[Help] No way to ban IPs #40

Closed
sosandroid opened this issue Mar 8, 2020 · 7 comments
@sosandroid

Hi there,

Just trying to properly set up Bitwarden_rs + Fail2ban on a Synology NAS using Docker containers. I run a DS718+ with the latest DSM and use the built-in reverse proxy.
At this time I have worked around most issues except one: the ban does not work despite the logs. What did I miss?

Docker version 18.09.8, build 2c0a67b

Here is the setup:

  • dani-garcia/bitwarden_rs

    • Mounting point: docker/bw-data:/data/
    • Extended_logging true
    • Log_file: /data/bitwarden.log
    • log level: error
  • crazy-max/docker-fail2ban

    • Run as root
    • Mounting points
      • docker/fail2ban:/data/
      • docker/bw-data:/bitwarden/ Read-Only
    • F2B_IPTABLES_CHAIN: Input, as per issue 36, as I had the exact same error before that change.

The jail :

[DEFAULT]

ignoreip = 127.0.0.1/8 192.168.0.0/22
#Ban for 30 days
#bantime = 2592000
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]

[bitwarden]

enabled = true
port = 80,81,443
filter = bitwarden
logpath = /bitwarden/bitwarden.log

The filter:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

Bitwarden log :

[2020-03-05 21:53:26][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:35][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:38][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:40][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:51][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:22][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:27][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:33][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:49][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.

F2B Log:

2020-03-05 22:46:16,047 fail2ban.server         [1]: INFO    Reload all jails
2020-03-05 22:46:16,048 fail2ban.server         [1]: INFO    Reload jail 'bitwarden'
2020-03-05 22:46:16,049 fail2ban.filter         [1]: INFO      maxRetry: 4
2020-03-05 22:46:16,049 fail2ban.filter         [1]: INFO      findtime: 86400
2020-03-05 22:46:16,050 fail2ban.actions        [1]: INFO      banTime: 6400
2020-03-05 22:46:16,050 fail2ban.filter         [1]: INFO      encoding: UTF-8
2020-03-05 22:46:16,051 fail2ban.server         [1]: INFO    Jail 'bitwarden' reloaded
2020-03-05 22:46:16,051 fail2ban.actions        [1]: NOTICE  [bitwarden] Flush ticket(s) with iptables-allports
2020-03-05 22:46:16,052 fail2ban.server         [1]: INFO    Reload finished.
2020-03-05 22:53:04,043 fail2ban.filter         [1]: INFO    [bitwarden] Found 192.168.XX.XX - 2020-03-05 21:53:03
2020-03-05 22:53:26,758 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:26
2020-03-05 22:53:35,072 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:35
2020-03-05 22:53:38,592 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:38
2020-03-05 22:53:41,297 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:40
2020-03-05 22:53:41,896 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-05 22:53:51,006 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:51
2020-03-05 22:55:48,931 fail2ban.actions        [1]: NOTICE  [bitwarden] Unban 80.XX.XX.XX - Done manually after tested access still ok
2020-03-05 22:56:22,282 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:22
2020-03-05 22:56:27,154 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:27
2020-03-05 22:56:33,709 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:33
2020-03-05 22:56:34,098 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-05 22:56:49,381 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:49
@sosandroid
Author

The issue described above was due to a TZ misconfiguration in the Bitwarden container (UTC vs CET). The ban had already ended at the time it began...
However, I get different behaviour depending on the iptables chain setting.
The most interesting part is this error: stderr: 'iptables v1.8.3 (legacy): unknown option "--reject-with"'

What is your advice?

F2B_IPTABLES_CHAIN=DOCKER-USER

This is issue 36

2020-03-09 22:45:22,583 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'bitwarden'
2020-03-09 22:45:42,557 fail2ban.actions        [1]: NOTICE  [bitwarden] Unban 80.XX.XX.XX
2020-03-09 22:45:42,557 fail2ban.actions        [1]: DEBUG   [bitwarden] action 'iptables-allports': unban 80.XX.XX.XX
2020-03-09 22:46:13,124 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:46:13,124 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:46:13,130 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790373.0 and ip:80.XX.XX.XX
2020-03-09 22:46:13,130 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:46:13
2020-03-09 22:46:13,131 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
2020-03-09 22:46:16,670 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:46:16,671 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:46:16,671 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790376.0 and ip:80.XX.XX.XX
2020-03-09 22:46:16,672 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:46:16
2020-03-09 22:46:16,672 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:2
2020-03-09 22:46:18,588 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:46:18,589 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:46:18,590 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790378.0 and ip:80.XX.XX.XX
2020-03-09 22:46:18,590 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:46:18
2020-03-09 22:46:18,590 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:3
2020-03-09 22:46:20,517 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:46:20,518 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:46:20,518 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790380.0 and ip:80.XX.XX.XX
2020-03-09 22:46:20,519 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:46:20
2020-03-09 22:46:20,519 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 4. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:4
2020-03-09 22:46:20,656 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-09 22:46:20,656 fail2ban.observer       [1]: DEBUG   [bitwarden] Observer: ban found 80.XX.XX.XX, 6400
2020-03-09 22:46:20,667 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- exec: iptables -w -N f2b-bitwarden
iptables -w -A f2b-bitwarden -j RETURN
iptables -w -I DOCKER-USER -p tcp -j f2b-bitwarden
2020-03-09 22:46:20,667 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- stderr: 'iptables: Chain already exists.'
2020-03-09 22:46:20,668 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- stderr: 'iptables: No chain/target/match by that name.'
2020-03-09 22:46:20,668 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- returned 1
2020-03-09 22:46:20,668 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': '80.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f4bf7ad2dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f4bf7ad34c0>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/fail2ban/server/actions.py", line 482, in __checkBan
    action.ban(aInfo)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 548, in ban
    self._start(family, forceStart=True)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 529, in _start
    ret = self._executeOperation('<actionstart>', 'starting', family=family, afterExec=_started)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 462, in _executeOperation
    raise RuntimeError("Error %s action %s/%s: %r" % (operation, self._jail, self._name, err))
RuntimeError: Error starting action Jail('bitwarden')/iptables-allports: 'Script error'
2020-03-09 22:46:20,669 fail2ban.actions        [1]: DEBUG   Banned 1 / 2, 1 ticket(s) in 'bitwarden'
2020-03-09 22:47:06,270 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:47:06,271 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:47:06,272 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790426.0 and ip:80.XX.XX.XX
2020-03-09 22:47:06,273 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:47:06
2020-03-09 22:47:06,273 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1

F2B_IPTABLES_CHAIN=INPUT

2020-03-09 22:48:06,929 fail2ban.jail           [1]: INFO    Jail 'bitwarden' started
2020-03-09 22:48:06,930 fail2ban.transmitter    [1]: DEBUG   Status: ready
2020-03-09 22:52:54,110 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:52:54,111 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:52:54,116 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790774.0 and ip:80.XX.XX.XX
2020-03-09 22:52:54,122 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:52:54
2020-03-09 22:52:54,122 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
2020-03-09 22:53:02,439 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:53:02,439 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:53:02,440 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790782.0 and ip:80.XX.XX.XX
2020-03-09 22:53:02,441 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:53:02
2020-03-09 22:53:02,441 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:2
2020-03-09 22:53:07,248 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:53:07,248 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:53:07,249 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790786.0 and ip:80.XX.XX.XX
2020-03-09 22:53:07,249 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:53:06
2020-03-09 22:53:07,250 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:3
2020-03-09 22:53:09,953 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:53:09,954 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:53:09,955 fail2ban.filter         [1]: DEBUG   Processing line with time:1583790789.0 and ip:80.XX.XX.XX
2020-03-09 22:53:09,955 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:53:09
2020-03-09 22:53:09,955 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 4. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:4
2020-03-09 22:53:10,500 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-09 22:53:10,502 fail2ban.observer       [1]: DEBUG   [bitwarden] Observer: ban found 80.XX.XX.XX, 6400
2020-03-09 22:53:10,513 fail2ban.utils          [1]: DEBUG   7feefc7c67c0 -- returned successfully 0
2020-03-09 22:53:10,522 fail2ban.utils          [1]: DEBUG   7feefc3eaab0 -- returned successfully 0
2020-03-09 22:53:10,532 fail2ban.utils          [1]: ERROR   7feefc9a4270 -- exec: iptables -w -I f2b-bitwarden 1 -s 80.XX.XX.XX -j REJECT --reject-with icmp-port-unreachable
2020-03-09 22:53:10,533 fail2ban.utils          [1]: ERROR   7feefc9a4270 -- stderr: 'iptables v1.8.3 (legacy): unknown option "--reject-with"'
2020-03-09 22:53:10,533 fail2ban.utils          [1]: ERROR   7feefc9a4270 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2020-03-09 22:53:10,533 fail2ban.utils          [1]: ERROR   7feefc9a4270 -- returned 2
2020-03-09 22:53:10,533 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': '80.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7feefc7d9dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7feefc7da4c0>})': Error banning 80.XX.XX.XX
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/fail2ban/server/actions.py", line 482, in __checkBan
    action.ban(aInfo)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 551, in ban
    raise RuntimeError("Error banning %(ip)s" % aInfo)
RuntimeError: Error banning 80.XX.XX.XX
2020-03-09 22:53:10,536 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'bitwarden'

F2B_IPTABLES_CHAIN=FORWARD

2020-03-09 22:57:47,536 fail2ban.transmitter    [1]: DEBUG   Status: ready
2020-03-09 22:59:08,086 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:59:08,087 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:59:08,092 fail2ban.filter         [1]: DEBUG   Processing line with time:1583791148.0 and ip:80.XX.XX.XX
2020-03-09 22:59:08,098 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:59:08
2020-03-09 22:59:08,099 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
2020-03-09 22:59:11,530 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:59:11,531 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:59:11,532 fail2ban.filter         [1]: DEBUG   Processing line with time:1583791151.0 and ip:80.XX.XX.XX
2020-03-09 22:59:11,533 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:59:11
2020-03-09 22:59:11,533 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:2
2020-03-09 22:59:15,048 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:59:15,048 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:59:15,049 fail2ban.filter         [1]: DEBUG   Processing line with time:1583791155.0 and ip:80.XX.XX.XX
2020-03-09 22:59:15,050 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:59:15
2020-03-09 22:59:15,050 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:3
2020-03-09 22:59:18,178 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 22:59:18,178 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 22:59:18,179 fail2ban.filter         [1]: DEBUG   Processing line with time:1583791158.0 and ip:80.XX.XX.XX
2020-03-09 22:59:18,180 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 22:59:18
2020-03-09 22:59:18,180 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 4. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:4
2020-03-09 22:59:18,245 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-09 22:59:18,245 fail2ban.observer       [1]: DEBUG   [bitwarden] Observer: ban found 80.XX.XX.XX, 6400
2020-03-09 22:59:18,257 fail2ban.utils          [1]: DEBUG   7fb4cfe07240 -- returned successfully 0
2020-03-09 22:59:18,265 fail2ban.utils          [1]: DEBUG   7fb4cf7eaab0 -- returned successfully 0
2020-03-09 22:59:18,274 fail2ban.utils          [1]: ERROR   7fb4cfda41e0 -- exec: iptables -w -I f2b-bitwarden 1 -s 80.XX.XX.XX -j REJECT --reject-with icmp-port-unreachable
2020-03-09 22:59:18,275 fail2ban.utils          [1]: ERROR   7fb4cfda41e0 -- stderr: 'iptables v1.8.3 (legacy): unknown option "--reject-with"'
2020-03-09 22:59:18,275 fail2ban.utils          [1]: ERROR   7fb4cfda41e0 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2020-03-09 22:59:18,275 fail2ban.utils          [1]: ERROR   7fb4cfda41e0 -- returned 2
2020-03-09 22:59:18,275 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': '80.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fb4cfbd9dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fb4cfbda4c0>})': Error banning 80.XX.XX.XX
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/fail2ban/server/actions.py", line 482, in __checkBan
    action.ban(aInfo)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 551, in ban
    raise RuntimeError("Error banning %(ip)s" % aInfo)
RuntimeError: Error banning 80.XX.XX.XX
2020-03-09 22:59:18,277 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'bitwarden'
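
The timezone mismatch described at the top of this comment is visible in fail2ban's own log: each `Found` line carries both fail2ban's clock and the timestamp parsed from the monitored log. The following is an added example, not part of the original thread or of the project's code; the log lines are constructed, the jail names `sshd` and `backlog` and the function names are hypothetical.

```python
import re
from datetime import datetime
from statistics import median

# Constructed fail2ban log lines in the format quoted in this thread.
# 203.0.113.x are documentation addresses, not real clients.
SAMPLE_LOG = """\
2020-03-05 22:53:26,758 fail2ban.filter         [1]: INFO    [bitwarden] Found 203.0.113.7 - 2020-03-05 21:53:26
2020-03-05 22:53:35,072 fail2ban.filter         [1]: INFO    [bitwarden] Found 203.0.113.7 - 2020-03-05 21:53:35
2020-03-05 22:53:38,592 fail2ban.filter         [1]: INFO    [bitwarden] Found 203.0.113.7 - 2020-03-05 21:53:38
2020-03-05 22:53:41,297 fail2ban.filter         [1]: INFO    [bitwarden] Found 203.0.113.7 - 2020-03-05 21:53:40
2020-03-09 22:46:13,130 fail2ban.filter         [1]: INFO    [sshd] Found 203.0.113.8 - 2020-03-09 22:46:13
2020-03-09 22:46:16,672 fail2ban.filter         [1]: INFO    [sshd] Found 203.0.113.8 - 2020-03-09 22:46:16
2020-03-09 10:00:00,010 fail2ban.filter         [1]: INFO    [backlog] Found 203.0.113.9 - 2020-03-09 09:53:20
"""

# seen  = fail2ban's wall clock when it processed the line
# event = timestamp fail2ban parsed out of the monitored log
FOUND = re.compile(
    r"^(?P<seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} fail2ban\.filter\s+"
    r"\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] Found \S+ - "
    r"(?P<event>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)
FMT = "%Y-%m-%d %H:%M:%S"


def classify_skew(skew, tolerance=60):
    """Label a skew in seconds; time zone offsets are multiples of 15 minutes."""
    if abs(skew) <= tolerance:
        return "ok"
    remainder = abs(skew) % 900
    if min(remainder, 900 - remainder) <= tolerance:
        return "timezone-offset"
    return "lag-or-drift"


def clock_skew(log_text, tolerance=60):
    """Return {jail: (median_skew_seconds, label)} from fail2ban 'Found' lines.

    A positive skew means the monitored log's timestamps are behind fail2ban's clock.
    """
    per_jail = {}
    for line in log_text.splitlines():
        m = FOUND.match(line)
        if not m:
            continue
        seen = datetime.strptime(m["seen"], FMT)
        event = datetime.strptime(m["event"], FMT)
        per_jail.setdefault(m["jail"], []).append((seen - event).total_seconds())
    return {
        jail: (median(values), classify_skew(median(values), tolerance))
        for jail, values in per_jail.items()
    }


if __name__ == "__main__":
    for jail, (skew, label) in clock_skew(SAMPLE_LOG).items():
        print(f"{jail}: median skew {skew:+.0f}s -> {label}")
```

A `timezone-offset` result points at a `TZ` mismatch between the two containers rather than at slow log processing.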

@crazy-max
Owner

Hi @sosandroid, this error seems related to Synology and/or iptables version. Maybe this thread can help you: https://serverfault.com/questions/664160/fail2ban-error-on-setting-iptables-on-synology-nas

@sosandroid
Author

sosandroid commented Mar 9, 2020

Thank you @crazy-max

Without reading this thread, I tried the proposed solution: moving to the DROP command.
This is not blocking either. Despite the log of the banned IP, I can still try false creds and then log in with a valid account.

2020-03-09 23:43:04,736 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2020-03-09 23:43:04,736 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = '<iptables> -N f2b-bitwarden\n<iptables> -A f2b-bitwarden -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-bitwarden\n<iptables> -F f2b-bitwarden\n<iptables> -X f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction  [1]: DEBUG     Set actionflush = '<iptables> -F f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-bitwarden[ \\t]'"
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '<iptables> -I f2b-bitwarden 1 -s <ip> -j <blocktype>'
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = '<iptables> -D f2b-bitwarden -s <ip> -j <blocktype>'
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set name = 'bitwarden'
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'iptables-allports'
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set chain = 'INPUT'
2020-03-09 23:43:04,737 fail2ban.CommandAction  [1]: DEBUG     Set port = 'ssh'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set protocol = 'tcp'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set blocktype = 'DROP'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set returntype = 'RETURN'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set lockingopt = '-w'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set iptables = 'iptables <lockingopt>'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set blocktype?family=inet6 = 'DROP'
2020-03-09 23:43:04,738 fail2ban.CommandAction  [1]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-03-09 23:43:04,739 fail2ban.jail           [1]: DEBUG   Starting jail 'bitwarden'
2020-03-09 23:43:04,739 fail2ban.filterpyinotif [1]: DEBUG   [bitwarden] filter started (pyinotifier)
2020-03-09 23:43:04,741 fail2ban.jail           [1]: INFO    Jail 'bitwarden' started
2020-03-09 23:43:04,741 fail2ban.transmitter    [1]: DEBUG   Status: ready
2020-03-09 23:44:37,877 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 64
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x100 name=db.sqlite3-wal wd=1 >
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x100 name=db.sqlite3-shm wd=1 >
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG   Ignoring creation of /bitwarden/db.sqlite3-wal we do not monitor
2020-03-09 23:44:37,879 fail2ban.filterpyinotif [1]: DEBUG   Ignoring creation of /bitwarden/db.sqlite3-shm we do not monitor
2020-03-09 23:44:38,609 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 23:44:38,609 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:38,615 fail2ban.filter         [1]: DEBUG   Processing line with time:1583793878.0 and ip:80.XX.XX.XX
2020-03-09 23:44:38,623 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:38
2020-03-09 23:44:38,623 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
2020-03-09 23:44:41,327 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 23:44:41,328 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:41,329 fail2ban.filter         [1]: DEBUG   Processing line with time:1583793881.0 and ip:80.XX.XX.XX
2020-03-09 23:44:41,329 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:41
2020-03-09 23:44:41,329 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:2
2020-03-09 23:44:44,949 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 23:44:44,949 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:44,950 fail2ban.filter         [1]: DEBUG   Processing line with time:1583793884.0 and ip:80.XX.XX.XX
2020-03-09 23:44:44,950 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:44
2020-03-09 23:44:44,951 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:3
2020-03-09 23:44:47,829 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 23:44:47,830 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:47,831 fail2ban.filter         [1]: DEBUG   Processing line with time:1583793887.0 and ip:80.XX.XX.XX
2020-03-09 23:44:47,831 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:47
2020-03-09 23:44:47,831 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 4. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:4
2020-03-09 23:44:48,066 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-09 23:44:48,066 fail2ban.observer       [1]: DEBUG   [bitwarden] Observer: ban found 80.XX.XX.XX, 6400
2020-03-09 23:44:48,078 fail2ban.utils          [1]: DEBUG   7fb73a032240 -- returned successfully 0
2020-03-09 23:44:48,087 fail2ban.utils          [1]: DEBUG   7fb739a17a40 -- returned successfully 0
2020-03-09 23:44:48,095 fail2ban.utils          [1]: DEBUG   7fb739a17ab0 -- returned successfully 0
2020-03-09 23:44:48,096 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'bitwarden'
2020-03-09 23:44:55,188 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-03-09 23:44:55,189 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:55,190 fail2ban.filter         [1]: DEBUG   Processing line with time:1583793895.0 and ip:80.XX.XX.XX
2020-03-09 23:44:55,190 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:55
2020-03-09 23:44:55,191 fail2ban.failmanager    [1]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1

@crazy-max
Owner

crazy-max commented Mar 22, 2020

@sosandroid Can you post all config files without sensitive values? (docker-compose.yml, .env, jails, actions, etc..). And also, is Bitwarden deployed through Docker? If so you have to use DOCKER-USER as F2B_IPTABLES_CHAIN.

@sosandroid
Author

Hello,

From your request I realized I did not use any docker-compose.yml file. I used the Synology GUI instead. Before replying, I wanted to test using a proper docker-compose.yml.

To answer the question about Bitwarden, I am using it through Docker with the bitwardenrs/server:latest image.

Here we go with a working solution on Synology:

Modifying the REJECT command to DROP by adding action.d/iptables-common.local. The first one is not supported by iptables on Synology.

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP

Setting the filter: filter.d/bitwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

Setting the jail: jail.d/bitwarden.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]
#action = route

[bitwarden]
enabled = true
port = 80,81,443,8081
filter = bitwarden
logpath = /bitwarden/bitwarden.log

Last but not least, the docker-compose.yml

version: '3'
services:
  fail2ban:
    container_name: fail2ban
    restart: always
    image: crazymax/fail2ban:latest
    environment: 
    - TZ=Europe/Paris
    - F2B_DB_PURGE_AGE=30d
    - F2B_LOG_TARGET=/data/fail2ban.log
    - F2B_LOG_LEVEL=DEBUG
    - F2B_IPTABLES_CHAIN=INPUT

    volumes:
    - /volumeX/docker/fail2ban:/data
    - /volumeX/docker/bw-data:/bitwarden:ro

    network_mode: "host"

    privileged: true
    cap_add:
        - NET_ADMIN
        - NET_RAW

The issue was about adding the capabilities NET_ADMIN and NET_RAW, according to my understanding. Synology's Docker GUI does not allow such settings.
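
One way to check from the fail2ban log whether each logged `Ban` was actually accepted by iptables, covering the two failures quoted in this thread (missing chain, unsupported `--reject-with`). This is an added example, not part of the original thread or of the project's code; the log lines are constructed, the function and label names are hypothetical, and the `Permission denied` hint is an assumption about how iptables reports a container lacking NET_ADMIN.

```python
import re

# Constructed fail2ban log, modelled on the lines quoted in this thread.
# 203.0.113.x are documentation addresses, not real clients.
SAMPLE_LOG = """\
2020-03-09 22:46:20,656 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 203.0.113.7
2020-03-09 22:46:20,667 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- stderr: 'iptables: Chain already exists.'
2020-03-09 22:46:20,668 fail2ban.utils          [1]: ERROR   7f4bf7d00240 -- stderr: 'iptables: No chain/target/match by that name.'
2020-03-09 22:46:20,668 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info '...': Error starting action
2020-03-09 22:53:10,500 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 203.0.113.8
2020-03-09 22:53:10,533 fail2ban.utils          [1]: ERROR   7feefc9a4270 -- stderr: 'iptables v1.8.3 (legacy): unknown option "--reject-with"'
2020-03-09 22:53:10,533 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info '...': Error banning 203.0.113.8
2020-03-09 23:44:48,066 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 203.0.113.9
2020-03-09 23:44:48,095 fail2ban.utils          [1]: DEBUG   7fb739a17ab0 -- returned successfully 0
2020-03-09 23:44:48,096 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'bitwarden'
"""

BAN = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)"
)
STDERR = re.compile(r"fail2ban\.utils\s+\[\d+\]: ERROR\s+\S+ -- stderr: (?P<msg>.*)$")
FAILED = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)'"
)

# stderr fragment -> label. The first two come from this thread's logs;
# the third is an assumption (see the lead-in).
CAUSES = [
    ('unknown option "--reject-with"', "reject-unsupported"),    # set blocktype = DROP
    ("No chain/target/match by that name", "missing-chain-or-target"),  # check F2B_IPTABLES_CHAIN
    ("Permission denied", "missing-net-admin"),                  # add NET_ADMIN / NET_RAW
]


def classify(stderr_lines):
    """Map collected iptables stderr output to a cause label."""
    for needle, label in CAUSES:
        if any(needle in line for line in stderr_lines):
            return label
    return "unknown"


def audit_bans(log_text):
    """Pair every 'Ban' notice with the outcome of its firewall action."""
    results, current = [], None
    for line in log_text.splitlines():
        m = BAN.search(line)
        if m:
            current = {"jail": m["jail"], "ip": m["ip"],
                       "action_ok": True, "cause": None, "stderr": []}
            results.append(current)
            continue
        if current is None:
            continue
        m = STDERR.search(line)
        if m:
            current["stderr"].append(m["msg"])
            continue
        m = FAILED.search(line)
        if m and m["jail"] == current["jail"]:
            current["action_ok"] = False
            current["cause"] = classify(current["stderr"])
    return results


if __name__ == "__main__":
    for ban in audit_bans(SAMPLE_LOG):
        state = "rule inserted" if ban["action_ok"] else f"NOT enforced ({ban['cause']})"
        print(f"[{ban['jail']}] {ban['ip']}: {state}")
```

An `action_ok` result only shows that iptables accepted the rule: the DROP attempt earlier in the thread returned success for every command and still did not block the client.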

@sosandroid
Author

Closed

@ladromelaboratoire

Full solution pushed there: https://github.com/sosandroid/docker-fail2ban-synology
