I have created a fail2ban tutorial below to get you setup to 95% working order. It derails at the end as I ran into a problem and cannot solve it.
Tutorial:
fail2ban does not start automatically with swag. you need to goto console and type
fail2ban-client start
Next you need to edit your jail.local file to create a jail for a particular service. In my example I will do Guacamole. Enter the following text into jail.local file, located in your appdata/swag/fail2ban folder
Your logpath should be pointing to where your services log files are located. It this particular case, I am pointing to /appdata/ApacheGuacamole/log/tomcat9/catalina.out because that is where the log files for Guacamole are kept on my server (Dont forget to define your appdata path in the Swag Unraid Template)
Next you must create a filter file. Goto the appdata/swag/fail2ban/filter.d folder and create a new file. Now in this particular case, Guacamole already has a guacamole.conf, except It appears to be using formatting for an old version of guacamoles logs. This can be a problem using the prebuilt .conf files because all these apps are constantly updating and the log files for these apps sometimes change locations or text formatting. In this case, "nWARNING" is text that guacamole no longer uses when describing a failed login attempt in its logs. To make matters worse, every time you restart your swag container, these .conf files will be overwritten, so you cant make any changes to them. So to get around this, I'm going to create my own new .conf file. I'll call it guacamole_custom.conf. You'll also notice that I have "filter = guacamole_custom" in the jail.local file as shown above. This is to make sure my jail is pointing to the correct filter.
Now inside the guacamole_custom.conf file, we need to define the regex that will match the log file. This is basically reading the log files that guacamole produces, and matching the line for when a person enter incorrect credentials and then grabbing the ip. For this part its best to get help by googleing around for a fail2ban regex for your service that youre trying to set this up for. in Guacamoles case, as of Feburary 2021, The below code is confirmed to be working:
[Definition]
failregex = Authentication attempt from <HOST> for user "[^"]*" failed\.$
ignoreregex =
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 2
datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
^WARNING:()**
{^LN-BEG}
To be honest, you might not even need most of that, just the failregex line is important. Now when somebody makes a filed attempt to login, fail2ban will read guacamoles log file, and find the failed attempt. I can test the filter to make sure it works by typing this command
Running tests
=============
Use failregex filter file : guacamole_custom, basedir: /config/fail2ban
Use maxlines : 2
Use datepattern : Default Detectors
Use log file : /appdata/ApacheGuacamole/log/tomcat9/catalina.out
Use encoding : UTF-8
Results
=======
Failregex: 27 total
|- #) [# of hits] regular expression
| 1) [27] Authentication attempt from <HOST> for user "[^"]*" failed\.$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [468] {^LN-BEG}24hour:Minute:Second
| [25] ^WARNING:()**
`-
Lines: 1455 lines, 0 ignored, 27 matched, 1428 missed
[processed in 0.09 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 1428 lines
You can see its working, because it found 27 matches currently in the log file. So now restart Swag (Restarting fail2ban appears to fail, restart the entire swag docker). After the swag container is restarted, start fail2ban again from the swag console with
fail2ban-client start
Now I can check my jail status with this command
fail2ban-client status guacamole
Status for the jail: guacamole
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /appdata/ApacheGuacamole/log/tomcat9/catalina.out
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Now lets try logging in 5 times incorrectly and getting our IP banned. Now I get this
Status for the jail: guacamole
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /appdata/ApacheGuacamole/log/tomcat9/catalina.out
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: My_IP
This should be setup now. however I am afraid this is where this tutorial ends because at this point even tho the IP is banned, it will still have access if its using anything outside the swag container. The reason for this is because the fail2ban ACTION (as defined in the iptables-allports.conf) does not appear to be configured correctly to work within docker. Currently the IP is indeed added to the iptables within the swag container. You can see this by typing in the swag console:
I believe the problem is that Unraid doesnt see that f2b-guacamole chain. As typing "iptables -L" into the UNRAID console shows no such connection as seen below.
Chain INPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_INP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all -- anywhere anywhere
I guess not a big deal if you want fail2ban working on any of the forwards you setup within swag, but wont help for any containers setup and routed to outside of swag.
Perhaps the Devs for this container can chime in here (or even update the container) to include the correct actions we need to pass the banned IP to root and out of the container?
I got the exact same results with my swag setup, fail2ban works and can log ips and add them in the iptables for the container, but are still not blocking the traffic for whatever reason, even if it is fully contained within swag. Example, I have a bitwarden filter, am able to see my IP logged into the jail, but can still access even though it is in the f2b-bitwarden iptable entry as DENY. It must have to do with what you said, dev input would be beneficial on this
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)
in Docker Containers
Posted
I got the exact same results with my swag setup, fail2ban works and can log ips and add them in the iptables for the container, but are still not blocking the traffic for whatever reason, even if it is fully contained within swag. Example, I have a bitwarden filter, am able to see my IP logged into the jail, but can still access even though it is in the f2b-bitwarden iptable entry as DENY. It must have to do with what you said, dev input would be beneficial on this