Beiträge von arjan

This works for me using Portainer, with qBittorrent restricted to a wireguard VPN for internet access:

version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: qbittorrent_wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    ports:
      - 6881:6881 # qBittorrent TCP
      - 6881:6881/udp # qBittorrent UDP
      - 8080:8080 # qBittorrent WebUI
    environment:
      - PUID=1001 # non-root host uid
      - PGID=100
      - TZ=Europe/Amsterdam
      - PEERDNS=auto
    volumes:
      - /path/to/DockerConfig/wireguard_client:/config
      - /lib/modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    environment:
      - PUID=1001 # non-root host uid
      - PGID=100
      - TZ=Europe/Amsterdam
      - WEBUI_PORT=8080
    volumes:
      - /path/to/DockerConfig/qbittorrent:/config
      - /path/to/StorageDisk:/downloads
    network_mode: service:wireguard
    restart: unless-stopped

It's probably a good idea to also add it somewhere where new users will see it early. Maybe under Features "Web based administration" --> "Web based administration (Desktop Environments not supported)".

Yes that works, thanks

This fixes the ssh-ddos jail, I'm not sure what it should be for the apache-404 filter. Maybe others aren't having this problem because they upgraded their system from an older version and inherited filters with an older name?

I didn't install ownCloud or proFTPd, so I did not enable those. I just enabled the webserver jails since OMV is running a webserver, but I see now it's not running Apache by default.

However that should still not result in failure to start the fail2ban service. If I were running Apache the configuration files would still be missing/misconfigured, just like the [sshd-ddos] filter.

I have config files in /etc/fail2ban/jail.d/ for all the jails in the OMV GUI. I see the problem for sshd-ddos is that it should use filter = sshd inside the section [sshd-ddos]. Instead the filter was also set to sshd-ddos. When I change it to sshd the service starts again.

I'd started with doing that actually. The system was also freshly installed from OMV 6.x so there shouldn't be any old configurations.

It looks like sshd.conf should contain an [ssh-ddos] section, but doesn't.

Yes, same errors as before. I notice there's many config files in /etc/fail2ban/filter.d/ but indeed no apache-404 or sshd-ddos:

ls /etc/fail2ban/filter.d/ | grep apache
apache-auth.conf
apache-badbots.conf
apache-botsearch.conf
apache-common.conf
apache-fakegooglebot.conf
apache-modsecurity.conf
apache-nohome.conf
apache-noscript.conf
apache-overflows.conf
apache-pass.conf
apache-shellshock.conf

ls /etc/fail2ban/filter.d/ | grep ssh
selinux-ssh.conf
sshd.conf

Thanks for looking into this!

This seems to have created config files:

Zitat

debian:

----------

ID: remove_default_fail2ban_config

Function: file.absent

Name: /etc/fail2ban/jail.d/defaults-debian.conf

Result: True

Comment: File /etc/fail2ban/jail.d/defaults-debian.conf is not present

Started: 19:13:55.359172

Duration: 0.806 ms

Changes:

----------

ID: configure_fail2ban

Function: file.managed

Name: /etc/fail2ban/jail.conf

Result: True

Comment: File /etc/fail2ban/jail.conf is in the correct state

Started: 19:13:55.360152

Duration: 52.52 ms

Changes:

----------

ID: remove_jail_conf_files

Function: module.run

Result: True

Comment: file.find: ['/etc/fail2ban/jail.d/openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf', '/etc/fail2ban/jail.d/openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf', '/etc/fail2ban/jail.d/openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf', '/etc/fail2ban/jail.d/openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf', '/etc/fail2ban/jail.d/openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.co

nf', '/etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled', '/etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf', '/etc/fail2ban/jail.d/openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled']

Started: 19:13:55.413557

Duration: 2.054 ms

Changes:

----------

file.find:

- /etc/fail2ban/jail.d/openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf

- /etc/fail2ban/jail.d/openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf

- /etc/fail2ban/jail.d/openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf

- /etc/fail2ban/jail.d/openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf

- /etc/fail2ban/jail.d/openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.conf

- /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled

- /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf

- /etc/fail2ban/jail.d/openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled

----------

ID: configure_fail2ban_jail_36b96e6c-9187-4b93-b0c6-05c6d3e29dc3

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf updated

Started: 19:13:55.415822

Duration: 11.883 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_59650e01-5e07-4076-9b15-ce352f4b4356

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf updated

Started: 19:13:55.427893

Duration: 7.621 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_645ae684-0950-4fcf-92fc-eba1b88775b1

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.conf updated

Started: 19:13:55.435731

Duration: 7.62 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_6e3a7d25-326c-4dc8-bc05-63f303a62b60

