Fail2ban plugin in OMV and Nignx Proxy Manager and vaultwarden docker containers

  • I have enabled Fail2ban plugin in OMV and Nignx Proxy Manager and vaultwarden in docker containers on same bridge network.

    I want to ban ip if vaultwarden username or pass are wrong to many times from that ip.

    I need help with this.

    • Official Post

    fail2ban has to be able to access log files. It can't access logs inside a docker container. If nginx proxy manager is running outside of docker, maybe you find a log for that but otherwise, the container itself will have to run fail2ban.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    Fail2ban can access logs from docker containers. I have permanently mounted volumes for my docker containers data.

    Then you just need to create a new jail pointing at those logs.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    I can access vaultwarden from that banned ip.

    how would fail2ban ban an ip on effectively a different system? You have to have a proxy on the same ip as fail2ban to do that.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    I use host network for most of my containers or bridge network if i need to change port/s

    fail2ban works by creating iptables rules. docker is well known for creating its own regardless of what the host has rules for. I don't know how to get around this other than creating the proxy.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    How to do that?

    Maybe this will be useful for you.

  • Thank you.

    This really works.

    Before I tried fail2ban on Vaultwarden, I also tried fail2ban on Nignx Proxy Manager, but without success.

    I can't say I fully understand how this works, and what I tried with fail2ban and Nignx Proxy Manager didn't work.

    As far as I can see, the only difference is actually in /absolute/path/to/persistent/appdata/fail2ban/action.d/iptables-nft.local.

    It's a custom action that's not in the basic fail2ban installation, and I guess this allows the whole thing to work as it should.

    I wonder if I can apply this action to other docker containers as well?

  • I wrote that guide. It will apply to anything that nginxproxy manager logs as a failure to login, as it is the nginx proxy manager logs that it is watching. If failures exceed the thresholds set in the fail2ban configs it blocks the offending ip from accessing anything docker oriented, and since nginx proxy manager is the gateway to your services and is a docker container, the ip is blocked from nginx proxy manager. You can have it monitor other logs for specific containers if you like to have it only work on certain applications, but you would have to write a filter for those logs to parse the correct information and use an appropriate jail and action for each unique setup. The guide was intended as a "one size fits all" kind of configuration to allow people that want to use nginx proxy manager to add some additional security to the setup and mimic something close to what the swag reverse proxy container is doing.


    I personally have 3 different filter/jail/action configuration running as I alluded to in the guide. One (the default in the guide) looks after short bans to hopefully make bots that are hammering on your system, stop because they fail to get a response, the next is a medium ban of 10 minutes using a higher fail count and timeframe that will hopefully look after manual attempts or bots that operate on a slower cycle, and the third is a long ban of 1 week that has an even higher failure count and timeframe to hopefully look after anything or anyone that starts hammering again after the short or medium bans.


    Just remember that any additional configs or edits to the existing configs require a restart of the fail2ban container for them to become active.


    As for email notifications, I didn't include those as it can become very annoying to get emails about bots getting banned on those short bans, but if you want to try to add notifications, there are guides to setting it up in the jail files, such as this one.

    How to add email notifications to Fail2ban - technicalramblings.com

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!