Compose Plugin Settings is hitting Fail2ban on a SWAG reverse-proxy

ryecoaaron && votdev

This is making me nuts.

I use a SWAG reverse-proxy conf to access OMV via WAN.

All works great but on the last days, I've been getting banned on the WAN due to my SWAG internal IP beeing banned on the fail2ban from OMV.

After some test and trial, I figured out what is causing it but not how to sort it.

Whenever I go to the Services-> Compose-> Settings page, the fail2ban increases a count on the nginx-404 JAIL coming from the 172.21.0.5 (docker IP from SWAG).

Since I have a really low count value (3 on a 10 minute time), after a while, my Page goes 502.

Haven't yet, updated openmediavault-compose to 6.9.4and don't know if the same will keep happening.

Versions:

pi@panela:~ $ dpkg -l | grep omv
ii  openmediavault-omvextrasorg          6.3.1                            all          OMV-Extras.org Package Repositories for OpenMediaVault
pi@panela:~ $ dpkg -l | grep openm
ii  openmediavault                       6.4.8-1                          all          openmediavault - The open network attached storage solution
ii  openmediavault-compose               6.9                              all          OpenMediaVault compose plugin
ii  openmediavault-cputemp               6.1.3                            all          cpu temperature plugin for openmediavault
ii  openmediavault-fail2ban              6.0.3                            all          OpenMediaVault Fail2ban plugin
ii  openmediavault-flashmemory           6.2                              all          folder2ram plugin for openmediavault
ii  openmediavault-keyring               1.0.2-2                          all          GnuPG archive keys of the openmediavault archive
ii  openmediavault-nut                   6.0.5-1                          all          openmediavault Network UPS Tools (NUT) plugin
ii  openmediavault-omvextrasorg          6.3.1                            all          OMV-Extras.org Package Repositories for OpenMediaVault
ii  openmediavault-sharerootfs           6.0.2-1                          all          openmediavault share root filesystem plugin
ii  openmediavault-symlinks              6.0.4                            all          OpenMediaVault symlinks plugin
ii  openmediavault-wireguard             6.3.3                            all          openmediavault WireGuard plugin

If I go to any other page from the compose plugin, this doesn't happen.

Does this say something to you both on what is happening when going to the Settings page?

Thank for any input.

Quote from ryecoaaron

Have you tried ctrl-shift-R?

Yes, all the time,

Quote from ryecoaaron

Do you see anything in /var/log/nginx/error.log or /var/log/nginx/openmediavault-webgui_error.log when accessing the page?

Only this from access.log:

pi@panela:~ $ sudo tail /var/log/nginx/openmediavault-webgui_access.log
172.21.0.5 - - [10/Jul/2023:11:52:51 +0100] "POST /rpc.php HTTP/1.1" 200 533 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:52:53 +0100] "POST /rpc.php HTTP/1.1" 200 533 "https://>MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:52:57 +0100] "POST /rpc.php HTTP/1.1" 200 534 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:52:58 +0100] "POST /rpc.php HTTP/1.1" 200 534 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:01 +0100] "POST /rpc.php HTTP/1.1" 200 533 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:03 +0100] "POST /rpc.php HTTP/1.1" 200 530 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:07 +0100] "POST /rpc.php HTTP/1.1" 200 532 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:08 +0100] "POST /rpc.php HTTP/1.1" 200 531 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:12 +0100] "POST /rpc.php HTTP/1.1" 200 533 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
172.21.0.5 - - [10/Jul/2023:11:53:13 +0100] "POST /rpc.php HTTP/1.1" 200 520 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"

Quote from ryecoaaron

Do you see anything in the browser's F12 debugger?

Well, can you explain me better what to look for?

Quote from ryecoaaron

If you are using the default nginx-404 jail, it is only looking at /var/log/nginx*/*access*.log.

Yes, the default JAIL that is done from installation. Just activated it and changed some settings.

