[Request] Add Fail2Ban

[lordraiden]

Please consider fail2ban
https://www.fail2ban.org/wiki/index.php/Main_Page

and a 2 step verification method
https://www.authelia.com/ 
https://github.com/clems4ever/authelia

BTW your software is being a total sucess here https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/

[vrelk]

I agree on the fail2ban, I can see 2fa being good if it is going to be externally available.
Big thing if you implement f2b, make sure it will pay attention to the forwarded-for IP. That way you don't end up blocking cloudflare.

I switched away from that docker container actually simply because it wasn't up-to-date enough for me. I needed the latest features such as the ability to forward HTTPS enabled sites.

[jc21]

@lordraiden Thanks for the heads up, makes sense why so many issues being logged in the last 2 weeks! F2B is definitely a good improvement to be considered.

@vrelk Upstream SSL hosts support is done, in the next version I'll release today. Is that the only thing you needed that the docker version couldn't do?

[vrelk]

@jc21 I guess I should have specified that I was referring to the docker container linked in the first post (unRAID). It is a few months out of date. My switch was from the jlesage fork to yours.

[maximberezin97]

Would be great to have fail2ban built in like the linuxserver/letsencrypt Docker container!

[ghost]

Would also love to see fail2ban, or in the meantime, if anyone has been able to get it working manually and can share their setup/script

[Elmardus]

Is there a (manual) way to use Nginx-proxy-manager reverse proxies in combination with Authelia 2FA? I love the proxy manager's interface and ease of use, and would like to use it together with a authentication service.

[jsternadel]

+1 for both fail2ban and 2fa support. I would rank fail2ban as a primary concern and 2fa as a nice to have. With both of those features added i think this solution would be ready for smb production environments.

[WesSec]

Some update on fail2ban, since I don't see this happening anytime soon, I created a fail2ban filter myself. Create a file called "nginx-docker" in /etc/fail2ban/filder.d with the following contents

[INCLUDES]  

[Definition]  

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$

This will jail all requests that return a 4xx/3xx code on the main ip or a 400 on the specified hosts in the docker (no 300 here because of redirects used to force HTTPS)

enable the jail in the jail.local file:

[nginx-docker]
enabled = true
logpath = <docker-config-location>/nginx-proxy-manager/data/logs/default_host.log
          <docker-config-location>/nginx-proxy-manager/data/logs/proxy_host-*.log
maxretry = 3
bantime  = 360
findtime = 60

The only issue is that docker sort of bypasses all iptables entries, fail2ban makes the entry but those are ignored by docker, resulting in having the correct rule in iptables or ufw, but not actually blocking the IP. Maybe someone in here has a solution for this.

[dariusateik]

wessel145 - I have played with the same problem ( docker ip block ) few days :) finally I have working solution;

1. in /etc/docker/daemon.json - you need to add option "iptables": true
2. you need to be sure docker create chain in iptables DOCKER-USER
3. for fail2ban ( docker port ) use SINGLE PORT ONLY - custom action.d/customaction.conf
   --ctorigdstport !!! mine looks like this and it works
   customaction.conf
   [INCLUDES]
   before = iptables-common.conf
   [Definition]
   actionstart = -N f2b-
   -A f2b- -j
   -I DOCKER-USER -p -m conntrack --ctorigdstport --ctdir ORIGINAL -j f2b-

actionstop = -D DOCKER-USER -p -m conntrack --ctorigdstport --ctdir ORIGINAL -j f2b-

-X f2b-
actioncheck = -n -L DOCKER-USER | grep -q 'f2b-[ \t]'
actionban = -I f2b- 1 -s -j
actionunban = -D f2b- -s -j
[Init]

4. in your jail add action
   [nginx-docker]
   enabled = true
   logpath = /nginx-proxy-manager/data/logs/default_host.log
   /nginx-proxy-manager/data/logs/proxy_host-*.log

banaction = customaction

maxretry = 3
bantime = 360
findtime = 60

NOTE: for docker to ban port need to use single port and option iptables -m conntrack --ctorigdstport --ctdir ORIGINAL

[dariusateik]

my personal opinion nginx-proxy-manager should be ONLY nginx-proxy-manager ; as with docker concept fail2ban and etc, etc, you can have as separate containers; better to have one good nginx-proxy-manager without mixing; jc21/nginx-proxy-manager made nice job. ! thanks

[WesSec]

@dariusateik i do not agree on that since the letsencrypt docker container also comes with fail2ban, 'all reverse proxy traffic' will go through this container and is therefore a good place to handle fail2ban.

