furian Posted April 5, 2024

For a good while I had fail2ban working in a separate docker, with nginx proxy manager and authelia in separate dockers. Now suddenly (it worked like a charm, so I stopped checking the logs, stupid) it stopped working. In the fail2ban logs I can see that it is actually banning the IP, and in the console of fail2ban I can also see this happening with iptables -nL. However, it is no longer pushing the chain through to the unraid host, and so it is not blocking the actual incoming connections.

Here is my authelia jail.local:

Quote
[authelia-auth]
enabled = true
logpath = %(remote_logs_path)s/authelia/authelia.log
chain = DOCKER-USER
action = iptables-multiport[name=HTTP, port="http,https,9091,4443,18443,8181,7818,8080,1880", protocol=tcp]
ignoreip = 127.0.0.1/8 ::1 172.18.0.0/16 192.168.0.0/24
bantime = -1
findtime = 24h
maxretry = 1

The docker is running with the network type Host, btw. The output below is from inside the docker container:

Quote
fail2ban-client status
Status
|- Number of jail: 13
`- Jail list: authelia-auth, nextcloud-auth, nginx-418, nginx-bad-request, nginx-badbots, nginx-botsearch, nginx-deny, nginx-http-auth, nginx-limit-req, nginx-unauthorized, sabnzbd-auth, sonarr-auth, vaultwarden-auth

Quote
Status for the jail: authelia-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- File list: /remotelogs/authelia/authelia.log
`- Actions
|- Currently banned: 645
|- Total banned: 645

Quote
iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-HTTP   tcp  --  anywhere             anywhere             multiport dports http,https,9091,4443,18443,8181,7818,http-alt,1880

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-HTTP (1 references)
target     prot opt source               destination
REJECT     all  --  45.128.232.213       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  love.zonogicism.nl   anywhere             reject-with icmp-port-unreachable
REJECT     all  --  95.214.55.115        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  95.214.27.9          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-90-173.compute.hwclouds-dns.com   anywhere   reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-88-143.compute.hwclouds-dns.com   anywhere   reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-74-175.compute.hwclouds-dns.com   anywhere   reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-120-130.compute.hwclouds-dns.com  anywhere   reject-with icmp-port-unreachable
REJECT     all  --  94.232.43.74         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  94.156.69.209        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  94.156.66.33         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  cloud.census.shodan.io   anywhere         reject-with icmp-port-unreachable
REJECT     all  --  232.190.205.92.host.secureserver.net   anywhere   reject-with icmp-port-unreachable
REJECT     all  --  91.92.255.83         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.253.56         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.251.33         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.250.119        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.246.41         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.246.219        anywhere             reject-with icmp-port-unreachable

And in the log from fail2ban itself:

Quote
2024-04-05 15:47:00,311 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:46:59
2024-04-05 15:47:00,808 14BA6F5E9B38 NOTIC [nginx-bad-request] Ban 45.128.232.213
2024-04-05 15:47:04,313 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:47:03
2024-04-05 15:47:04,819 14BA6F5E9B38 NOTIC [nginx-bad-request] 45.128.232.213 already banned
2024-04-05 15:47:15,518 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.125.66.34 - 2024-04-05 15:47:15
2024-04-05 15:47:16,030 14BA6F5E9B38 WARNI [nginx-bad-request] 45.125.66.34 already banned
2024-04-05 15:47:31,522 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:47:30
2024-04-05 15:47:32,042 14BA6F5E9B38 NOTIC [nginx-bad-request] 45.128.232.213 already banned
2024-04-05 17:42:38,197 14BA6F7ECB38 INFO  [nginx-bad-request] Found 80.75.212.75 - 2024-04-05 17:42:37
2024-04-05 17:42:38,505 14BA6F5E9B38 WARNI [nginx-bad-request] 80.75.212.75 already banned
2024-04-05 17:56:31,035 14BA7092CB38 INFO  [authelia-auth] Found 31.132.200.11 - 2024-04-05 17:56:31
2024-04-05 17:56:31,296 14BA70725B38 WARNI [authelia-auth] 31.132.200.11 already banned

On the unraid host:

Quote
iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   0    --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_INP  0  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  0  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  0  --  0.0.0.0/0   0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ts-forward 0    --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWX  0  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWI  0  --  0.0.0.0/0            0.0.0.0/0
LIBVIRT_FWO  0  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
WIREGUARD  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LIBVIRT_OUT  0  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     6    --  0.0.0.0/0            172.18.0.2           tcp dpt:3306
ACCEPT     6    --  0.0.0.0/0            172.17.0.3           tcp dpt:27017
ACCEPT     6    --  0.0.0.0/0            172.18.0.3           tcp dpt:80
ACCEPT     6    --  0.0.0.0/0            172.18.0.4           tcp dpt:6379
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:8181
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:4443
ACCEPT     6    --  0.0.0.0/0            172.18.0.5           tcp dpt:9091
ACCEPT     6    --  0.0.0.0/0            172.18.0.6           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.18.0.7           tcp dpt:9696
ACCEPT     6    --  0.0.0.0/0            172.18.0.8           tcp dpt:7878
ACCEPT     6    --  0.0.0.0/0            172.18.0.9           tcp dpt:8090
ACCEPT     6    --  0.0.0.0/0            172.18.0.9           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.18.0.10          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.10          tcp dpt:8989
ACCEPT     6    --  0.0.0.0/0            172.18.0.11          tcp dpt:8181
ACCEPT     6    --  0.0.0.0/0            172.18.0.12          tcp dpt:6767
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8266
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8265
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8264
ACCEPT     6    --  0.0.0.0/0            172.18.0.14          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.14          tcp dpt:8989
ACCEPT     6    --  0.0.0.0/0            172.18.0.15          tcp dpt:8500
ACCEPT     6    --  0.0.0.0/0            172.18.0.16          tcp dpt:9696
ACCEPT     6    --  0.0.0.0/0            172.18.0.17          tcp dpt:8191
ACCEPT     6    --  0.0.0.0/0            172.18.0.18          tcp dpt:5055
ACCEPT     6    --  0.0.0.0/0            172.17.0.5           tcp dpt:5454
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8189
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8182
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8118
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:6881
ACCEPT     17   --  0.0.0.0/0            172.18.0.19          udp dpt:6881
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:2831
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:1080
ACCEPT     6    --  0.0.0.0/0            172.18.0.20          tcp dpt:8090
ACCEPT     6    --  0.0.0.0/0            172.18.0.20          tcp dpt:8080
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:10001
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8880
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8843
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8443
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:6789
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:5514
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:3478
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:1900
ACCEPT     6    --  0.0.0.0/0            172.18.0.21          tcp dpt:7878
ACCEPT     6    --  0.0.0.0/0            172.18.0.22          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.22          tcp dpt:8989

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  0  --  0.0.0.0/0   0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  0  --  0.0.0.0/0   0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     0    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination
ACCEPT     0    --  192.168.122.0/24     0.0.0.0/0
REJECT     0    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Chain WIREGUARD (1 references)
target     prot opt source               destination

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       0    --  0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
DROP       0    --  100.64.0.0/10        0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     0    --  100.85.90.34         0.0.0.0/0
RETURN     0    --  100.115.92.0/23      0.0.0.0/0
DROP       0    --  100.64.0.0/10        0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:54283

No matter what I try, I'm not able to get it running again.
pXius Posted August 1, 2024

@furian Same issue. Did you ever get it resolved?
furian Posted August 1, 2024 (Author)

2 hours ago, pXius said:
> @furian Same issue. Did you ever get it resolved?

Yeah, I did. You need to change the DOCKER-USER to FORWARD:

## Version 2022/08/06
# Fail2Ban jail configuration for authelia
# Works OOTB with defaults

[authelia-auth]
enabled = true
port = 0:65535
protocol = tcp
logpath = %(remote_logs_path)s/authelia/authelia.log
#CHAIN = DOCKER-USER
CHAIN = FORWARD
action = iptables-multiport-log[name=authelia-auth, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
ignoreip = 127.0.0.1/8 ::1 172.18.0.0/16 192.168.0.0/24
bantime = -1
findtime = 24h
maxretry = 1
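A check for the situation in this thread, added here as an editor's example rather than anything posted by furian or shipped with fail2ban or the linuxserver image. Two things in the posted output are worth verifying on any similar setup. First, the in-container iptables -L shows the f2b-HTTP chain hooked into INPUT, which matches the first jail.local: its action line never passes chain="%(chain)s", so the jail-level chain = DOCKER-USER is not used and the action falls back to its default. Traffic published to a bridged container (port 80 on 172.18.0.3 above) is DNATed and traverses FORWARD, never INPUT, so a jump in INPUT matches nothing. Second, the in-container warning "iptables-legacy tables present" means that iptables in the container talks to the nft backend while the host's Docker and libvirt chains shown in iptables -nL live in the legacy tables; a user-defined chain such as DOCKER-USER exists only in one backend, whereas FORWARD is a built-in chain in both, which is consistent with the FORWARD fix working. The POSIX sh below parses iptables -S output and reports which parent chain a jail's f2b-<name> chain hangs off, and whether a named chain exists in that backend at all. The two rule sets are constructed to resemble the before and after states on this page; the jail names, ports and addresses in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): from `iptables -S` text, find which
# chain jumps to a jail's f2b-<name> chain and whether a chain exists in
# this backend. Run live with:  f2b_hook_ok "$(iptables -S)" HTTP
# and repeat with iptables-legacy -S / iptables-nft -S to compare backends.

# Constructed "before": f2b-HTTP hooked into INPUT only, no DOCKER-USER
# chain visible in this (nft) backend. Addresses/ports are illustrative.
BROKEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443,9091,4443 -j f2b-HTTP
-A f2b-HTTP -s 45.128.232.213/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-HTTP -j RETURN'

# Constructed "after": chain = FORWARD passed into the action via
# chain="%(chain)s", so the jump sits in FORWARD ahead of DOCKER-USER.
FIXED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER-USER
-N f2b-authelia-auth
-A FORWARD -p tcp -m multiport --dports 0:65535 -j f2b-authelia-auth
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A f2b-authelia-auth -s 45.128.232.213/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-authelia-auth -j RETURN'

# chain_exists RULES NAME: true if NAME is a built-in (-P) or user (-N) chain
chain_exists() {
    printf '%s\n' "$1" | grep -qE "^-[PN] $2( |\$)"
}

# f2b_parent_chains RULES JAIL: print every chain that holds a jump to f2b-JAIL
f2b_parent_chains() {
    printf '%s\n' "$1" | awk -v target="f2b-$2" '
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) { print $2; break }
        }'
}

# f2b_hook_ok RULES JAIL: true when the jail is hooked where DNATed container
# traffic actually passes (FORWARD, or DOCKER-USER which Docker calls from FORWARD)
f2b_hook_ok() {
    f2b_parent_chains "$1" "$2" | grep -qxE 'FORWARD|DOCKER-USER'
}

# report RULES JAIL LABEL: one-line verdict plus a backend sanity check
report() {
    parents=$(f2b_parent_chains "$1" "$2" | tr '\n' ' ')
    if f2b_hook_ok "$1" "$2"; then verdict=ok; else verdict="not in the forwarding path"; fi
    echo "$3: f2b-$2 hooked into [${parents}] -> $verdict"
    chain_exists "$1" DOCKER-USER || echo "$3: DOCKER-USER chain absent in this backend"
}

report "$BROKEN_RULES" HTTP before
report "$FIXED_RULES" authelia-auth after
```

On a host like the one above, run the check against both iptables-nft -S and iptables-legacy -S; a fail2ban container on the host network only blocks anything when its jump lands in a chain that the published-port traffic actually traverses in the backend it writes to.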
pXius Posted August 2, 2024

20 hours ago, furian said:
> Yeah, I did. You need to change the DOCKER-USER to FORWARD: (jail config as quoted above)

Thanks! Will give it a shot and report back.
jcouch93 Posted August 7, 2024

On 8/1/2024 at 9:40 AM, furian said:
> Yeah, I did. You need to change the DOCKER-USER to FORWARD: (jail config as quoted above)

This worked for me after searching for the answer all day. I do notice, however, that even when it bans the IP, the rule never shows up in the iptables display. Not sure why, but as long as it works!