
docker-fail2ban-synology's Introduction

Docker Fail2ban for Synology NAS

A docker-compose ready package to run Fail2ban on a Synology NAS. This setup is built to work within the constraints of Synology's DSM and to protect another container: Bitwarden_RS. Adding your own actions, filters and jails lets you use it for other purposes.

The goal is to keep the Synology NAS system untouched so that it stays upgrade-proof. That is why we did not try to modify the system or improve the embedded ban IP feature. The best option is to work with the embedded iptables as it is.

Although this has been made to run on a Synology NAS, it should run on other systems with little or no adaptation.

Documentation

Solved issues on Synology

The main issues on Synology are the following:

  • The embedded ban IP system cannot protect running Docker containers by design
  • The REJECT blocktype is not supported and must be switched to DROP
  • Modifying the DSM system is not upgrade-proof

Pre-requisite

  • A Docker-compatible Synology NAS
  • An up and running Docker package
  • An SSH client

Conventions

As a convention, the examples below use the following:

  • Folder used: /volumeX/docker/, to be adapted to your DSM setup

Installation

  1. Download this repo
  2. Unzip it and review the docker-compose_fail2ban.yml settings
  3. Copy the repo content to /volumeX/docker/

That is almost all. The file action.d/iptables-common.local switches the blocktype from REJECT to DROP. Note that newer fail2ban releases (the 1.0 series) read the shared iptables settings from action.d/iptables.conf instead of iptables-common.conf, so there the override has to be named action.d/iptables.local, as reported in the issues below.
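As an added example (not the repository's own file, which the page does not reproduce), this is what such an override needs to contain. The [Init] section and the blocktype key are the ones fail2ban's shipped action.d/iptables-common.conf defines; fail2ban reads the .conf first and then the matching .local, so only the changed key is needed.

```ini
# action.d/iptables-common.local
# (use action.d/iptables.local on fail2ban releases that ship iptables.conf
#  instead of iptables-common.conf)
[Init]
# Shipped default: blocktype = REJECT --reject-with icmp-port-unreachable
# DSM's iptables does not support REJECT, so silently drop the packets instead.
blocktype = DROP
```

After editing, `fail2ban-client -d` (run inside the container) dumps the effective configuration and shows whether the override was picked up before any jail is started.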

Setup

To finish the setup, add your filters and jails. The provided ones rely on a bitwarden_rs instance and look for its bitwarden.log file; if that file is not available, fail2ban fails at startup with an error.

Ready for a first run : docker-compose -f docker-compose_fail2ban.yml up

If everything goes well, the prompt tells you the container has started and waits until Ctrl+C is pressed to stop it. Have a look at the log file and test your filters and rules. A useful command to unban an IP after testing:

sudo docker exec -t fail2ban fail2ban-client set bitwarden unbanip XX.XX.XX.XX

Shut down the container by pressing Ctrl+C in the terminal.

Startup and Maintenance

Startup

Once setup is finished, you are ready to launch your "production" server. Review all the settings and environment variables in the .yml file. Test it with the same docker-compose -f docker-compose_fail2ban.yml up command as before. If everything goes well, stop it and run it detached with the following command.

`docker-compose -f docker-compose_fail2ban.yml up -d`

Maintenance

Upgrade the images regularly, as the software keeps evolving on a daily/weekly basis. Run the following commands as root from a terminal from time to time.

cd /volumeX/docker/
docker-compose -f docker-compose_fail2ban.yml down
docker-compose -f docker-compose_fail2ban.yml pull
docker-compose -f docker-compose_fail2ban.yml up -d

In order to keep a clean system, use this tutorial from time to time.

Use with Bitwarden_RS

This setup has been made for Bitwarden_RS running behind a reverse proxy as a Docker container on a Synology NAS.

Collaboration

Feel free to propose any optimization through pull requests

docker-fail2ban-synology's People

Contributors

nillebor, sosandroid, unlimitedcookies


docker-fail2ban-synology's Issues

using synology built-in reverse proxy

  1. Thank you for this guide. It has helped me a lot.
  2. I need help blocking external access through the Synology reverse proxy.
    I have tested the blocking ability by removing the Ignore IPs and it is working.
    I see that my WAN IP is being blocked but I am still able to access the container I have set up.
    What should I do?

iptables-common not working

Hi,

After hours of debugging, I finally managed to make "DROP" default.
To make it work, the file now needs to be named iptables.local and not iptables-common.local anymore

Thank you

Banned but not blocking...

Hi, I could really use your help.
NGINX Proxy Manager reports the correct IP address, but I can still access the page.
So I've tested with VPN and banned my IP address manually, checking iptables shows the following:
admin@DS1621:~$ sudo iptables -S | grep f2b
-N f2b-authelia
-N f2b-nginx-proxy-manager
-A INPUT -p tcp -j f2b-nginx-proxy-manager
-A INPUT -p tcp -j f2b-authelia
-A f2b-authelia -s 213.152.188.22/32 -j DROP
-A f2b-authelia -j RETURN
-A f2b-nginx-proxy-manager -s 213.152.188.22/32 -j DROP
-A f2b-nginx-proxy-manager -j RETURN
If I change the jail.d action to
action = iptables-allports[name=nginx-proxy-manager,chain="DOCKER-USER"] then, obviously, INPUT changes to DOCKER-USER, but no success either. Same goes for FORWARD.

NGINX Proxy Manager, Authelia, Fail2ban are all in containers.
NGINX Proxy Manager is on the default bridge network. Authelia has its own bridge network. fail2ban is set to host.
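A first check for this kind of report, as an added example that is neither part of the issue nor of the repository: it parses `iptables -S` output (the output quoted in the issue, plus a constructed variant) and reports which built-in chains reach each f2b-* chain. Packets for a bridged container's published port are DNATed in PREROUTING and then traverse FORWARD and DOCKER-USER; they never pass through INPUT, so a jump installed only in INPUT cannot affect traffic to that container whatever DROP rules the f2b chain holds. The chain names and the 203.0.113.9 source in the constructed sample are assumptions.

```python
"""Report where fail2ban hooked its chains, from `iptables -S` output.

On a Docker host, traffic to a bridged container's published port goes
PREROUTING (DNAT) -> FORWARD -> DOCKER-USER -> DOCKER and never hits INPUT.
A jail whose action only inserts its jump into INPUT therefore bans nothing
for that container, even though the DROP rule is visibly present.
"""
import re

# "-A INPUT -p tcp -j f2b-authelia": a built-in chain jumping into an f2b chain.
JUMP_RE = re.compile(r"^-A (?P<chain>\S+)(?: .*)? -j (?P<target>f2b-\S+)$")
# "-A f2b-authelia -s 1.2.3.4/32 -j DROP": a ban inside an f2b chain.
BAN_RE = re.compile(r"^-A (?P<chain>f2b-\S+) -s (?P<src>\S+) -j (?P<verdict>DROP|REJECT)")

# Chains that forwarded traffic to a bridged container actually traverses.
CONTAINER_PATH = {"FORWARD", "DOCKER-USER"}

# Output quoted in the issue above (fail2ban in host mode, default chain).
ISSUE_OUTPUT = """\
-N f2b-authelia
-N f2b-nginx-proxy-manager
-A INPUT -p tcp -j f2b-nginx-proxy-manager
-A INPUT -p tcp -j f2b-authelia
-A f2b-authelia -s 213.152.188.22/32 -j DROP
-A f2b-authelia -j RETURN
-A f2b-nginx-proxy-manager -s 213.152.188.22/32 -j DROP
-A f2b-nginx-proxy-manager -j RETURN
"""

# Constructed sample (assumption): the same jail after chain=DOCKER-USER was
# set in the action; 203.0.113.9 is an RFC 5737 documentation address.
DOCKER_USER_OUTPUT = """\
-N f2b-nginx-proxy-manager
-A DOCKER-USER -p tcp -j f2b-nginx-proxy-manager
-A DOCKER-USER -j RETURN
-A f2b-nginx-proxy-manager -s 203.0.113.9/32 -j DROP
-A f2b-nginx-proxy-manager -j RETURN
"""


def parse_rules(output):
    """Return (hooks, bans): hooks maps each f2b chain to the chains that jump
    to it; bans maps each f2b chain to the source addresses it drops/rejects."""
    hooks, bans = {}, {}
    for line in output.splitlines():
        line = line.strip()
        m = JUMP_RE.match(line)
        if m:
            hooks.setdefault(m["target"], set()).add(m["chain"])
            continue
        m = BAN_RE.match(line)
        if m:
            bans.setdefault(m["chain"], set()).add(m["src"])
    return hooks, bans


def covers_containers(hooks, f2b_chain):
    """True if the jail's chain is reachable from FORWARD or DOCKER-USER."""
    return bool(hooks.get(f2b_chain, set()) & CONTAINER_PATH)


def report(output):
    """Per f2b chain: where it is hooked, whether bridged containers are
    covered at all, and which sources it currently bans."""
    hooks, bans = parse_rules(output)
    return {
        chain: {
            "hooked_in": sorted(hooks.get(chain, ())),
            "covers_containers": covers_containers(hooks, chain),
            "banned": sorted(bans.get(chain, ())),
        }
        for chain in sorted(set(hooks) | set(bans))
    }


if __name__ == "__main__":
    for label, out in (("issue", ISSUE_OUTPUT), ("chain=DOCKER-USER", DOCKER_USER_OUTPUT)):
        for chain, info in report(out).items():
            print(label, chain, info)
```

Run it against `sudo iptables -S` from the NAS: a chain reported with `hooked_in: ['INPUT']` and `covers_containers: False` cannot stop traffic to a bridged container, however many addresses it lists under `banned`. The check only tells you whether the ban is placed on the container's path; it does not diagnose the separate question of whether the banned address is the real client.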

Fail2Ban is installed properly but not correctly banning the IP

Hi,

I recently installed this Fail2Ban container and got it working on my Synology NAS. However, I am having an issue with Fail2Ban not recognizing and banning the real IP.

My current setup is that I am hosting my bitwarden instance using a domain name (bitw.domainname.com) and I have it behind Nginx Reverse Proxy Manager (NPM). With Fail2Ban set up properly to my bitwarden instance, I tested many fake passwords. The logs show that the IP was banned but it was my reverse proxy IP, not my device's real IP. And I was still able to keep entering fake passwords into my bitwarden instance. So Fail2Ban wasn't actually banning anything.

Is there some kind of incompatibility of f2b with containers behind NPM reverse proxy? For reference, Fail2ban was installed as 'host' on my NAS and NPM is installed as a docker bridge container.

Below is a snippet of my Bitwarden log.

2021-05-29 18:04:12,362 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:12
2021-05-29 18:04:13,966 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:13
2021-05-29 18:04:14,668 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:14
2021-05-29 18:04:15,405 fail2ban.actions [1]: WARNING [bitwarden] 192.168.16.1 already banned
2021-05-29 18:04:15,812 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:15
2021-05-29 18:04:16,917 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:16
2021-05-29 18:04:18,521 fail2ban.filter [1]: INFO [bitwarden] Found 192.168.16.1 - 2021-05-29 18:04:18
2021-05-29 18:04:18,617 fail2ban.actions [1]: WARNING [bitwarden] 192.168.16.1 already banned

So it looks like Fail2Ban is banning IP: 192.168.16.1 which is my NPM reverse proxy address.

Could you please share insights of what the problem could be?
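What the filter and jail are doing in this situation, and why the ban lands on 192.168.16.1, as an added example (not the repository's filter nor the issue author's configuration). It also serves the Setup section of the README above, which asks you to test your filters and rules before going to production. The log format and failregex are assumptions modelled on the bitwarden_rs/vaultwarden failed-login line, the addresses and the Docker subnet are constructed, and the ban rule is the maxretry/findtime window that fail2ban applies.

```python
"""Replay a fail2ban-style filter over constructed bitwarden_rs log lines.

Reproduces the ban decision fail2ban takes (maxretry failures inside a
findtime window) and flags the reverse-proxy symptom from the issue above:
when every failure is attributed to the proxy's bridge address, the ban hits
the proxy rather than the attacker.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: bitwarden_rs logs a failed login as
#   [YYYY-MM-DD HH:MM:SS][...][ERROR] Username or password is incorrect.
#   Try again. IP: <addr>. Username: <user>.
# The regex mirrors the commonly used community failregex for that line; it is
# not the repository's filter.d file, which the page does not reproduce.
FAILREGEX = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]"
    r".*Username or password is incorrect\. Try again\. "
    r"IP: (?P<host>[0-9a-fA-F.:]+)\. Username: "
)


def _line(ts, ip, user="alice@example.com", ok=False):
    """Build one constructed log line (not real bitwarden_rs output)."""
    if ok:
        return f"[{ts}][bitwarden_rs::api::identity][INFO] Login succeeded for {user}"
    return (f"[{ts}][bitwarden_rs::api::identity][ERROR] Username or password "
            f"is incorrect. Try again. IP: {ip}. Username: {user}.")


# Constructed sample: the app sees the real client addresses (RFC 5737 ranges).
DIRECT_LOG = [
    _line("2021-05-29 10:00:00", "198.51.100.20"),  # old failure, outside findtime
    _line("2021-05-29 18:04:12", "203.0.113.7"),
    _line("2021-05-29 18:04:13", "203.0.113.7"),
    _line("2021-05-29 18:04:14", "198.51.100.20"),  # a user mistyping twice ...
    _line("2021-05-29 18:04:15", "203.0.113.7"),    # ... while 203.0.113.7 hits maxretry
    _line("2021-05-29 18:04:20", "198.51.100.20"),
    _line("2021-05-29 18:05:00", None, ok=True),    # non-matching line
]
# Same traffic behind a bridged reverse proxy: the app only ever sees the
# proxy's bridge gateway address, exactly as in the issue's fail2ban log.
PROXIED_LOG = [re.sub(r"IP: [0-9.]+\.", "IP: 192.168.16.1.", line) for line in DIRECT_LOG]


def parse_failures(lines):
    """(timestamp, host) for every line the failregex matches."""
    hits = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            hits.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"]))
    return hits


def ban_decisions(lines, maxretry=3, findtime=timedelta(hours=4)):
    """Sliding-window rule fail2ban applies: a host is banned once it has
    `maxretry` failures inside any `findtime` window. Returns banned hosts."""
    recent = defaultdict(deque)
    banned = set()
    for ts, host in sorted(parse_failures(lines)):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > findtime:      # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def proxy_pitfall(banned, docker_subnets=("192.168.16.0/20",)):
    """Banned hosts that fall inside a Docker bridge subnet (take the real list
    from `docker network inspect`; the default here is an assumption matching
    the 192.168.16.1 gateway seen in the issue). Such a host is the proxy, not
    the attacker: the attacker stays unblocked and the proxy's own traffic may
    be cut. The fix is to make the app log the real client address (the proxy's
    X-Forwarded-For) or to run the jail on the proxy's access log instead."""
    nets = [ipaddress.ip_network(n) for n in docker_subnets]
    return {h for h in banned if any(ipaddress.ip_address(h) in n for n in nets)}


if __name__ == "__main__":
    print("direct :", ban_decisions(DIRECT_LOG), proxy_pitfall(ban_decisions(DIRECT_LOG)))
    print("proxied:", ban_decisions(PROXIED_LOG), proxy_pitfall(ban_decisions(PROXIED_LOG)))
```

Against the direct log only 203.0.113.7 is banned (198.51.100.20 has three failures in total but only two inside the four-hour window); against the proxied log the only host that ever reaches maxretry is 192.168.16.1, which `proxy_pitfall` flags as a bridge address. Seeing a private bridge address in `fail2ban.actions ... Ban` lines is the signal that the jail is reading the wrong address, not that the filter is broken.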