[jsternadel]

@dariusateik the other side of docker containers is to make deployment easy. Currently fail2ban doesn't play so well sitting in the host OS and working with a container. Setting up fail2ban is also a bit more advanced then firing up the nginx-proxy-manager container and using a UI to easily configure subdomains. Having f2b inside the npm container and pre-configured, similiar to the linuxio container, gives end users without experience in building jails and filters an extra layer of security. And those of us with that experience can easily tweak f2b to our liking. If you are using volumes and backing them up nightly you can easily move your npm container or rebuild it if necessary. I want to try out this container in a production environment but am hesitant to do so without f2b baked in. In production I need to have security, back ups, and disaster recovery.

[dariusateik]

@dariusateik the other side of docker containers is to make deployment easy. Currently fail2ban doesn't play so well sitting in the host OS and working with a container. Setting up fail2ban is also a bit more advanced then firing up the nginx-proxy-manager container and using a UI to easily configure subdomains. Having f2b inside the npm container and pre-configured, similiar to the linuxio container, gives end users without experience in building jails and filters an extra layer of security. And those of us with that experience can easily tweak f2b to our liking. If you are using volumes and backing them up nightly you can easily move your npm container or rebuild it if necessary. I want to try out this container in a production environment but am hesitant to do so without f2b baked in. In production I need to have security, back ups, and disaster recovery.

it is always - we could find many "yes" and many "no" ; there is no one answer... If npm will have it - why not; but i am using crazymax/fail2ban for this; more complexing docker, more possible mistakes; configs, etc; how will be or f2b integrated - should decide jc21

[jc21]

Personally I don't understand the fascination with f2b. There's talk about security, but I've worked for multi million dollar companies with massive amounts of sensitive customer data, used by government agencies and never once have we been hacked or had any suspicious attempts to gain access.

And we have never used f2b.

On one hand, this project's goals was for the average joe to be able to easily use HTTPS for their incoming websites; not become a network security specialist. I understand that there are malicious people out there and there are users who want to protect themselves, but is f2b the only way for them to do this?

On the other hand, f2b is easy to add to the docker container. It's the configuration of it that would be hard for the average joe. Anyone who wants f2b can take my docker image and build a new one with f2b installed.

Super secret stuff: I'm not working on v2 anymore, and instead slowly working on v3. I'll be considering all feature requests for this next version.

[dariusateik]

100 % agree - > ... On the other hand, f2b is easy to add to the docker container

[Rami-Pastrami]

hopping in to say that a 2fa solution (such the the one authelia brings) would be an amazing addition.

Authelia itself doesnt require a LDAP server or its own mysql database, it can use built in single file equivalents just fine for small personal installations

[JoschaMiddendorf]

Any news on that?

[wtf911]

To y'all looking to use fail2ban with your nginx-proxy-manager in docker here's a tip:

In your jail.local file under where the section (jail) for nginx-http-auth is you need to add this line so when something is banned it routes through iptables correctly with docker:

chain = DOCKER-USER

[johnnny1337]

Anyone who has a guide how to implement this by myself in the image?

[pto199]

Almost 4 years now. I guess fail2ban will never be implemented :(. I guess Ill stick to using swag until maybe one day it does.

[posta246]

Hope I have time to do some testing on this subject, soon.
I have a question about @mastan30 solution: fail2ban-docker requires that fail2ban itself has to (or must not) be installed on the host machine (dont think, iti is in the container...)?
Because I have already use it to protect ssh access to the host... so to avoid conflicts it is not clear to me how to manage this situation (f.e. : I should unistall fail2ban on host and moving the ssh jail into the fail2ban-docker config... or what? I'm confused).
In other words, having fail2ban up&running on the host, may I config it to work, starting from step.2?

[mastan30]

Hi @posta246 , Yes my fail2ban is not installed directly on the container, I used it inside a docker-container and forwarded ip ban rules to docker chains. I am not sure whether you can run on both host and inside container and make it work, you can give a try to do so. But anytime having it either totally running on host or totally on Container for any software is best thing to do.

