search

tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License
205 stars 12 forks source link

Fail2ban Middleware does not recognise 200 status code #136

Open PS1TD opened 3 months ago

PS1TD commented 3 months ago

For some reason my setup does not recognize successful status codes and bans on the 11th request. I also don't see anything in the logs even though I have enabled DEBUG logging. Setup:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
    name: fail2ban
spec:
    plugin:
        fail2ban:
            logLevel: DEBUG
            rules:
                bantime: 30m
                enabled: "true"
                findtime: 10m
                maxretry: "10"
                statuscode: 400-499
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
    name: whoami-http
spec:
    entryPoints:
        - http
    routes:
        - match: Host(`redacted.com`) || Host(`www.redacted.com`)
          kind: Rule
          services:
              - name: whoami
                port: 80
          middlewares:
              - namespace: traefik
                name: fail2ban
jacksoncastilho commented 2 months ago

I had the same problem :(

arp-mbender commented 2 months ago

I think I'm seeing the same things myself. Is this plugin working? 🤔

tomMoulard commented 2 months ago

Hello all,

Thanks for your interest in this Traefik plugin !

I've released https://github.com/tomMoulard/fail2ban/releases/tag/v0.8.2 with an intensive logging approach. Can you try again your issue with the latest version and tell me if it's still relevant ?

Thanks !

arp-mbender commented 2 months ago

I'm immediately hit with an error when trying to load the latest version into Traefik:

2024-09-06T20:15:38Z INF Loading plugins... plugins=["GeoBlock","fail2ban"]
2024-09-06T20:15:39Z ERR plugins-storage/sources/gop-281385154/src/github.com/tomMoulard/fail2ban/pkg/data/data.go:14:9: panic: github.com/tomMoulard/fail2ban/pkg/data(...) module=github.com/tomMoulard/fail2ban plugin=plugin-fail2ban runtime=
panic: reflect.Set: value of type string is not assignable to type struct { Logger *stdlib.logLogger } [recovered]
    panic: reflect.Set: value of type string is not assignable to type struct { Logger *stdlib.logLogger }

goroutine 1 [running]:
github.com/traefik/yaegi/interp.runCfg.func1()
    github.com/traefik/yaegi@v0.16.1/interp/run.go:226 +0x1ae
panic({0x4976d20?, 0xc0022411f0?})
    runtime/panic.go:770 +0x132
reflect.Value.assignTo({0x4976d20?, 0xc002240c10?, 0xc002240c10?}, {0x5a6e45b, 0xb}, 0xc0020b58c0, 0x0)
    reflect/value.go:3356 +0x299
reflect.Value.Set({0xc0020b58c0?, 0xc002272040?, 0xc002272030?}, {0x4976d20?, 0xc002240c10?, 0xc001e0a2f0?})
    reflect/value.go:2325 +0xe6
github.com/traefik/yaegi/interp.call.func9(0xc001dc9600)
    github.com/traefik/yaegi@v0.16.1/interp/run.go:1391 +0xbc5
github.com/traefik/yaegi/interp.runCfg(0xc002220f00, 0xc001dc9600, 0x1?, 0x1?)
    github.com/traefik/yaegi@v0.16.1/interp/run.go:234 +0x285
github.com/traefik/yaegi/interp.(*Interpreter).run(0xc001cd7d48, 0xc002261400, 0xc00231bb01?)
    github.com/traefik/yaegi@v0.16.1/interp/run.go:119 +0x395
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc00231bb90, 0x28}, {0xc00231bb01, 0x27}, 0x1)
    github.com/traefik/yaegi@v0.16.1/interp/src.go:162 +0xf3b
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021f5b80)
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f5b80, 0xc00269c710, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f5540, 0xc00269c710, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021f52c0, 0xc00269c710, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021f52c0, {0xc00231bb90, 0x28}, {0xc00231b741, 0x28}, {0xc001ca50e7, 0x5})
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc001da78e0, 0x1e}, {0xc00231b741, 0x28}, 0x1)
    github.com/traefik/yaegi@v0.16.1/interp/src.go:109 +0x925
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021c1180)
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021c1180, 0xc00269d458, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021c0140, 0xc00269d458, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1e00, 0xc00269d458, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021b1e00, {0xc001da78e0, 0x1e}, {0xc001da7821, 0x1e}, {0xc001c912e8, 0x8})
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).importSrc(0xc001cd7d48, {0xc001c90e88, 0x4}, {0xc001da7821, 0x1e}, 0x1)
    github.com/traefik/yaegi@v0.16.1/interp/src.go:109 +0x925
github.com/traefik/yaegi/interp.(*Interpreter).gta.func1(0xc0021b1b80)
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:273 +0xcdb
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1b80, 0xc00269e1a0, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:282 +0x2e
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b1a40, 0xc00269e1a0, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*node).Walk(0xc0021b17c0, 0xc00269e1a0, 0x0)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:286 +0x6b
github.com/traefik/yaegi/interp.(*Interpreter).gta(0xc001cd7d48, 0xc0021b17c0, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4})
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:20 +0x22b
github.com/traefik/yaegi/interp.(*Interpreter).gtaRetry(0xc001cd7d48, {0xc00269e388?, 0xc0016854a0?, 0xc00269e2c8?}, {0xc001c90e88, 0x4}, {0xc001c90e88, 0x4})
    github.com/traefik/yaegi@v0.16.1/interp/gta.go:395 +0x158
github.com/traefik/yaegi/interp.(*Interpreter).CompileAST(0xc001cd7d48, {0x698b9a0?, 0xc0016854a0?})
    github.com/traefik/yaegi@v0.16.1/interp/program.go:92 +0x11f
github.com/traefik/yaegi/interp.(*Interpreter).compileSrc(0xc001cd7d48, {0xc00231b680?, 0x1?}, {0x0?, 0xc00231b680?}, 0xa0?)
    github.com/traefik/yaegi@v0.16.1/interp/program.go:64 +0xaa
github.com/traefik/yaegi/interp.(*Interpreter).eval(0xc001cd7d48, {0xc00231b680?, 0xc00269e8c8?}, {0x0?, 0x1?}, 0x0?)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:554 +0x25
github.com/traefik/yaegi/interp.(*Interpreter).Eval(...)
    github.com/traefik/yaegi@v0.16.1/interp/interp.go:496
github.com/traefik/traefik/v3/pkg/plugins.newInterpreter({0x69bd0c0, 0xc001f5f8c0}, {0xc001c753e0, 0x25}, {0xc001da6a00, 0x1e})
    github.com/traefik/traefik/v3/pkg/plugins/middlewareyaegi.go:140 +0x589
github.com/traefik/traefik/v3/pkg/plugins.newMiddlewareBuilder({0x69bd0c0?, 0xc001f5f8c0?}, {0xc001c753e0?, 0x1?}, 0xc001b0f9e0, {0xc001c806e0?, 0x69bcfe0?}, {{0x0, 0x0, 0x0}, ...})
    github.com/traefik/traefik/v3/pkg/plugins/builder.go:142 +0x16f
github.com/traefik/traefik/v3/pkg/plugins.NewBuilder(0xc001c47310, 0xc001c77710, 0xc002590270)
    github.com/traefik/traefik/v3/pkg/plugins/builder.go:55 +0x6d5
main.createPluginBuilder(0xc001a434a0?)
    github.com/traefik/traefik/v3/cmd/traefik/plugins.go:18 +0x2b
main.setupServer(0xc001b0e120)
    github.com/traefik/traefik/v3/cmd/traefik/traefik.go:238 +0xa86
main.runCmd(0xc001b0e120)
    github.com/traefik/traefik/v3/cmd/traefik/traefik.go:117 +0x2b4
main.main.func1({0xc001957bc0?, 0xc0001d2080?, 0x10?})
    github.com/traefik/traefik/v3/cmd/traefik/traefik.go:65 +0x19
github.com/traefik/paerser/cli.run(0xc0018f3200, {0xc0001d2080, 0x0?, 0x0})
    github.com/traefik/paerser@v0.2.0/cli/commands.go:133 +0x243
github.com/traefik/paerser/cli.execute(0xc0018f3200, {0xc0001d2080, 0x2, 0x2}, 0x28?)
    github.com/traefik/paerser@v0.2.0/cli/commands.go:76 +0x6cf
github.com/traefik/paerser/cli.Execute(...)
    github.com/traefik/paerser@v0.2.0/cli/commands.go:51
main.main()
    github.com/traefik/traefik/v3/cmd/traefik/traefik.go:81 +0x554

