in behavior, banned or otherwise:
f2b | 2023-01-28T16:51:41.122149261Z 2023-01-28 11:51:41,121 fail2ban.actions [1]: NOTICE [npm-general-forceful-browsing] Unban 75.225.129.88
I then created a separate instance of the f2b container following your instructions, which also seem to work (at least so far).
Additionally, how did you view the status of the fail2ban jails? What command did you issue, I'm assuming, from within the f2b container itself?
I'm curious to get this working, but may actually try CrowdSec instead, since the developers officially support the integration into NPM.
I followed the guide that @mastan30 posted and observed a successful ban (though 24 hours after 3 tries is a bit long, so I have to figure out how to un-ban myself). Additionally I tried what you said about adding the filter=npm-docker to my file in jail.d, however I observed this actually did not detect the IP's, so I removed that line.
So I have 2 "working" iterations, and need to figure out the best from each and begin to really understand what I'm doing, rather than blindly copying others' logs.
@kmanwar89
edit: most of your issues stem from having different paths / container / filter names imho, set it up exactly as I posted as that works to try it out, and then you can start adjusting paths and file locations and container names provided you change them in all relevant places. i.e. if you name your file instead of npm-docker.local to haha-hehe-hihi.local, you need to put filter=haha-hehe-hihi instead of filter=npm-docker etc.
- Yes
- Yes this is just relative path of the npm logs you mount read-only into the fail2ban container, you have to adjust accordingly to your path
- Doesn't matter at all as long the
logpath = /log/npm/default-host_*.log
/log/npm/proxy-host-*.log
inside the jail definition file matches the path you mounted the logs inside the f2b container
I do not want to comment on others instructions as the ones I posted are the only ones that ever worked for me.
For reference this is my current config that bans ip on 3 different nginx-proxy-manager installations, I have joined the npm and fail2ban containers into 1 compose now:
directory structure
pi@pi-docker:~/docker/nginx-proxy-manager $ find ./ -type d -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'
|____
|____data_npm
| |____logs
| |____custom_ssl
| |____letsencrypt-acme-challenge
| | |____.well-known
| | | |____acme-challenge
| |____access
| |____nginx
| | |____default_www
| | |____dead_host
| | |____proxy_host
| | |____temp
| | |____redirection_host
| | |____default_host
| | |____stream
|____data_f2b
| |____db
| |____action.d
| |____jail.d
| |____filter.d
|____letsencrypt
| |____csr
| |____archive
| | |____npm-10
| | |____npm-1
| | |____npm-48
| | |____npm-46
| | |____npm-26
| | |____npm-15
| |____renewal-hooks
| | |____post
| | |____deploy
| | |____pre
| |____keys
| |____renewal
| |____live
| | |____npm-10
| | |____npm-1
| | |____npm-48
| | |____npm-46
| | |____npm-26
| | |____npm-15
| |____accounts
| | |____acme-v02.api.letsencrypt.org
| | | |____directory
| | | | |____b1fc0554c1bcfe0b429559f8bcefaf4b
docker-compose.yml
version: '3'
services:
nginx-proxy-manager:
container_name: nginx-proxy-manager_pi-docker
image: 'jc21/nginx-proxy-manager:latest'
ports:
- '10080:80'
- '10081:81'
- '10443:443'
volumes:
- ./data_npm:/data
- ./letsencrypt:/etc/letsencrypt
restart: always
environment:
X_FRAME_OPTIONS: "sameorigin"
DB_SQLITE_FILE: "/data/database.sqlite"
TZ: "Europe/London"
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban_pi-docker
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
privileged: true
volumes:
- "./data_f2b:/data"
- "./data_npm/logs/:/log/npm/:ro"
restart: always
env_file:
- "./fail2ban.env"
depends_on:
- nginx-proxy-manager
data_f2b/jail.d/npm-docker.local
pi@pi-docker:~/docker/nginx-proxy-manager $ cat data_f2b/jail.d/npm-docker.local
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24 172.16.0.1/16 192.168.1.1
chain = INPUT
logpath = /log/npm/default-host_*.log
/log/npm/proxy-host-*.log
maxretry = 3
bantime = 2419200
findtime = 86400
filter = npm-docker
data_f2b/filter.d/npm-docker.conf
pi@pi-docker:~/docker/nginx-proxy-manager $ cat data_f2b/filter.d/npm-docker.conf