[posta246]

Hi, sorry me if I dont understand...:( I've tried to add the config file outside the container, fail2ban is running but seems to not catch the bad ip, i've tried your rules with fail2ban-regex too... but I noted:

1. [PARTIALLY SOLVED, YOU REFER TO THE MAPPED FOLDERS] my logs make by npm are all in in a logs folder (no log, logS), and has the following pattern: /logs/proxy-host-*.log and also fallback*.log;
2. [UPDATE, PARTIALLY SOLVED] the regex seems to work, files proxy* contain:
   [13/Nov/2021:12:16:40 +0000] 444 - GET https MY_IP "/" [Client 45.146.164.110] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" "-"
   while fallback*.log contain:
   [13/Nov/2021:14:15:00 +0000] 444 - GET https ONE_OF_THEPROXIED_DOMAIN "/api/" [Client xx.xx.xx.xxx] [Length 0] [Gzip -] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" "https://proxy_name"
   May you help me to catch the malicious clients in the fallbak*?
   By the way, the jail is empty, maybe bacause some timezone errors... have to go deeply.

[posta246]

SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful

[henkiewie]

SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful

It works for me also.
Adding the fallback files seems useful to me. So I added the fallback_.log and the fallback-.log to my jali.d/npm-docker.local. But is the regex in the filter.d/npm-docker.conf good for this? If I test I get no hits. I'm not an regex expert so any help would be appreciated.

[henkiewie]

SUMMARY: it works, using the suggested config outside the container, on the host. Just need to understand if fallback file are useful

It works for me also. Adding the fallback files seems useful to me. So I added the fallback__.log and the fallback-_.log to my jali.d/npm-docker.local. But is the regex in the filter.d/npm-docker.conf good for this? If I test I get no hits. I'm not an regex expert so any help would be appreciated.

So why not make the failregex scan al log files including fallback*.log only for Client.<HOST>

if you have all local networks excluded and use a VPN for access. It works form me.

[NajibNour]

The following regex does not work for me could anyone help me with understanding it?
UsingRegex:

^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$ ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$

Log output from npm:

[20/Jan/2022:19:19:45 +0000] - - 404 - GET https somesite.ca "/wp-login.php" [Client 8.8.8.8] [Length 172] [Gzip 3.21] [Sent-to somesite] "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "-"

DISREGARD It Works just fine! My dumbness

[TheUntouchable]

I am currently using NPM with a MACVLAN, therefore the fail2ban container can read the mounted logs and create ip tables on the host, but the traffice from and to NPM is not going to the iptables of the host because of the MACVLAN and so banning does not work. Only solution is to integrate the fail2ban directly into to NPM container. So please let this happen! :)

[CryPt00n]

I am currently using NPM with a MACVLAN, therefore the fail2ban container can read the mounted logs and create ip tables on the host, but the traffice from and to NPM is not going to the iptables of the host because of the MACVLAN and so banning does not work. Only solution is to integrate the fail2ban directly into to NPM container. So please let this happen! :)

Same for me, would be really great if it could added.

[arsaboo]

@hugalafutro I tried that approach and it works. However, it has an unintended side effect of blocking services like Nextcloud or Home Assistant where we define the trusted proxies. For example, Nextcloud required you to specify the trusted domains (https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html). Similarly, Home Assistant requires trusted proxies (https://www.home-assistant.io/integrations/http/#trusted_proxies). Did you try this out with any of those?

[hugalafutro]

@arsaboo I use both ha and nextcloud (and other 13-ish services, including mail server) with n-p-m set up with fail2ban as I outlined above without any issue.

I used to have all these on the same vm and it worked then, later I moved n-p-m to vm where my mail server is, and the vm with nextcloud and ha and other stuff is being tunelled via mullvad and everything still seems to work.

I just cobbled the fail2ban "integration" together from various tutorials, with zero understanding of iptables or docker networking etc. It seemed to work (as in I could see some addresses getting banned), for my configuration, but I'm not technically adept enough to say why it wouldn't for you.

edit:
for reference
in nextcloud I define the trusted proxy like so in config.php:

  'trusted_proxies' => 
  array (
    0 => '192.168.1.142',
  ),

in ha I define it in configuration.yaml like so:

http:
  server_host: 0.0.0.0
  use_x_forwarded_for: true
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  trusted_proxies:
    - 192.168.1.142
  ip_ban_enabled: false
  login_attempts_threshold: 5

[captainabloc]

Hi all,
not running on docker, but on a Proxmox LCX I managed to get a working jail watching the access list rules I setup.
In addition, being proxied by cloudflare, added also a custom line in config to get real origin IP.