traefik.yml has just this for the plugin loading:

experimental:
  plugins:
    GeoBlock:
      moduleName: "github.com/PascalMinder/geoblock"
      version: "v0.2.8"
    fail2ban:
      moduleName: "github.com/tomMoulard/fail2ban"
      version: "v0.8.2"
tomMoulard commented 2 months ago

indeed, my bad, I've released https://github.com/tomMoulard/fail2ban/tree/v0.8.3 that should fix this particular panic issue.

arp-mbender commented 2 months ago

indeed, my bad, I've released https://github.com/tomMoulard/fail2ban/tree/v0.8.3 that should fix this particular panic issue.

This new version loads fine, but doesn't log anything beyond the initial first message.

2024/09/07 10:02:33 Plugin: FailToBan is up and running

The middleware configuration I've got is:

http:
  middlewares:
    fail2ban:
      plugin:
        fail2ban:
          logLevel: DEBUG
#          allowlist:
#            ip: 10.150.0.0/16
#         denylist:
#           ip: 192.168.0.0/24
          rules:
            bantime: 5m
            enabled: true
            findtime: 30s
            maxretry: 5
            statuscode: "400,401,403-499"

And much like with the initial case described by @PS1TD, this version blocks connectivity after just opening a loading screen, as if 200s were 400s...

tomMoulard commented 2 months ago

Did you enable traefik DEBUG log level ? If so, have you the following log ?

DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: fail2ban: github.com/tomMoulard/fail2ban@v0.8.3
arp-mbender commented 2 months ago

Good point. I failed to notice this bit from the documentation: Please note that Fail2ban logs will only be visible when Traefik's log level is set to DEBUG

After setting this I'm... well, I'm getting a bit overly swarmed with logs now.

But I think I've managed to isolate a fragment of fail2ban, from startup to this middelware blocking me from accessing a login page (i.e. I've not yet provided any credentials, valid or invalid). While this should not matter, I'm attempting to access "Home Assistant", to which I've got the credentials cached (i.e. there should be no 400s at all).

Note: I've removed all routing information from the logs as other services are being frequently accessed and add a lot of noise, and I've stripped a module=github.com/tomMoulard/fail2ban plugin=plugin-fail2ban runtime= suffix from fail2ban logs. Finally I've had to remove fail2ban "Write: buf:" rows, as they are VERY long and break the limits of posting on GitHub. If those are required I'll find some other ways to share them.

2024-09-07T15:59:52Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=fail2ban@file routerName=haos@file

2024-09-07T15:59:54Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"fail2ban":{"plugin":{"fail2ban":{"logLevel":"DEBUG","rules":{"bantime":"5m","enabled":"true","findtime":"30s","maxretry":"5","statuscode":"400,401,403-499"}}}}..."