[INCLUDES]
[Definition]
ignoreregex = ^ [warn] .+$
failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
^.+ (4\d\d|5\d\d) .*- .+ ".*(~|admin|dbadmin|install|myadmin|MyAdmin|mysql|websql|pma|wp-|manager).*" \[Client <HOST>\] \[Length .+\] .+$
^.+ (5\d\d|4(?!04)\d\d) - .+ \[Client <HOST>\] \[Length .+\] .+$
check current bans
docker exec -it fail2ban_pi-docker fail2ban-client status npm-docker
example output
pi@pi-docker:~/docker/nginx-proxy-manager $ docker exec -it fail2ban_pi-docker fail2ban-client status npm-docker
Status for the jail: npm-docker
|- Filter
| |- Currently failed: 58
| |- Total failed: 4661
| `- File list: /log/npm/default-host_access.log /log/npm/default-host_error.log /log/npm/proxy-host-3_access.log /log/npm/proxy-host-10_error.log /log/npm/proxy-host-43_error.log /log/npm/proxy-host-22_error.log /log/npm/proxy-host-43_access.log /log/npm/proxy-host-15_error.log /log/npm/proxy-host-3_error.log /log/npm/proxy-host-22_access.log /log/npm/proxy-host-10_access.log /log/npm/proxy-host-1_access.log /log/npm/proxy-host-1_error.log /log/npm/proxy-host-15_access.log
`- Actions
|- Currently banned: 255
|- Total banned: 258
`- Banned IP list: 101.68.211.3 103.72.147.115 104.155.129.44 107.150.126.151 108.194.208.147 109.237.97.180 109.237.98.226 109.249.187.77 109.74.204.123 111.30.107.154 116.203.223.117 118.193.56.146 128.14.188.209 134.122.40.17 134.209.105.9 134.209.172.210 136.33.158.151 137.184.147.18 137.184.214.147 137.184.69.186 138.197.12.104 138.197.147.198 138.197.157.88 139.59.101.36 139.59.190.229 139.59.251.216 139.64.164.73 139.99.120.203 139.99.123.180 141.255.167.130 142.93.240.129 143.110.178.178 143.198.212.64 143.198.220.72 143.198.239.27 143.244.140.48 144.126.236.89 144.91.106.14 146.148.39.73 146.19.24.230 146.190.244.19 146.70.119.3 146.70.119.35 146.70.119.37 146.70.119.67 148.63.28.25 150.129.81.213 152.32.227.68 152.89.196.211 157.245.136.139 157.245.99.223 159.203.35.125 159.223.68.123 159.65.111.248 159.89.107.64 159.89.111.42 161.35.161.99 161.35.188.150 162.142.125.10 162.142.125.210 162.142.125.211 162.142.125.212 162.142.125.213 162.142.125.219 162.142.125.221 162.142.125.7 162.142.125.8 162.142.125.9 164.92.135.200 165.22.54.62 165.22.65.114 165.227.208.24 165.227.212.9 165.232.124.165 165.232.64.133 167.172.103.51 167.172.188.222 167.172.90.80 167.172.93.19 167.248.133.117 167.248.133.120 167.248.133.44 167.248.133.46 167.248.133.60 167.248.133.61 167.248.133.62 167.71.201.171 167.71.73.251 167.71.85.7 167.94.138.119 167.94.138.120 167.94.138.44 167.94.138.46 167.94.138.47 167.94.138.60 167.94.138.61 167.94.138.62 167.94.146.57 167.94.146.58 167.94.146.60 167.99.207.240 170.64.134.42 170.64.148.163 170.64.176.251 170.64.176.7 170.64.180.140 176.65.137.4 179.43.155.157 179.43.177.242 183.106.161.103 183.136.225.32 183.136.225.45 184.105.139.67 184.105.139.70 185.180.143.141 185.180.143.81 185.195.232.131 185.195.232.133 185.195.232.139 185.195.232.140 185.195.232.141 185.195.232.149 185.195.232.152 185.195.232.160 185.195.232.161 185.195.232.169 185.195.232.170 185.195.232.180 185.213.175.253 185.224.128.219 185.225.73.198 185.225.74.45 185.225.74.55 185.248.85.10 185.248.85.31 185.248.85.32 185.248.85.36 185.248.85.4 188.166.232.195 191.254.254.119 193.32.162.159 193.35.18.189 193.35.18.227 193.35.18.228 193.35.18.242 193.38.55.200 194.180.49.233 194.55.186.216 195.133.40.86 195.154.77.190 198.20.69.98 2.57.122.80 20.163.207.204 201.163.190.64 201.23.6.2 207.154.245.167 208.100.26.229 209.126.151.116 209.126.151.117 209.126.151.119 209.126.151.120 209.126.151.122 209.141.33.8 212.18.176.230 213.205.192.74 213.205.196.194 213.205.241.29 213.205.241.92 213.205.242.98 219.85.88.188 23.224.186.225 24.150.82.71 24.199.92.233 34.121.19.107 34.122.44.159 34.135.91.26 34.136.137.67 34.171.253.186 34.172.163.221 34.172.175.164 34.172.209.163 34.173.116.45 34.201.148.42 34.27.133.230 34.29.37.32 34.67.120.116 34.67.167.189 34.67.214.23 34.69.204.32 34.70.93.107 34.71.162.68 35.192.12.146 35.202.182.162 35.202.234.8 35.216.248.122 35.222.78.111 35.224.175.167 35.225.212.38 35.226.241.168 35.226.97.237 35.232.70.169 35.238.41.231 35.239.89.230 37.44.238.144 37.44.238.71 43.134.171.148 43.135.123.64 45.12.253.180 