search

szaimen / aio-fail2ban

GNU Affero General Public License v3.0
1 stars 0 forks source link

I have added fail2ban as a community container to my nextcloud AIO. During testing, **I see that IPs get blocked, but only from the master container.** I can just keep guessing passwords at the nextcloud login without issue, and can login just fine with the correct info. #26

Open szaimen opened 1 day ago

szaimen commented 1 day ago 
          I have added fail2ban as a community container to my nextcloud AIO. During testing, **I see that IPs get blocked, but only from the master container.** I can just keep guessing passwords at the nextcloud login without issue, and can login just fine with the correct info.

I am using nextcloud AIO behind an apache reverse proxy. The client IP is recognized from inside the nextcloud webinterface just fine.

fail2ban log:

2024-11-22T20:10:11.379376349Z 2024-11-22 21:10:11,379 fail2ban.server         [12]: INFO    --------------------------------------------------
2024-11-22T20:10:11.379666223Z 2024-11-22 21:10:11,379 fail2ban.server         [12]: INFO    Starting Fail2ban v1.1.0
2024-11-22T20:10:11.380578628Z 2024-11-22 21:10:11,380 fail2ban.observer       [12]: INFO    Observer start...
2024-11-22T20:10:11.395192173Z 2024-11-22 21:10:11,394 fail2ban.database       [12]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2024-11-22T20:10:11.407968178Z 2024-11-22 21:10:11,407 fail2ban.database       [12]: WARNING New database created. Version '4'
2024-11-22T20:10:11.408259380Z 2024-11-22 21:10:11,408 fail2ban.jail           [12]: INFO    Creating new jail 'nextcloud'
2024-11-22T20:10:11.414099826Z 2024-11-22 21:10:11,413 fail2ban.jail           [12]: INFO    Jail 'nextcloud' uses poller {}
2024-11-22T20:10:11.414294872Z 2024-11-22 21:10:11,414 fail2ban.jail           [12]: INFO    Initiated 'polling' backend
2024-11-22T20:10:11.416727590Z 2024-11-22 21:10:11,416 fail2ban.datedetector   [12]: INFO      date pattern `',?\\s*"time"\\s*:\\s*"%Y-%m-%d[T ]%H:%M:%S(%z)?"'`: `,?\s*"time"\s*:\s*"Year-Month-Day[T ]24hour:Minute:Second(Zone offset)?"`
2024-11-22T20:10:11.416843085Z 2024-11-22 21:10:11,416 fail2ban.filter         [12]: INFO      maxRetry: 3
2024-11-22T20:10:11.417032460Z 2024-11-22 21:10:11,416 fail2ban.filter         [12]: INFO      findtime: 14400
2024-11-22T20:10:11.417288052Z 2024-11-22 21:10:11,417 fail2ban.actions        [12]: INFO      banTime: 14400
2024-11-22T20:10:11.417369059Z 2024-11-22 21:10:11,417 fail2ban.filter         [12]: INFO      encoding: UTF-8
2024-11-22T20:10:11.421007863Z 2024-11-22 21:10:11,420 fail2ban.filter         [12]: INFO    Added logfile: '/nextcloud/data/nextcloud.log' (pos = 0, hash = 72e53a11a43ddf0bb3d766b3883653053cff6e65)
2024-11-22T20:10:11.423502372Z 2024-11-22 21:10:11,423 fail2ban.jail           [12]: INFO    Jail 'nextcloud' started
2024-11-22T20:10:11.423992314Z Server ready
2024-11-22T20:32:04.873109466Z 2024-11-22 21:32:04,840 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.13 - 2024-11-22 21:32:04
2024-11-22T20:32:09.483015370Z 2024-11-22 21:32:09,482 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.13 - 2024-11-22 21:32:09
2024-11-22T20:32:13.485801807Z 2024-11-22 21:32:13,485 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.13 - 2024-11-22 21:32:13
2024-11-22T20:32:13.971251534Z 2024-11-22 21:32:13,970 fail2ban.actions        [12]: NOTICE  [nextcloud] Ban 111.222.333.13
2024-11-22T20:32:17.692825256Z 2024-11-22 21:32:17,692 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.13 - 2024-11-22 21:32:17
2024-11-22T20:36:59.044171081Z 2024-11-22 21:36:59,043 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.139 - 2024-11-22 21:36:58
2024-11-22T20:37:02.246849071Z 2024-11-22 21:37:02,246 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.139 - 2024-11-22 21:37:01
2024-11-22T20:37:04.849862002Z 2024-11-22 21:37:04,849 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.139 - 2024-11-22 21:37:04
2024-11-22T20:37:04.868373335Z 2024-11-22 21:37:04,867 fail2ban.actions        [12]: NOTICE  [nextcloud] Ban 111.222.333.139
2024-11-22T20:37:08.852814146Z 2024-11-22 21:37:08,852 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.139 - 2024-11-22 21:37:08
2024-11-22T20:37:14.856506223Z 2024-11-22 21:37:14,856 fail2ban.filter         [12]: INFO    [nextcloud] Found 111.222.333.139 - 2024-11-22 21:37:14

Originally posted by @Silun in https://github.com/szaimen/aio-fail2ban/issues/9#issuecomment-2494770469

szaimen commented 1 day ago

@Silun and apache listens on port 443?