/etc/fail2ban/filter.d/nginx-access.conf

# fail2ban filter configuration for nginx
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>, server.+$

ignoreregex = ^ \[warn\] .+$

/etc/fail2ban/jail.conf extract:

[nginx-access]
enabled = true
filter   = nginx-access
logpath = /data/logs/proxy-host-*.log
          /data/logs/default-host*.log
maxretry = 3
bantime  = 360
findtime = 60

In NPM Edit Proxy Host added the following for real IP behind Cloudflare in Custom Nginx Configuration:
real_ip_header CF-Connecting-IP;

hope this can be useful. Please let me know if any way to improve

[TituxMetal]

This works for me: #39 (comment)

Hello @mastan30,
in this file fail2ban/data/jail.d/npm-docker.local
filter=npm-docker must be specified otherwise the filter is not applied, in my tests my ip is always found and then banned even for no reason.
I also adjusted the failregex in filter.d/npm-docker.conf, here is the file content:

[INCLUDES]

[Definition]

failregex = ^.+ ".*w00tw00t.*" \[Client <HOST>\] \[Length .+\] .+$
  ^.+ (4\d\d|5\d\d) .*- .+ ".*(~|admin|dbadmin|install|myadmin|MyAdmin|mysql|websql|pma|wp-|manager|blackcat|sprawdza).*" \[Client <HOST>\] \[Length .+\] .+$
  ^.+ (5\d\d|4(?!04)\d\d) - .+ \[Client <HOST>\] \[Length .+\] .+$

Thank you it helps me so much!

[kmanwar89]

Referencing the instructions that @hugalafutro mentions here:

I attempted to follow your steps, however had a few issues:

1. The compose file you mention includes a .env file, however you didn't provide the contents of this file. Is it save to assume it is the default file from the developer's repository?

2. In the volume directive of the compose file, you mention the path as - "../nginx-proxy-manager/data/logs/:/log/npm/:ro". I'm assuming this should be adjusted relative to the specific location of the NPM folder? In my case, my folder is just called "npm" and is within the ~/services directory on my server, so I modified it to be (relative to the f2b compose file) ../npm/data/logs.

3. In your instructions, you mount the NPM files as /data/logs and mount it to /log/npm, but in this blog post, the author specifically mentions "Ensure that you properly bind mount the logs at /data/logs of your NPM reverse proxy into the Fail2ban docker container at /var/log/npm. Otherwise, Fail2ban is not able to inspect your NPM logs!". I've tried both, and both work, so not sure which is the "most" correct.

I followed the above linked blog and (on the second attempt) got the fail2ban container running and detecting my logs, but I do get an error which (I'm assuming) actually blocks any of the ban behavior from taking effect:

f2b | 2023-01-28T16:41:28.094008433Z 2023-01-28 11:41:28,093 fail2ban.actions [1]: ERROR Failed to execute ban jail 'npm-general-forceful-browsing' action 'action-ban-docker-forceful-browsing' info 'ActionInfo({'ip': '75.225.129.88', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f0d4ec48820>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f0d4ec48ee0>})': Error banning 75.225.129.88

But what is interesting is that after 10 minutes, it DID un-ban the IP, though I never saw a difference in behavior, banned or otherwise:

f2b | 2023-01-28T16:51:41.122149261Z 2023-01-28 11:51:41,121 fail2ban.actions [1]: NOTICE [npm-general-forceful-browsing] Unban 75.225.129.88

I then created a separate instance of the f2b container following your instructions, which also seem to work (at least so far).

Additionally, how did you view the status of the fail2ban jails? What command did you issue, I'm assuming, from within the f2b container itself?

I'm curious to get this working, but may actually try CrowdSec instead, since the developers officially support the integration into NPM.

[kmanwar89]

I followed the guide that @mastan30 posted and observed a successful ban (though 24 hours after 3 tries is a bit long, so I have to figure out how to un-ban myself). Additionally I tried what you said about adding the filter=npm-docker to my file in jail.d, however I observed this actually did not detect the IP's, so I removed that line.

So I have 2 "working" iterations, and need to figure out the best from each and begin to really understand what I'm doing, rather than blindly copying others' logs.

