sosandroid / docker-fail2ban-synology

Adaptation of @crazy-max docker fail2ban for Synology
MIT License

iptables-common not working #6

Open Aurel004 opened 1 year ago

Aurel004 commented 1 year ago

Hi,

After hours of debugging, I finally managed to make "DROP" default. To make it work, the file now needs to be named iptables.local and not iptables-common.local anymore

Thank you

LIvewire18 commented 1 year ago

Thank you SOOOO much! I spent hours trying to track down why the synology wasn't banning even though the rules were all there. This needs to be updated on the main page to save people the headache.

sosandroid commented 1 year ago

Added the file to make it easier

MilesTEG1 commented 1 year ago

Hello :) Thanks for this tip! It lets me go from: [image]

To this (where my IP is masked): [image]

But even if the IP seems to be banned by Fail2ban, and appears in iptables, I can still access my services from it, like gitea or calibre-web.

I'm pretty sure it's a DSM update that broke things... but when?

Before, IPs were correctly banned, and from this IP, I couldn't access any services on my NAS.

Is there a way to correct this behavior ?

Hacker1245 commented 12 months ago

Same issue as the above poster on DSM 7.2-64570 Update 3. The IPs get set to drop in iptables, but I can still access stuff.

SergeySergeevitch commented 10 months ago

2023/11/21 22:03:09 stdout Server ready
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf', '/etc/fail2ban/action.d/iptables.local', '/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden-admin under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/vaultwarden-admin.conf', '/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,474 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,473 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /data/fail2ban.log
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,469 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2023/11/21 22:03:09 stdout Add custom filter vaultwarden.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom filter vaultwarden-admin.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden-admin.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom filters in /data/filter.d...
2023/11/21 22:03:09 stdout Add custom action iptables.local...
2023/11/21 22:03:09 stdout WARNING: iptables.local already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom action iptables-common.local...
2023/11/21 22:03:09 stdout WARNING: iptables-common.local already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom actions in /data/action.d...
2023/11/21 22:03:09 stdout Setting Fail2ban configuration...
2023/11/21 22:03:09 stdout Initializing files and folders...
2023/11/21 22:03:09 stdout WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
2023/11/21 22:03:09 stdout Setting SSMTP configuration...

ngthwi commented 4 months ago

Hello,

Thanks for your time and work. Can anyone confirm it still works with DSM 7.2?

I have copied iptables.local. The IP is banned but I can still access the server...

Here's fail2ban.log

2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
done
2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- returned 4
2024-04-24 07:40:57,608 fail2ban.actions        [756]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'xxx.xxx.xxx.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fe721dce480>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fe721dcec00>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Thanks for your help.

Marsupoil76 commented 4 months ago

Hi all, Same history in Version: 7.2.1-69057 Update 5 on my Syno

2024/05/05 00:06:25 stdout 2024-05-05 00:06:25,320 fail2ban.filter [1]: INFO [vaultwarden-admin] Found 37.170.151.69 - 2024-05-05 00:06:25
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.actions [1]: ERROR Failed to execute ban jail 'vaultwarden-admin' action 'iptables-allports' info 'ActionInfo({'ip': '37.170.151.69', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f130e351d00>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f130e352480>})': Error starting action Jail('vaultwarden-admin')/iptables-allports: 'Script error'
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- returned 4
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'

vivoras commented 4 months ago

I have the same problem on DSM 7.2.1-69057 Update 5

2024-05-07 18:09:20,883 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- returned 4
2024-05-07 18:09:20,884 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f0a12d85e40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f0a12d865c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'

ngthwi commented 4 months ago

I finally got it to work. My mistake... I attempted to use the conf files on a swag fail2ban instance... I tried a dedicated container as described here and it works straight out of the box.

Marsupoil76 commented 4 months ago

Sorry for my English. Can you tell me more about your solution? Mine is hosted in a separate container (with NET-ADMIN and SYS-ADMIN) from Vaultwarden. F2B sees the Vaultwarden logs, and when it sees an IP it tries to ban it but it cannot.

ngthwi commented 4 months ago

Did you create a fail2ban container as described here? https://github.com/sosandroid/docker-fail2ban-synology#installation

vivoras commented 4 months ago

I have a separate container following the instructions at https://github.com/sosandroid/docker-fail2ban-synology#installation

The error is still the same...

2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- returned 4
2024-05-08 17:22:00,793 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f522981de40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f522981e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'

Just in case, I have deleted the container completely and recreated it. The only thing I have done afterwards is delete the bitwarden.conf and bitwarden-admin.conf files from the jail.d and filter.d folders because I use vaultwarden

ngthwi commented 4 months ago

Have you put the file iptables.local in action.d?

vivoras commented 4 months ago

Yes of course, I have not modified the action.d folder

This is the iptables.local file:

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP

Marsupoil76 commented 4 months ago

Same problem for me. Docker in privileged mode and host network. F2B logs:

2024/05/08 20:03:55 stdout 2024-05-08 18:03:55,813 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:55
2024/05/08 20:03:54 stdout 2024-05-08 18:03:54,586 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:54
2024/05/08 20:03:54 stdout 2024-05-08 18:03:53,672 fail2ban.actions        [1]: WARNING [vaultwarden] 78.243.145.140 already banned
2024/05/08 20:03:53 stdout 2024-05-08 18:03:53,314 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:53
2024/05/08 20:03:51 stdout 2024-05-08 18:03:51,953 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:51
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7f868deade40>, 'raw-ticket': <function Actions.ActionInfo. at 0x7f868deae5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- returned 4
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout done
2024/05/08 20:00:46 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:00:46 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,353 fail2ban.utils          [1]: ERROR   7f868df156b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 78.243.145.140
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,881 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:47
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:46
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:45
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:43
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,879 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:41
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:39
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout 2024-05-08 18:00:43,264 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout Server ready

-----My action.d-----

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP

-----My filter.d---- vaultwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.Username or password is incorrect. Try again. IP: . Username:.$
ignoreregex =

-----My jail.d----- vaultwarden.conf

[DEFAULT]
ignoreip = 172.16.0.0/12 192.168.10.0/16 10.6.0.0/8 # optional
# Ban for 30 days
bantime = 2592000
findtime = 86400
maxretry = 4
banaction = iptables-allports
ignoreself = false

[vaultwarden]
enabled = true
port = 80,443,3012 # alternative: anyport
filter = vaultwarden
logpath = /logs/vaultwarden.log

-------- My iptable.local ---------

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP


Docker with env: NET-ADMIN and NET-RAW - F2B log:

2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid':  at 0x7ff9b648de40>, 'raw-ticket':  at 0x7ff9b648e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- returned 4
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout done
2024/05/08 20:27:28 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:27:28 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,961 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,945 fail2ban.actions        [1]: NOTICE  [vaultwarden] Restore Ban 78.243.145.140
2024/05/08 20:27:28 stdout Server ready
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,858 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' started
2024/05/08 20:27:27 stdout 2024-05-08 18:27:27,857 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,349 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,342 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' started
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,338 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,337 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,330 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,329 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,322 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden-admin'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,321 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,313 fail2ban.observer       [1]: INFO    Observer start...
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,312 fail2ban.server         [1]: INFO    Starting Fail2ban v1.1.0
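
The logs posted in this thread show fail2ban recording a Ban while the iptables action fails with an nf_tables error, so no firewall rule is installed. The following is an added example, not part of the thread or of the fail2ban project: a Python check that lists such unenforced bans from either a chronological fail2ban.log or the newest-first Synology container log view. The function names are hypothetical and the sample log is constructed, using documentation IP addresses.

```python
import re
from datetime import datetime, timedelta

# Optional Synology container-log prefix, e.g. "2024/05/08 20:00:46 stdout "
PREFIX = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}[\s|]+std(?:out|err)[\s|]+")
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
                   r"fail2ban(?:\.\S+?)?\s*\[\d+\]:\s+([A-Z]+)\s+(.*)$")
BAN = re.compile(r"^\[([^\]]+)\] (?:Restore )?Ban (\S+)$")
FAILED = re.compile(r"^Failed to execute ban jail '([^']+)' action '([^']+)'.*?'ip': '([^']+)'")
STDERR = re.compile(r"-- stderr: '(.*)'$")


def parse(lines):
    """Return (timestamp, level, message) tuples sorted oldest first."""
    entries = []
    for raw in lines:
        m = ENTRY.match(PREFIX.sub("", raw.strip()))
        if m:  # continuation lines of a logged shell script are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            entries.append((ts, m.group(2), m.group(3)))
    # Ban notices sort first within one millisecond, so a newest-first
    # export still replays in causal order (ban, then its failure).
    entries.sort(key=lambda e: (e[0], 0 if BAN.match(e[2]) else 1))
    return entries


def unenforced_bans(lines, window=timedelta(seconds=1)):
    """List bans whose action script failed, with the stderr logged nearby."""
    entries = parse(lines)
    stderr = [(ts, STDERR.search(msg).group(1))
              for ts, level, msg in entries
              if level == "ERROR" and STDERR.search(msg)]
    failed = {}
    for ts, level, msg in entries:
        ban = BAN.match(msg) if level == "NOTICE" else None
        if ban:
            # A new ban attempt supersedes an older failure for the same key.
            failed.pop((ban.group(1), ban.group(2)), None)
            continue
        fail = FAILED.match(msg) if level == "ERROR" else None
        if fail:
            jail, action, ip = fail.groups()
            reasons = sorted({err for t, err in stderr if abs(t - ts) <= window})
            failed[(jail, ip)] = {"jail": jail, "ip": ip, "action": action,
                                  "time": ts, "reasons": reasons}
    return list(failed.values())


# Constructed sample in the newest-first layout of the Synology log viewer.
SAMPLE = """\
2024/05/08 20:00:47 stdout 2024-05-08 18:00:47,101 fail2ban.actions        [1]: NOTICE  [vaultwarden-admin] Ban 198.51.100.9
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '203.0.113.7', 'family': 'inet4'})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f0000000000 -- returned 4
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f0000000000 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout done
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for item in unenforced_bans(SAMPLE):
        print(f"{item['time']} jail={item['jail']} ip={item['ip']} "
              f"action={item['action']} NOT ENFORCED: {'; '.join(item['reasons'])}")
```

A non-empty result means fail2ban's ban list and the firewall disagree, which is the state several posters describe as "banned but still able to connect".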

ngthwi commented 4 months ago

I have the issue now as well. I updated the container and image: crazymax/fail2ban:latest is currently 1.1.0. If I revert my docker compose back to image: crazymax/fail2ban:1.0.2, it's working again.

Marsupoil76 commented 4 months ago

Dude!!!! You're sooo true.. Works!!!

ngthwi commented 4 months ago

I've opened an issue in crazy-max/docker-fail2ban

vivoras commented 4 months ago

@ngthwi You're the best! Thank you so much!!!

ngthwi commented 4 months ago

It's fixed, you can therefore pull image: crazymax/fail2ban:latest again

sosandroid commented 4 months ago

Thank you for this follow up

fbdb commented 3 months ago

Hello,

For a long time, I was not using the crazy-max/docker-fail2ban image as instructed by this repo, but instead I was using swag. But this repository and its hacks helped me to configure swag's fail2ban to make it work with my synology, so thank you for that.

Unfortunately, recently I upgraded my swag container to the latest image (which hadn't been upgraded for a while), and since then, I get the same error.

Can anyone confirm it still works with DSM 7.2?

I'm still on DSM 7.1 (I know, shame on me, I should upgrade), so I don't think it's related to a new DSM upgrade.

However, I tried to recreate my swag container with an older image (2.8.0, which is 4 months old), but strangely, the error is still there.

Furthermore, I also tried to create a whole new separate fail2ban container, as advised by this repo and in this issue's comments: f2b successfully detects the login attempts, and "bans", however I'm not really banned, as shown in those logs, I can still connect:

2024-05-22 22:34:05,294 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:05
2024-05-22 22:34:08,659 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:08
2024-05-22 22:34:09,530 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:09
2024-05-22 22:34:10,233 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:10
2024-05-22 22:34:10,642 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 149.102.245.141
2024-05-22 22:34:10,939 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:17

I tried with the crazy-max/docker-fail2ban:latest image and with the crazy-max/docker-fail2ban:1.0.2 image as well, but both don't "really ban" the IPs.

I'm not sure what I did wrong. The only thing that I changed is to only keep the vaultwarden.conf file in the filter.d/ folder, and same for the folder jail.d/ (only vaultwarden.conf was kept).

Any ideas ?

Techal62 commented 2 days ago

Hello, I have the same problem, have you finally found a solution?