linuxserver / fail2ban-confs
These confs are pulled into our fail2ban image: https://github.com/linuxserver/docker-fail2ban
License: GNU General Public License v3.0
Hi, I'm trying to set up Fail2ban on my server. I've plugged Caddy's logs into Fail2ban using the remotelogs volume mapping and am trying to set up the jails so that Fail2ban will read Caddy's logs. However, I'm having a bit of trouble having Fail2ban read the jail configuration file.
The README states not to set up configuration files as .confs, as they will be wiped between container restarts, so I copied jail.d/nginx-bad-request.conf to jail.d/caddy.local. Then, in jail.local, I've added the following lines:
[caddy]
enabled = true
chain = DOCKER-USER
action = %(known/action)s
However, when Fail2ban loads, the jail is not shown in fail2ban-client status. What am I doing wrong here?
unRAID 6.11.5
If I'm doing something wrong, can the relevant portion be added to the README on how to properly add user-defined jail files in jail.d and have them be loaded by jail.local?
Hi,
I am trying to set up fail2ban with the Cloudflare-token action. I did some tests and I noticed that the action creates the firewall rules correctly when one or more IPs should be banned, but it doesn't remove them when the ban is lifted.
I am also using the Opnsense rule and it works fine, so I assume this issue is only related to the Cloudflare token action.
As a side note, I've also noticed that Cloudflare is going to deprecate the firewall APIs in favour of the WAF custom rules.
Anyway, this is my custom jail.local file. Is anyone experiencing the same issue? Thanks
[DEFAULT]
# "maxretry" is the number of failures before a host get banned.
maxretry = 1
bantime = 20s
# Apply additional actions to all bans with all jails
action = cloudflare-token[cfzone="ZONE", cftoken="TOKEN"]
gotify[url="URL"]
[emby-auth]
# Apply additional actions only to bans for the emby-auth jail
enabled = true
chain = INPUT
action = %(known/action)s
opnsense[alias="Fail2Ban", firewall="URL", key="KEY", secret="SECRET", allow_insecure=false]
Is it possible to create a jail and rule for Dell Enterprise SONiC?
DES uses an audit log file for failed/wrong authentication. A Fail2Ban Docker install as a TCPM allows enforcing security on the switch by preventing brute-force login/password attempts.
See my Pull Request
Hi, monitoring the Traefik log I have an example of a successful ban and a missed ban. I suspect the regex in the filter.d traefik-auth file is not catching the lines. The example log file lines are:
188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms
In the above example the IP address 188.95.55.5 is caught and banned but 185.212.111.150 is not caught.
Running in docker under Ubuntu 22.04
jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
destemail = [email protected]
sendername = Fail2ban
sender = [email protected]
mta = sendmail
bantime.increment = true
bantime.maxtime = 4w
bantime.factor = 24
bantime = 1h
findtime = 24h
maxretry = 3
action = %(action_mw)s
[traefik-auth]
enabled = true
chain = INPUT
2022-11-05 22:36:54,404 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:54
2022-11-05 22:36:59,622 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:36:59
2022-11-05 22:37:04,235 FFFF8140EB20 INFO [traefik-auth] Found 188.95.55.5 - 2022-11-05 22:37:04
2022-11-05 22:37:04,263 FFFF8130BB20 NOTIC [traefik-auth] Ban 188.95.55.5
N/A
Would it be possible to maybe update the regex to catch this test intrusion please?
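The report above does not show the traefik-auth failregex, so the one below is my own, written for this added example rather than taken from the fail2ban-confs repository; it matches every quoted field with [^"]* instead of \S+ so that the webdav lines with a server URL are caught as well, and it is checked here against the nine 401 lines from the report plus one constructed 200 line that must not count.

```python
import re

# Log lines: the nine 401 lines are copied from the report above; the final 200 line
# is constructed so the check also proves that successful requests are ignored.
SAMPLE_LOG = """\
188.95.55.5 - 11111 [05/Nov/2022:22:36:54 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 295 "whoami-1@file" "-" 0ms
188.95.55.5 - 222222 [05/Nov/2022:22:36:59 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 297 "whoami-1@file" "-" 0ms
188.95.55.5 - 33333 [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 298 "whoami-1@file" "-" 0ms
188.95.55.5 - - [05/Nov/2022:22:37:04 +0000] "GET / HTTP/2.0" 401 17 "-" "-" 299 "whoami-1@file" "-" 0ms
185.212.111.150 - - [05/Nov/2022:22:45:11 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 316 "webdav@file" "https://10.0.10.10/:5006" 15ms
185.212.111.150 - - [05/Nov/2022:22:45:28 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 317 "webdav@file" "https://10.0.10.10/:5006" 5510ms
185.212.111.150 - - [05/Nov/2022:22:45:42 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 318 "webdav@file" "https://10.0.10.10/:5006" 5291ms
185.212.111.150 - - [05/Nov/2022:22:45:53 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 320 "webdav@file" "https://10.0.10.10/:5006" 4070ms
185.212.111.150 - - [05/Nov/2022:22:45:57 +0000] "GET /home/test.txt HTTP/2.0" 401 381 "-" "-" 321 "webdav@file" "https://10.0.10.10/:5006" 6ms
10.0.0.7 - alice [05/Nov/2022:22:46:00 +0000] "GET /home/test.txt HTTP/2.0" 200 381 "-" "Mozilla/5.0 (X11)" 330 "webdav@file" "https://10.0.10.10/:5006" 12ms
"""

# Candidate failregex in the form a filter.d file would carry it. Traefik's CLF-style
# fields are: client ident user [time] "request" status size "referer" "agent"
# count "router" "server" duration. Quoted fields use [^"]* so a URL, an empty "-"
# or a user agent containing spaces all match; only status 401 is a failure.
FAILREGEX = (r'^<HOST> - \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP/[\d.]+" '
             r'401 \d+ "[^"]*" "[^"]*" \d+ "[^"]*" "[^"]*" \d+ms$')

# fail2ban expands <HOST> to its own host-matching group; \S+ is a simplification
# that is sufficient for the IPv4 addresses in the sample.
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))


def failed_auth_hosts(log_text: str) -> list:
    """Client address of every line matching the failregex, in log order."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [m.group("host") for m in matches if m]


def ban_candidates(log_text: str, maxretry: int) -> set:
    """Hosts with at least maxretry failures (the findtime window is ignored here)."""
    counts = {}
    for host in failed_auth_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    return {host for host, n in counts.items() if n >= maxretry}
```

The same check against a live filter is `fail2ban-regex /path/to/access.log /config/fail2ban/filter.d/traefik-auth.conf`, which reports how many lines each failregex matched and which lines were missed.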
I'm using this fail2ban Prometheus exporter which relies on the fail2ban socket, but the exporter log is filled with errors about not being able to find the socket file.
Note that the author of the exporter recommends mounting the folder, not the socket file directly.
Ubuntu Server 20.04
docker-compose.yaml:
version: "3.9"
networks:
metrix:
external: true
services:
fail2ban:
image: lscr.io/linuxserver/fail2ban:latest
container_name: fail2ban
restart: unless-stopped
environment:
- TZ=America/Los_Angeles
volumes:
- ./socket:/var/run/fail2ban
- ./config:/config
- /var/log:/var/log:ro
- /srv/emby/config/logs:/remotelogs/emby:ro
- /srv/bittorrent/nginx/log:/remotelogs/nginx:ro
- /srv/plex/config/Library/Application\ Support/Plex\ Media\ Server/Logs:/remotelogs/plex:ro
cap_add:
- NET_ADMIN
network_mode: "host"
f2b-exporter:
image: registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
container_name: f2b-exporter
volumes:
- ./socket:/var/run/fail2ban:ro
ports:
- 9191:9191
depends_on:
- fail2ban
networks:
- metrix
I've tried to use a defined volume as well, but honestly, it doesn't seem that the fail2ban.sock file is located in /var/run/fail2ban at all in this image. If I run 'docker-compose exec fail2ban ls /var/run/fail2ban', I get an empty output.
Where is the fail2ban.sock file located in this image?