[hugalafutro]

@kmanwar89
edit: most of your issues stem from having different paths / container / filter names imho, set it up exactly as I posted as that works to try it out, and then you can start adjusting paths and file locations and container names provided you change them in all relevant places. i.e. if you name your file instead of npm-docker.local to haha-hehe-hihi.local, you need to put filter=haha-hehe-hihi instead of filter=npm-docker etc.

1. Yes
2. Yes this is just relative path of the npm logs you mount read-only into the fail2ban container, you have to adjust accordingly to your path
3. Doesn't matter at all as long the

logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log

inside the jail definition file matches the path you mounted the logs inside the f2b container

I do not want to comment on others instructions as the ones I posted are the only ones that ever worked for me.

---

For reference this is my current config that bans ip on 3 different nginx-proxy-manager installations, I have joined the npm and fail2ban containers into 1 compose now:

directory structure

pi@pi-docker:~/docker/nginx-proxy-manager $ find ./ -type d -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'
|____
|____data_npm
| |____logs
| |____custom_ssl
| |____letsencrypt-acme-challenge
| | |____.well-known
| | | |____acme-challenge
| |____access
| |____nginx
| | |____default_www
| | |____dead_host
| | |____proxy_host
| | |____temp
| | |____redirection_host
| | |____default_host
| | |____stream
|____data_f2b
| |____db
| |____action.d
| |____jail.d
| |____filter.d
|____letsencrypt
| |____csr
| |____archive
| | |____npm-10
| | |____npm-1
| | |____npm-48
| | |____npm-46
| | |____npm-26
| | |____npm-15
| |____renewal-hooks
| | |____post
| | |____deploy
| | |____pre
| |____keys
| |____renewal
| |____live
| | |____npm-10
| | |____npm-1
| | |____npm-48
| | |____npm-46
| | |____npm-26
| | |____npm-15
| |____accounts
| | |____acme-v02.api.letsencrypt.org
| | | |____directory
| | | | |____b1fc0554c1bcfe0b429559f8bcefaf4b

docker-compose.yml

version: '3'
services:
  nginx-proxy-manager:
    container_name: nginx-proxy-manager_pi-docker
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '10080:80'
      - '10081:81'
      - '10443:443'
    volumes:
      - ./data_npm:/data
      - ./letsencrypt:/etc/letsencrypt
    restart: always
    environment:
      X_FRAME_OPTIONS: "sameorigin"
      DB_SQLITE_FILE: "/data/database.sqlite"
      TZ: "Europe/London"

  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_pi-docker
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    privileged: true
    volumes:
      - "./data_f2b:/data"
      - "./data_npm/logs/:/log/npm/:ro"
    restart: always
    env_file:
      - "./fail2ban.env"
    depends_on:
      - nginx-proxy-manager

data_f2b/jail.d/npm-docker.local

pi@pi-docker:~/docker/nginx-proxy-manager $ cat data_f2b/jail.d/npm-docker.local
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24 172.16.0.1/16 192.168.1.1
chain = INPUT
logpath = /log/npm/default-host_*.log
          /log/npm/proxy-host-*.log
maxretry = 3
bantime  = 2419200
findtime = 86400
filter = npm-docker

data_f2b/filter.d/npm-docker.conf

pi@pi-docker:~/docker/nginx-proxy-manager $ cat data_f2b/filter.d/npm-docker.conf
[INCLUDES]

[Definition]
ignoreregex = ^ [warn] .+$

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$
            ^.+ (4\d\d|5\d\d) .*- .+ ".*(~|admin|dbadmin|install|myadmin|MyAdmin|mysql|websql|pma|wp-|manager).*" \[Client <HOST>\] \[Length .+\] .+$
            ^.+ (5\d\d|4(?!04)\d\d) - .+ \[Client <HOST>\] \[Length .+\] .+$

