crazy-max / docker-fail2ban

Fail2ban Docker image
MIT License
620 stars 77 forks

Subdomain access not blocked #159

Closed Drudoo closed 1 month ago

Drudoo commented 6 months ago

### Support guidelines

I've found a bug and checked that ...

### Description

Setup:

- compose file (traefik service)

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik2
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - webproxy
    ports:
      - "80:80"
      - "443:443"
    hostname: traefik2
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/config:/config:ro
      - /var/log/traefik:/var/log
```

- traefik.yml

```yaml
api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /config
    watch: true

certificatesResolvers:
  http:
    acme:
      email: XXXXXXXX
      storage: acme.json
      httpChallenge:
        entryPoint: web
log:
  filePath: "/var/log/traefik.log"
  level: ERROR
accessLog:
  filePath: "/var/log/access.log"
  format: json
```

- jail configuration

```ini
[traefik-general-forceful-browsing]
enabled = true
filter = traefik-general-forceful-browsing
ignoreip = 127.0.0.0/8 192.168.10.0/16
logpath = /var/log/traefik/access.log
chain = DOCKER-USER
action = action-ban-docker-forceful-browsing
maxretry = 15
findtime = 60
bantime = 600
```


- filter.d/traefik-general-forceful-browsing.conf

```ini
[INCLUDES]

[Definition]

# fail regex based on traefik JSON access logs with enabled user agent logging
# (<HOST> is fail2ban's placeholder for the client address to ban)
failregex = ^{"ClientAddr":".*","ClientHost":"<HOST>","ClientPort":".*","ClientUsername":".*","DownstreamContentSize":.*,"DownstreamStatus":.*,"Duration":.*,"OriginContentSize":.*,"OriginDuration":.*,"OriginStatus":(405|404|403|402|401),"Overhead":.*,"RequestAddr":".*","RequestContentSize":.*,"RequestCount":.*,"RequestHost":".*","RequestMethod":".*","RequestPath":".*","RequestPort":".*","RequestProtocol":".*","RequestScheme":".*","RetryAttempts":.*,.*"StartLocal":".*","StartUTC":".*","TLSCipher":".*","TLSVersion":".*","entryPointName":".*","level":".*","msg":".*",("request_User-Agent":".*",){0,1}?"time":".*"}$

# custom date pattern for traefik JSON access logs
# based on https://github.com/fail2ban/fail2ban/issues/2558#issuecomment-546738270
datepattern = "StartLocal"\s*:\s*"%%Y-%%m-%%d[T]%%H:%%M:%%S.%%f\d*(%%z)?",

# ignore common errors like missing media files or JS/CSS/TXT/ICO stuff
# (dots in the extension list are escaped so ".png" matches a literal dot, not any character)
ignoreregex = ^{"ClientAddr":".*","ClientHost":"<HOST>","ClientPort":".*","ClientUsername":".*","DownstreamContentSize":.*,"DownstreamStatus":.*,"Duration":.*,"OriginContentSize":.*,"OriginDuration":.*,"OriginStatus":(405|404|403|402|401),"Overhead":.*,"RequestAddr":".*","RequestContentSize":.*,"RequestCount":.*,"RequestHost":".*","RequestMethod":".*","RequestPath":".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)?","RequestPort":".*","RequestProtocol":".*","RequestScheme":".*","RetryAttempts":.*,.*"StartLocal":".*","StartUTC":".*","TLSCipher":".*","TLSVersion":".*","entryPointName":".*","level":".*","msg":".*",("request_User-Agent":".*",){0,1}?"time":".*"}$
```


- action.d/action-ban-docker-forceful-browsing.conf

```ini
[Definition]

# <ip> is substituted by fail2ban with the address being banned or unbanned
actionban = iptables -I DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

actionunban = iptables -D DOCKER-USER -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP
```


### Expected behaviour

IP is banned after 15 404 attempts and is banned on the main domain (xxx.com) but also on subdomains (git.xxx.com, blog.xxx.com, etc.).

### Actual behaviour

IP is blocked on main domain but not on any subdomains. Logs show bad IP on subdomains but access isn't blocked. 

### Steps to reproduce

1. Setup as described above.
2. Access either main domain or subdomain 15 times to get banned. 
3. Access main domain and see ban.
4. Access subdomain and see that IP isn't banned.

### Docker info

```text
Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 27
  Running: 18
  Paused: 0
  Stopped: 9
 Images: 160
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.10.103-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 3.326GiB
 Name: himalia
 ID: 4e93fb7f-268a-46cc-a223-edb2f65e2bfc
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

### Docker Compose config

```yaml
name: fail2ban
services:
  fail2ban:
    cap_add:
    - NET_ADMIN
    - NET_RAW
    container_name: fail2ban
    environment:
      F2B_DB_PURGE_AGE: 14d
      F2B_LOG_LEVEL: INFO
      F2B_LOG_TARGET: STDOUT
      TZ: Europe/Paris
    image: crazymax/fail2ban:latest
    network_mode: host
    restart: unless-stopped
    volumes:
    - type: bind
      source: /var/log
      target: /var/log
      read_only: true
      bind:
        create_host_path: true
    - type: bind
      source: /home/pi/Docker/fail2ban/data
      target: /data
      bind:
        create_host_path: true
```

### Logs

```text
fail2ban  | 2023-12-30 20:33:22,897 fail2ban.filter         [1]: INFO    [traefik-general-forceful-browsing] Found <IP> - 2023-12-30 20:33:22
fail2ban  | 2023-12-30 20:33:22,898 fail2ban.observer       [1]: INFO    [traefik-general-forceful-browsing] Found <IP>, bad - 2023-12-30 20:33:22, 1 # -> 2.0
```

### Additional info

No response
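The filter posted above can be dry-run without a fail2ban install, because fail2ban compiles `failregex`/`ignoreregex` with Python's `re`. The script below is an added example, not code from this issue or from the crazy-max/docker-fail2ban project: it rebuilds the posted patterns with `<HOST>` expanded to a named group (an approximation of fail2ban's own host pattern), feeds them constructed traefik JSON access-log lines (not captured from a real server; key order is sorted, as traefik's JSON formatter writes it), and counts hits per client against the jail's `maxretry = 15`. Extension dots in the ignore pattern are escaped so `.png` means a literal `.png`.

```python
"""Dry-run of the posted traefik-general-forceful-browsing filter (added example)."""
import json
import re
from collections import Counter

# Approximation of fail2ban's <HOST> expansion (assumption: adequate for IPv4 and hostnames).
HOST = r"(?P<host>[\w\-.^_]*\w)"


def traefik_regex(request_path: str) -> re.Pattern:
    """The posted field-ordered regex; failregex and ignoreregex differ only in RequestPath."""
    return re.compile(
        r'^\{"ClientAddr":".*","ClientHost":"' + HOST + r'","ClientPort":".*",'
        r'"ClientUsername":".*","DownstreamContentSize":.*,"DownstreamStatus":.*,'
        r'"Duration":.*,"OriginContentSize":.*,"OriginDuration":.*,'
        r'"OriginStatus":(405|404|403|402|401),"Overhead":.*,"RequestAddr":".*",'
        r'"RequestContentSize":.*,"RequestCount":.*,"RequestHost":".*","RequestMethod":".*",'
        r'"RequestPath":"' + request_path + r'","RequestPort":".*","RequestProtocol":".*",'
        r'"RequestScheme":".*","RetryAttempts":.*,.*"StartLocal":".*","StartUTC":".*",'
        r'"TLSCipher":".*","TLSVersion":".*","entryPointName":".*","level":".*","msg":".*",'
        r'("request_User-Agent":".*",){0,1}?"time":".*"\}$'
    )


FAILREGEX = traefik_regex(r".*")
# Dots escaped: ".png" must be a literal extension, not "any character followed by png".
IGNOREREGEX = traefik_regex(r".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)?")


def access_line(client_host, path, status, request_host="blog.xxx.com", user_agent=None):
    """Constructed traefik JSON access-log line; sorted keys give the fixed field order."""
    rec = {
        "ClientAddr": f"{client_host}:51234", "ClientHost": client_host,
        "ClientPort": "51234", "ClientUsername": "-",
        "DownstreamContentSize": 19, "DownstreamStatus": status, "Duration": 1234567,
        "OriginContentSize": 19, "OriginDuration": 1000000, "OriginStatus": status,
        "Overhead": 234567, "RequestAddr": request_host, "RequestContentSize": 0,
        "RequestCount": 1, "RequestHost": request_host, "RequestMethod": "GET",
        "RequestPath": path, "RequestPort": "-", "RequestProtocol": "HTTP/2.0",
        "RequestScheme": "https", "RetryAttempts": 0, "RouterName": "blog@docker",
        "ServiceAddr": "172.18.0.7:80", "ServiceName": "blog@docker",
        "ServiceURL": "http://172.18.0.7:80",
        "StartLocal": "2023-12-30T20:33:22.123456789+01:00",
        "StartUTC": "2023-12-30T19:33:22.123456789Z",
        "TLSCipher": "TLS_AES_128_GCM_SHA256", "TLSVersion": "1.3",
        "entryPointName": "websecure", "level": "info", "msg": "",
        "time": "2023-12-30T20:33:22+01:00",
    }
    if user_agent is not None:  # present only when header logging is enabled
        rec["request_User-Agent"] = user_agent
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def classify(line: str):
    """fail2ban's per-line decision: failregex hit yields <HOST>, unless ignoreregex also matches."""
    m = FAILREGEX.search(line)
    if not m:
        return ("nomatch", None)
    if IGNOREREGEX.search(line):
        return ("ignore", None)
    return ("fail", m.group("host"))


def hosts_over_threshold(lines, maxretry=15):
    """Hosts the jail would ban: failregex hits per host reaching maxretry.
    findtime is not modelled; all constructed lines fall inside one window."""
    hits = Counter(host for kind, host in map(classify, lines) if kind == "fail")
    return sorted(host for host, n in hits.items() if n >= maxretry)


ATTACKER = "203.0.113.7"  # constructed address from TEST-NET-3
SAMPLE_LINES = (
    # 8 probes on the main domain plus 7 on a subdomain: 15 hits for one ClientHost
    [access_line(ATTACKER, f"/wp-admin/{i}.php", 404, request_host="xxx.com") for i in range(8)]
    + [access_line(ATTACKER, f"/.git/{i}", 404, request_host="git.xxx.com",
                   user_agent="curl/8.4.0") for i in range(7)]
    # a genuine visitor whose browser asks for a missing favicon: covered by ignoreregex
    + [access_line("198.51.100.9", "/favicon.ico", 404)]
    # a 200 is outside the OriginStatus alternation and never counts
    + [access_line("198.51.100.9", "/", 200)]
)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print("would ban:", hosts_over_threshold(SAMPLE_LINES))
```

This exercises only the filter half of the jail; whether the 15th hit arrives via the main domain or a subdomain makes no difference to the regex, since `RequestHost` is matched with `.*`. The action half, `iptables -m string --string 'X-Forwarded-For: <ip>'`, is a byte-substring match on forwarded packets, so a ban on 10.0.0.1 would also drop a client at 10.0.0.10 or 10.0.0.100 unless the pattern is terminated; that is a property of the string match and is not something this script checks.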