NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

[Request] Add Fail2Ban #39

Open lordraiden opened 5 years ago

lordraiden commented 5 years ago

Please consider fail2ban https://www.fail2ban.org/wiki/index.php/Main_Page

and a 2 step verification method https://www.authelia.com/  https://github.com/clems4ever/authelia

BTW your software is being a total success here https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/

vrelk commented 5 years ago

I agree on the fail2ban, I can see 2fa being good if it is going to be externally available. Big thing if you implement f2b, make sure it will pay attention to the forwarded-for IP. That way you don't end up blocking cloudflare.

I switched away from that docker container actually simply because it wasn't up-to-date enough for me. I needed the latest features such as the ability to forward HTTPS enabled sites.

jc21 commented 5 years ago

@lordraiden Thanks for the heads up, makes sense why so many issues being logged in the last 2 weeks! F2B is definitely a good improvement to be considered.

@vrelk Upstream SSL hosts support is done, in the next version I'll release today. Is that the only thing you needed that the docker version couldn't do?

vrelk commented 5 years ago

@jc21 I guess I should have specified that I was referring to the docker container linked in the first post (unRAID). It is a few months out of date. My switch was from the jlesage fork to yours.

macshack76 commented 5 years ago

please add fail2ban. otherwise you have a great software!

WesSec commented 5 years ago

+1 for f2b!

lordraiden commented 5 years ago

@jc21 Is there any new about the fail2ban addition?

1337hium commented 5 years ago

also voting for fail2ban 👍 Would be great

Fiala06 commented 5 years ago

Would also like fail2ban!

maximberezin97 commented 5 years ago

Would be great to have fail2ban built in like the linuxserver/letsencrypt Docker container!

ghost commented 5 years ago

Would also love to see fail2ban, or in the meantime, if anyone has been able to get it working manually and can share their setup/script

Elmardus commented 5 years ago

Is there a (manual) way to use Nginx-proxy-manager reverse proxies in combination with Authelia 2FA? I love the proxy manager's interface and ease of use, and would like to use it together with a authentication service.

jsternadel commented 5 years ago

+1 for both fail2ban and 2fa support. I would rank fail2ban as a primary concern and 2fa as a nice to have. With both of those features added i think this solution would be ready for smb production environments.

neander commented 5 years ago

+1 for fail2ban support.

slobberbone commented 5 years ago

+1 for fail2ban too !

WesSec commented 5 years ago

Some update on fail2ban, since I don't see this happening anytime soon, I created a fail2ban filter myself. Create a file called "nginx-docker" in /etc/fail2ban/filter.d with the following contents

[INCLUDES]  

[Definition]  

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$

This will jail all requests that return a 4xx/3xx code on the main ip or a 400 on the specified hosts in the docker (no 300 here because of redirects used to force HTTPS)

enable the jail in the jail.local file:

[nginx-docker]
enabled = true
logpath = <docker-config-location>/nginx-proxy-manager/data/logs/default_host.log
          <docker-config-location>/nginx-proxy-manager/data/logs/proxy_host-*.log
maxretry = 3
bantime  = 360
findtime = 60

The only issue is that docker sort of bypasses all iptables entries, fail2ban makes the entry but those are ignored by docker, resulting in having the correct rule in iptables or ufw, but not actually blocking the IP. Maybe someone in here has a solution for this.

dariusateik commented 5 years ago

wessel145 - I have played with the same problem ( docker ip block ) few days :) finally I have working solution;

  1. in /etc/docker/daemon.json - you need to add option "iptables": true
  2. you need to be sure docker create chain in iptables DOCKER-USER
  3. for fail2ban ( docker port ) use SINGLE PORT ONLY - custom action.d/customaction.conf --ctorigdstport !!! mine looks like this and it works

customaction.conf

[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I DOCKER-USER -p <protocol> -m conntrack --ctorigdstport <port> --ctdir ORIGINAL -j f2b-<name>

actionstop = <iptables> -D DOCKER-USER -p <protocol> -m conntrack --ctorigdstport <port> --ctdir ORIGINAL -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

actioncheck = <iptables> -n -L DOCKER-USER | grep -q 'f2b-<name>[ \t]'

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

  4. in your jail add action

[nginx-docker]
enabled = true
logpath = /nginx-proxy-manager/data/logs/default_host.log
          /nginx-proxy-manager/data/logs/proxy_host-*.log
banaction = customaction
maxretry = 3
bantime = 360
findtime = 60

NOTE: for docker to ban port need to use single port and option iptables -m conntrack --ctorigdstport --ctdir ORIGINAL

dariusateik commented 5 years ago

my personal opinion nginx-proxy-manager should be ONLY nginx-proxy-manager ; as with docker concept fail2ban and etc, etc, you can have as separate containers; better to have one good nginx-proxy-manager without mixing; jc21/nginx-proxy-manager made nice job. ! thanks

WesSec commented 4 years ago

@dariusateik i do not agree on that since the letsencrypt docker container also comes with fail2ban, 'all reverse proxy traffic' will go through this container and is therefore a good place to handle fail2ban.

jsternadel commented 4 years ago

@dariusateik the other side of docker containers is to make deployment easy. Currently fail2ban doesn't play so well sitting in the host OS and working with a container. Setting up fail2ban is also a bit more advanced than firing up the nginx-proxy-manager container and using a UI to easily configure subdomains. Having f2b inside the npm container and pre-configured, similar to the linuxio container, gives end users without experience in building jails and filters an extra layer of security. And those of us with that experience can easily tweak f2b to our liking. If you are using volumes and backing them up nightly you can easily move your npm container or rebuild it if necessary. I want to try out this container in a production environment but am hesitant to do so without f2b baked in. In production I need to have security, backups, and disaster recovery.

dariusateik commented 4 years ago

it is always - we could find many "yes" and many "no" ; there is no one answer... If npm will have it - why not; but i am using crazymax/fail2ban for this; more complexing docker, more possible mistakes; configs, etc; how will be or f2b integrated - should decide jc21

jc21 commented 4 years ago

Personally I don't understand the fascination with f2b. There's talk about security, but I've worked for multi million dollar companies with massive amounts of sensitive customer data, used by government agencies and never once have we been hacked or had any suspicious attempts to gain access.

And we have never used f2b.

On one hand, this project's goal was for the average joe to be able to easily use HTTPS for their incoming websites; not become a network security specialist. I understand that there are malicious people out there and there are users who want to protect themselves, but is f2b the only way for them to do this?

On the other hand, f2b is easy to add to the docker container. It's the configuration of it that would be hard for the average joe. Anyone who wants f2b can take my docker image and build a new one with f2b installed.

Super secret stuff: I'm not working on v2 anymore, and instead slowly working on v3. I'll be considering all feature requests for this next version.

dariusateik commented 4 years ago

100 % agree - > ... On the other hand, f2b is easy to add to the docker container

Rami-Pastrami commented 4 years ago

hopping in to say that a 2fa solution (such as the one authelia brings) would be an amazing addition.

Authelia itself doesn't require a LDAP server or its own mysql database, it can use built in single file equivalents just fine for small personal installations

JoschaMiddendorf commented 4 years ago

Any news on that?

wtf911 commented 4 years ago

To y'all looking to use fail2ban with your nginx-proxy-manager in docker here's a tip:

In your jail.local file under where the section (jail) for nginx-http-auth is you need to add this line so when something is banned it routes through iptables correctly with docker:

chain = DOCKER-USER
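
A way to confirm the hook-up described by WesSec, dariusateik and wtf911 above: an added example in Python (not code from the thread or from fail2ban) that audits constructed `iptables-save` output and reports where the jail's chain is jumped to. A ban that only lives in INPUT never matches traffic to a Docker-published port, because that traffic traverses FORWARD and DOCKER-USER instead; the chain name `f2b-npm-docker`, the port and the IPs in the two rule sets are assumptions.

```python
"""Audit `iptables-save` output for the Docker bypass discussed in this thread.

Added example (not from the thread or fail2ban): a ban chain hooked only from
INPUT never sees traffic to Docker-published ports, which traverses FORWARD
and the DOCKER-USER chain instead.  Both rule sets below are constructed."""
import re

DOCKER_HOOKS = ('FORWARD', 'DOCKER-USER')   # chains bridged container traffic passes


def filter_rules(save_text):
    """Return [(chain, rule_line)] for the *filter table only (nat etc. skipped)."""
    rules, in_filter = [], False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith('*'):
            in_filter = line == '*filter'
        elif in_filter and line.startswith('-A '):
            rules.append((line.split()[1], line))
    return rules


def audit_ban_chain(save_text, jail_chain):
    """Where is jail_chain jumped to, which IPs does it block right now, and
    would a ban placed in it apply to a container's published port?"""
    rules = filter_rules(save_text)
    jump = re.compile(rf'-j {re.escape(jail_chain)}(?:\s|$)')
    hooks = [chain for chain, rule in rules if jump.search(rule)]
    banned = []
    for chain, rule in rules:
        m = re.search(r'-s (\S+) -j (?:DROP|REJECT)', rule)
        if chain == jail_chain and m:
            banned.append(m.group(1))
    # dariusateik's action uses `-I DOCKER-USER`, so the jump must sit above the
    # chain's default `-j RETURN`; iptables-save lists rules in chain order.
    du = [rule for chain, rule in rules if chain == 'DOCKER-USER']
    hook_at = next((i for i, r in enumerate(du) if jump.search(r)), None)
    ret_at = next((i for i, r in enumerate(du) if r.endswith('-j RETURN')), len(du))
    return {
        'hooked_from': hooks,
        'banned': banned,
        'covers_docker': any(h in DOCKER_HOOKS for h in hooks),
        'docker_user_order_ok': hook_at is not None and hook_at < ret_at,
    }


# Constructed: the jail left on fail2ban's default `chain = INPUT`, the case
# WesSec describes (the rule exists, but container traffic never reaches it).
INPUT_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:f2b-npm-docker - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-npm-docker
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A f2b-npm-docker -s 203.0.113.7/32 -j DROP
-A f2b-npm-docker -j RETURN
COMMIT
"""

# Constructed: the same ban after the action was pointed at DOCKER-USER with
# the conntrack match from dariusateik's customaction.conf (single port 443).
DOCKER_USER = INPUT_ONLY.replace(
    '-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-npm-docker\n', '').replace(
    '-A DOCKER-USER -j RETURN\n',
    '-A DOCKER-USER -p tcp -m conntrack --ctorigdstport 443 --ctdir ORIGINAL '
    '-j f2b-npm-docker\n-A DOCKER-USER -j RETURN\n')


if __name__ == '__main__':
    for name, text in (('INPUT only', INPUT_ONLY), ('DOCKER-USER', DOCKER_USER)):
        print(name, audit_ban_chain(text, 'f2b-npm-docker'))
```

On a real host, feed it `iptables-save` output instead of the constructed strings; mastan30's later action that hooks FORWARD directly passes the same check.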

Nenodema commented 4 years ago

+1 for this thread. Thank jc21, great work!

jonasrubensson commented 4 years ago

+1 Any news on this?

EmmanuelZapata commented 4 years ago

+1 Last thing really need as of now. :)

maxi1134 commented 4 years ago

+1 Fail2ban would be amazing to secure our subdomains!

jonasrubensson commented 4 years ago

Anyone who has a guide how to implement this by myself in the image?

timmy1420 commented 4 years ago

Any update on this? Or will this be even implemented?

iamNCJ commented 3 years ago

+1 Any news on this?

pto199 commented 3 years ago

I too would like to see fail2ban implementation. Then I can finally switch over to Nginx proxy manager instead of using swag since this is so much easier and user friendly to use.

fail2ban already has a GUI developed for it as well (Called fail2web). I would love to see that implemented into NGinx proxy manager

Aceriz commented 3 years ago

I would also love to see Fail2Ban implemented. It would be the final thing needed for me to switch to a much superior product!!!. Also would be great to see more formal support of GEOip2

Antergosgeek commented 3 years ago

I switched to NPM recently and I have to say it has been great. The one thing I do find is missing is f2b. I have a separate container running f2b but it somehow doesn't play well with NPM. I have trouble getting the real IPs; my hope is that an integrated solution would solve that problem.

so +1 for fail2ban

Nenodema commented 3 years ago

For all of you that would like to have f2b: try CloudFlare, the "free" edition can help you to make your NPM much safer, you can for example regulate which traffic from particular countries is allowed or blocked and your IP is not published to the entire world.

chaptergy commented 3 years ago

I'll make this just Fail2Ban, for 2FA please use https://github.com/jc21/nginx-proxy-manager/issues/313

Nico1320 commented 3 years ago

+1 for Fail2Ban, it's an absolutely necessary feature for applications that have no built-in brute-force protection.

mgutt commented 3 years ago

Like to see Fail2Ban, too.

chaptergy commented 3 years ago

As v2 is not actively developed, just patched by the official author, it will not be added in v2 unless someone from the community implements it and opens a pull request.

To show your support for this request, please use the :+1: (thumbs up) emoji on the first comment in this issue, instead of commenting +1 or I want this too. This just adds unnecessary length to the issue and notifies all users who have subscribed to this issue, without adding anything of value. Thanks!

hugalafutro commented 3 years ago

I adapted and modified examples from this thread and I think I might have it working with current npm release + fail2ban in docker:

run fail2ban in another container via https://github.com/crazy-max/docker-fail2ban in fail2ban's docker-compose.yml mount npm log directory as read only like so:

version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker-pi
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "./data:/data"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "../nginx-proxy-manager/data/logs/:/log/npm/:ro"
    restart: always
    env_file:
      - "./fail2ban.env"

then create data/filter.d/npm-docker.conf with contents:

[INCLUDES]

[Definition]

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$

then create data/jail.d/npm-docker.local with contents:

[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24
chain = INPUT
logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log
maxretry = 3
bantime  = 360
findtime = 60

output of fail2ban running:

fail2ban_docker-pi | 2021-08-29 15:32:35,193 fail2ban.jail           [1]: INFO    Creating new jail 'npm-docker'
fail2ban_docker-pi | 2021-08-29 15:32:35,194 fail2ban.jail           [1]: INFO    Jail 'npm-docker' uses pyinotify {}
fail2ban_docker-pi | 2021-08-29 15:32:35,197 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
fail2ban_docker-pi | 2021-08-29 15:32:35,206 fail2ban.filter         [1]: INFO      maxRetry: 3
fail2ban_docker-pi | 2021-08-29 15:32:35,207 fail2ban.filter         [1]: INFO      findtime: 60
fail2ban_docker-pi | 2021-08-29 15:32:35,207 fail2ban.actions        [1]: INFO      banTime: 360
fail2ban_docker-pi | 2021-08-29 15:32:35,208 fail2ban.filter         [1]: INFO      encoding: UTF-8
fail2ban_docker-pi | 2021-08-29 15:32:35,307 fail2ban.jail           [1]: INFO    Jail 'sshd' started
fail2ban_docker-pi | 2021-08-29 15:32:35,310 fail2ban.jail           [1]: INFO    Jail 'npm-docker' started
fail2ban_docker-pi | Server ready
fail2ban_docker-pi | 2021-08-29 15:33:18,925 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,927 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,929 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,932 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,934 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,937 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,940 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,943 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,945 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,950 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,962 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,965 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,994 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,997 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:18,999 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:18
fail2ban_docker-pi | 2021-08-29 15:33:19,371 fail2ban.actions        [1]: NOTICE  [npm-docker] Ban 138.199.28.44
fail2ban_docker-pi | 2021-08-29 15:33:23,111 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,115 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,135 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,138 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,174 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,176 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,178 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,218 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,221 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,234 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,274 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,276 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,279 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,302 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,337 fail2ban.filter         [1]: INFO    [npm-docker] Found 138.199.28.44 - 2021-08-29 15:33:23
fail2ban_docker-pi | 2021-08-29 15:33:23,452 fail2ban.actions        [1]: NOTICE  [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,474 fail2ban.actions        [1]: NOTICE  [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,475 fail2ban.actions        [1]: NOTICE  [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,476 fail2ban.actions        [1]: NOTICE  [npm-docker] 138.199.28.44 already banned
fail2ban_docker-pi | 2021-08-29 15:33:23,478 fail2ban.actions        [1]: NOTICE  [npm-docker] 138.199.28.44 already banned

jail status:

Status for the jail: npm-docker
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     30
|  `- File list:        /log/npm/default-host_access.log /log/npm/default-host_error.log /log/npm/proxy-host-1_error.log /log/npm/proxy-host-18_access.log /log/npm/proxy-host-19_error.log /log/npm/proxy-host-17_error.log /log/npm/proxy-host-12_access.log /log/npm/proxy-host-17_access.log /log/npm/proxy-host-18_error.log /log/npm/proxy-host-14_access.log /log/npm/proxy-host-9_error.log /log/npm/proxy-host-7_access.log /log/npm/proxy-host-23_error.log /log/npm/proxy-host-1_access.log /log/npm/proxy-host-10_access.log /log/npm/proxy-host-11_access.log /log/npm/proxy-host-2_error.log /log/npm/proxy-host-11_error.log /log/npm/proxy-host-7_error.log /log/npm/proxy-host-9_access.log /log/npm/proxy-host-13_access.log /log/npm/proxy-host-22_access.log /log/npm/proxy-host-8_access.log /log/npm/proxy-host-16_access.log /log/npm/proxy-host-5_access.log /log/npm/proxy-host-20_access.log /log/npm/proxy-host-19_access.log /log/npm/proxy-host-20_error.log /log/npm/proxy-host-15_error.log /log/npm/proxy-host-4_access.log /log/npm/proxy-host-4_error.log /log/npm/proxy-host-22_error.log /log/npm/proxy-host-3_access.log /log/npm/proxy-host-12_error.log /log/npm/proxy-host-6_error.log /log/npm/proxy-host-2_access.log /log/npm/proxy-host-6_access.log /log/npm/proxy-host-5_error.log /log/npm/proxy-host-3_error.log /log/npm/proxy-host-13_error.log /log/npm/proxy-host-14_error.log /log/npm/proxy-host-23_access.log /log/npm/proxy-host-16_error.log /log/npm/proxy-host-15_access.log /log/npm/proxy-host-10_error.log /log/npm/proxy-host-8_error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   138.199.28.44

What confuses me here is the banned address is the IP of vpn I use to access internet on my workstations. Nothing seems to be affected functionality-wise though. I confirmed the fail2ban in docker is working by repeatedly logging in with bad ssh password and that got banned correctly and I was unable to ssh from that host for configured period.

I'm not all that technical so perhaps someone else can confirm whether this actually works for npm.
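
The filter from WesSec's post and the ignoreip/maxretry/findtime jail from hugalafutro's post, dry-run in Python over constructed log lines (an added example, not code from the thread, from fail2ban or from NPM; the log line shapes, the IPs and the IPv4-only `<HOST>` expansion are assumptions). It shows which lines each failregex catches, how the window and ignoreip decide a ban, and that the first pattern's `(\d\d\d|\d)` only accepts 1- or 3-digit response sizes.

```python
"""Dry-run of the npm-docker fail2ban filter and jail from this thread.

Added example (not code from the thread, fail2ban or NPM): replays constructed
log lines through the two failregex patterns plus a maxretry/findtime/ignoreip
simulation, so the filter can be checked without touching iptables."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The two failregex lines posted in the thread (npm-docker.conf).
FAILREGEX = [
    r'^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$',
    r'^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$',
]
# Assumption/simplification: fail2ban's <HOST> also accepts IPv6 and hostnames.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
COMPILED = [re.compile(p.replace('<HOST>', HOST_RE)) for p in FAILREGEX]
# nginx-style timestamp, the form used in the constructed lines below.
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def match_host(line):
    """Return the client IP if either failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group('host')
    return None


def parse_ts(line):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z') if m else None


def simulate_jail(lines, maxretry=3, findtime=60, ignoreip=()):
    """Replay lines in order; return {ip: time_of_ban} for every IP that reaches
    maxretry matches inside a findtime-second window.  Hosts covered by ignoreip
    (the jail setting from hugalafutro's post) are never counted, which is also
    the knob for a VPN egress or CDN address you never want to ban."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        host, ts = match_host(line), parse_ts(line)
        if host is None or ts is None or host in banned:
            continue
        if any(ipaddress.ip_address(host) in n for n in nets):
            continue
        window = hits[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# Constructed sample lines (not real NPM logs): a combined-style default-host
# line for the first pattern and a proxy-host line with [Client ...] for the
# second.  203.0.113.7 is a scanner, 192.168.1.20 a LAN client inside ignoreip,
# 198.51.100.9 too slow to reach maxretry within findtime.
# Note: (\d\d\d|\d) in the first pattern only accepts 1- or 3-digit response
# sizes, so e.g. a 1532-byte 404 response is not counted at all.
def _default(ip, t, status, size):
    return f'{ip} - - [29/Aug/2021:{t} +0000] "GET /does-not-exist HTTP/1.1" {status} {size} "-" "curl/7.68.0"'


def _proxy(ip, t, status):
    return (f'[29/Aug/2021:{t} +0000] - {status} {status} - GET https example.test "/admin" '
            f'[Client {ip}] [Length 153] [Gzip -] [Sent-to 10.0.0.5] "curl/7.68.0" "-"')


SAMPLE_LINES = [
    _default('203.0.113.7', '15:33:18', 404, 153),
    _proxy('203.0.113.7', '15:33:19', 404),
    _proxy('203.0.113.7', '15:33:20', 403),
    _default('192.168.1.20', '15:33:21', 404, 153),
    _default('192.168.1.20', '15:33:22', 404, 153),
    _default('192.168.1.20', '15:33:23', 404, 153),
    _default('198.51.100.9', '15:30:00', 404, 153),
    _default('198.51.100.9', '15:33:00', 404, 153),
    _default('198.51.100.9', '15:33:30', 404, 153),
    _default('203.0.113.7', '15:33:40', 200, 512),   # a 200 never matches
]
IGNOREIP = ('127.0.0.1/8', '192.168.1.0/24')


def run_demo():
    return simulate_jail(SAMPLE_LINES, maxretry=3, findtime=60, ignoreip=IGNOREIP)


if __name__ == '__main__':
    for ip, when in run_demo().items():
        print(f'would ban {ip} at {when:%H:%M:%S}')
```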

BaukeZwart commented 3 years ago

The above filter and jail are working for me, I managed to block myself. Thanks @hugalafutro

mastan30 commented 3 years ago

@BaukeZwart, Can you please let me know how to add the ban because I added the ban action but it's not banning the IP. I can still log in to the site.

This is the action I am using:

action = iptables-multiport

BaukeZwart commented 3 years ago

@mastan30 I'm using cloudflare for all my exposed services and block IP in cloudflare using the API.

mastan30 commented 3 years ago

@BaukeZwart Can we get free domain using cloudflare, I got a domain from duckdns and added it nginx reverse proxy but fail2ban is not banning the ip's, can I use cloudflare with free domain and nginx proxy, do you have any config for docker please?

My hardware is Raspberry Pi 4b with 4gb using as NAS with OMV, Emby, NPM reverse Proxy, Duckdns, Fail2Ban

mastan30 commented 3 years ago

@BaukeZwart @hugalafutro

Finally I am able to ban IPs using fail2ban-docker, npm-docker and emby-docker.

  1. Create a folder fail2ban and create the docker-compose.yml adding the following code:

version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker
    network_mode: "host"
    environment:
      - TZ=US/Eastern
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "path/to/storage/fail2ban/data:/data"
      - "path/to/storage/fail2ban/log/:/var/log/"
      - "path/to/storage/nginxproxymanager/AppData/data/logs:/log/npm/:ro"
      - "path/to/storage/emby/logs:/log/emby/:ro"
    restart: unless-stopped

  2. In the fail2ban/data/ folder you created in your storage, create action.d, jail.d, filter.d folders and copy the files in the corresponding folder of git into them.

i.e. jail.d will have npm-docker.local and emby.local, filter.d will have npm-docker.conf and emby.conf, and action.d will have docker-action.conf and emby-action.conf respectively.

Folder: fail2ban/data/jail.d

npm-docker.local

```ini
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24
logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log
maxretry = 3
bantime  = 86400
findtime = 60
action = docker-action
```

emby.local

```ini
[emby]
enabled = true
logpath = /log/emby/embyserver.txt
# your local IP subnets (a '#' comment must be on its own line in fail2ban configs)
ignoreip = 127.0.0.1/8 192.168.1.0/24
maxretry = 3
bantime = 84600
findtime = 60
action = emby-docker-action
```

Folder: fail2ban/data/filter.d

emby.conf

```ini
[INCLUDES]

[Definition]

failregex = Response.4\d\d.to <HOST>.+ Time
            AUTH-ERROR: <HOST>.+-
```

npm-docker.conf

```ini
[INCLUDES]

[Definition]

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
```

Folder: fail2ban/data/action.d

docker-action.conf

```ini
[Definition]

actionstart = iptables -N f2b-npm-docker
              iptables -A f2b-npm-docker -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker

actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
             iptables -F f2b-npm-docker
             iptables -X f2b-npm-docker

actioncheck = iptables -n -L FORWARD | grep -q 'f2b-npm-docker[ \t]'

actionban = iptables -I f2b-npm-docker -s <ip> -j DROP

actionunban = iptables -D f2b-npm-docker -s <ip> -j DROP
```

emby-action.conf

```ini
[Definition]

# the RETURN rule must be appended to the same chain that actionstart creates (f2b-emby)
actionstart = iptables -N f2b-emby
              iptables -A f2b-emby -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-emby

actionstop = iptables -D FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-emby
             iptables -F f2b-emby
             iptables -X f2b-emby

actioncheck = iptables -n -L FORWARD | grep -q 'f2b-emby[ \t]'

actionban = iptables -I f2b-emby -s <ip> -j DROP

actionunban = iptables -D f2b-emby -s <ip> -j DROP
```

3. Once these are set, run docker compose and check whether the container is up and running.

Solution: it sets a custom action to ban and unban, and also uses iptables to jump from FORWARD to f2b-npm-docker and f2b-emby, which depends on how your docker network is configured. My docker containers are all in the FORWARD chain network; you can change FORWARD to DOCKER-USER or INPUT according to your docker containers' network.

I used following guides to finally come up with this:

https://github.com/jc21/nginx-proxy-manager/issues/39#issuecomment-907795521 - setup

https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/ - iptable commands etc ..

Hope this helps someone like me who is trying to solve the issues they face with fail2ban and docker networks :)

pto199 commented 3 years ago

Almost 4 years now. I guess fail2ban will never be implemented :(. I guess I'll stick to using swag until maybe one day it does.

posta246 commented 3 years ago

Hope I have time to do some testing on this subject soon. I have a question about @mastan30's solution: does fail2ban-docker require that fail2ban itself has to (or must not) be installed on the host machine (I don't think it is in the container...)? Because I already use it to protect ssh access to the host, so to avoid conflicts it is not clear to me how to manage this situation (e.g. should I uninstall fail2ban on the host and move the ssh jail into the fail2ban-docker config, or what? I'm confused). In other words, having fail2ban up and running on the host, may I configure it to work, starting from step 2?

mastan30 commented 3 years ago

Hi @posta246, yes, my fail2ban is not installed directly on the container; I used it inside a docker container and forwarded IP ban rules to docker chains. I am not sure whether you can run it on both the host and inside a container and make it work; you can give it a try. But having it either totally running on the host or totally in a container is the best thing to do for any software.

posta246 commented 3 years ago

Hi, sorry if I don't understand... :( I've tried to add the config file outside the container; fail2ban is running but seems not to catch the bad IP. I've tried your rules with fail2ban-regex too, but I noted:

1. [PARTIALLY SOLVED, YOU REFER TO THE MAPPED FOLDERS] my logs made by npm are all in a logs folder (no log, logS), and have the following pattern: /logs/proxy-host-*.log and also fallback*.log;
2. [UPDATE, PARTIALLY SOLVED] the regex seems to work; the proxy files contain: [13/Nov/2021:12:16:40 +0000] 444 - GET https MY_IP "/" [Client 45.146.164.110] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-" while fallback.log contains: [13/Nov/2021:14:15:00 +0000] 444 - GET https ONE_OF_THEPROXIED_DOMAIN "/api/" [Client xx.xx.xx.xxx] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" "https://proxy_name". May you help me to catch the malicious clients in the fallback*? By the way, the jail is empty, maybe because of some timezone errors... I have to go deeper.
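As an added example (not code from this thread or from the NPM project), the following Python check runs the second failregex from mastan30's npm-docker.conf over constructed NPM-style log lines, and shows why a line in the shorter fallback*.log format that posta246 describes (status only, no upstream status) never matches it; FALLBACK_FAILREGEX is an assumed variant that accepts both formats, and HOST_RE is a simplified stand-in for fail2ban's <HOST> expansion.

```python
import re

# Constructed sample lines (not from a real server). proxy-host-*.log carries
# "<cache> <upstream_status> <status> -" after the timestamp, while fallback*.log
# carries only "<status> -", which is what posta246's pasted line shows.
PROXY_HOST_404 = ('[13/Nov/2021:12:16:40 +0000] - 404 404 - GET https example.invalid "/admin" '
                  '[Client 203.0.113.5] [Length 153] [Gzip -] [Sent-to 10.0.0.2] "curl/7.79.1" "-"')
PROXY_HOST_200 = ('[13/Nov/2021:12:16:41 +0000] - 200 200 - GET https example.invalid "/" '
                  '[Client 203.0.113.5] [Length 612] [Gzip -] [Sent-to 10.0.0.2] "curl/7.79.1" "-"')
FALLBACK_444 = ('[13/Nov/2021:14:15:00 +0000] 444 - GET https example.invalid "/api/" '
                '[Client 198.51.100.7] [Length 0] [Gzip -] "Mozilla/5.0" "https://proxy_name"')
SAMPLE_LINES = [PROXY_HOST_404, PROXY_HOST_200, FALLBACK_444]

# Second failregex from mastan30's npm-docker.conf, copied unchanged: it needs
# "<4xx> <3 digits> - ", so a fallback line ("444 - GET ...") cannot match.
NPM_FAILREGEX = r'^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$'

# Assumed variant: the "- <upstream_status> " group is optional, so both the
# proxy-host format and the fallback format are accepted; still 4xx only.
FALLBACK_FAILREGEX = r'^\[[^\]]+\] (?:- \d{3} )?4\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$'

# Simplified stand-in for fail2ban's <HOST> (assumption; fail2ban's own is broader).
HOST_RE = r'(?P<host>[\w.:\-]+)'


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def matched_hosts(pattern, lines):
    """Return the client addresses the failregex would report, in log order."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in lines:
        m = rx.match(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


if __name__ == '__main__':
    print('npm-docker.conf regex :', matched_hosts(NPM_FAILREGEX, SAMPLE_LINES))
    print('fallback-aware regex  :', matched_hosts(FALLBACK_FAILREGEX, SAMPLE_LINES))
```

Run `fail2ban-regex` against the real log files before deploying any regex change, since the real <HOST> pattern and timestamp handling differ from this stand-in.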
  2. [UPDATE, PARTIALLY SOLVED] the regex seems to work, files proxy contain: [13/Nov/2021:12:16:40 +0000] 444 - GET https MY_IP "/" [Client 45.146.164.110] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-" while fallback.log contain: [13/Nov/2021:14:15:00 +0000] 444 - GET https ONE_OF_THEPROXIED_DOMAIN "/api/" [Client xx.xx.xx.xxx] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" "https://proxy_name" May you help me to catch the malicious clients in the fallbak*? By the way, the jail is empty, maybe bacause some timezone errors... have to go deeply.