check current bans

docker exec -it fail2ban_pi-docker fail2ban-client status npm-docker

example output

pi@pi-docker:~/docker/nginx-proxy-manager $ docker exec -it fail2ban_pi-docker fail2ban-client status npm-docker
Status for the jail: npm-docker
|- Filter
|  |- Currently failed: 58
|  |- Total failed:     4661
|  `- File list:        /log/npm/default-host_access.log /log/npm/default-host_error.log /log/npm/proxy-host-3_access.log /log/npm/proxy-host-10_error.log /log/npm/proxy-host-43_error.log /log/npm/proxy-host-22_error.log /log/npm/proxy-host-43_access.log /log/npm/proxy-host-15_error.log /log/npm/proxy-host-3_error.log /log/npm/proxy-host-22_access.log /log/npm/proxy-host-10_access.log /log/npm/proxy-host-1_access.log /log/npm/proxy-host-1_error.log /log/npm/proxy-host-15_access.log
`- Actions
   |- Currently banned: 255
   |- Total banned:     258
   `- Banned IP list:   101.68.211.3 103.72.147.115 104.155.129.44 107.150.126.151 108.194.208.147 109.237.97.180 109.237.98.226 109.249.187.77 109.74.204.123 111.30.107.154 116.203.223.117 118.193.56.146 128.14.188.209 134.122.40.17 134.209.105.9 134.209.172.210 136.33.158.151 137.184.147.18 137.184.214.147 137.184.69.186 138.197.12.104 138.197.147.198 138.197.157.88 139.59.101.36 139.59.190.229 139.59.251.216 139.64.164.73 139.99.120.203 139.99.123.180 141.255.167.130 142.93.240.129 143.110.178.178 143.198.212.64 143.198.220.72 143.198.239.27 143.244.140.48 144.126.236.89 144.91.106.14 146.148.39.73 146.19.24.230 146.190.244.19 146.70.119.3 146.70.119.35 146.70.119.37 146.70.119.67 148.63.28.25 150.129.81.213 152.32.227.68 152.89.196.211 157.245.136.139 157.245.99.223 159.203.35.125 159.223.68.123 159.65.111.248 159.89.107.64 159.89.111.42 161.35.161.99 161.35.188.150 162.142.125.10 162.142.125.210 162.142.125.211 162.142.125.212 162.142.125.213 162.142.125.219 162.142.125.221 162.142.125.7 162.142.125.8 162.142.125.9 164.92.135.200 165.22.54.62 165.22.65.114 165.227.208.24 165.227.212.9 165.232.124.165 165.232.64.133 167.172.103.51 167.172.188.222 167.172.90.80 167.172.93.19 167.248.133.117 167.248.133.120 167.248.133.44 167.248.133.46 167.248.133.60 167.248.133.61 167.248.133.62 167.71.201.171 167.71.73.251 167.71.85.7 167.94.138.119 167.94.138.120 167.94.138.44 167.94.138.46 167.94.138.47 167.94.138.60 167.94.138.61 167.94.138.62 167.94.146.57 167.94.146.58 167.94.146.60 167.99.207.240 170.64.134.42 170.64.148.163 170.64.176.251 170.64.176.7 170.64.180.140 176.65.137.4 179.43.155.157 179.43.177.242 183.106.161.103 183.136.225.32 183.136.225.45 184.105.139.67 184.105.139.70 185.180.143.141 185.180.143.81 185.195.232.131 185.195.232.133 185.195.232.139 185.195.232.140 185.195.232.141 185.195.232.149 185.195.232.152 185.195.232.160 185.195.232.161 185.195.232.169 185.195.232.170 185.195.232.180 185.213.175.253 185.224.128.219 185.225.73.198 185.225.74.45 185.225.74.55 185.248.85.10 185.248.85.31 185.248.85.32 185.248.85.36 185.248.85.4 188.166.232.195 191.254.254.119 193.32.162.159 193.35.18.189 193.35.18.227 193.35.18.228 193.35.18.242 193.38.55.200 194.180.49.233 194.55.186.216 195.133.40.86 195.154.77.190 198.20.69.98 2.57.122.80 20.163.207.204 201.163.190.64 201.23.6.2 207.154.245.167 208.100.26.229 209.126.151.116 209.126.151.117 209.126.151.119 209.126.151.120 209.126.151.122 209.141.33.8 212.18.176.230 213.205.192.74 213.205.196.194 213.205.241.29 213.205.241.92 213.205.242.98 219.85.88.188 23.224.186.225 24.150.82.71 24.199.92.233 34.121.19.107 34.122.44.159 34.135.91.26 34.136.137.67 34.171.253.186 34.172.163.221 34.172.175.164 34.172.209.163 34.173.116.45 34.201.148.42 34.27.133.230 34.29.37.32 34.67.120.116 34.67.167.189 34.67.214.23 34.69.204.32 34.70.93.107 34.71.162.68 35.192.12.146 35.202.182.162 35.202.234.8 35.216.248.122 35.222.78.111 35.224.175.167 35.225.212.38 35.226.241.168 35.226.97.237 35.232.70.169 35.238.41.231 35.239.89.230 37.44.238.144 37.44.238.71 43.134.171.148 43.135.123.64 45.12.253.180 45.61.186.176 45.9.110.186 45.93.201.64 46.19.136.74 47.89.188.40 49.234.150.132 5.188.210.227 5.75.202.224 52.4.28.5 61.147.15.65 61.147.15.67 62.171.128.107 62.210.75.103 64.225.103.50 64.225.18.115 64.225.56.220 65.49.20.66 65.49.20.68 67.222.109.195 68.183.111.90 68.183.12.150 71.6.135.131 72.55.136.154 74.82.47.3 74.82.47.4 77.81.142.251 79.124.59.150 80.94.92.57 82.170.148.96 89.248.165.204 89.248.165.52 89.31.112.234 90.2.97.189 91.107.142.252 92.118.39.29 92.118.39.82 94.62.138.31 185.195.232.165 112.47.34.246 159.89.171.91 35.153.144.36 193.35.18.206 161.35.213.143 134.209.159.229 163.123.181.180 185.195.232.159 34.136.218.224

