
Dockerized fail2ban unable to block banned ip from sending request to nginx port 80 and port 443. #41

Closed
1 of 3 tasks
jasonrichdarmawan opened this issue Apr 25, 2020 · 2 comments

Comments

@jasonrichdarmawan

jasonrichdarmawan commented Apr 25, 2020

I have made exact issue on fail2ban/fail2ban repository.

fail2ban/fail2ban#2700 (comment)

sudo docker exec -ti fail2ban fail2ban-client -d | grep odoo output

['add', 'odoo', 'auto']
['set', 'odoo', 'usedns', 'warn']
['set', 'odoo', 'addfailregex', '^ \\d+ INFO \\S+ \\S+ Login failed for db:\\S+ login:\\S+ from <HOST>']
['set', 'odoo', 'maxretry', 5]
['set', 'odoo', 'maxmatches', 5]
['set', 'odoo', 'findtime', '10m']
['set', 'odoo', 'bantime', '1m']
['set', 'odoo', 'bantime.increment', True]
['set', 'odoo', 'bantime.rndtime', '59']
['set', 'odoo', 'bantime.overalljails', True]
['set', 'odoo', 'ignorecommand', '']
['set', 'odoo', 'logencoding', 'auto']
['set', 'odoo', 'addlogpath', '/var/log/odoo/odoo.access.log', 'head']
['set', 'odoo', 'addaction', 'iptables-multiport']
['multi-set', 'odoo', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-odoo\n<iptables> -A f2b-odoo -j RETURN\n<iptables> -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo'], ['actionstop', '<iptables> -D DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo\n<iptables> -F f2b-odoo\n<iptables> -X f2b-odoo'], ['actionflush', '<iptables> -F f2b-odoo'], ['actioncheck', "<iptables> -n -L DOCKER-USER | grep -q 'f2b-odoo[ \\t]'"], ['actionban', '<iptables> -I f2b-odoo 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-odoo -s <ip> -j <blocktype>'], ['name', 'odoo'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', 'DOCKER-USER'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'odoo']

Environment:

  • Fail2Ban version (including any possible distribution suffixes): 0.11.1
  • OS, including release name/version: Centos 8.1911
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below is so)

The issue:

The banned IP address can't access SSH but can still access the web behind the reverse proxy. For more detail, I have pushed it to the fail2ban-experiment branch

Summary here

Steps to reproduce

  1. git clone https://github.com/tempatkerja/docker-odoo-https/tree/fail2ban-experiment
  2. add privkey.pem and fullchain.pem to ./volumes/nginx/certs
  3. sudo docker-compose up
  4. sudo docker exec -ti fail2ban fail2ban-client set odoo banip

Expected behavior

The banned IP address can't access ports HTTP and HTTPS.

Observed behavior

  1. If you use chain = INPUT and banaction = iptables-allports to banip, the banned IP address can't access port SSH but can still access ports HTTP and HTTPS.
  2. If you use chain = DOCKER-USER and banaction = iptables-multiport to banip, the banned IP address can still access ports HTTP and HTTPS. The log is in the section Relevant parts of sudo docker-compose logs.

Configuration, dump and another helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

cat volumes/fail2ban/config/jail.d/jail.local

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows the database to be searched for previously banned IPs so the
# default ban time can be increased using a special formula; by default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# "bantime.rndtime" is the max number of seconds used for mixing with a random time
# to prevent "clever" botnets from calculating the exact time an IP can be unbanned again:
bantime.rndtime = 59

# "bantime.overalljails" (if true) specifies that the search for the IP in the database will be executed
# across all jails; if false (default), only the current jail of the banned IP will be searched
bantime.overalljails = true

# --------------------

# "bantime" is the number of seconds that a host is banned.
bantime = 1m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

#
# HTTP servers
#

[odoo]

enabled = true

chain = DOCKER-USER

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

port = http,https

logpath = /var/log/odoo/odoo.access.log

Relevant parts of sudo docker-compose logs

fail2ban    | 2020-04-25 07:48:16,198 fail2ban.actions        [1]: NOTICE  [odoo] Ban 158.140.187.220
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- exec: iptables -w -N f2b-odoo
fail2ban    | iptables -w -A f2b-odoo -j RETURN
fail2ban    | iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- stderr: 'iptables: No chain/target/match by that name.'
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- returned 1
fail2ban    | 2020-04-25 07:48:16,213 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'odoo' action 'iptables-multiport' info 'ActionInfo({'ip': '158.140.187.220', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f4b44c3dca0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f4b44c3e3a0>})': Error starting action Jail('odoo')/iptables-multiport: 'Script error'
fail2ban    | 2020-04-25 07:49:17,665 fail2ban.actions        [1]: NOTICE  [odoo] Unban 158.140.187.220
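The log excerpt above shows the failure mode that makes this bug dangerous: fail2ban logs "Ban 158.140.187.220" and later "Unban", yet the ban action errored out ("No chain/target/match by that name"), so no firewall rule was ever inserted and the host stayed reachable. The script below is an added example (not code from this issue, the fail2ban project, or the docker-fail2ban image) with two checks a practitioner would want: one scans the fail2ban log for Ban notices whose action reported failure, and the other inspects `iptables -S` output to confirm that the jail chain exists, that DOCKER-USER actually jumps into it before any unconditional RETURN, and that the IP has a REJECT/DROP rule. The log lines and rule dumps are constructed samples modelled on the issue (numeric ports and `/32` masks are how `iptables -S` prints them); the third rule dump reproduces the author's first attempt (chain = INPUT), which the check flags because traffic to published container ports is forwarded through DOCKER-USER rather than delivered to INPUT.

```python
"""Verify that fail2ban bans were actually enforced by iptables.

Two checks:
  1. unenforced_bans(): pair "[jail] Ban <ip>" notices with
     "Failed to execute ban jail '<jail>' ... 'ip': '<ip>'" errors.
  2. ban_enforced(): given `iptables -S` output, confirm the f2b-<jail>
     chain exists, <chain> jumps into it (before any bare RETURN), and
     the IP has a REJECT/DROP rule in it.
"""
import re
from typing import List, Set, Tuple

# Constructed sample, modelled on the docker-compose log excerpt in the
# issue (the "fail2ban    | " prefix stripped, ActionInfo shortened).
SAMPLE_LOG = """\
2020-04-25 07:48:16,198 fail2ban.actions        [1]: NOTICE  [odoo] Ban 158.140.187.220
2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- exec: iptables -w -N f2b-odoo
2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-04-25 07:48:16,213 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'odoo' action 'iptables-multiport' info 'ActionInfo({'ip': '158.140.187.220', 'family': 'inet4'})': Error starting action Jail('odoo')/iptables-multiport: 'Script error'
2020-04-25 07:49:17,665 fail2ban.actions        [1]: NOTICE  [odoo] Unban 158.140.187.220
2020-04-25 07:50:01,000 fail2ban.actions        [1]: NOTICE  [odoo] Ban 203.0.113.7
"""

# Constructed `iptables -S` dumps (hypothetical rulesets).
SAMPLE_RULES_OK = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-N f2b-odoo
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -p tcp -m multiport --dports 80,443 -j f2b-odoo
-A DOCKER-USER -j RETURN
-A f2b-odoo -s 158.140.187.220/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-odoo -j RETURN
"""

# The author's first attempt: ban hooked into INPUT only.
SAMPLE_RULES_INPUT_ONLY = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-N f2b-odoo
-A INPUT -p tcp -j f2b-odoo
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A f2b-odoo -s 158.140.187.220/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-odoo -j RETURN
"""

# What the container saw in the issue: no DOCKER-USER chain at all.
SAMPLE_RULES_NO_DOCKER_USER = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-odoo
-A f2b-odoo -j RETURN
"""

BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
FAIL_RE = re.compile(
    r"Failed to execute ban jail '(?P<jail>[^']+)'.*?'ip': '(?P<ip>[^']+)'")


def unenforced_bans(log_text: str) -> Set[Tuple[str, str]]:
    """Return {(jail, ip)} for bans fail2ban announced but failed to apply."""
    banned, failed = set(), set()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            banned.add((m.group("jail"), m.group("ip")))
            continue
        m = FAIL_RE.search(line)
        if m:
            failed.add((m.group("jail"), m.group("ip")))
    return failed & banned


def ban_enforced(rules_text: str, jail: str, ip: str,
                 chain: str = "DOCKER-USER") -> List[str]:
    """Return a list of problems; an empty list means the ban is in effect."""
    f2b_chain = f"f2b-{jail}"
    lines = rules_text.splitlines()
    problems: List[str] = []
    if f"-N {f2b_chain}" not in lines:
        problems.append(f"chain {f2b_chain} does not exist (actionstart never ran)")
    if f"-N {chain}" not in lines and not any(l.startswith(f"-P {chain} ") for l in lines):
        problems.append(f"chain {chain} does not exist")
    # `iptables -S` lists rules in match order, so position matters.
    chain_rules = [l for l in lines if l.startswith(f"-A {chain} ")]
    jump_idx = next((i for i, l in enumerate(chain_rules)
                     if l.endswith(f"-j {f2b_chain}")), None)
    if jump_idx is None:
        problems.append(f"{chain} has no jump to {f2b_chain}")
    elif any(l == f"-A {chain} -j RETURN" for l in chain_rules[:jump_idx]):
        problems.append(f"{chain} returns before reaching {f2b_chain}; "
                        "the jump must be inserted first (-I)")
    ban_rules = [l for l in lines
                 if l.startswith(f"-A {f2b_chain} -s {ip}/32 ")
                 and re.search(r"-j (REJECT|DROP)\b", l)]
    if not ban_rules:
        problems.append(f"{ip} has no REJECT/DROP rule in {f2b_chain}")
    return problems


if __name__ == "__main__":
    print("announced but unenforced:", unenforced_bans(SAMPLE_LOG))
    for name, rules in [("ok", SAMPLE_RULES_OK),
                        ("input-only", SAMPLE_RULES_INPUT_ONLY),
                        ("no-docker-user", SAMPLE_RULES_NO_DOCKER_USER)]:
        print(name, ban_enforced(rules, "odoo", "158.140.187.220") or "enforced")
```

Against a live host, feed `ban_enforced()` the output of `iptables -S` run in the same network namespace the fail2ban container manipulates; the "Failed to execute ban" line is the one worth alerting on, since fail2ban still counts such an IP as banned and will log an Unban for it later.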
@crazy-max
Owner

@jasononggo

git clone https://github.com/tempatkerja/docker-odoo-https/tree/fail2ban-experiment

Branch does not exist.

'iptables: No chain/target/match by that name.'

Duplicate of #36 and maybe #40?

Also please create a bug report related to this repo.

@jasonrichdarmawan
Author

jasonrichdarmawan commented Apr 27, 2020

@crazy-max
I updated the repository with the linuxserver/letsencrypt repository.

linuxserver/letsencrypt repository has built-in dockerized Fail2ban with iptables chain DOCKER-USER.

I am assuming dockerized fail2ban needs 2 services (one attached to the iptables chain DOCKER-USER and one attached to the iptables chain INPUT) to work as intended (filtering ports SSH, HTTP, and HTTPS).

I think this is not a bug but more like the iptables chain order behavior with Docker.

I have updated it to the Dockerized Odoo with HTTPS behind Proxy repository.