45.61.186.176 45.9.110.186 45.93.201.64 46.19.136.74 47.89.188.40 49.234.150.132 5.188.210.227 5.75.202.224 52.4.28.5 61.147.15.65 61.147.15.67 62.171.128.107 62.210.75.103 64.225.103.50 64.225.18.115 64.225.56.220 65.49.20.66 65.49.20.68 67.222.109.195 68.183.111.90 68.183.12.150 71.6.135.131 72.55.136.154 74.82.47.3 74.82.47.4 77.81.142.251 79.124.59.150 80.94.92.57 82.170.148.96 89.248.165.204 89.248.165.52 89.31.112.234 90.2.97.189 91.107.142.252 92.118.39.29 92.118.39.82 94.62.138.31 185.195.232.165 112.47.34.246 159.89.171.91 35.153.144.36 193.35.18.206 161.35.213.143 134.209.159.229 163.123.181.180 185.195.232.159 34.136.218.224
Apologies if this is offtopic, but if anyone doubts usefulness of adding f2b to npm or whether the method I used is working I'd like to share some statistics from my cloud server with exposed ssh and http(s) ports. Along banning failed attempts for n-p-m I also ban failed ssh log ins. Endlessh is a wonderful little app that sits on the default ssh port and drags out random ssh responses until they time out to waste the script kiddie's time and then f2b bans them for a month. Graphs are from LibreNMS.
I get about twice the amount of bans on my cloud based mailcow mail server, along the bans that mailcow itself facilitates for failed mail logins.
| |____action.d
@hugalafutro : just to make it sure, in a totally new setup, npm and fail2ban:
do I need something in this action.d folder?
a docker.conf file or something?
with definition like
actionstart
actionstop
actioncheck
actionban
actionunban
@alneven In both my setups using n-p-m+f2b the directory ended up empty. I'm not really sure what it's for (every tutorial for implementing f2b whether in docker or on the bare metal I followed only talks about making a filter and a jail).
In both my setups using n-p-m+f2b the directory ended up empty.
thanks for the prompt feedback, I will ignore it as well
Sorry to bump and old topic but i was considering trying to get this to work- Think it would be great to have another tab on the dashboard that shows you blocked IPs and various stats about fail2ban. Has anyone actually got this working nicely inside the nginx container? I do agree that i think it's better to have it all in one as it's the main entry point to services
I hope to merge the functions of Fail2Ban and make a dashboard to display the banned logs.
I hope to merge the functions of Fail2Ban and make a dashboard to display the banned logs.
I love to help out where i can and i love the idea of having a dashboard to monitor what's been blocked and why. Maybe with the option to expose it to something like grafana? Just ideas
Add me to the list of people that would be eternally grateful to see fail2ban integration with npm. I use proxmox (LXC containers), so it would be great if this was available using the proxmox script and not just docker.
Add me to the list of people that would be eternally grateful to see fail2ban integration with npm. I use proxmox (LXC containers), so it would be great if this was available using the proxmox script and not just docker.
it is! just install Fail2ban on your LXC after NPM install
``> Hi all, not running on docker, but on a Proxmox LCX I managed to get a working jail watching the access list rules I setup. In addition, being proxied by cloudflare, added also a custom line in config to get real origin IP.
/etc/fail2ban/filter.d/nginx-access.conf
# fail2ban filter configuration for nginx [Definition] failregex = ^ \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>, server.+$ ignoreregex = ^ \[warn\] .+$/etc/fail2ban/jail.conf extract:
[nginx-access] enabled = true filter = nginx-access logpath = /data/logs/proxy-host-*.log /data/logs/default-host*.log maxretry = 3 bantime = 360 findtime = 60In NPM Edit Proxy Host added the following for real IP behind Cloudflare in Custom Nginx Configuration:
real_ip_header CF-Connecting-IP;hope this can be useful. Please let me know if any way to improve
For me the /etc/fail2ban/filter.d/nginx-access.conf was not working to ban someone. With this nginx-access.conf it works
nano/etc/fail2ban/filter.d/nginx-access.conf
[INCLUDES]
[Definition]
failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$