
Properly configure Fail2Ban #2 #1727

Closed
2 tasks
yatadev opened this issue Jan 14, 2021 · 2 comments · Fixed by #1792
Labels
type/bug Bug. Not working as intended

Comments


yatadev commented Jan 14, 2021

Old Related Issue

#1263

Environment & Versions

Environment

  • [x] docker-compose
  • [ ] kubernetes
  • [ ] docker swarm

Versions

1.7

Description

https://github.com/Mailu/Mailu/blob/master/docs/faq.rst

The documentation on how to properly configure Fail2Ban is outdated or it is not working correctly; it fails 2 ban.

Replication Steps

  • Set up Mailu 1.7 with docker-compose
  • Set up fail2ban with the Mailu documentation
  • Fail2Ban will ban IPs (if there is BF)
  • The banned IPs still have access to the Docker containers

Expected behaviour

  • Banned IPs should not have access.

Logs

IPTables

I currently use this rule `-A DOCKER -s 45.0.0.0/8 -j DROP` and it works fine.
If I use `-A INPUT -s 45.0.0.0/8 -j DROP` it does not work (I guess because of the DOCKER chain in the iptables).

I use exactly the Fail2Ban config the Docs provide (only the logfile path is different)

iptables (fail2ban is currently disabled):

```
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-440d9d944e4c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-440d9d944e4c -j DOCKER
-A FORWARD -i br-440d9d944e4c ! -o br-440d9d944e4c -j ACCEPT
-A FORWARD -i br-440d9d944e4c -o br-440d9d944e4c -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-48d9b2bad38a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-48d9b2bad38a -j DOCKER
-A FORWARD -i br-48d9b2bad38a ! -o br-48d9b2bad38a -j ACCEPT
-A FORWARD -i br-48d9b2bad38a -o br-48d9b2bad38a -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 19132 -j ACCEPT
-A DOCKER -s 45.0.0.0/16 -j DROP
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.1.6/32 ! -i br-440d9d944e4c -o br-440d9d944e4c -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-440d9d944e4c ! -o br-440d9d944e4c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-48d9b2bad38a ! -o br-48d9b2bad38a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-440d9d944e4c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-48d9b2bad38a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
```

Fail2Ban log

/var/log/fail2ban.log:

```
[508]: INFO    [bad-auth] Found xx.xx.xx.xx - 2021-01-13 22:56:09
[508]: DEBUG   Total # of detected failures: 32. Current failures from 15 IPs (IP:count): xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
[508]: DEBUG   /var/log/syslog has been modified
[508]: NOTICE  [bad-auth] xxx.xxx.xxx.xxx already banned
```
@lub lub added the type/bug Bug. Not working as intended label Jan 29, 2021

ronivay commented Mar 15, 2021

The documented method works fine as long as fail2ban is started after docker. The issue here is that docker forces its own rules on top of the FORWARD chain and any existing rules get pushed below those (i.e. the fail2ban rules in this case). Any docker restart, for example, will break existing fail2ban rules.

The workaround is to change the mailu fail2ban configuration from the FORWARD chain to the DOCKER-USER chain. Docker evaluates any rules in this chain before jumping into other chains added by docker itself. This is also documented in https://docs.docker.com/network/iptables/

The only thing that needs to be taken into consideration with this method is that fail2ban should start after docker, otherwise the DOCKER-USER chain doesn't exist yet and fail2ban might fail. This can be achieved by adding an override configuration to the fail2ban systemd service so that it waits for docker to start.

I can look into making a pull request to documentation about this.

@bonswouar

Just wanted to share in case someone has the same problem as me.
For some reason fail2ban blocked some of my containers' IPs (webmail and ssmtp), which was a very annoying problem to pinpoint 😄
Might be worth adding the mailu subnet to the ignoreip list? At least that's what I did:

```
ignoreip = 127.0.0.1/8 ::1 192.168.203.0/24 ...
```
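As an added example (not code from the issue, the Mailu docs, or either commenter), the bash script below puts the two comments above into practice: it writes the systemd drop-in that makes fail2ban wait for docker, writes a jail that bans through the DOCKER-USER chain and ignores the Mailu subnet, and checks `iptables-save` output for whether a banned address really sits behind the DOCKER-USER jump rather than in a FORWARD rule that docker has pushed below its own ACCEPTs. The jail name, port list, log path, the `203.0.113.x` address and the two iptables-save excerpts are constructed for the example; the `f2b-<name>` chain layout is how fail2ban's stock `iptables-allports` action arranges its rules.

```shell
#!/usr/bin/env bash
# Added example (not from the Mailu issue or project): ban in DOCKER-USER,
# start fail2ban after docker, and verify the placement from iptables-save.
set -eu

# Systemd drop-in so fail2ban starts only after docker has created its chains
# (DOCKER-USER does not exist before the daemon is up).
# $1 = systemd unit directory (normally /etc/systemd/system; a temp dir here).
write_fail2ban_override() {
    local unitdir="$1"
    mkdir -p "$unitdir/fail2ban.service.d"
    cat > "$unitdir/fail2ban.service.d/override.conf" <<'EOF'
[Unit]
After=docker.service
Wants=docker.service
EOF
    printf '%s\n' "$unitdir/fail2ban.service.d/override.conf"
}

# Jail that bans in DOCKER-USER instead of FORWARD. Ports, log path and the
# ignored subnet are example values; adjust them to the deployment.
# $1 = fail2ban config directory (normally /etc/fail2ban; a temp dir here).
write_mailu_jail() {
    local f2bdir="$1"
    mkdir -p "$f2bdir/jail.d"
    cat > "$f2bdir/jail.d/mailu.local" <<'EOF'
[bad-auth]
enabled  = true
port     = 25,465,587,110,995,143,993
filter   = bad-auth
logpath  = /mailu/mailu.log
findtime = 10800
maxretry = 5
bantime  = 86400
# chain=DOCKER-USER: docker evaluates this chain first and never reorders it,
# so the ban survives a docker restart.
action   = iptables-allports[name=bad-auth, chain=DOCKER-USER]
# Never ban the containers themselves (the Mailu subnet).
ignoreip = 127.0.0.1/8 ::1 192.168.203.0/24
EOF
    printf '%s\n' "$f2bdir/jail.d/mailu.local"
}

# ban_in_docker_user IPV4  (iptables-save text on stdin)
# Returns 0 only if FORWARD hands off to DOCKER-USER first and DOCKER-USER
# jumps into an f2b-* chain that rejects/drops the address; 1 otherwise.
ban_in_docker_user() {
    local ip="$1" rules esc target
    rules=$(cat)
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    printf '%s\n' "$rules" | grep '^-A FORWARD ' | head -n 1 \
        | grep -q -- '-j DOCKER-USER$' || return 1
    for target in $(printf '%s\n' "$rules" \
            | awk '/^-A DOCKER-USER .* -j f2b-/ {print $NF}'); do
        printf '%s\n' "$rules" \
            | grep -Eq -- "^-A $target -s $esc(/32)? -j (REJECT|DROP)" && return 0
    done
    return 1
}

# Constructed iptables-save excerpts (not captured from a host).
# Broken: fail2ban's jump sits in FORWARD below docker's own rules.
BROKEN_RULES='-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -p tcp -j f2b-bad-auth
-A DOCKER-USER -j RETURN
-A f2b-bad-auth -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable'
# Fixed: the jail was configured with chain=DOCKER-USER.
FIXED_RULES='-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -p tcp -j f2b-bad-auth
-A DOCKER-USER -j RETURN
-A f2b-bad-auth -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable'

demo() {
    local tmp
    tmp=$(mktemp -d)
    echo "wrote $(write_fail2ban_override "$tmp/systemd")"
    echo "wrote $(write_mailu_jail "$tmp/fail2ban")"
    if printf '%s\n' "$BROKEN_RULES" | ban_in_docker_user 203.0.113.7; then
        echo "FORWARD layout: ban reachable (unexpected)"
    else
        echo "FORWARD layout: ban sits below docker's ACCEPTs, not enforced"
    fi
    if printf '%s\n' "$FIXED_RULES" | ban_in_docker_user 203.0.113.7; then
        echo "DOCKER-USER layout: ban enforced before docker's rules"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host the drop-in is what `systemctl edit fail2ban` creates; run `systemctl daemon-reload` afterwards, and feed `iptables-save` to `ban_in_docker_user` to confirm a live ban's placement after a docker restart.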
