Access logfile for Fail2ban #584
I have the same problem, examining the logs of
It turns out it's not only about
I've spent about 1.5 hours trying different solutions of blocking traffic to mailu containers without success. I'd appreciate it if someone has an idea how to.
In the meantime I ended up doing the following to combat those pesky hackers:
Personally I extract some strings from the docker logs and put everything in a log in a screen command.
After that I extract the IPs and null-route them using the ip command, like this:
It's waiting to do better naturally, but with that I already have over 2000 banned IPs.
Hope this helps you
I found a useful post about the issue:
It turns out that even if you configure fail2ban properly, there are still some issues with blocking attempts to brute force through the web UI when running behind an nginx proxy and docker. This is because the logs will look like this:
The original IP is lost because of the forwarding.
See above PR. I was annoyed I couldn't write something useful for the FAQ, so wrote an actual solution.
I'm looking into suitable regexes for documentation, but that is not my field of sport. So help would be appreciated. The standard Nginx regexes supplied by Fail2Ban don't catch the login fails for Mailu.
referenced this issue
Oct 16, 2018
Thanks for this!
I went from version 1.5 to master to get these options, then added the necessary modifications on env and docker-compose.yml.
If you wish I can provide the jail for the faq.
For my environment, I put the log to syslog, so in env:
For the jail, I've set a blackhole route, but it's also possible with iptables with:
Jail with maxretry to be adapted according to needs:
Action fail2ban: "action.d/route.conf"
Filter fail2ban: "filter.d/bad-auth.conf"
It may also be useful to adjust the bantime of the recidive jail to fine-tune the configuration.
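Added example, not part of any post in this thread and not Mailu's or Fail2Ban's own code: a Python check that applies a `maxretry`-style threshold to failed logins and separates real client addresses from proxy-side ones, covering both the comment about the original IP being lost behind nginx/docker and the jail described in the last comment. The log format, `FAIL_RE`, the `INTERNAL` ranges, the `findtime` default and the function name `evaluate` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines. The line format is an assumption for this example,
# not Mailu's actual output; adapt FAIL_RE to what your syslog really contains.
SAMPLE_LOG = """\
2018-10-16T10:00:01 front: login failed client=203.0.113.7
2018-10-16T10:00:05 front: login failed client=203.0.113.7
2018-10-16T10:00:09 front: login failed client=203.0.113.7
2018-10-16T10:00:10 front: login ok client=198.51.100.4
2018-10-16T10:01:00 admin: login failed client=172.18.0.1
2018-10-16T10:01:02 admin: login failed client=172.18.0.1
2018-10-16T10:01:04 admin: login failed client=172.18.0.1
2018-10-16T10:02:00 front: login failed client=198.51.100.9
2018-10-16T11:30:00 front: login failed client=198.51.100.9
2018-10-16T13:00:00 front: login failed client=198.51.100.9
"""
FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ login failed client=(?P<host>\S+)$")
# Assumed proxy-side ranges: RFC 1918 (Docker bridges live here) and loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def evaluate(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (ban, masked): hosts to ban, and proxy-side addresses that hit
    the threshold, meaning the real client IP never reached the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            hits[m["host"]].append(datetime.fromisoformat(m["ts"]))
    ban, masked = [], []
    for host, times in hits.items():
        times.sort()
        # Sliding window: maxretry failures inside findtime, as a jail counts.
        over = any(times[i + maxretry - 1] - times[i] <= findtime
                   for i in range(len(times) - maxretry + 1))
        if not over:
            continue
        addr = ipaddress.ip_address(host)
        # Banning a bridge or proxy address blocks every user and no attacker.
        if any(addr in net for net in INTERNAL):
            masked.append(host)
        else:
            ban.append(host)
    return sorted(ban), sorted(masked)
```

A non-empty `masked` list means the proxy is not passing the client address through to the log, so a ban action would hit the proxy path instead of the offending host.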