l4rm4nd / F2BFilters

Dockerized Fail2ban with filters and actions for various SSL proxies

Block NPM authorization #3

Closed twixi closed 1 year ago

twixi commented 1 year ago

How can you block failed authorization attempts against Nginx Proxy Manager, for example "https nginx.site.com/login"? In proxy-host-1_access.log:

401 401 - POST https nginx.site.com "/api/tokens" [Client 111.111.111.111] [Length 51] [Gzip -] [Sent-to 192.168.2.190] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "https://nginx.site.com/login"

l4rm4nd commented 1 year ago

First of all, you should never expose such administrative login portals to the Internet. Especially for selfhosted projects, those login areas were never meant to be exposed and are therefore not hardened (2FA, brute force protection, proper logging, etc.).

Nonetheless, if you want to protect the NPM login area too, the first question would be whether you proxy the login area via NPM or not. If you do, then there will be a proxy host access log for NPM itself, so to speak, too. Just monitor this access log with fail2ban. If there are multiple 401 error logs, the threat actor should be banned. See https://github.com/l4rm4nd/F2BFilters/blob/main/data/filter.d/npm-general-forceful-browsing.conf

If you do not proxy the login area via NPM itself, then you will have to find the corresponding log file of NPM that logs things like failed logins. I am not using NPM anymore, so I won't have a look myself.

As soon as you obtain the location of this log file, bind mount it into the fail2ban container. Afterwards you would likely have to create a new fail2ban filter to define what failed login attempts look like.

As said, don't expose such mgmt interfaces and use strong passwords. Then you are good to go. NPM may have implemented a brute force protection for the login area by now.
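The approach described in this answer, as an added example that is not part of the thread or of the F2BFilters project: a fail2ban-style failregex written for the proxy-host access log line quoted in the question (401 POST to "/api/tokens"), expanded the way fail2ban expands the <HOST> tag, run over constructed sample lines, and reduced to the client IPs a jail with a given maxretry would ban. The regex and the simplified host pattern are assumptions for this log format, not the contents of npm-general-forceful-browsing.conf.

```python
import re
from collections import Counter

# Constructed failregex in fail2ban filter.d syntax; an assumption matching
# the access log line quoted in the issue, not the repo's own filter.
FAILREGEX = r'^401 401 - POST https? \S+ "/api/tokens" \[Client <HOST>\]'

# fail2ban replaces <HOST> with a named group; this simplified IPv4/IPv6
# capture is an assumption standing in for fail2ban's full host pattern.
HOST_PATTERN = r'(?P<host>[0-9a-fA-F:.]+)'


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag and compile the failregex as fail2ban would."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def failed_logins(lines, failregex: str = FAILREGEX) -> Counter:
    """Count matching lines per client IP extracted from the <HOST> group."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group('host')] += 1
    return hits


def hosts_to_ban(lines, maxretry: int = 5) -> list:
    """Client IPs at or above maxretry, mirroring a jail's ban threshold."""
    return sorted(ip for ip, n in failed_logins(lines).items() if n >= maxretry)


# Constructed sample lines in the proxy-host access log format from the issue:
# five failed token requests from one client, one success, one IPv6 failure.
SAMPLE_LOG = [
    '401 401 - POST https nginx.site.com "/api/tokens" [Client 111.111.111.111] '
    '[Length 51] [Gzip -] [Sent-to 192.168.2.190] "Mozilla/5.0" "https://nginx.site.com/login"',
] * 5 + [
    '200 200 - POST https nginx.site.com "/api/tokens" [Client 192.168.2.50] '
    '[Length 120] [Gzip -] [Sent-to 192.168.2.190] "Mozilla/5.0" "https://nginx.site.com/login"',
    '401 401 - POST https nginx.site.com "/api/tokens" [Client 2001:db8::1] '
    '[Length 51] [Gzip -] [Sent-to 192.168.2.190] "curl/8.0" "-"',
]

if __name__ == '__main__':
    print(failed_logins(SAMPLE_LOG))   # Counter({'111.111.111.111': 5, '2001:db8::1': 1})
    print(hosts_to_ban(SAMPLE_LOG))    # ['111.111.111.111']
```

In a real deployment the same failregex goes into a filter.d file and the threshold into the maxretry and findtime of the jail watching the bind-mounted proxy-host access log.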