2024/09/07 16:00:12 Plugin: FailToBan is up and running

2024/09/07 16:00:14 Plugin: FailToBan is up and running

2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url / not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome "10.152.4.15" 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 

2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Content-Encoding:[deflate] Content-Length:[2297] Content-Type:[text/html; charset=utf-8] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Referrer-Policy:[no-referrer] Server:[] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc00220eae0 XheadersSent:true Xbytes:[] XallowedRequest:false} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /frontend_latest/core.ydYtuXnHVAs.js not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 2 time 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 

2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /frontend_latest/app.okM55PX7yEE.js not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 3 time 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 

2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/images/ohf-badge.svg not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > welcome back "10.152.4.15" for the 4 time 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > status handler 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 

2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/fonts/roboto/Roboto-Regular.woff2 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is banned for 5>=5 request 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /static/fonts/roboto/Roboto-Medium.woff2 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /hacsfiles/iconset.js not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 6 request 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 7 request 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[br] Content-Length:[15482] Content-Type:[text/javascript] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-3c7a"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc001d61900 XheadersSent:true Xbytes:[] XallowedRequest:false} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > Write header: code: 200 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[gzip] Content-Length:[3522] Content-Type:[image/svg+xml] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-dc2"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc00220f4a0 XheadersSent:true Xbytes:[] XallowedRequest:false} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > catcher: {XheaderMap:map[Accept-Ranges:[bytes] Cache-Control:[public, max-age=2678400] Content-Encoding:[br] Content-Length:[74998] Content-Type:[text/javascript] Date:[Sat, 07 Sep 2024 16:00:29 GMT] Etag:["17eefe1f5dc34c00-124f6"] Last-Modified:[Sun, 25 Aug 2024 14:11:58 GMT] Referrer-Policy:[no-referrer] Server:[] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[SAMEORIGIN]] Xcode:200 XhttpCodeRanges:[[400 400] [401 401] [403 499]] XcaughtFilteredCode:false XresponseWriter:0xc002130c40 XheadersSent:true Xbytes:[] XallowedRequest:false} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is denied 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > IP 10.152.4.15 not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > data: &{RemoteIP:10.152.4.15} 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > url /auth/token not is allowed 
2024-09-07T16:00:22Z DBG fmt/print.go:225 > "10.152.4.15" is still banned since "2024-09-07T16:00:22Z", 8 request

Like @PS1TD I'm not using any urlregexps in the configuration, nor any denylist nor allowlist. I.e. I'm just interested in filtering based on status codes.

SeTh1032 commented 1 month ago

Hi, I just stumbled upon the same problem and think that the issue is here: https://github.com/tomMoulard/fail2ban/blob/6b3824f01a31135e9f1e9fd1cdb56a4b62eb4c86/fail2ban.go#L143

The f2b-handler is called in the chain before the status-code-handler and thus fail2bans EVERY request (see also here: https://github.com/tomMoulard/fail2ban/blob/6b3824f01a31135e9f1e9fd1cdb56a4b62eb4c86/pkg/chain/chain.go#L84 )

I think that f2bHandler.New(f2b), should not be in the handler-chain at all for this to work...

tomMoulard commented 1 month ago

Indeed I could try reversing the order in the chain but I doupt I will work as you intend.

For you last part, removing the handler will remove it's ability to catch status codes. But indeed, it will count twice the request in the handler.

SeTh1032 commented 1 month ago

The status-code handler internally calls the f2b if a proper status-code is detected. Why call the f2b-handler "naked" (without any preconditions) in the chain at all? It then counts every request against the "maxRetry", even "legal" ones with a 200 response-code.

SeTh1032 commented 1 month ago

I'd think that inside the chain one would need a handler that continues blocking, if an IP is already on the ban-list, but that does not blindly increase ip.count towards maxRetries. Increasing the counter for an IP may only happen if a precondition for a "failed"-request is met (like inside the URLRegexBan or the http-status-handler).

(I'm not able to write Go-code myself, otherwise I'd create a merge-request)

Weav3r commented 1 month ago

Experiencing the same problem requests get banned after maxretry attempts regardless of the status code (#153

TomasMonkevic commented 1 week ago

Have the same issue here with Fail2Ban v0.8.3 and Traefik v3.1.6