[hugalafutro]

Apologies if this is offtopic, but if anyone doubts usefulness of adding f2b to npm or whether the method I used is working I'd like to share some statistics from my cloud server with exposed ssh and http(s) ports. Along banning failed attempts for n-p-m I also ban failed ssh log ins. Endlessh is a wonderful little app that sits on the default ssh port and drags out random ssh responses until they time out to waste the script kiddie's time and then f2b bans them for a month. Graphs are from LibreNMS.

I get about twice the amount of bans on my cloud based mailcow mail server, along the bans that mailcow itself facilitates for failed mail logins.

[alneven]

| |____action.d

@hugalafutro : just to make it sure, in a totally new setup, npm and fail2ban:
do I need something in this action.d folder?
a docker.conf file or something?
with definition like

actionstart
actionstop
actioncheck
actionban
actionunban

[hugalafutro]

@alneven In both my setups using n-p-m+f2b the directory ended up empty. I'm not really sure what it's for (every tutorial for implementing f2b whether in docker or on the bare metal I followed only talks about making a filter and a jail).

[alneven]

In both my setups using n-p-m+f2b the directory ended up empty.

thanks for the prompt feedback, I will ignore it as well

[JS-E]

Sorry to bump and old topic but i was considering trying to get this to work- Think it would be great to have another tab on the dashboard that shows you blocked IPs and various stats about fail2ban. Has anyone actually got this working nicely inside the nginx container? I do agree that i think it's better to have it all in one as it's the main entry point to services

[gzxiexl]

I hope to merge the functions of Fail2Ban and make a dashboard to display the banned logs.

[JS-E]

I hope to merge the functions of Fail2Ban and make a dashboard to display the banned logs.

I love to help out where i can and i love the idea of having a dashboard to monitor what's been blocked and why. Maybe with the option to expose it to something like grafana? Just ideas

[samwathegreat]

Add me to the list of people that would be eternally grateful to see fail2ban integration with npm. I use proxmox (LXC containers), so it would be great if this was available using the proxmox script and not just docker.

[captainabloc]

Add me to the list of people that would be eternally grateful to see fail2ban integration with npm. I use proxmox (LXC containers), so it would be great if this was available using the proxmox script and not just docker.

it is! just install Fail2ban on your LXC after NPM install

[B0F1B0]

``> Hi all, not running on docker, but on a Proxmox LCX I managed to get a working jail watching the access list rules I setup. In addition, being proxied by cloudflare, added also a custom line in config to get real origin IP.

/etc/fail2ban/filter.d/nginx-access.conf

# fail2ban filter configuration for nginx
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>, server.+$

ignoreregex = ^ \[warn\] .+$

/etc/fail2ban/jail.conf extract:

[nginx-access]
enabled = true
filter   = nginx-access
logpath = /data/logs/proxy-host-*.log
          /data/logs/default-host*.log
maxretry = 3
bantime  = 360
findtime = 60

In NPM Edit Proxy Host added the following for real IP behind Cloudflare in Custom Nginx Configuration: real_ip_header CF-Connecting-IP;

hope this can be useful. Please let me know if any way to improve

For me the /etc/fail2ban/filter.d/nginx-access.conf was not working to ban someone. With this nginx-access.conf it works

nano/etc/fail2ban/filter.d/nginx-access.conf

[INCLUDES]

[Definition]

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$