tommoulard / fail2ban
Traefik plugin on fail2ban middleware
License: MIT License
So, I added this plugin to Traefik 2.7 by adding this to traefik.toml:
[experimental.plugins.fail2ban]
moduleName = "github.com/tomMoulard/fail2ban"
version = "v0.7.1"
and this to the dynamic-conf.toml:
[http.middlewares.my-fail2ban]
[http.middlewares.my-fail2ban.plugin]
[http.middlewares.my-fail2ban.plugin.fail2ban]
[http.middlewares.my-fail2ban.plugin.fail2ban.rules]
bantime = "1h"
enabled = "true"
findtime = "1m"
maxretry = "60"
[http.middlewares.my-fail2ban.plugin.fail2ban.whitelist]
ip = "::1,127.0.0.1,172.19.0.0/16,172.17.0.0/16"
After restarting the Traefik container the following error is thrown in the Traefik console:
2023/10/18 11:46:59 traefik.go:80: command traefik error: github.com/tomMoulard/fail2ban: failed to import plugin code "github.com/tomMoulard/fail2ban": 1:21: import "github.com/tomMoulard/fail2ban" error: plugins-storage/sources/gop-3703202570/src/github.com/tomMoulard/fail2ban/fail2ban.go:17:2: import "github.com/tomMoulard/fail2ban/ipchecking" error: plugins-storage/sources/gop-3703202570/src/github.com/tomMoulard/fail2ban/ipchecking/ipChecking.go:7:2: import "net/netip" error: unable to find source related to: "net/netip"
This doesn't seem like something I misconfigured, but I could be mistaken. Any idea?
I think I'm dealing with a bug because I've checked all the settings and the plugin generally behaves as described. Unfortunately, my traffic is being blocked and I can't find a reason why.
I am using the latest plugin version (0.7.1) with the latest Traefik version (2.10.5). I use Docker as a provider.
For my tests I use the Traefik dashboard, which I have secured with Simple Auth. Additional brute-forcing protection would be a welcome addition.
In my setup, I first tried to lock myself out by entering the wrong credentials: that worked straight away. Since then (I tested this two weeks ago) I have no longer been able to authenticate successfully. I am always blocked with status '403'. What I have tried:
What I am missing is a way to check on the banned IP addresses. Is there a way to find out what's happening?
Thanks!
Here is an excerpt from my traefik_dynamic.yaml (for completeness):
my-fail2ban:
  plugin:
    fail2ban:
      rules:
        bantime: "3h"
        enabled: true
        findtime: "10m"
        maxretry: 4
      whitelist:
        ip:
          - "::1"
          - "127.0.0.1"
routers:
  api:
    rule: Host(`dashboard.mydomain.com`)
    entrypoints:
      - websecure
    middlewares:
      - simpleAuth
      - my-fail2ban
    service: api@internal
    tls:
      certResolver: lets-encrypt
It doesn't seem like anyone has actually used this.
http.Request docs:
// RemoteAddr allows HTTP servers and other software to record
// the network address that sent the request, usually for
// logging. This field is not filled in by ReadRequest and
// has no defined format. The HTTP server in this package
// sets RemoteAddr to an "IP:port" address before invoking a
// handler.
// This field is ignored by the HTTP client.
In my logs, I'm seeing:
Fail2Ban_config: 2020/12/29 02:28:13 restricted.go:51: Whitelisted: '192.168.1.1/32'
....
Fail2Ban: 2020/12/29 02:38:47 restricted.go:52: 192.168.1.1:49926 is in blacklist mode
A closer look at your IP parsing would indicate that you didn't read the ParseIP docs:
ParseIP parses s as an IP address, returning the result. The string s can be in IPv4 dotted decimal ("192.0.2.1"), IPv6 ("2001:db8::68"), or IPv4-mapped IPv6 ("::ffff:192.0.2.1") form. If s is not a valid textual representation of an IP address, ParseIP returns nil.
See how you have to net.SplitHostPort(s)?
Your unit tests pass because you aren't using Request.RemoteAddr strings with ports.
Hello,
I manage the f2b config via docker labels:
Initialisation (command):
- --experimental.plugins.traefik-fail2ban-plugin.modulename=github.com/tomMoulard/fail2ban
- --experimental.plugins.traefik-fail2ban-plugin.version=v0.7.1
Label:
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.enabled=true"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.bantime=3h"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.findtime=2m"
- "traefik.http.middlewares.fail2ban-plugin.plugin.traefik-fail2ban-plugin.maxretry=2"
- "traefik.http.routers.catch-all.middlewares=catch-all-ratelimit,catch-all-redirect,fail2ban-plugin,modsec-plugin"
But it looks like my settings are ignored, since the log is showing this:
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Bantime: 5m0s
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Findtime: 2m0s
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 FailToBan Rules : '{Bantime:5m0s Findtime:2m0s URLRegexpAllow:[] URLRegexpBan:[] MaxRetry:0 Enabled:true}'
10/23/2023 6:48:11 PM 2023/10/23 18:48:11 Plugin: FailToBan is up and running
I double checked the example: https://github.com/tomMoulard/fail2ban/blob/main/docker-compose.yml
and the code, but couldn't find an issue with my config:
Line 43 in 2790061
I think it's interesting that it somehow managed to interpret the enabled flag but not the other parameters; the case should be correct, as seen in the example and the sources.
Hello. Plugin's config reading fails with an error "not valid".
Traefik version 2.9.5
fail2ban version v0.6.6
http:
  middlewares:
    mw-fail2ban:
      plugin:
        fail2ban:
          rules:
            bantime: 1h
            findtime: 1s
            enabled: true
            maxretry: 50
            ports:
              - 443
          blacklist:
            ip: []
          whitelist:
            ip:
              - 192.168.1.0/24
$ docker-compose up traefik
Starting dup-traefik ... done
Attaching to dup-traefik
dup-traefik | time="2023-06-08T20:05:41+03:00" level=info msg="Configuration loaded from flags."
dup-traefik | IPChecking: 2023/06/08 20:05:42 restricted.go:51: &{%!e(string=CIDR address) %!e(string=║24║192.168.1.0/24)}
dup-traefik | IPChecking: 2023/06/08 20:05:42 restricted.go:51: Error: ║24║192.168.1.0/24 not valid
After looking through ipChecking.go I can assume that the problem is around line 46 -- according to docs, net.ParseIP does not expect a subnet in an input string; that's what net.ParseCIDR is for.
The plugin was not imported into Traefik Plugin Catalog.
Cause:
failed to run the plugin with Yaegi: the load of the plugin takes too much time(10s), or an error, inside the plugin, occurs during the load: 1:21: import "github.com/tomMoulard/fail2ban" error: /tmp/traefik-plugin-gop3322109729/src/github.com/tomMoulard/fail2ban/fail2ban.go:18:2: import "github.com/tomMoulard/fail2ban/log" error: /tmp/traefik-plugin-gop3322109729/src/github.com/tomMoulard/fail2ban/log/log_debug.go:17:16: unknown field logger in struct literal
Traefik Plugin Analyzer will restart when you close this issue.
If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.
Ability to export metrics (number of banned ips, ...) like traefik.
Is there a way to ban using a failregex filter on an access log line?
I had fail2ban on my host protecting the docker proxy instance when I was using nginx-proxy. Here is the line from my custom filter:
failregex = ^.*\s<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
EDIT:
Does this plugin only ban according to urlregexp and if I leave it blank it blocks all access?
The plugin was not imported into Traefik Pilot.
Cause:
unsupported plugin: the module name (github.com/tommoulard/fail2ban) doesn't contain the GitHub repository name (github.com/tomMoulard/fail2ban)
Hi, are there any plans to implement such feature using email/telegram/....? Thank you.
Hello,
Are TCP or UDP entrypoints supported?
Thank you!
I couldn't find in the documentation how to read logs (in my case Authelia logs) to block IP addresses.
What is the equivalent of the jail.d, action.d and filter.d fail2ban directories in this plugin?
I want to read Authelia logs and block the IP addresses that fail to log in n times. I think this is doable by running a dedicated fail2ban container, but I noticed this plugin and it looked like a better alternative.
Hello,
I'm trying to setup this plugin and I can't get it to work.
My environment is kubernetes (k3s), my traefik (ingress-controller) is working as expected before starting to play with fail2ban.
args:
- --providers.kubernetescrd
- --providers.kubernetescrd.namespaces=default,kube-system
- --providers.file
- --providers.file.filename=/fail2ban/rules-fail2ban.yaml
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.storjstoragenodetcp.address=:28967
- --entrypoints.syncthingsynctcp.address=:22000
- --entrypoints.syncthingsyncudp.address=:22000/udp
- --entrypoints.syncthingdiscoveryudp.address=:21027/udp
- --entrypoints.sambamds.address=:445
- --entrypoints.sambanbt.address=:139
- --entrypoints.sambandgmudp.address=:138/udp
- --entrypoints.sambannsudp.address=:137/udp
- --api.insecure
- --pilot.token=<HIDDEN>
- --experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban
- --experimental.plugins.fail2ban.version=v0.6.2
- --certificatesresolvers.le.acme.email=<HIDDEN>
- --certificatesresolvers.le.acme.storage=/cert/acme.json
- --certificatesResolvers.le.acme.httpChallenge.entryPoint=web
- --serverstransport.insecureskipverify=true
- --accesslog=true
- --accesslog.filepath=/logs/access.log
- --accesslog.bufferingsize=100
- --log.filePath=/logs/traefik.log
- --log.level=INFO
- --metrics=true
- --metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
- --metrics.prometheus.addEntryPointsLabels=true
- --metrics.prometheus.addServicesLabels=true
my rules-fail2ban.yaml is still the default one:
http:
  middlewares:
    my-fail2ban:
      plugin:
        fail2ban:
          blacklist:
            ip: 192.168.0.0/24
          rules:
            action: ""
            actionAbuseipdb: ""
            backend: ""
            banaction: ""
            banactionAllports: ""
            bantime: 3h
            chain: ""
            destemail: ""
            enabled: "true"
            fail2banAgent: ""
            filter: ""
            findtime: 10m
            ignorecommand: ""
            logencoding: UTF-8
            maxretry: "4"
            mode: ""
            mta: ""
            ports: 0:8000
            protocol: ""
            sender: ""
            urlregexp: ""
            usedns: ""
          whitelist:
            ip: ::1,127.0.0.1
Once starting Traefik I don't see the plugin loading:
time="2021-12-30T07:32:34Z" level=info msg="Traefik version 2.5.6 built on 2021-12-22T16:30:52Z"
time="2021-12-30T07:32:34Z" level=info msg="Stats collection is enabled."
time="2021-12-30T07:32:34Z" level=info msg="Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration."
time="2021-12-30T07:32:34Z" level=info msg="Help us improve Traefik by leaving this feature on :)"
time="2021-12-30T07:32:34Z" level=info msg="More details on: https://doc.traefik.io/traefik/contributing/data-collection/"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider aggregator.ProviderAggregator {}"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider *file.Provider {\"watch\":true,\"filename\":\"/fail2ban/rules-fail2ban.yaml\"}"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider *traefik.Provider {}"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider *crd.Provider {\"namespaces\":[\"default\",\"kube-system\"]}"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider *acme.ChallengeTLSALPN {\"Timeout\":4000000000}"
time="2021-12-30T07:32:35Z" level=info msg="Starting provider *acme.Provider {\"email\":\"<HIDDEN>\",\"caServer\":\"https://acme-v02.api.letsencrypt.org/directory\",\"storage\":\"/cert/acme.json\",\"keyType\":\"RSA4096\",\"httpChallenge\":{\"entryPoint\":\"web\"},\"ResolverName\":\"le\",\"store\":{},\"TLSChallengeProvider\":{\"Timeout\":4000000000},\"HTTPChallengeProvider\":{}}"
time="2021-12-30T07:32:35Z" level=info msg="label selector is: \"\"" providerName=kubernetescrd
time="2021-12-30T07:32:35Z" level=info msg="Creating in-cluster Provider client" providerName=kubernetescrd
time="2021-12-30T07:32:35Z" level=info msg="Testing certificate renew..." providerName=le.acme
Is there anything obvious I'm missing?
The plugin was not imported into Traefik Pilot.
Cause:
the import "github.com/tommoulard/fail2ban" must be related to the module name "github.com/tomMoulard/fail2ban"
I get this error:
time="2024-05-16T09:31:57Z" level=error msg="plugins-storage/sources/gop-714367021/src/github.com/tomMoulard/fail2ban/fail2ban.go:218:2: panic" plugin=plugin-fail2ban module=github.com/tomMoulard/fail2ban
The plugin was not imported into Traefik Pilot.
Cause:
failed to run with Yaegi: plugin: failed to create a new plugin instance: open tests/test-ipfile.txt: no such file or directory
or does it work only for Enterprise versions of Traefik?
Is the installation procedure the same?
Hello, I discovered your plugin today! This is how I have configured it:
command:
- "--experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban"
- "--experimental.plugins.fail2ban.version=v0.6.0"
labels:
- "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.enabled=true"
- "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.maxretry=4"
- "traefik.http.middlewares.fail2ban.plugin.fail2ban.rules.bantime=1h"
My goal is to block access to a service if there are, for example, 4 login failures.
Actually it does not work; I can repeat many login errors without problem (I restarted, for sure).
I think there is something I haven't understood.
I didn't make any changes on my service (application) side. Should I do something?
I can see my middleware in traefik -> fail2ban@docker
Thanks for help :)
The plugin was not imported into Traefik Plugin Catalog.
Cause:
failed to get the latest tag: invalid tag: v0.1 (this tag must be removed, see https://semver.org)
Wouldn't it make more sense if the ban would trigger based on all requests that aren't HTTP 200-299?
Then we could set a much lower limit and thus lower the number of attempts a hacker has before banning them.
(If I read the code correctly it just counts the number of requests.)
As noted in this discussion, fail2ban currently only uses the request's IP for banning. This makes it impossible to properly ban IPs when behind a proxy, like Cloudflare.
A configuration option to pull the IP from a request header or other source would be ideal.
I seem to have an issue where fail2ban reactivates a previous ban on an IP when the same IP tries to access the site after the ban expires.
Environment:
middelwares.toml
[http.middlewares.my-fail2ban]
[http.middlewares.my-fail2ban.plugin]
[http.middlewares.my-fail2ban.plugin.fail2ban]
[http.middlewares.my-fail2ban.plugin.fail2ban.blacklist]
ip = [""]
[http.middlewares.my-fail2ban.plugin.fail2ban.rules]
action = ""
actionAbuseipdb = ""
backend = ""
banaction = ""
banactionAllports = ""
bantime = "1m"
chain = ""
destemail = ""
enabled = true
fail2banAgent = ""
filter = ""
findtime = "1m"
ignorecommand = ""
logencoding = "UTF-8"
maxretry = 4
mode = ""
mta = ""
ports = "0:8000"
protocol = ""
sender = ""
urlregexp = ""
usedns = ""
[http.middlewares.my-fail2ban.plugin.fail2ban.whitelist]
ip = ["::1", "127.0.0.1", "192.168.1.0/24", "172.16.1.0/16"]
static config:
- --pilot.token=<redacted>
- --experimental.plugins.fail2ban.modulename=github.com/tommoulard/fail2ban
- --experimental.plugins.fail2ban.version=v0.6.0
service config:
- "traefik.http.routers.authelia-rtr.middlewares=my-fail2ban@file,chain-no-auth@file"
Traefik log after restart:
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Whitelisted: '::1/128'
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Whitelisted: '127.0.0.1/32'
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Whitelisted: '192.168.1.0/24'
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Whitelisted: '172.16.0.0/16'
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Bantime: 1m0s
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Findtime: 1m0s
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: Ports range from 0 to 8000
Fail2Ban_config: 2021/04/05 08:57:45 restricted.go:51: FailToBan Rules : '{Xbantime:1m0s Xfindtime:1m0s Xurlregexp:[] Xmaxretry:4 Xenabled:true Xports:[0 8000]}'
Fail2Ban: 2021/04/05 08:57:45 restricted.go:52: Plugin: FailToBan is up and running
Triggering ban:
Fail2Ban: 2021/04/05 09:03:17 restricted.go:52: <external client ip> is in blacklist mode
Fail2Ban: 2021/04/05 09:03:21 restricted.go:52: <external client ip> is in blacklist mode
Fail2Ban: 2021/04/05 09:03:25 restricted.go:52: <external client ip> is in blacklist mode
Then waiting until bantime expires:
1 Fail2Ban: 2021/04/05 09:05:20 restricted.go:52: <external client ip> is now back in whitelist mode
2 Fail2Ban: 2021/04/05 09:05:33 restricted.go:52: <external client ip> is in blacklist mode
3 Fail2Ban: 2021/04/05 09:05:54 restricted.go:52: <external client ip> is in blacklist mode
When accessing Authelia after bantime expires (line 1) fail2ban correctly notifies that the IP is back in whitelist mode. However, a new request (line 2) puts the client back in fail2ban mode. This does not seem right, and I wonder where I have blundered in my setup?
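As an added example, not the plugin's own code, here is a minimal Go ban-state machine with the findtime/maxretry/bantime semantics this report is exercising. It is written so that an expired ban also clears the failure counter (the missing step behind the immediate re-ban in the log above) and so that, as the earlier request on this page asks, only non-2xx responses count as failures. The Jail type and its methods are my own names, the client IP is a placeholder, and I assume that the maxretry-th failure is the one that bans.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Jail keeps per-IP ban state driven by the plugin's three knobs: MaxRetry
// failures inside FindTime ban the client for BanTime. The mutex is held only
// inside Allow and Record, never across the upstream request, so a long-lived
// response such as a websocket cannot stall other clients.
type Jail struct {
	FindTime time.Duration
	MaxRetry int
	BanTime  time.Duration

	mu      sync.Mutex
	clients map[string]*client
}

type client struct {
	failures   []time.Time // failed requests inside the current window
	bannedTill time.Time   // zero while the client is not banned
}

// Allow reports whether a request from ip may be served at time now; call it
// before forwarding the request upstream.
func (j *Jail) Allow(ip string, now time.Time) bool {
	j.mu.Lock()
	defer j.mu.Unlock()
	c, ok := j.clients[ip]
	if !ok {
		return true
	}
	if now.Before(c.bannedTill) {
		return false
	}
	if !c.bannedTill.IsZero() {
		// Ban expired: forget the failures that caused it. Keeping them would
		// re-ban the client on its first request back, as reported above.
		delete(j.clients, ip)
	}
	return true
}

// Record feeds the status of a served request back in and reports whether ip
// is now banned. Only non-2xx responses count as failures (the plugin itself
// counts every request, which the earlier report asks to change).
func (j *Jail) Record(ip string, status int, now time.Time) bool {
	if status >= 200 && status < 300 {
		return false
	}
	j.mu.Lock()
	defer j.mu.Unlock()
	if j.clients == nil {
		j.clients = make(map[string]*client)
	}
	c := j.clients[ip]
	if c == nil {
		c = &client{}
		j.clients[ip] = c
	}
	cutoff := now.Add(-j.FindTime)
	kept := c.failures[:0]
	for _, ts := range c.failures {
		if ts.After(cutoff) { // drop failures that fell out of findtime
			kept = append(kept, ts)
		}
	}
	c.failures = append(kept, now)
	if len(c.failures) >= j.MaxRetry { // assumption: the maxretry-th failure bans
		c.bannedTill = now.Add(j.BanTime)
		c.failures = nil
		return true
	}
	return false
}

func main() {
	// Constructed replay of the report's rules (1m / 4 / 1m) and its timeline.
	j := &Jail{FindTime: time.Minute, MaxRetry: 4, BanTime: time.Minute}
	t0 := time.Date(2021, 4, 5, 9, 3, 0, 0, time.UTC)
	ip := "198.51.100.7" // placeholder for the report's external client IP
	for i := 0; i < 4; i++ {
		at := t0.Add(time.Duration(i*5) * time.Second)
		fmt.Println(at.Format("15:04:05"), "401 -> banned:", j.Record(ip, 401, at))
	}
	back := t0.Add(2*time.Minute + 20*time.Second)
	fmt.Println(back.Format("15:04:05"), "allowed again:", j.Allow(ip, back))
	fmt.Println("next single failure re-bans:", j.Record(ip, 401, back.Add(13*time.Second)))
}
```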
The plugin was not imported into Traefik Pilot.
Cause:
failed to run with Yaegi: plugin: failed to create a new plugin instance: open file1.txt: no such file or directory
Good afternoon,
The asset used as the logo for this project on the Traefik community page, hosted here is a registered UK trademark with registration number UK00003584429.
Please remove our trademarked asset from this project.
Doesn't seem to work with the latest Traefik 3 (beta4):
traefik.yml
experimental:
  plugins:
    fail2ban:
      moduleName: github.com/tomMoulard/fail2ban
      version: v0.7.1
middleware
fail2ban:
  plugin:
    fail2ban:
      blacklist:
        ip:
          - 51.15.34.47
          - 45.142.182.119
          - 164.68.124.86
Logs
{"level":"error","error":"github.com/tomMoulard/fail2ban: failed to import plugin code \"github.com/tomMoulard/fail2ban\": 1:21: import \"github.com/tomMoulard/fail2ban\" error: plugins-storage/sources/gop-3425862140/src/github.com/tomMoulard/fail2ban/fail2ban.go:18:2: import \"github.com/tomMoulard/fail2ban/log\" error: plugins-storage/sources/gop-3425862140/src/github.com/tomMoulard/fail2ban/log/log_debug.go:17:16: unknown field logger in struct literal","time":"2023-11-01T20:40:03+01:00","message":"Plugins are disabled because an error has occurred."}
Can I add more details needed for review?
Hi I'm not 100% sure as I'm a total noob when it comes to go.
But if I read the code correctly, the lock is not released until an HTTP connection is done sending its content?
This works great for normal requests, but when you have a websocket it can stay open for a long, long time and cause all other requests to stall until it's done? (In my case that's until I close my browser.)
Hey everyone,
I already reached out to the traefik community forum but couldn't find any help so far (post).
I'm trying to set up the fail2ban plugin and it works with my containous/whoami test container without a urlregexp rule.
I want to secure my Wordpress container by setting a urlregexp rule for the login page /wp-login.php. But it seems that no matter which rule I configure, fail2ban does not filter for the login page but takes all requests to the site for its calculations. This leads to access restrictions relatively fast on all Wordpress pages. My attempts so far (docker-compose of my Wordpress container):
labels:
[ ... ]
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.enabled=true"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.bantime=5m"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.findtime=1m"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.maxretry=5"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.ports=0:8000"
# with and without `
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.urlregexp=`.*\/wp-login.php.*`"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.urlregexp=.*\/wp-login.php.*"
- "traefik.http.middlewares.my-fail2ban.plugin.fail2ban.rules.urlregexp=.*\/wp\-login\.php.*" # throws compose parsing error
- "traefik.http.routers.wordpress.middlewares=my-fail2ban@docker"
[ ... ]
Is my regex not correct? Or am I mistaken what the urlregexp rule should do?
Thanks in advance
The plugin was not imported into Traefik Pilot.
Cause:
failed to get readme: failed to get readme: GET https://api.github.com/repos/tomMoulard/fail2ban/readme?ref=v0.6.2: 502 []
Do not know whether it is possible with plugins, but add a dashboard preview of all banned IPs with the ability to unban, possibly whitelist/blacklist them (this would require a separate db file probably), ...
The ipchecking package should manage IPv6; you might wanna use the net Go package.
Hi all,
I've searched for a while and it seems there's no description on the Internet or in the README about how people ban or unban IP addresses manually once they got banned via this middleware. I used this function sometimes when some allies got banned by accident or the filter is just too strict.
My plan is to use this middleware in my Kubernetes cluster with Traefik Ingress. Is there any way to do it? It'd be so helpful rather than only waiting until it times out.
e.g.
The way I use it via Ubuntu standalone:
fail2ban-client set [RULE-NAME] banip/unbanip [IP]
Hi,
Thanks for creating this project, it looks very useful.
Is it possible to add rules for response codes instead of URL paths? E.g. for 401 / 403 responses from the upstream server?
Thanks
We would like to create more tests for the plugin.
The tests are to be done in the CI folder (here).
We are working with Travis and shell scripts.
Any new tech can be used.
Traefik crashes repeatedly after enabling fail2ban in our prod environment.