
fail2ban-confs's Issues

User-defined jails not being loaded?

linuxserver.io

Hi, I'm trying to set up Fail2ban on my server. I've plugged Caddy's logs into Fail2ban using the remotelogs volume mapping and am trying to set up the jails so that Fail2ban will read Caddy's logs. However, I'm having a bit of trouble having Fail2ban read the jail configuration file.

The README states not to set up configuration files as .confs as they will be wiped between container restarts, so I copied the jail.d/nginx-bad-request.conf to jail.d/caddy.local. Then, in jail.local, I've added the following lines:

[caddy]
enabled = true
chain = DOCKER-USER
action  = %(known/action)s

However, when Fail2ban loads, the jail is not shown in fail2ban-client status. What am I doing wrong here?

unRAID 6.11.5


If I'm doing something wrong, can the relevant portion be added to the README on how to properly add user-defined jail files in jail.d and have it be loaded by jail.local?
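An added check, not code from the repo or the issue author, that merges jail files in the load order fail2ban documents at the top of jail.conf (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and flags every enabled jail whose filter file is absent. The constructed layout in `demo()` assumes the copied jail.d/caddy.local kept its original `[nginx-bad-request]` section header, which is one way a `[caddy]` section in jail.local ends up with no `filter.d/caddy.conf` behind it.

```python
import configparser
import glob
import os
import tempfile


def load_jails(confdir):
    """Merge jail files in the order fail2ban documents in jail.conf:
    jail.conf, jail.d/*.conf, jail.local, jail.d/*.local (later wins)."""
    parser = configparser.ConfigParser(interpolation=None)
    files = [os.path.join(confdir, "jail.conf")]
    files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    files += [os.path.join(confdir, "jail.local")]
    files += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    parser.read(files)
    return parser


def check_jails(confdir):
    """Return {jail: problem or None} for every enabled jail."""
    cfg = load_jails(confdir)
    report = {}
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        # fail2ban's default is filter = %(__name__)s (the jail name);
        # drop any [mode=...] argument list before looking for the file.
        filt = cfg.get(jail, "filter", fallback="%(__name__)s")
        filt = filt.replace("%(__name__)s", jail).split("[")[0].strip()
        path = os.path.join(confdir, "filter.d", filt + ".conf")
        report[jail] = None if os.path.exists(path) else f"filter.d/{filt}.conf missing"
    return report


def _write(confdir, rel, text):
    path = os.path.join(confdir, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed layout (assumed, not taken from the issue): the copied
    jail.d/caddy.local keeps its [nginx-bad-request] header, and jail.local
    adds a separate [caddy] section that therefore has no filter of its own."""
    d = tempfile.mkdtemp()
    _write(d, "jail.conf", "[DEFAULT]\nenabled = false\n")
    _write(d, "filter.d/nginx-bad-request.conf", "[Definition]\nfailregex = <HOST>\n")
    _write(d, "jail.d/caddy.local",
           "[nginx-bad-request]\nlogpath = /remotelogs/caddy/access.log\n")
    _write(d, "jail.local", "[caddy]\nenabled = true\nchain = DOCKER-USER\n")
    return check_jails(d)  # → {'caddy': 'filter.d/caddy.conf missing'}
```

Pointing `check_jails()` at a real /config/fail2ban directory lists which enabled jails fail2ban would have to skip for lack of a filter before looking any further.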

Cloudflare-token action doesn't execute actionunban

Hi,
I am trying to set up fail2ban with the Cloudflare-token action. I did some tests and I noticed that the action creates the firewall rules correctly when one or more IPs should be banned, but it doesn't remove them when the ban is lifted.
I am also using the Opnsense rule and it works fine, so I assume this issue is only related to the Cloudflare token action.

As a side note, I've also noticed that Cloudflare is going to deprecate the firewall APIs in favour of the WAF custom rules.

Anyway, this is my custom jail.local file. Is anyone experiencing the same issue? Thanks

jail.local
[DEFAULT]
# "maxretry" is the number of failures before a host gets banned.
maxretry = 1
bantime = 20s

# Apply additional actions to all bans with all jails
action  = cloudflare-token[cfzone="ZONE", cftoken="TOKEN"]
          gotify[url="URL"]

[emby-auth]
# Apply additional actions only to bans for the emby-auth jail
enabled = true
chain   = INPUT
action  = %(known/action)s
          opnsense[alias="Fail2Ban", firewall="URL", key="KEY", secret="SECRET", allow_insecure=false]

Dell Enterprise SONiC Jail/Rules

Is it possible to create a jail and rule for Dell Enterprise SONiC?

DES uses an audit log file for failed/wrong authentication. A Fail2Ban Docker install as a TCPM allows enforcing security on the switch by preventing brute-force login/password attempts.

See my Pull Request

Issue of traefik-auth not catching all log lines

linuxserver.io
Hi, monitoring the Traefik log I have an example of a successful ban and a missed ban. I suspect the regex in the filter.d traefik-auth file is not catching the lines. The example log file lines are:

188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms

In the above example the IP address 188.95.55.5 is caught and banned but 185.212.111.150 is not caught.

Running in docker under Ubuntu 22.04

jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           10.0.0.0/8
           172.16.0.0/12
           192.168.0.0/16

destemail = [email protected]
sendername = Fail2ban
sender = [email protected]
mta = sendmail

bantime.increment = true
bantime.maxtime = 4w
bantime.factor = 24
bantime = 1h
findtime = 24h
maxretry = 3

action = %(action_mw)s

[traefik-auth]
enabled = true
chain = INPUT

Log file output

2022-11-05 22:36:54,404 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:54
2022-11-05 22:36:59,622 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:59
2022-11-05 22:37:04,235 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:37:04
2022-11-05 22:37:04,263 FFFF8130BB20 NOTIC [traefik-auth] Ban 188.95.55.5


Would it be possible to maybe update the regex to catch this test intrusion please?

Thanks, team linuxserver.io
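An added harness, not the repo's filter and not code from the issue author, that applies fail2ban-style failregexes (with the `<HOST>` placeholder) to constructed copies of the Traefik lines quoted above. The `STRICT` and `RELAXED` patterns are hypothetical illustrations of the symptom described: a pattern that insists on a numeric user field sees only the 188.95.55.5 lines, while one that accepts any user token also reports the 185.212.111.150 lines with a "-" user.

```python
import re

# Simplified stand-in for fail2ban's <HOST> group (the real one also accepts
# hostnames and IPv4-mapped IPv6); enough for the dotted-quad lines here.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# Constructed copies of the Traefik access-log lines quoted in the issue, plus
# one invented 200 response to confirm successes are never counted. The third
# field is the authenticated user and is "-" when no user name was supplied.
LOG_LINES = [
    '188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms',
    '188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms',
    '185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms',
    '185.212.111.150 - - [05/Nov/2022:22:46:00 +0000] "GET /home/test.txt HTTP/2.0" 200 381 "-" "-" 322 "webdav@file" "https://10.0.10.10/:5006" 5ms',
]

# Hypothetical patterns (not the repo's filter.d/traefik-auth.conf). STRICT
# insists on a numeric user field, so it cannot see the "-" lines; RELAXED
# accepts any non-blank user token and keys only on the method and the 401.
STRICT = r'^<HOST> - \d+ \[[^\]]*\] "(GET|POST|HEAD)[^"]*" 401 '
RELAXED = r'^<HOST> - \S+ \[[^\]]*\] "(GET|POST|HEAD)[^"]*" 401 '


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does before compiling. Real fail2ban also
    strips the text matched by datepattern first; this harness keeps the date
    in the line, so patterns here must consume the [..] timestamp themselves."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matching_hosts(pattern, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.match, lines) if m]


def compare(lines=LOG_LINES):
    """Hosts each pattern would report, so a missed line is visible at a glance."""
    return {"strict": matching_hosts(STRICT, lines),
            "relaxed": matching_hosts(RELAXED, lines)}
```

To test the actual shipped filter against a real log, `fail2ban-regex <logfile> <filter file>` inside the container reports per-line matches and handles the datepattern step this harness skips.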

[Feature Request] Add configuration files for Caddy

linuxserver.io

Please add configuration files for Caddy! It's a really good web server that I use to reverse proxy to services, but there aren't any filter or jail configuration files for it yet.

Thanks, team linuxserver.io

Can't find fail2ban.sock

linuxserver.io

I'm using this fail2ban Prometheus exporter which relies on the fail2ban socket, but the exporter log is filled with errors about not being able to find the socket file.

Note that the author of the exporter recommends mounting the folder, not the socket file directly.

Ubuntu Server 20.04

docker-compose.yaml:

version: "3.9"
networks:
  metrix:
    external: true

services:
  fail2ban:
    image: lscr.io/linuxserver/fail2ban:latest
    container_name: fail2ban
    restart: unless-stopped
    environment:
      - TZ=America/Los_Angeles
    volumes:
      - ./socket:/var/run/fail2ban
      - ./config:/config
      - /var/log:/var/log:ro
      - /srv/emby/config/logs:/remotelogs/emby:ro
      - /srv/bittorrent/nginx/log:/remotelogs/nginx:ro
      - "/srv/plex/config/Library/Application Support/Plex Media Server/Logs:/remotelogs/plex:ro"
    cap_add:
      - NET_ADMIN
    network_mode: "host"

  f2b-exporter:
    image: registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
    container_name: f2b-exporter
    volumes:
      - ./socket:/var/run/fail2ban:ro
    ports:
      - 9191:9191
    depends_on:
      - fail2ban
    networks:
      - metrix

I've tried to use a defined volume as well, but honestly, it doesn't seem that the fail2ban.sock file is located in /var/run/fail2ban at all in this image. If I run 'docker-compose exec fail2ban ls /var/run/fail2ban', I get an empty output.

Where is the fail2ban.sock file located in this image?

Thanks, team linuxserver.io