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf updated

Started: 19:13:55.443535

Duration: 7.808 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_6e3a7d25-326c-4dc8-bc05-63f303a62b21

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled updated

Started: 19:13:55.451526

Duration: 7.654 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_7e9a7d35-326c-4dc8-bc05-35f308a62b78

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled updated

Started: 19:13:55.459365

Duration: 7.61 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_4e3a2d25-326c-4dc8-bc05-22f303a62b75

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf updated

Started: 19:13:55.467155

Duration: 7.672 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: configure_fail2ban_jail_5f2b2d25-726c-5dc8-ac05-79f303a62b35

Function: file.managed

Name: /etc/fail2ban/jail.d/openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf

Result: True

Comment: File /etc/fail2ban/jail.d/openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf updated

Started: 19:13:55.475013

Duration: 7.871 ms

Changes:

----------

diff:

New file

mode:

0644

----------

ID: start_fail2ban_service

Function: service.running

Name: fail2ban

Result: True

Comment: Service fail2ban is already enabled, and is running

Started: 19:13:55.501982

Duration: 135.536 ms

Changes:

----------

fail2ban:

True

Summary for debian

-------------

Succeeded: 12 (changed=10)

Failed: 0

-------------

Total states run: 12

Total run time: 256.655 ms

Alles anzeigen

But, the comment "Service fail2ban is already enabled, and is running" is incorrect. When I hard-refresh to GUI it fail2ban is not running, and systemctl status fail2ban shows failure as before.

You're right, this shows config for all services:

Zitat

omv-showkey fail2ban
<fail2ban>
<enable>1</enable>
<ignoreip>127.0.0.1</ignoreip>
<findtime>604800</findtime>
<bantime>604800</bantime>
<maxretry>5</maxretry>
<destemail>me@example.com</destemail>
<action>action_mwl</action>
<jails>
<jail>
<uuid>36b96e6c-9187-4b93-b0c6-05c6d3e29dc3</uuid>
<enable>1</enable>
<name>ssh</name>
<port>ssh</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>sshd</filter>
<logpath>/var/log/auth.log</logpath>
</jail>
<jail>
<uuid>59650e01-5e07-4076-9b15-ce352f4b4356</uuid>
<enable>0</enable>
<name>ssh-ddos</name>
<port>ssh</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>sshd-ddos</filter>
<logpath>/var/log/auth.log</logpath>
</jail>
<jail>
<uuid>645ae684-0950-4fcf-92fc-eba1b88775b1</uuid>
<enable>0</enable>
<name>apache-noscript</name>
<port>httpd,httpds</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>apache-noscript</filter>
<logpath>/var/log/apache*/*error.log</logpath>
</jail>
<jail>
<uuid>6e3a7d25-326c-4dc8-bc05-63f303a62b60</uuid>
<enable>1</enable>
<name>apache-404</name>
<port>httpd,httpds</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>apache-404</filter>
<logpath>/var/log/apache*/*error.log</logpath>
</jail>
<jail>
<uuid>6e3a7d25-326c-4dc8-bc05-63f303a62b21</uuid>
<enable>0</enable>
<name>proftp</name>
<port>ftp,ftp-data,ftps,ftps-data</port>
<maxretry>3</maxretry>
<bantime>-1</bantime>
<filter>proftpd</filter>
<logpath>/var/log/proftpd/proftpd.log</logpath>
</jail>
<jail>
<uuid>7e9a7d35-326c-4dc8-bc05-35f308a62b78</uuid>
<enable>0</enable>
<name>owncloud</name>
<port>http,https,8443</port>
<maxretry>3</maxretry>
<bantime>-1</bantime>
<filter>owncloud</filter>
<logpath>/MyPath/owncloud.log</logpath>
</jail>
<jail>
<uuid>4e3a2d25-326c-4dc8-bc05-22f303a62b75</uuid>
<enable>1</enable>
<name>nginx-404</name>
<port>http,https</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>nginx-404</filter>
<logpath>/var/log/nginx*/*access*.log</logpath>
</jail>
<jail>
<uuid>5f2b2d25-726c-5dc8-ac05-79f303a62b35</uuid>
<enable>1</enable>
<name>omv-webgui</name>
<port>http,https</port>
<maxretry>5</maxretry>
<bantime>-1</bantime>
<filter>omv-webgui</filter>
<logpath>/var/log/auth.log</logpath>
</jail>
</jails>
</fail2ban>

Alles anzeigen

I installed the fail2ban plugin, enabled some of the default jails, and enabled the service. However the service doesn't start:

systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2022-02-26 17:12:54 CET; 6min ago
       Docs: man:fail2ban(1)
    Process: 2396217 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
    Process: 2396218 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
   Main PID: 2396218 (code=exited, status=255/EXCEPTION)

