tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License
191 stars 10 forks

Difficulties to set up this plugin #49

Closed digrouz closed 9 months ago

digrouz commented 2 years ago

Hello,

I'm trying to set up this plugin and I can't get it to work.

My environment is kubernetes (k3s), my traefik (ingress-controller) is working as expected before starting to play with fail2ban.

   args:
   - --providers.kubernetescrd
   - --providers.kubernetescrd.namespaces=default,kube-system
   - --providers.file
   - --providers.file.filename=/fail2ban/rules-fail2ban.yaml
   - --entrypoints.web.address=:80
   - --entrypoints.websecure.address=:443
   - --entrypoints.storjstoragenodetcp.address=:28967
   - --entrypoints.syncthingsynctcp.address=:22000
   - --entrypoints.syncthingsyncudp.address=:22000/udp
   - --entrypoints.syncthingdiscoveryudp.address=:21027/udp
   - --entrypoints.sambamds.address=:445
   - --entrypoints.sambanbt.address=:139
   - --entrypoints.sambandgmudp.address=:138/udp
   - --entrypoints.sambannsudp.address=:137/udp
   - --api.insecure
   - --pilot.token=<HIDDEN>
   - --experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban
   - --experimental.plugins.fail2ban.version=v0.6.2
   - --certificatesresolvers.le.acme.email=<HIDDEN>
   - --certificatesresolvers.le.acme.storage=/cert/acme.json
   - --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
   - --serverstransport.insecureskipverify=true
   - --accesslog=true
   - --accesslog.filepath=/logs/access.log
   - --accesslog.bufferingsize=100
   - --log.filePath=/logs/traefik.log
   - --log.level=INFO
   - --metrics=true
   - --metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
   - --metrics.prometheus.addEntryPointsLabels=true
   - --metrics.prometheus.addServicesLabels=true

my rules-fail2ban.yaml is still the default one:

  http:
      middlewares:
          my-fail2ban:
              plugin:
                  fail2ban:
                      blacklist:
                          ip: 192.168.0.0/24
                      rules:
                          action: ""
                          actionAbuseipdb: ""
                          backend: ""
                          banaction: ""
                          banactionAllports: ""
                          bantime: 3h
                          chain: ""
                          destemail: ""
                          enabled: "true"
                          fail2banAgent: ""
                          filter: ""
                          findtime: 10m
                          ignorecommand: ""
                          logencoding: UTF-8
                          maxretry: "4"
                          mode: ""
                          mta: ""
                          ports: 0:8000
                          protocol: ""
                          sender: ""
                          urlregexp: ""
                          usedns: ""
                      whitelist:
                          ip: ::1,127.0.0.1

Once Traefik starts, I don't see the plugin loading:

    time="2021-12-30T07:32:34Z" level=info msg="Traefik version 2.5.6 built on 2021-12-22T16:30:52Z"
    time="2021-12-30T07:32:34Z" level=info msg="Stats collection is enabled."
    time="2021-12-30T07:32:34Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
    time="2021-12-30T07:32:34Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
    time="2021-12-30T07:32:34Z" level=info msg="More details on: https://doc.traefik.io/traefik/contributing/data-collection/"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider *file.Provider {\"watch\":true,\"filename\":\"/fail2ban/rules-fail2ban.yaml\"}"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider *traefik.Provider {}"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider *crd.Provider {\"namespaces\":[\"default\",\"kube-system\"]}"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
    time="2021-12-30T07:32:35Z" level=info msg="Starting provider *acme.Provider {\"email\":\"<HIDDEN>\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/cert/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"le\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
    time="2021-12-30T07:32:35Z" level=info msg="label selector is: \"\"" providerName=kubernetescrd
    time="2021-12-30T07:32:35Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetescrd
    time="2021-12-30T07:32:35Z" level=info msg="Testing certificate renew..." providerName=le.acme

Is there anything obvious I'm missing?

thomasLeclaire commented 2 years ago

Plugins are experimental, and the loading info is at DEBUG level in the Traefik logs.

dberardo-com commented 1 year ago

I don't know if this can help, but in my case I could see this error in the log:

    level=error msg="Plugins are disabled because an error has occurred." error="mkdir plugins-storage: read-only file system"

which led me to this: https://github.com/traefik/traefik-helm-chart/issues/282

Basically, experimental plugins have to be enabled globally within the Helm chart in k8s:

  experimental:
    plugins:
      enabled: true

Now I see that the container is trying to download the plugins, but for some reason it does not reach the host:

    level=error msg="Plugins are disabled because an error has occurred." error="failed to download plugin github.com/tomMoulard/fail2ban: failed to call service: Get \"https://plugin.pilot.traefik.io/public/download/github.com/tomMoulard/fail2ban/v0.6.6\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"

But from a shell inside the container I can download the plugin without any trouble ... so I wonder why Traefik can't download it? Can I increase the timeout?

dberardo-com commented 1 year ago

Also, I feel this point should be documented as well: the fail2ban plugin needs to be the first one in the middleware list of a router, in case the 401s or other "fail sources" are produced by middlewares placed after fail2ban itself.
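To make the ordering point concrete, here is an added example of a Traefik file-provider dynamic configuration (it is not from the plugin's docs or from the commenters). The `my-fail2ban` middleware block is copied from the default `rules-fail2ban.yaml` shown earlier in this thread; the router names, the `my-auth` basicAuth middleware, the hostname, the service URL and the htpasswd placeholder are assumptions for illustration. In Traefik the first entry of a router's `middlewares` list is the outermost handler, so a middleware that rejects a request (basicAuth answering 401) stops the chain before anything listed after it runs:

```yaml
# Added example: Traefik dynamic configuration for the file provider
# (e.g. --providers.file.filename=/fail2ban/rules-fail2ban.yaml).
http:
  routers:
    # WRONG ORDER (router name assumed): my-auth runs first and returns 401
    # itself, so the request never reaches my-fail2ban and failed logins are
    # never seen by it.
    app-wrong:
      rule: "Host(`app.example.com`)"      # hostname assumed
      entryPoints: [websecure]
      service: app
      middlewares:
        - my-auth
        - my-fail2ban

    # CORRECT ORDER: my-fail2ban is outermost, sees every request and the
    # 401 responses produced by my-auth behind it.
    app:
      rule: "Host(`app.example.com`)"      # hostname assumed
      entryPoints: [websecure]
      service: app
      middlewares:
        - my-fail2ban
        - my-auth

  middlewares:
    # Copied from the default rules-fail2ban.yaml posted in this issue.
    my-fail2ban:
      plugin:
        fail2ban:
          blacklist:
            ip: 192.168.0.0/24
          rules:
            action: ""
            actionAbuseipdb: ""
            backend: ""
            banaction: ""
            banactionAllports: ""
            bantime: 3h
            chain: ""
            destemail: ""
            enabled: "true"
            fail2banAgent: ""
            filter: ""
            findtime: 10m
            ignorecommand: ""
            logencoding: UTF-8
            maxretry: "4"
            mode: ""
            mta: ""
            ports: 0:8000
            protocol: ""
            sender: ""
            urlregexp: ""
            usedns: ""
          whitelist:
            ip: ::1,127.0.0.1

    # Assumed "fail source": a basicAuth middleware that answers 401 on bad
    # credentials. The users entry is a placeholder, not a real hash.
    my-auth:
      basicAuth:
        users:
          - "admin:$apr1$REPLACE-ME$REPLACE-WITH-YOUR-OWN-HASH"

  services:
    # Backend URL assumed.
    app:
      loadBalancer:
        servers:
          - url: "http://app.default.svc.cluster.local:8080"
```

Keep `--log.level=DEBUG` (or the Helm chart equivalent) while validating: as noted above, the plugin loading messages are only visible at that level, and with INFO a misordered chain and a plugin that never loaded look identical in the logs.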

fradeve commented 9 months ago

@dberardo-com just wanted to say thanks, your posts above have helped me to get the plugin to work!

tomMoulard commented 9 months ago

Following @dberardo-com's comment, I think that this issue could be related to Traefik itself and not to this plugin. Thus, I will close this issue.

If you think I am wrong, feel free to open a new issue documenting your use case!

fradeve commented 9 months ago

@tomMoulard maybe it could be made clearer in the documentation that the fail2ban logs will only be visible when the Traefik logs are set to DEBUG? (if my understanding of this comment is correct: https://github.com/tomMoulard/fail2ban/issues/49#issuecomment-1070885710)

I agree with your assessment, most of the issues described above are generic Traefik issues on how to get Traefik configured to run plugins.

tomMoulard commented 9 months ago

> it could be made clearer in the documentation that the fail2ban logs will only be visible when the Traefik logs are set to DEBUG?

For sure, feel free to open a PR to improve the documentation!

fradeve commented 9 months ago

@dberardo-com I have opened this PR to add some more docs, following your feedback: https://github.com/tomMoulard/fail2ban/pull/74

dberardo-com commented 9 months ago

I believe that my original issue was due to an outdated version of Traefik or so, but TBH I forgot.

However, well done with the PR!