Quote from ryecoaaron

I would try deleting the older logs in that folder.

The logs just rotated yesterday.

I can (and will) bypass this by setting an exclusion on that IP.

Was just trying to figure out why this is happening in the last days/weeks.

I thought maybe something changed on the workbench that made it hitting several access in a short period of time.

Quote from ryecoaaron

Any error in the console part. It is usually pretty obvious if there is an error. If not, I really don't know what would being giving fail2ban issues. The Settings tab isn't doing anything out of the ordinary. I guess I will have to try setting up a system with fail2ban on it.

Don't really see anything out of the ordinary. Although I'm not that experienced on it.

Let me try to update the plugin and see if it still does the same.

If all comes to it, I'll just make the exclusion, to prevent beeing locked out.

Thank you for the inputs,

Quote from ryecoaaron

There would have to be a bug causing a 404 in the plugin.

The error that shows is a "502 bad Gateway" on the reverse-proxy. It's understandable since the internal IP is then, banned on the JAIL due to too many hits (as seen on the *.access.log every ~2seconds)

Is it the same as a 404?

What I'm been trying to change is some settings on the proxy.conf I created to see if it prevents that by adding some proxy headers:

#These are used on the Nextcloud proxy on SWAG
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

#OR
#These are from the qbittorrent proxy
        proxy_set_header Referer '';
        proxy_set_header Host $upstream_app:$upstream_port;
        proxy_set_header X-Forwarded-Host $host;

Quote from ryecoaaron

Did you see anything from sudo grep 404 /var/log/nginx*/*access*.log?

Yes:

pi@panela:~ $ sudo grep 404 /var/log/nginx*/*access*.log
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:09:55:39 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:10:53:46 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:11:51:22 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:11:57:30 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:12:04:39 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"
/var/log/nginx/openmediavault-webgui_access.log:172.21.0.5 - - [10/Jul/2023:12:04:47 +0100] "POST /rpc.php HTTP/1.1" 200 404 "https://<MYDOMAIN>.duckdns.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67"

For now, I added the IP to the "Ignore IP" setting of fail2ban.

Next week I'll be home and will make some more "wacky" tests to see if I sort this although it's just a minor issue.

When I log in via LAN IP (while WIREGUARDED) it doesn't happen but I have my LAN on the "Ignore IP list so, maybe if I remove it (the ignore list) it might also happen.

Will keep this updated.

Quote from ryecoaaron

Not sure why it only happens with the compose plugin though.

That's what got me going nuts.

And the funny thing is only on the "settings" sub-page.

All other pages don't make the counter increase, go figure

Quote from chente

Memory of other threads accessing your system remotely with Wireguard.

Why did you switch to swag to access the OMV interface?

I've always used SWAG to access via https.

Wireguard is a last resort, in case I get blocked or SWAG stops working.

Quote from chente

if someone finds your domain, the admin user could block you directly in OMV after several attempts, regardless of their IP.

You make a good point and I never thought about it.

But also that is covered, I can WIREGUARD the server and run omv-firstaid to reset the failed counter.

And even if it WIREGUARD fails, there's SSH portforward from WAN to LAN, in really last resort.

If that happens, all I need to do is change the proxy.conf to a complete new name for the subdomain, and the old https link stops working,

Quote from chente

Either way it would not expose the OMV interface to the internet directly.

That's what the fail2ban is there for and I have it really restricted (3 hits on a 10 minute period and it's IP banned)

Up until now, I only had 1 attempt (with several hits from a huge amount of different IPs from Russia, Singapore, China, Marrocco and more that I didn't inspect) via SSH (got the info from fail2ban a while ago) because I was using an AP on an Italian house that was probably already hacked.

It wasn't even on https JAIL, it was ssh JAIL.

As soon I saw that, I re-did my portforward and SSH port (never used defaults nor will) on the system and hits were gone.

How the port for SSH that I was using at the time was discovered, was a mistery to me.