If I run the start command manually I can see the problem:

/usr/bin/fail2ban-server -xf start
2022-02-26 17:13:41,660 fail2ban.configreader   [2397030]: ERROR   Found no accessible config files for 'filter.d/sshd-ddos' under /etc/fail2ban
2022-02-26 17:13:41,661 fail2ban.jailreader     [2397030]: ERROR   Unable to read the filter 'sshd-ddos'
2022-02-26 17:13:41,661 fail2ban.jailsreader    [2397030]: ERROR   Errors in jail 'ssh-ddos'. Skipping...
2022-02-26 17:13:41,669 fail2ban.configreader   [2397030]: ERROR   Found no accessible config files for 'filter.d/apache-404' under /etc/fail2ban
2022-02-26 17:13:41,669 fail2ban.jailreader     [2397030]: ERROR   Unable to read the filter 'apache-404'
2022-02-26 17:13:41,669 fail2ban.jailsreader    [2397030]: ERROR   Errors in jail 'apache-404'. Skipping...
2022-02-26 17:13:41,675 fail2ban                [2397030]: ERROR   Failed during configuration: Have not found any log file for apache-noscript jail
2022-02-26 17:13:41,678 fail2ban                [2397030]: ERROR   Async configuration of server failed

I find various proposed solutions for these issues for fail2ban in general, but it seems like the configuration should be managed by openmediavault-fail2ban. So manually tweaking this seems to go against the recommended practice for OMV.

I can disable the ssh-ddos and apache-noscript jails and then the service does start, but it seems they should have configuration by default as well. How to fix?

Ah excellent, thanks. But how do I limit the wireguard server to not access anything else? (I want to provide access only to some Docker containers, not to the LAN or other services on the NAS).

I've set up wireguard via Docker in server mode which works great. I can use ALLOWEDIPS=192.168.178.0/24 to only provide access to the LAN without routing other internet traffic.

But how could I setup a (second) wireguard server that only provides access to some Docker containers running on the OMV NAS, without providing access to the LAN?

You can just install extra Debian packages via apt, as long as they don't interfere with OMV, right? I'm currently considering doing that rather than going with Docker (just for PostgreSQL).

Uninstalling Docker+Portainer from the OMV UI, but then also deleting and recreating the entire Docker folder before reinstalling seems to have worked. This time the Portainer installation did work.

I'm trying to set up Docker for the first time, following the guide. When I get to installing Portainer (step 4), it fails however with this message:

Zitat

Docker storage :: /srv/dev-disk-by-uuid-c289a88e-31dc-4146-a254-1927f3a7b2c7/Docker

Agent port:: 8000

Web port:: 9000

Yacht port:: 8001

ee:: 0

image:: portainer/portainer-ce

arch :: amd64

option :: portainer

state :: install

extras :: 6.0.7

DNS OK.

No portainer containers or images to remove.

Pulling and starting portainer/portainer-ce ...

d0672f9c4f33178e79766e07b9941366c1ecb40b386dea76c433ba25b143a945

Something went wrong trying to pull and start portainer ...

Alles anzeigen

I found an old thread with the same message, but nothing there seems to apply:

- My DNS is working fine (indicated above and confirmed with ping from cli).

- I'd never installed/used Docker before on this machine, nothing else is using port 8000.

I've tried removing/reinstalling/restarting both Docker and Portainer, no luck. Ideas?

Zitat

The discovery order is not guaranteed to be repeatable

Right, that's why I wondered if it would be possible for the device names to instead be assigned based on hardcoded disk ids/paths via udev rules so they would become stable (since the names are used in the interface). But I guess that's not important (or even possible, he). Using symlinks sounds good.

I checked the layout of the /dev/disk/by-path/ ids further and they are indeed stable, I was just confused because the first bays were counting down ata-6 to ata-1 from left to right, then the last two were on another pci slot counting upwards.

Is there any way to configure OpenMediaVault to use persistent disk device names? I've seen that OMV deliberately uses by-id for its configuration. Would it be possible to add custom udev rules to hardcode specific disk ids to /dev/{sda,sdb}, etc.?

I'm also wondering if there's a way to map the physical drive bay to a device name (bay1 = /dev/sda, bay2 = /dev/sdb, etc.). I installed OMV on a QNAP NAS, and I noticed the QTS interface was aware of the physical bay location, so presumably there is a way to do this in Linux. I thought it might be done via /dev/disk/by-path/, but looking at the ids I see there, they don't seem to follow the physical drive bay location either.