Comments (13)
Hello!
We are looking into the problem!
It can take some time so please don't mind the lapse of time.
From what I can see in the source code, the ban should be released after the minute that you specified in the configuration.
When an IP is banned, it is banned on all the domains that are registered with fail2ban, so trying to access localhost:8000/one or localhost:8000/two after being banned will only reset the banning time.
We are using a table of IPs with the time of their first call and a number of tries. If the number of tries is more than the threshold, the IP is banned. If time of the call - time of first time of calls >= findtime, the IP is unbanned and should be able to access the URL.
We are going to make 2 releases in the upcoming weeks:
- more logs and loglevel (that will help us debug your case and upcoming ones)
- regexp (allow, block, filter)
Those releases will help to at least debug your problem, and if the problem lies in regexp it could be resolved like that!
We'll be back soon with more solutions so wait for us 😉
Clement
from fail2ban.
Likely related to #23 (comment) where I experience similar behavior in a different context, I'm getting banned no matter what my regexpurl is set to, and it unbans after a minute, but then with any page reload, bans again.
from fail2ban.
> Likely related to #23 (comment) where I experience similar behavior in a different context, I'm getting banned no matter what my regexpurl is set to, and it unbans after a minute, but then with any page reload, bans again.
I agree that the ban should be lifted when bantime has passed so something is wrong, but isn't the nature of Fail2ban that a specific ip is blocked regardless of url it tries to access? My understanding is that a firewall (iptables and similar) is used and thereby blocking the ip specifically?
from fail2ban.
Looking forward to your updates.
Let me know if you need any debug information.
from fail2ban.
Hello,
We released two new versions of fail2ban: 0.6.1 & 0.6.2.
0.6.1 includes an upgrade of regexp
0.6.2 adds more logs
You can upgrade your version of fail2ban and check if you're still experiencing your problems, you'll have to change your rules a bit but everything is in the README.
Clement
from fail2ban.
How would this config look in my .toml file?
from fail2ban.
https://github.com/tomMoulard/fail2ban/blob/main/README.md#fail2ban
from fail2ban.
Ok.
Updated now but the situation is still the same: fail2ban is basically just banning when I access my site for no specific reason. 🤷🏼‍♂️
from fail2ban.
Can you produce a reproducible case?
> for no specific reason
Is not enough for me to do something about it.
from fail2ban.
middlewares.toml
[http.middlewares.my-fail2ban]
[http.middlewares.my-fail2ban.plugin]
[http.middlewares.my-fail2ban.plugin.fail2ban]
logLevel= "INFO"
[http.middlewares.my-fail2ban.plugin.fail2ban.rules]
bantime= "10s"
enabled= true
findtime= "60m"
maxretry= 3
ports= "80:443"
[http.middlewares.my-fail2ban.plugin.fail2ban.whitelist]
ip = ["::1", "127.0.0.1", "192.168.1.0/24"]
Activation:
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Whitelisted: '::1/128'
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Whitelisted: '127.0.0.1/32'
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Whitelisted: '192.168.1.0/24'
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Bantime: 10s
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Findtime: 1h0m0s
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: Ports range from 80 to 443
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:51: FailToBan Rules : '{Xbantime:10s Xfindtime:1h0m0s XurlregexpAllow:[] XurlregexpBan:[] Xmaxretry:3 Xenabled:true Xports:[80 443]}'
INFO: Fail2Ban: 2021/05/06 17:15:33 restricted.go:52: Plugin: FailToBan is up and running
Debug log:
DEBUG: Fail2Ban: 2021/05/06 17:19:21 restricted.go:51: New request: &{GET / HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Encoding:[gzip] Accept-Language:[en-us] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] Cf-Ipcountry:[NO] Cf-Ray:[64b32fb7b9d60b6b-AMS] Cf-Request-Id:[09e3dc26d400000b6bf11bb000000001] Cf-Visitor:[{"scheme":"https"}] Connection:[Keep-Alive] Cookie:[authelia_session=vpjQsqHJtyMZtqUYWKpTQfeHuGrXrGpq; __cfduid=d4bcb3ac6988160f0689ba91f129051061620310071] User-Agent:[Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1] X-Forwarded-For:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] X-Forwarded-Host:[<mysite>] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[a4aa097bf2e3] X-Real-Ip:[141.101.105.91]] 0xc001606600 <nil> 0 [] false <mysite> map[] map[] <nil> map[] 141.101.105.91:24982 / 0xc00140a000 <nil> <nil> 0xc000f06300}
DEBUG: Fail2Ban: 2021/05/06 17:19:21 restricted.go:52: 141.101.105.91 is no longer banned
DEBUG: Fail2Ban: 2021/05/06 17:19:21 restricted.go:51: New request: &{GET /web/index.html HTTP/1.1 1 1 map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Encoding:[gzip] Accept-Language:[en-us] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] Cf-Ipcountry:[NO] Cf-Ray:[64b32fb8bbad0b6b-AMS] Cf-Request-Id:[09e3dc277100000b6b140f6000000001] Cf-Visitor:[{"scheme":"https"}] Connection:[Keep-Alive] Cookie:[authelia_session=vpjQsqHJtyMZtqUYWKpTQfeHuGrXrGpq; __cfduid=d4bcb3ac6988160f0689ba91f129051061620310071] Referer:[https:// <mysite>/] User-Agent:[Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1] X-Forwarded-For:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] X-Forwarded-Host:[ <mysite>] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[a4aa097bf2e3] X-Real-Ip:[141.101.105.91]] 0xc000ce44b0 <nil> 0 [] false <mysite> map[] map[] <nil> map[] 141.101.105.91:36900 /web/index.html 0xc00064ea50 <nil> <nil> 0xc000ecb9b0}
DEBUG: Fail2Ban: 2021/05/06 17:19:21 restricted.go:51: welcome back 141.101.105.91 for the 2 time
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:51: New request: &{GET /web/translations/en.json HTTP/1.1 1 1 map[Accept:[application/json, text/javascript, */*; q=0.01] Accept-Encoding:[gzip] Accept-Language:[en-us] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] Cf-Ipcountry:[NO] Cf-Ray:[64b32fba5e720b6b-AMS] Cf-Request-Id:[09e3dc287800000b6bc7971000000001] Cf-Visitor:[{"scheme":"https"}] Connection:[Keep-Alive] Cookie:[authelia_session=vpjQsqHJtyMZtqUYWKpTQfeHuGrXrGpq; __cfduid=d4bcb3ac6988160f0689ba91f129051061620310071] Referer:[https:// <mysite>/web/index.html] User-Agent:[Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1] X-Forwarded-For:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] X-Forwarded-Host:[ <mysite>] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[a4aa097bf2e3] X-Real-Ip:[141.101.105.91] X-Requested-With:[XMLHttpRequest]] 0xc00194e618 <nil> 0 [] false <mysite> map[] map[] <nil> map[] 141.101.105.91:45168 /web/translations/en.json 0xc0017e4000 <nil> <nil> 0xc000546e10}
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:52: 141.101.105.91 is now banned temporarily
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:51: New request: &{GET /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.54.5&X-Plex-Client-Identifier=a3c11yljb5j8p0g74iucl5ww&X-Plex-Platform=Safari&X-Plex-Platform-Version=605.1&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=iOS&X-Plex-Device-Name=Safari&X-Plex-Device-Screen-Resolution=980x1669%2C390x844&X-Plex-Token=52sp_sdeytDjRKtTf66q&X-Plex-Language=en HTTP/1.1 1 1 map[Accept:[application/json] Accept-Encoding:[gzip] Accept-Language:[en] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] Cf-Ipcountry:[NO] Cf-Ray:[64b32fbc5a2b0b6b-AMS] Cf-Request-Id:[09e3dc29ba00000b6bd7892000000001] Cf-Visitor:[{"scheme":"https"}] Connection:[Keep-Alive] Cookie:[authelia_session=vpjQsqHJtyMZtqUYWKpTQfeHuGrXrGpq; __cfduid=d4bcb3ac6988160f0689ba91f129051061620310071] Referer:[https:// <mysite>/web/index.html] User-Agent:[Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1] X-Forwarded-For:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] X-Forwarded-Host:[ <mysite>] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[a4aa097bf2e3] X-Real-Ip:[141.101.105.91] X-Requested-With:[XMLHttpRequest]] 0xc0016070c8 <nil> 0 [] false <mysite> map[] map[] <nil> map[] 141.101.105.91:36900 /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.54.5&X-Plex-Client-Identifier=a3c11yljb5j8p0g74iucl5ww&X-Plex-Platform=Safari&X-Plex-Platform-Version=605.1&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=iOS&X-Plex-Device-Name=Safari&X-Plex-Device-Screen-Resolution=980x1669%2C390x844&X-Plex-Token=52sp_sdeytDjRKtTf66q&X-Plex-Language=en 0xc00064ea50 <nil> <nil> 0xc000f07650}
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:51: 141.101.105.91 is still banned since 2021-05-06T17:19:22+02:00, 4 request
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:51: New request: &{GET /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.54.5&X-Plex-Client-Identifier=a3c11yljb5j8p0g74iucl5ww&X-Plex-Platform=Safari&X-Plex-Platform-Version=605.1&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=iOS&X-Plex-Device-Name=Safari&X-Plex-Device-Screen-Resolution=980x1669%2C390x844&X-Plex-Language=en HTTP/1.1 1 1 map[Accept:[application/json] Accept-Encoding:[gzip] Accept-Language:[en] Cdn-Loop:[cloudflare] Cf-Connecting-Ip:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] Cf-Ipcountry:[NO] Cf-Ray:[64b32fbc6a4a0b6b-AMS] Cf-Request-Id:[09e3dc29c400000b6b16068000000001] Cf-Visitor:[{"scheme":"https"}] Connection:[Keep-Alive] Cookie:[authelia_session=vpjQsqHJtyMZtqUYWKpTQfeHuGrXrGpq; __cfduid=d4bcb3ac6988160f0689ba91f129051061620310071] Referer:[https:// <mysite>/web/index.html] User-Agent:[Mozilla/5.0 (iPhone; CPU iPhone OS 14_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1] X-Forwarded-For:[2a02:2121:30c:fc3f:ad2e:cbcb:b8f3:d799] X-Forwarded-Host:[ <mysite>] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[a4aa097bf2e3] X-Real-Ip:[141.101.105.91] X-Requested-With:[XMLHttpRequest]] 0xc0008b40d8 <nil> 0 [] false <mysite> map[] map[] <nil> map[] 141.101.105.91:38766 /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.54.5&X-Plex-Client-Identifier=a3c11yljb5j8p0g74iucl5ww&X-Plex-Platform=Safari&X-Plex-Platform-Version=605.1&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=iOS&X-Plex-Device-Name=Safari&X-Plex-Device-Screen-Resolution=980x1669%2C390x844&X-Plex-Language=en 0xc00064ec60 <nil> <nil> 0xc000f062a0}
DEBUG: Fail2Ban: 2021/05/06 17:19:22 restricted.go:51: 141.101.105.91 is still banned since 2021-05-06T17:19:22+02:00, 5 request
from fail2ban.
141.101.105.91 is not in ["::1", "127.0.0.1", "192.168.1.0/24"], so it works as expected
from fail2ban.
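An added example, not the plugin's code: a simplified Go model of the counting described in the first comment, replayed with the settings from the posted middlewares.toml. It assumes that every request counts when no URL regexp is set, that the ban starts on the request that reaches maxretry (as the debug log shows), and that clients are keyed by the address the log reports; `Limiter`, `entry` and `Allow` are hypothetical names and the timestamp is constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Settings from the posted middlewares.toml; whitelist as the startup log prints it.
var (
	bantime, findtime, maxretry = 10 * time.Second, time.Hour, 3
	whitelist                   = []string{"::1/128", "127.0.0.1/32", "192.168.1.0/24"}
)

type entry struct {
	since time.Time // start of the counting window, or of the ban
	count int
}

// Limiter is a simplified model (assumption), not the plugin's implementation.
type Limiter map[string]*entry

// Allow counts every request from a non-whitelisted address, whatever the URL.
func (l Limiter) Allow(remote string, now time.Time) bool {
	ip, err := netip.ParseAddr(remote)
	for _, c := range whitelist {
		if err == nil && netip.MustParsePrefix(c).Contains(ip) {
			return true
		}
	}
	e, window := l[remote], findtime
	if e != nil && e.count >= maxretry { // currently banned
		window = bantime
	}
	if e == nil || now.Sub(e.since) >= window { // new client, window over, or ban served
		l[remote] = &entry{since: now, count: 1}
		return true
	}
	if e.count++; e.count == maxretry {
		e.since = now // the ban starts on the request that reaches maxretry
	}
	return e.count < maxretry
}

func main() {
	l, t := Limiter{}, time.Date(2021, 5, 6, 17, 19, 21, 0, time.UTC) // constructed
	for i := 0; i < 4; i++ { // one page load, four requests
		fmt.Println(l.Allow("141.101.105.91", t))
	}
}
```

With these settings a single page load that issues three or more requests is enough to trigger the ban, and the first page load after the 10s bantime triggers it again, which is the pattern reported in the thread.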
Does that mean that the implementation of the fail2ban module is to ban all IPs not whitelisted? Because that is not what I expected based on my experience with its namesake program.
from fail2ban.
Here's the doc on how regexp works.
Feel free to open a pr that could enhance either the doc or the regexp (and the plugin) behaviour.
I will close this issue as it seems that you are asking us to build your configuration. But don't hesitate to ask your issue about it on the Traefik community forum.
from fail2ban.