crazy-max / docker-fail2ban

Fail2ban Docker image
MIT License
620 stars 77 forks

Fail2ban docker not banning even if it says "already banned" #157

Closed sblantipodi closed 7 months ago

sblantipodi commented 8 months ago

Support guidelines

I've found a bug and checked that ...

Description

Fail2ban docker not banning even if it says "already banned".

Expected behaviour

Ban the IP. This is the fail2ban.log:

Fail2ban docker not banning even if it says "already banned"

2023-10-26 08:28:39,507 fail2ban.filter         [1]: INFO    [hass-iptables] Found MYIP - 2023-10-26 08:28:39
2023-10-26 08:28:39,516 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: hostname = {'MYIP'}
2023-10-26 08:28:39,530 fail2ban.filter         [1]: INFO    [hass-iptables] Found MYIP - 2023-10-26 08:28:39
2023-10-26 08:28:39,728 fail2ban.actions        [1]: WARNING [hass-iptables] MYIP already banned

Actual behaviour

no banned IP address when I run this command iptables -L

Steps to reproduce

just run fail2ban on docker...

Docker info

Client:
 Version:    24.0.5
 Context:    default
 Debug Mode: false

Server:
 Containers: 8
  Running: 8
  Paused: 0
  Stopped: 0
 Images: 8
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-1005-raspi
 Operating System: Ubuntu 23.10
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 3.701GiB
 Name: smartstar
 ID: 2c849941-d07c-4c33-9d0d-7533c4b90ea8
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

services:
  certbot:
    entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h &
      wait $${!}; done;'
    image: certbot/certbot:latest
    volumes:
    - /opt/docker_ha/nginx/certbot/conf:/etc/letsencrypt:rw
    - /opt/docker_ha/nginx/certbot/www:/var/www/certbot:rw
  code-server:
    container_name: code-server
    environment:
      PGID: '1000'
      PUID: '1000'
      TZ: Etc/UTC
    image: lscr.io/linuxserver/code-server:latest
    network_mode: host
    restart: always
    volumes:
    - /opt/docker_ha/homeassistant/config:/config:rw
  fail2ban:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban
    environment:
      F2B_ACTION: '%(action_mwl)s'
      F2B_DB_PURGE_AGE: 1d
      F2B_DEST_EMAIL: mymail
      F2B_IPTABLES_CHAIN: FORWARD
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      F2B_MAX_RETRY: '3'
      F2B_SENDER: SENDER_EMAIL
      SSMTP_HOST: mysmtp server
      SSMTP_PASSWORD: mypwd
      SSMTP_PORT: '587'
      SSMTP_TLS: "YES"
      SSMTP_USER: myusername
      TZ: Europe/Rome
    image: crazymax/fail2ban:latest
    logging:
      driver: json-file
      options:
        max-file: '10'
        max-size: 5m
    network_mode: host
    restart: unless-stopped
    volumes:
    - /opt/docker_ha/fail2ban-data:/data:rw
    - /var/log:/var/log:ro
    - /var/lib/docker/containers:/container-logs:ro
  homeassistant:
    container_name: homeassistant
    image: ghcr.io/home-assistant/home-assistant:stable
    network_mode: host
    privileged: true
    restart: always
    volumes:
    - /opt/docker_ha/homeassistant/config:/config:rw
    - /etc/localtime:/etc/localtime:ro
  mosquitto:
    container_name: mosquitto
    image: eclipse-mosquitto
    ports:
    - published: 1883
      target: 1883
    restart: always
    volumes:
    - /opt/docker_ha/mosquitto:/mosquitto:rw
    - /opt/docker_ha/mosquitto/data:/mosquitto/data:rw
    - /opt/docker_ha/mosquitto/log:/mosquitto/log:rw
  nginx:
    image: nginx
    ports:
    - published: 80
      target: 80
    - published: 443
      target: 443
    - published: 8124
      target: 8124
    restart: always
    volumes:
    - /opt/docker_ha/nginx/nginx:/etc/nginx/conf.d:ro
    - /opt/docker_ha/nginx/wwwroot:/var/www/root:ro
    - /opt/docker_ha/nginx/certbot/conf:/etc/letsencrypt:ro
    - /opt/docker_ha/nginx/certbot/www:/var/www/certbot:ro
    - /opt/docker_ha/nginx:/restricted:ro
  nut-upsd:
    container_name: nut-upsd
    environment:
      API_PASSWORD: mypwd
      API_USER: admin
      DESCRIPTION: Cyberpower_PR1500ELCD
      DRIVER: usbhid-ups
      NAME: Cyberpower_PR1500ELCD
      PORT: /dev/bus/usb/001/003
    image: instantlinux/nut-upsd
    ports:
    - published: 3493
      target: 3493
    privileged: true
    restart: always
  portainer:
    container_name: portainer
    environment:
      TZ: Europe/Rome
    image: portainer/portainer-ce
    ports:
    - protocol: tcp
      published: 9000
      target: 9000
    restart: always
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:rw
    - /opt/docker_ha/portainer:/data:rw
version: '3.0'

Logs

2023-10-26 08:28:39,507 fail2ban.filter         [1]: INFO    [hass-iptables] Found MYIP - 2023-10-26 08:28:39
2023-10-26 08:28:39,516 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: hostname = {'MYIP'}
2023-10-26 08:28:39,530 fail2ban.filter         [1]: INFO    [hass-iptables] Found MYIP - 2023-10-26 08:28:39
2023-10-26 08:28:39,728 fail2ban.actions        [1]: WARNING [hass-iptables] MYIP already banned

Additional info

Some rules are inserted in my iptables:

```text
iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-HTTPS  tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-HTTPS (1 references)
target     prot opt source               destination
REJECT     all  --  mob-myIP.net.vodafone.it  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
```

but it still does not block the connection...

sblantipodi commented 8 months ago

I have seen that the ban rules are inserted in iptables-legacy and not in iptables. I can't use iptables-legacy as default since some other containers need iptables-nft.

Does this image work with iptables-nft?

If yes, can I use both the REJECT rules from iptables-nft and iptables-legacy at the same time? If yes, why does this line `REJECT all -- mob-myIP.net.vodafone.it anywhere reject-with icmp-port-unreachable` not block my connection?

sblantipodi commented 8 months ago

I switched to iptables-legacy just to give it a try:

```text
update-alternatives --config ip6tables
update-alternatives --config iptables
```

rebooted the system.

iptables -L shows that the IP is correctly banned, but I have no problem accessing my site...

```text
Chain f2b-HASS (1 references)
target     prot opt source               destination
REJECT     all  --  176.myip.0.0      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
```

sblantipodi commented 7 months ago

I solved by adding the DOCKER chain in the correct jail.
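The resolution above comes down to where the ban chain is hooked: a packet DNATed to a port published by a bridge-mode container (nginx on 443 here) is forwarded, not delivered locally, so it traverses FORWARD and Docker's DOCKER-USER hook and never INPUT. A `REJECT` that is only reachable from INPUT is therefore present in `iptables -L` yet does nothing for that traffic, which is exactly the symptom in the first post. As an added example (not code from the issue or from the crazymax/fail2ban image), the checker below parses `iptables -L` text, lists what each `f2b-*` chain bans, and flags chains that no forwarding-path chain jumps to. The two dumps are constructed, modelled on the output in the issue, with the documentation address 203.0.113.7 as a placeholder; treating DOCKER-USER as the Docker hook is an assumption from Docker's standard chain layout, the thread itself only says "the DOCKER chain". Containers running with `network_mode: host` (homeassistant, fail2ban itself) are the exception: their traffic does hit INPUT, so the check applies to published-port containers only.

```python
"""Check whether fail2ban's ban chains sit on the path that Docker-published
traffic actually takes. Added example, not code from the issue or the image."""
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]  # (target, source) as printed by `iptables -L`

# Constructed sample modelled on the dump in the issue: the ban chain is only
# jumped to from INPUT. 203.0.113.7 is a documentation-range placeholder.
DUMP_INPUT_ONLY = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-HTTPS  tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-HTTPS (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
"""

# Same host after the jail's action also targets DOCKER-USER (constructed;
# DOCKER-USER is assumed to be Docker's user hook, the thread says "DOCKER chain").
DUMP_DOCKER_USER = DUMP_INPUT_ONLY.replace(
    "Chain DOCKER-USER (1 references)\n"
    "target     prot opt source               destination\n",
    "Chain DOCKER-USER (1 references)\n"
    "target     prot opt source               destination\n"
    "f2b-HTTPS  tcp  --  anywhere             anywhere             tcp dpt:https\n",
).replace("Chain f2b-HTTPS (1 references)", "Chain f2b-HTTPS (2 references)")


def parse_chains(dump: str) -> Dict[str, List[Rule]]:
    """Map each chain name to its (target, source) rules."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in dump.splitlines():
        m = re.match(r"^Chain (\S+) ", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or len(parts) < 4 or parts[0] == "target":
            continue  # blank line or column header
        chains[current].append((parts[0], parts[3]))
    return chains


def hooks_of(chains: Dict[str, List[Rule]], chain: str) -> Set[str]:
    """Names of the chains that contain a jump to `chain`."""
    return {parent for parent, rules in chains.items()
            if any(target == chain for target, _ in rules)}


def banned_sources(chains: Dict[str, List[Rule]], chain: str) -> List[str]:
    """Source addresses hit by REJECT/DROP rules in a fail2ban chain."""
    return [src for target, src in chains.get(chain, []) if target in ("REJECT", "DROP")]


def ineffective_for_containers(chains: Dict[str, List[Rule]]) -> List[str]:
    """f2b-* chains that no forwarding-path chain jumps to.

    Traffic DNATed to a bridge-mode container's published port traverses
    FORWARD (and DOCKER-USER), never INPUT, so a ban reachable only from
    INPUT leaves the container reachable from the banned address."""
    forwarding = {"FORWARD", "DOCKER-USER"}
    return sorted(name for name in chains
                  if name.startswith("f2b-") and not (hooks_of(chains, name) & forwarding))


if __name__ == "__main__":
    for label, dump in (("INPUT only", DUMP_INPUT_ONLY), ("DOCKER-USER", DUMP_DOCKER_USER)):
        chains = parse_chains(dump)
        print(label, "banned:", banned_sources(chains, "f2b-HTTPS"),
              "ineffective:", ineffective_for_containers(chains))
```

To use it on a real host, feed `parse_chains` the output of whichever backend fail2ban actually writes to (`iptables -L` or `iptables-legacy -L`, as the thread found them to differ); an `f2b-*` chain named in the result is one whose bans are not on the path to published container ports.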