You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Documentation how to Properly configure Fail2Ban is outdated or it is not working correctly, it fails 2 ban.
Replication Steps
Setup Mailu 1.7 with docker-compose
Setup fail2ban with the mailu documentation
Fail2Ban will Ban Ips (if there is BF)
The banned Ips have still access to the Docker containers
Expected behaviour
Banned Ips should not have access.
Logs
IPTables
I currently use this rule -A DOCKER -s 45.0.0.0/8 -j DROP and it works fine.
If i use -A INPUT -s 45.0.0.0/8 -j DROP it does not work (i guess because of the DOCKER chain in the iptables)
I use exactly the Fail2Ban config the Docs provide (only the logfile path is different)
```[508]: INFO [bad-auth] Found xx.xx.xx.xx - 2021-01-13 22:56:09[508]: DEBUG Total # of detected failures: 32. Current failures from 15 IPs (IP:count): xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx[508]: DEBUG /var/log/syslog has been modified[508]: NOTICE [bad-auth] xxx.xxx.xxx.xxx already banned```
The text was updated successfully, but these errors were encountered:
Documented method works fine as long as fail2ban is started after docker. Issue here is that docker forces it's own rules on top of FORWARD chain and any existing rules gets pushed below those (ie. fail2ban rules in this case). Any docker restart for example will break existing fail2ban rules.
Workaround is to change mailu fail2ban configuration from FORWARD chain to DOCKER-USER chain. Docker evaluates any rules in this chain before jumping into other chains added by docker itself. This is also documented in https://docs.docker.com/network/iptables/
Only thing that needs to be taken into consideration with this method is that fail2ban should start after docker, otherwise that DOCKER-USER chain doesn't exist yet and fail2ban might fail. This can be achieved by adding an override configuration to fail2ban systemd service so that it waits for docker to start.
I can look into making a pull request to documentation about this.
Just wanted to share in case someone has the same problem than me
For some reason fail2ban blocked some of my containers IP (webmail and ssmtp), which was very annoying problem to pinpoint 😄
Might be worth it to add mailu subnet to the ignoreip list? At least that's what I did:
Old Related Issue
#1263
Environment & Versions
Environment
Versions
1.7
Description
https://github.com/Mailu/Mailu/blob/master/docs/faq.rst
The Documentation how to Properly configure Fail2Ban is outdated or it is not working correctly, it fails 2 ban.
Replication Steps
Expected behaviour
Logs
IPTables
I currently use this rule -A DOCKER -s 45.0.0.0/8 -j DROP and it works fine.
If i use -A INPUT -s 45.0.0.0/8 -j DROP it does not work (i guess because of the DOCKER chain in the iptables)
I use exactly the Fail2Ban config the Docs provide (only the logfile path is different)
IpTables: (fail2ban is currently disabled)
Fail2Ban log
/var/log/fail2ban.log:
The text was updated successfully, but these errors were encountered: