Fail2ban plugin in OMV and Nignx Proxy Manager and vaultwarden docker containers

darkopi · 23. Februar 2024

I have enabled Fail2ban plugin in OMV and Nignx Proxy Manager and vaultwarden in docker containers on same bridge network.

I want to ban ip if vaultwarden username or pass are wrong to many times from that ip.

I need help with this.

ryecoaaron · 23. Februar 2024

fail2ban has to be able to access log files. It can't access logs inside a docker container. If nginx proxy manager is running outside of docker, maybe you find a log for that but otherwise, the container itself will have to run fail2ban.

darkopi · 23. Februar 2024

Fail2ban can access logs from docker containers. I have permanently mounted volumes for my docker containers data.

ryecoaaron · 23. Februar 2024

Zitat von darkopi

Fail2ban can access logs from docker containers. I have permanently mounted volumes for my docker containers data.

Then you just need to create a new jail pointing at those logs.

darkopi · 23. Februar 2024

I did that for vaultwarden and fail2ban can ban ip but I can access vaultwarden from that banned ip.

ryecoaaron · 23. Februar 2024

Zitat von darkopi

I can access vaultwarden from that banned ip.

how would fail2ban ban an ip on effectively a different system? You have to have a proxy on the same ip as fail2ban to do that.

darkopi · 23. Februar 2024

My OMV is on same ip like my docker containers.

I use host network for most of my containers or bridge network if i need to change port/s

ryecoaaron · 23. Februar 2024

Zitat von darkopi

I use host network for most of my containers or bridge network if i need to change port/s

fail2ban works by creating iptables rules. docker is well known for creating its own regardless of what the host has rules for. I don't know how to get around this other than creating the proxy.

darkopi · 24. Februar 2024

How to do that?

chente · 24. Februar 2024

Zitat von darkopi

How to do that?

Maybe this will be useful for you.

Thema

NGINX Proxy Manager with fail2ban guide

OMV nginx-proxy-manager (referred to as NPM from here on) and fail2ban tutorial

This tutorial will assume that you know how to port forward in your router and that you have a DNS service configured to route incoming internet traffic to your internet connection based on your domain. It will also assume that you already have the OMV Compose plugin installed and are familiar with it's use. It is written as a simple and quick "how to", to get you started. Full documentation is available on the…

BernH

4. September 2023

darkopi · 24. Februar 2024

Thank you.

This really works.

Before I tried fail2ban on Vaultwarden, I also tried fail2ban on Nignx Proxy Manager, but without success.

I can't say I fully understand how this works, and what I tried with fail2ban and Nignx Proxy Manager didn't work.

As far as I can see, the only difference is actually in /absolute/path/to/persistent/appdata/fail2ban/action.d/iptables-nft.local.

It's a custom action that's not in the basic fail2ban installation, and I guess this allows the whole thing to work as it should.

I wonder if I can apply this action to other docker containers as well?

darkopi · 24. Februar 2024

I need one more thing...

How to setup email notification?

BernH · 24. Februar 2024

Zitat von darkopi

Thank you.
This really works.
Before I tried fail2ban on Vaultwarden, I also tried fail2ban on Nignx Proxy Manager, but without success.
I can't say I fully understand how this works, and what I tried with fail2ban and Nignx Proxy Manager didn't work.
As far as I can see, the only difference is actually in /absolute/path/to/persistent/appdata/fail2ban/action.d/iptables-nft.local.
It's a custom action that's not in the basic fail2ban installation, and I guess this allows the whole thing to work as it should.
I wonder if I can apply this action to other docker containers as well?

Alles anzeigen

I wrote that guide. It will apply to anything that nginxproxy manager logs as a failure to login, as it is the nginx proxy manager logs that it is watching. If failures exceed the thresholds set in the fail2ban configs it blocks the offending ip from accessing anything docker oriented, and since nginx proxy manager is the gateway to your services and is a docker container, the ip is blocked from nginx proxy manager. You can have it monitor other logs for specific containers if you like to have it only work on certain applications, but you would have to write a filter for those logs to parse the correct information and use an appropriate jail and action for each unique setup. The guide was intended as a "one size fits all" kind of configuration to allow people that want to use nginx proxy manager to add some additional security to the setup and mimic something close to what the swag reverse proxy container is doing.

I personally have 3 different filter/jail/action configuration running as I alluded to in the guide. One (the default in the guide) looks after short bans to hopefully make bots that are hammering on your system, stop because they fail to get a response, the next is a medium ban of 10 minutes using a higher fail count and timeframe that will hopefully look after manual attempts or bots that operate on a slower cycle, and the third is a long ban of 1 week that has an even higher failure count and timeframe to hopefully look after anything or anyone that starts hammering again after the short or medium bans.

Just remember that any additional configs or edits to the existing configs require a restart of the fail2ban container for them to become active.

As for email notifications, I didn't include those as it can become very annoying to get emails about bots getting banned on those short bans, but if you want to try to add notifications, there are guides to setting it up in the jail files, such as this one.

How to add email notifications to Fail2ban - technicalramblings.com

Jetzt mitmachen!