Open MetaBliss opened 3 years ago
Hi,
This looks like your reverse proxy is not providing the real IP.
Regards
I am running your fail2ban on a Synology, but I am running into an issue where IPs are being reported as banned but it has no effect; I can still log in with the correct password after the IP is banned.
Here is an example:
```
today at 4:31:19 PM 2021-07-22 16:31:19,883 fail2ban.filter [1]: INFO [bitwarden] Found 209.202.237.103 - 2021-07-22 16:31:19
today at 4:31:20 PM 2021-07-22 16:31:20,993 fail2ban.filter [1]: INFO [bitwarden] Found 209.202.237.103 - 2021-07-22 16:31:20
today at 4:31:22 PM 2021-07-22 16:31:22,166 fail2ban.filter [1]: INFO [bitwarden] Found 209.202.237.103 - 2021-07-22 16:31:22
today at 4:31:23 PM 2021-07-22 16:31:23,388 fail2ban.filter [1]: INFO [bitwarden] Found 209.202.237.103 - 2021-07-22 16:31:23
today at 4:31:23 PM 2021-07-22 16:31:23,467 fail2ban.actions [1]: NOTICE [bitwarden] Ban 209.202.237.103
today at 4:31:24 PM 2021-07-22 16:31:24,994 fail2ban.filter [1]: INFO [bitwarden] Found 209.202.237.103 - 2021-07-22 16:31:24
```
This is all being run behind a reverse proxy container (swag).
What is interesting is non-container apps (such as SSH) are being properly banned but anything behind a docker container is not.
My docker-compose is:
```yaml
version: "3.5"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    network_mode: host
    cap_add:
```
My jail.d/bitwarden.conf compose is:
```ini
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 2592000
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]

[bitwarden]
enabled = true
port = http,8081,https
filter = bitwarden
logpath = /vaultwarden/vaultwarden.log
chain = DOCKER-USER
```
Any insight would be greatly appreciated
@Davo1624 It works for me using the FORWARD chain instead of DOCKER-USER chain.
Hi,
I recently installed this Fail2Ban container and got it working on my Synology NAS. However, I am having an issue with Fail2Ban not recognizing and banning the real IP.
My current setup is that I am hosting my bitwarden instance using a domain name (bitw.domainname.com) and I have it behind Nginx Reverse Proxy Manager (NPM). With Fail2Ban set up properly to my bitwarden instance, I tested many fake passwords. The logs show that the IP was banned but it was my reverse proxy IP, not my device's real IP. And I was still able to keep entering fake passwords into my bitwarden instance. So Fail2Ban wasn't actually banning anything.
Is there some kind of incompatibility of f2b with containers behind NPM reverse proxy? For reference, Fail2ban was installed as 'host' on my NAS and NPM is installed as a docker bridge container.
Below is a snippet of my Bitwarden log.
```
2021-05-29 18:04:12,362 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:12
2021-05-29 18:04:13,966 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:13
2021-05-29 18:04:14,668 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:14
2021-05-29 18:04:15,405 fail2ban.actions [1]: WARNING [bitwarden] 192.168.16.1 already banned
2021-05-29 18:04:15,812 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:15
2021-05-29 18:04:16,917 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:16
2021-05-29 18:04:18,521 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:18
2021-05-29 18:04:18,617 fail2ban.actions [1]: WARNING [bitwarden] 192.168.16.1 already banned
```
So it looks like Fail2Ban is banning IP: 192.168.16.1 which is my NPM reverse proxy address.
Could you please share insights of what the problem could be?
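The two symptoms reported in this thread (failures that keep arriving after a ban, and a ban placed on the reverse proxy's address instead of the client's) can be checked for directly in fail2ban's log. The script below is an added example, not part of the original thread or of the crazymax/fail2ban project; the `INTERNAL` ranges, the `GRACE` window and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: a source in these ranges is a proxy/bridge hop, not a real client.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
GRACE = timedelta(seconds=1)  # assumption: tolerate log lines already in flight
PREFIX = (r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+fail2ban\.\w+\s+"
          r"\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+")
EVENT = re.compile(PREFIX + r"(?P<event>Found|Ban|Unban) (?P<ip>[0-9a-fA-F.:]+)")
AGAIN = re.compile(PREFIX + r"(?P<ip>[0-9a-fA-F.:]+) already banned")

def diagnose(lines):
    """Return (proxy_bans, ineffective_bans), each a set of (jail, ip)."""
    banned_at, proxy_bans, ineffective = {}, set(), set()
    for line in lines:
        again = AGAIN.search(line)
        if again:  # fail2ban itself reports new failures from a banned address
            ineffective.add((again["jail"], again["ip"]))
            continue
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["jail"], m["ip"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if m["event"] == "Ban":
            banned_at[key] = ts
            addr = ipaddress.ip_address(m["ip"])
            if any(addr in net for net in INTERNAL):
                proxy_bans.add(key)  # the app logged the proxy, not the client
        elif m["event"] == "Unban":
            banned_at.pop(key, None)
        elif key in banned_at and ts - banned_at[key] > GRACE:
            ineffective.add(key)  # "Found" after "Ban": traffic still arrives
    return proxy_bans, ineffective

# Constructed sample lines in the format shown in this thread.
SAMPLE = """\
2021-07-22 16:31:22,166 fail2ban.filter [1]: INFO [bitwarden] Found 203.0.113.7 - 2021-07-22 16:31:22
2021-07-22 16:31:23,467 fail2ban.actions [1]: NOTICE [bitwarden] Ban 203.0.113.7
2021-07-22 16:31:24,994 fail2ban.filter [1]: INFO [bitwarden] Found 203.0.113.7 - 2021-07-22 16:31:24
2021-07-22 16:40:00,100 fail2ban.actions [1]: NOTICE [bitwarden] Ban 192.168.16.1
2021-07-22 16:40:00,300 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-07-22 16:40:00
""".splitlines()

if __name__ == "__main__":
    proxy, stale = diagnose(SAMPLE)
    print("bans on proxy/bridge addresses:", sorted(proxy))
    print("bans that did not stop traffic:", sorted(stale))
```

An address in the first set means the application behind the proxy is logging the proxy hop rather than the client. An address in the second set means the ban rule is not in the path the packets actually take.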