Properly configure Fail2Ban #2

[yatadev]

Old Related Issue

#1263

Environment & Versions

Environment

• [ x] docker-compose
• kubernetes
• docker swarm

Versions

1.7

Description

https://github.com/Mailu/Mailu/blob/master/docs/faq.rst

The Documentation how to Properly configure Fail2Ban is outdated or it is not working correctly, it fails 2 ban.

Replication Steps

• Setup Mailu 1.7 with docker-compose
• Setup fail2ban with the mailu documentation
• Fail2Ban will Ban Ips (if there is BF)
• The banned Ips have still access to the Docker containers

Expected behaviour

• Banned Ips should not have access.

Logs

IPTables

I currently use this rule -A DOCKER -s 45.0.0.0/8 -j DROP and it works fine.
If i use -A INPUT -s 45.0.0.0/8 -j DROP it does not work (i guess because of the DOCKER chain in the iptables)

I use exactly the Fail2Ban config the Docs provide (only the logfile path is different)

IpTables: (fail2ban is currently disabled)

```
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-440d9d944e4c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-440d9d944e4c -j DOCKER
-A FORWARD -i br-440d9d944e4c ! -o br-440d9d944e4c -j ACCEPT
-A FORWARD -i br-440d9d944e4c -o br-440d9d944e4c -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-48d9b2bad38a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-48d9b2bad38a -j DOCKER
-A FORWARD -i br-48d9b2bad38a ! -o br-48d9b2bad38a -j ACCEPT
-A FORWARD -i br-48d9b2bad38a -o br-48d9b2bad38a -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 19132 -j ACCEPT
-A DOCKER -s 45.0.0.0/16 -j DROP
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-440d9d944e4c ! -o br-440d9d944e4c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-48d9b2bad38a ! -o br-48d9b2bad38a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-440d9d944e4c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-48d9b2bad38a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
```

Fail2Ban log

/var/log/fail2ban.log:

```
[508]: INFO    [bad-auth] Found xx.xx.xx.xx - 2021-01-13 22:56:09
[508]: DEBUG   Total # of detected failures: 32. Current failures from 15 IPs (IP:count): xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
[508]: DEBUG   /var/log/syslog has been modified
[508]: NOTICE  [bad-auth] xxx.xxx.xxx.xxx already banned
```

[ronivay]

Documented method works fine as long as fail2ban is started after docker. Issue here is that docker forces it's own rules on top of FORWARD chain and any existing rules gets pushed below those (ie. fail2ban rules in this case). Any docker restart for example will break existing fail2ban rules.

Workaround is to change mailu fail2ban configuration from FORWARD chain to DOCKER-USER chain. Docker evaluates any rules in this chain before jumping into other chains added by docker itself. This is also documented in https://docs.docker.com/network/iptables/

Only thing that needs to be taken into consideration with this method is that fail2ban should start after docker, otherwise that DOCKER-USER chain doesn't exist yet and fail2ban might fail. This can be achieved by adding an override configuration to fail2ban systemd service so that it waits for docker to start.

I can look into making a pull request to documentation about this.

[bonswouar]

Just wanted to share in case someone has the same problem than me
For some reason fail2ban blocked some of my containers IP (webmail and ssmtp), which was very annoying problem to pinpoint 😄
Might be worth it to add mailu subnet to the ignoreip list? At least that's what I did:

ignoreip = 127.0.0.1/8 ::1 192.168.203.0/24 ...