
fail2ban not pushing CHAIN to unraid host


Recommended Posts

Posted

For a good while I had fail2ban working in a separate Docker container, with Nginx Proxy Manager and Authelia in separate containers.

Now, suddenly (it worked like a charm, so I stopped checking the logs, stupid), it stopped working.

In the fail2ban logs I can see that it is actually banning the IP; in the fail2ban console I can also see this happening with iptables -nL.

However, it is no longer pushing the chain through to the Unraid host, and so it is not blocking the actual incoming connections.

Here is my Authelia jail.local:

Quote

[authelia-auth]

enabled  = true
logpath  = %(remote_logs_path)s/authelia/authelia.log
chain   = DOCKER-USER
action = iptables-multiport[name=HTTP, port="http,https,9091,4443,18443,8181,7818,8080,1880", protocol=tcp]
ignoreip    = 127.0.0.1/8 ::1
              172.18.0.0/16
              192.168.0.0/24
bantime = -1
findtime = 24h
maxretry = 1

 

The Docker container is running with the network type Host, by the way.

The output below is from inside the Docker container:

Quote

fail2ban-client status
Status
|- Number of jail:      13
`- Jail list:   authelia-auth, nextcloud-auth, nginx-418, nginx-bad-request, nginx-badbots, nginx-botsearch, nginx-deny, nginx-http-auth, nginx-limit-req, nginx-unauthorized, sabnzbd-auth, sonarr-auth, vaultwarden-auth

Quote

Status for the jail: authelia-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /remotelogs/authelia/authelia.log
`- Actions
   |- Currently banned: 645
   |- Total banned:     645

Quote

iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-HTTP   tcp  --  anywhere             anywhere             multiport dports http,https,9091,4443,18443,8181,7818,http-alt,1880

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-HTTP (1 references)
target     prot opt source               destination         
REJECT     all  --  45.128.232.213       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  love.zonogicism.nl   anywhere             reject-with icmp-port-unreachable
REJECT     all  --  95.214.55.115        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  95.214.27.9          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-90-173.compute.hwclouds-dns.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-88-143.compute.hwclouds-dns.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-74-175.compute.hwclouds-dns.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ecs-94-74-120-130.compute.hwclouds-dns.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  94.232.43.74         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  94.156.69.209        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  94.156.66.33         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  cloud.census.shodan.io  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  232.190.205.92.host.secureserver.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.255.83         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.253.56         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.251.33         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.250.119        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.246.41         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  91.92.246.219        anywhere             reject-with icmp-port-unreachable

 

And in the log from fail2ban itself:

Quote

2024-04-05 15:47:00,311 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:46:59
2024-04-05 15:47:00,808 14BA6F5E9B38 NOTIC [nginx-bad-request] Ban 45.128.232.213
2024-04-05 15:47:04,313 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:47:03
2024-04-05 15:47:04,819 14BA6F5E9B38 NOTIC [nginx-bad-request] 45.128.232.213 already banned
2024-04-05 15:47:15,518 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.125.66.34 - 2024-04-05 15:47:15
2024-04-05 15:47:16,030 14BA6F5E9B38 WARNI [nginx-bad-request] 45.125.66.34 already banned
2024-04-05 15:47:31,522 14BA6F7ECB38 INFO  [nginx-bad-request] Found 45.128.232.213 - 2024-04-05 15:47:30
2024-04-05 15:47:32,042 14BA6F5E9B38 NOTIC [nginx-bad-request] 45.128.232.213 already banned
2024-04-05 17:42:38,197 14BA6F7ECB38 INFO  [nginx-bad-request] Found 80.75.212.75 - 2024-04-05 17:42:37
2024-04-05 17:42:38,505 14BA6F5E9B38 WARNI [nginx-bad-request] 80.75.212.75 already banned
2024-04-05 17:56:31,035 14BA7092CB38 INFO  [authelia-auth] Found 31.132.200.11 - 2024-04-05 17:56:31
2024-04-05 17:56:31,296 14BA70725B38 WARNI [authelia-auth] 31.132.200.11 already banned

 

On the Unraid host:

 

Quote

iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ts-input   0    --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_INP  0    --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  0    --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ts-forward  0    --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWX  0    --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWI  0    --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWO  0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
WIREGUARD  0    --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  0    --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     6    --  0.0.0.0/0            172.18.0.2           tcp dpt:3306
ACCEPT     6    --  0.0.0.0/0            172.17.0.3           tcp dpt:27017
ACCEPT     6    --  0.0.0.0/0            172.18.0.3           tcp dpt:80
ACCEPT     6    --  0.0.0.0/0            172.18.0.4           tcp dpt:6379
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:8181
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.17.0.4           tcp dpt:4443
ACCEPT     6    --  0.0.0.0/0            172.18.0.5           tcp dpt:9091
ACCEPT     6    --  0.0.0.0/0            172.18.0.6           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.18.0.7           tcp dpt:9696
ACCEPT     6    --  0.0.0.0/0            172.18.0.8           tcp dpt:7878
ACCEPT     6    --  0.0.0.0/0            172.18.0.9           tcp dpt:8090
ACCEPT     6    --  0.0.0.0/0            172.18.0.9           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.18.0.10          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.10          tcp dpt:8989
ACCEPT     6    --  0.0.0.0/0            172.18.0.11          tcp dpt:8181
ACCEPT     6    --  0.0.0.0/0            172.18.0.12          tcp dpt:6767
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8266
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8265
ACCEPT     6    --  0.0.0.0/0            172.18.0.13          tcp dpt:8264
ACCEPT     6    --  0.0.0.0/0            172.18.0.14          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.14          tcp dpt:8989
ACCEPT     6    --  0.0.0.0/0            172.18.0.15          tcp dpt:8500
ACCEPT     6    --  0.0.0.0/0            172.18.0.16          tcp dpt:9696
ACCEPT     6    --  0.0.0.0/0            172.18.0.17          tcp dpt:8191
ACCEPT     6    --  0.0.0.0/0            172.18.0.18          tcp dpt:5055
ACCEPT     6    --  0.0.0.0/0            172.17.0.5           tcp dpt:5454
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8189
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8182
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:8118
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:6881
ACCEPT     17   --  0.0.0.0/0            172.18.0.19          udp dpt:6881
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:2831
ACCEPT     6    --  0.0.0.0/0            172.18.0.19          tcp dpt:1080
ACCEPT     6    --  0.0.0.0/0            172.18.0.20          tcp dpt:8090
ACCEPT     6    --  0.0.0.0/0            172.18.0.20          tcp dpt:8080
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:10001
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8880
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8843
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8443
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:8080
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:6789
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:5514
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:3478
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:1900
ACCEPT     6    --  0.0.0.0/0            172.18.0.21          tcp dpt:7878
ACCEPT     6    --  0.0.0.0/0            172.18.0.22          tcp dpt:9897
ACCEPT     6    --  0.0.0.0/0            172.18.0.22          tcp dpt:8989

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0           
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       0    --  0.0.0.0/0            0.0.0.0/0           
DROP       0    --  0.0.0.0/0            0.0.0.0/0           
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     0    --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     0    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     0    --  192.168.122.0/24     0.0.0.0/0           
REJECT     0    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Chain WIREGUARD (1 references)
target     prot opt source               destination         

Chain ts-forward (1 references)
target     prot opt source               destination         
MARK       0    --  0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
DROP       0    --  100.64.0.0/10        0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           

Chain ts-input (1 references)
target     prot opt source               destination         
ACCEPT     0    --  100.85.90.34         0.0.0.0/0           
RETURN     0    --  100.115.92.0/23      0.0.0.0/0           
DROP       0    --  100.64.0.0/10        0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:54283

 

No matter what I try, I'm not able to get it running again :(

 

  • 2 weeks later...
  • 3 months later...
Posted
2 hours ago, pXius said:

@furian
Same issue.
Did you ever get it resolved? 

 

Yeah, I did. You need to change DOCKER-USER to FORWARD.

 

## Version 2022/08/06
# Fail2Ban jail configuration for authelia
# Works OOTB with defaults

[authelia-auth]

enabled  = true
port     = 0:65535
protocol = tcp
logpath  = %(remote_logs_path)s/authelia/authelia.log
#CHAIN = DOCKER-USER
CHAIN = FORWARD
action = iptables-multiport-log[name=authelia-auth, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
ignoreip    = 127.0.0.1/8 ::1
              172.18.0.0/16
              192.168.0.0/24
bantime = -1
findtime = 24h
maxretry = 1

  • Like 1
  • Upvote 2
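Two things are visible in the thread that a practitioner would want to verify before touching the chain name. First, the original jail sets chain = DOCKER-USER but calls iptables-multiport[...] without a chain= parameter, and the container's own iptables -L shows f2b-HTTP hooked from INPUT, not DOCKER-USER; the stock action_ template in fail2ban's jail.conf passes chain="%(chain)s" explicitly, which is what the working config above reproduces. Second, the container's listing warns "iptables-legacy tables present" and shows no DOCKER-USER chain at all, so iptables -I DOCKER-USER issued from there has nothing to insert into, while FORWARD is a built-in that exists in every backend (iptables -V prints which backend a binary uses, and iptables-legacy -S / iptables-nft -S list each backend's rules separately). The script below is an added example, not code from the thread or from fail2ban: it checks whether a jail's chain setting reaches the action call, and reads an iptables -S dump to report where an f2b-* chain is actually hooked and whether the named parent chain exists in that ruleset. The jail sections and rule dumps are constructed to mirror the thread, and ASSUMED_DEFAULTS stands in for values fail2ban's jail.conf [DEFAULT] would normally supply.

```python
"""Added example (not from the thread or fail2ban): check that a jail's `chain`
reaches the iptables action, and where the f2b-* chain is hooked in a ruleset.
Sample jails and `iptables -S` dumps are constructed; ASSUMED_DEFAULTS stands
in for fail2ban's jail.conf [DEFAULT] values (assumption)."""
import configparser
import re

# Built-in filter chains exist in both the legacy and nf_tables backends; any
# other chain (DOCKER-USER, f2b-*) exists only in the backend that created it.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}
ASSUMED_DEFAULTS = {"remote_logs_path": "/remotelogs", "port": "0:65535",
                    "protocol": "tcp", "chain": "INPUT"}
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^,\]]+))')


def parse_action(action):
    """Split `name[k=v, k2="v2"]` into (name, {k: v})."""
    m = re.match(r"^\s*([\w.-]+)\s*(?:\[(.*)\])?\s*$", action, re.S)
    if not m:
        raise ValueError("unparseable action: %r" % action)
    params = {k: (a or b or c).strip()
              for k, a, b, c in _PARAM_RE.findall(m.group(2) or "")}
    return m.group(1), params


def jail_chain_status(jail_text, jail):
    """Return (jail chain, chain passed to the action or None, findings).
    configparser expands %(...)s the way fail2ban's jail reader does."""
    cp = configparser.ConfigParser(defaults=ASSUMED_DEFAULTS)
    cp.read_string(jail_text)
    jail_chain = cp.get(jail, "chain")
    name, params = parse_action(cp.get(jail, "action"))
    action_chain = params.get("chain")
    findings = []
    if action_chain is None:
        findings.append('%s: jail sets chain=%s but %s[...] is called without '
                        'chain=; pass chain="%%(chain)s" like jail.conf\'s '
                        'action_ template does' % (jail, jail_chain, name))
    return jail_chain, action_chain, findings


def parse_ruleset(dump):
    """Parse `iptables -S` output into (chain names, [(parent, jump target)])."""
    chains, jumps = set(), []
    for line in dump.splitlines():
        p = line.split()
        if len(p) >= 2 and p[0] in ("-P", "-N", "-A"):
            chains.add(p[1])
        if len(p) >= 2 and p[0] == "-A" and "-j" in p[:-1]:
            jumps.append((p[1], p[p.index("-j") + 1]))
    return chains, jumps


def audit_ruleset(dump, f2b_chain, expected_parent):
    """Return (chains that jump to f2b_chain, findings) for one backend's dump."""
    chains, jumps = parse_ruleset(dump)
    findings = []
    if expected_parent not in chains and expected_parent not in BUILTIN_CHAINS:
        findings.append("%s does not exist in this ruleset: `iptables -I %s` "
                        "fails here and no ban is installed" % ((expected_parent,) * 2))
    parents = [src for src, dst in jumps if dst == f2b_chain]
    if f2b_chain not in chains:
        findings.append("%s is absent here (other backend, or the action never ran)"
                        % f2b_chain)
    for src in parents:
        if src != expected_parent:
            findings.append("%s is hooked from %s, not %s" % (f2b_chain, src, expected_parent))
        if src == "INPUT":
            findings.append("INPUT only sees traffic to host-namespace sockets; traffic "
                            "forwarded to bridged containers traverses FORWARD/DOCKER-USER")
    return parents, findings


# Constructed from the thread: the first jail (chain set but never passed on)
# and the one from the accepted reply (chain passed explicitly).
BROKEN_JAIL = """[authelia-auth]
enabled = true
logpath = %(remote_logs_path)s/authelia/authelia.log
chain   = DOCKER-USER
action  = iptables-multiport[name=HTTP, port="http,https,9091", protocol=tcp]
"""
FIXED_JAIL = """[authelia-auth]
enabled  = true
port     = 0:65535
protocol = tcp
logpath  = %(remote_logs_path)s/authelia/authelia.log
CHAIN    = FORWARD
action   = iptables-multiport-log[name=authelia-auth, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
"""
# Constructed `iptables -S` views: inside the host-networked container (jump in
# INPUT, no DOCKER-USER chain) and on the Unraid host (Docker chains, no f2b-*).
CONTAINER_DUMP = """-P INPUT ACCEPT
-N f2b-HTTP
-A INPUT -p tcp -m multiport --dports 80,443,9091 -j f2b-HTTP
-A f2b-HTTP -s 45.128.232.213/32 -j REJECT --reject-with icmp-port-unreachable
"""
HOST_DUMP = """-P FORWARD ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_JAIL), ("fixed", FIXED_JAIL)):
        print(label, jail_chain_status(text, "authelia-auth"))
    print("container", audit_ruleset(CONTAINER_DUMP, "f2b-HTTP", "DOCKER-USER"))
    print("host", audit_ruleset(HOST_DUMP, "f2b-HTTP", "FORWARD"))
```

On a live host, feed audit_ruleset the output of iptables-nft -S and iptables-legacy -S separately: an f2b-* chain that shows up in one dump but not the other is the "ban exists but never shows in the iptables display" situation, and a jump hooked from INPUT never sees connections that Docker forwards to a bridged container.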
Posted
20 hours ago, furian said:

 

Yeah, I did. You need to change DOCKER-USER to FORWARD.


Thanks! Will give it a shot and report back.

  • Like 1
Posted
On 8/1/2024 at 9:40 AM, furian said:

 

Yeah, I did. You need to change DOCKER-USER to FORWARD.


This worked for me after searching for the answer all day. I do notice, however, that even when it bans the IP, the rule never shows up in the iptables display. Not sure why, but as long as it works!
