Closed Irv007 closed 4 years ago
Hi,
Why does (crazy-max-docker-)fail2ban block 0.0.0.3, if it sees access from xxx.40.3.173?
with best regards, I.
```
============================================================
conf-file from jail.d:
============================================================
[DEFAULT]
bantime = 1h
destemail = xxxxx@xxxx.com
sender = root@$(hostname -f)
action = %(action_mwl)s

[calweb-auth]
enabled = true
chain = DOCKER-USER
port = http,https
filter = calweb-auth
logpath = /var/log/calibre-web.log
============================================================
conf-file from filter.d:
============================================================
[Definition]
failregex = .*Login failed.*<HOST>
ignoreregex =
============================================================
john01@instance-2:~/yml$ docker logs fail2ban_c 2>&1|tail
2020-09-16 09:27:13,946 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:13,947 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:13
2020-09-16 09:27:18,997 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:18,998 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:18
2020-09-16 09:27:19,128 fail2ban.actions [1]: NOTICE [calweb-auth] Ban 0.0.0.3
2020-09-16 09:27:19,242 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:19,243 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:19
2020-09-16 09:27:23,461 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:23,462 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:23
2020-09-16 10:27:18,517 fail2ban.actions [1]: NOTICE [calweb-auth] Unban 0.0.0.3
john01@instance-2:~/yml$
============================================================
john01@instance-2:/var/log$ tail calibre-web.log
[2020-09-16 09:03:32,490] INFO {cps.server:184} Performing shutdown of Calibre-Web
[2020-09-16 09:04:05,286] INFO {cps:97} Starting Calibre Web...
[2020-09-16 09:04:05,903] INFO {cps.server:156} Starting Tornado server on :8083
[2020-09-16 09:26:59,410] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:05,108] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:09,138] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:13,570] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:18,996] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:19,241] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:23,460] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
john01@instance-2:/var/log$
============================================================
part from docker-compose.yml:
============================================================
fail2ban_s:
  restart: always
  image: crazymax/fail2ban:latest
  container_name: fail2ban_c
  network_mode: "host"
  depends_on:
    - calweb_s
  cap_add:
    - NET_ADMIN
    - NET_RAW
  volumes:
    - "./data:/data"
    - "/var/log:/var/log:ro"
  env_file:
    - "./fail2ban.env"
============================================================
```
Oh... wrong failregex. The following failregex does work.
```
failregex = .*Login failed.*: <HOST>
```
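Why the first filter ends up with `0.0.0.3`, shown as an added example that is not part of the original thread: the greedy `.*` in front of `<HOST>` leaves only the last character of the line for the host group, and a bare `3` parses as the 32-bit address `0.0.0.3`. The `HOST` pattern below is a simplified stand-in for fail2ban's own `<HOST>` expansion (an assumption), and the log line is constructed with a documentation address in place of the masked one.

```python
import re
import socket

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not the real
# expansion): an IPv4 address, or failing that a hostname-like token.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w\-.^_]*\w)"

BROAD = r".*Login failed.*<HOST>"    # filter from the original report
FIXED = r".*Login failed.*: <HOST>"  # filter from the follow-up comment

# Constructed line in the calibre-web log format shown above;
# 203.0.113.173 is a documentation address, not the reporter's.
LINE = ('[2020-09-16 09:26:59,410] INFO {cps.web:1437} '
        'Login failed for user "X" IP-adress: 203.0.113.173')


def extract_host(failregex, line):
    """Return what the host group captures, or None if the line does not match."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


def as_ipv4(token):
    """Parse a token with inet_aton rules: a bare number is one 32-bit value."""
    return socket.inet_ntoa(socket.inet_aton(token))


if __name__ == "__main__":
    for name, failregex in (("broad", BROAD), ("fixed", FIXED)):
        host = extract_host(failregex, LINE)
        print(f"{name}: captured {host!r}, treated as {as_ipv4(host)}")
```

Anchoring `<HOST>` to the literal text just before the address (here `: `) stops the preceding `.*` from consuming most of it.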