Silun commented 1 day ago

The outside apache listens on 80/443, does SSL Termination and forwards HTTP requests to port 11000 on the AIO-apache-container. After fail2ban bans an IP, the mastercontainer can't be reached (timeout) but the nextcloud interface is not impacted in any way from what I can tell.

szaimen commented 1 day ago

Hm... I wonder if you would need a different chain then? https://github.com/szaimen/aio-fail2ban/blob/fd05c5942a9023e232c037703d853f0b4c38f3ef/start.sh#L38

Honestly I am not too familiar with fail2ban regarding this and could need a little help on solving this

szaimen commented 1 day ago

Usually these ports should be blocked: https://github.com/szaimen/aio-fail2ban/blob/fd05c5942a9023e232c037703d853f0b4c38f3ef/start.sh#L30

Silun commented 1 day ago

If it were working as it should, then access to the whole server should be blocked on those ports? Or just access to all docker containers?

szaimen commented 1 day ago

If it were working as it should, then access to the whole server should be blocked on those ports? Or just access to all docker containers?

I think in best case to the whole server on these ports - at least that was the idea...

Silun commented 1 day ago

I checked iptables -S and I can see the f2b rules:

-A DOCKER-USER -p udp -j f2b-nextcloud
-A DOCKER-USER -p tcp -j f2b-nextcloud
-A DOCKER-USER -j RETURN
-A f2b-nextcloud -s 111.222.333.6/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -s 111.222.333.139/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -s 111.222.333.13/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN

Those are located at the very end. At the start of the list, I have those rules:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Is this just a case of the server firewall having its rules earlier in the processing order, thus granting access before the f2b block rules are evaluated at the end?

szaimen commented 1 day ago

Thanks for debugging this a bit! :)

Is this just a case of the server firewall having its rules earlier in the processing order, thus granting access before the f2b block rules are evaluated at the end?

Honestly I dont know :/

Silun commented 1 day ago

It seems that docker can be quite finnicky with the chains, changing up their order of processing. That would all make sense in context. Thank you :)

szaimen commented 1 day ago

So does it work or not? :) And if not can we do something about it?

Silun commented 1 day ago

It is not working for me. I believe this is the situation:

Apache listens on 443, and forwards to AIO-apache via 127.0.0.1:11000 as suggested in the AIO setup instructions. Port 8080 gets directly forwarded to the master container, without proxy.

I believe this is what is going on:

  1. The request for the NC webinterface reaches the server at 443, which apache proxies to loopback on 127.0.0.1:11000.
  2. Because the outside proxy is not inside of docker, the block rule never gets processed at this stage.
  3. The AIO-apache listens on 127.0.0.1 and sees all incoming IPs as 127.0.0.1, and reads the origin IP from the header of the request.
  4. Traffic now (hopefully) goes through the iptables rules, including the f2b block rules.
  5. Because the actual IP traffic is now from 127.0.0.1, it does not get picked up by the block rules.
  6. Any traffic directly to port 8080 gets blocked because it never takes the detour via loopback.

If the f2b block rules work for you, what is your setup? Do you have the AIO-apache listening on 443 directly?

Addendum:

I am not quite sure if f2b should be blocking system-wide. I believe if you want aio-f2b to block system-wide, it should use a chain like INPUT (or PREROUTING?), which gets processed before any traffic goes into docker. If the chain in which f2b does the blocking is DOCKER-USER it will only be applied after traffic enters the realm of docker, which for a reverse proxy setup is too late, because at that point the source IP will have changed to 127.0.0.1 already.

I am not sure whether that should be fixed or merely hinted at in the container description. Because after all, it is the admin who actively circumvents the blocking - like I did - unknowingly. So maybe pointing out that it won't block when NC is reverse proxied via loopback is more sensible?

Edit: I understand that f2b is expected to ban offenders. On the other hand, I would expect docker stuff to stay inside docker, so it is counterintuitive for me that an AIO-f2b container would block system-wide. But that is just me and my intuition. Just saying this to explain my thoughts above.