You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fail2Ban version (including any possible distribution suffixes): 0.11.1
OS, including release name/version: Centos 8.1911
Fail2Ban installed via OS/distribution mechanisms
You have not applied any additional foreign patches to the codebase
Some customizations were done to the configuration (provide details below is so)
The issue:
The banned ip address can't access SSH but still can access the web behind Reverse Proxy. For more detail, I have git push to the fail2ban-experiment branch
add privkey.pem and fullchain.pem to ./volumes/nginx/certs
sudo docker-compose up
sudo docker exec -ti fail2ban fail2ban-client set odoo banip
Expected behavior
The banned ip address can't access port HTTP and HTTPS.
Observed behavior
If you use chain = INPUT and banaction = iptables-allports to banip. The banned ip address can't access port SSH but still can access port HTTP and HTTPS.
If you use chain = DOCKER-USER and banaction = iptables-multiport to banip. The banned ip address still can access port HTTP and HTTPS. The log is in section Relevant parts of sudo docker-compose logs
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
cat volumes/fail2ban/config/jail.d/jail.local
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true
# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 59
# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
bantime.overalljails = true
# --------------------
# "bantime" is the number of seconds that a host is banned.
bantime = 1m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
#
# HTTP servers
#
[odoo]
enabled = true
chain = DOCKER-USER
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
port = http,https
logpath = /var/log/odoo/odoo.access.log
linuxserver/letsencrypt repository has built-in dockerized Fail2ban with iptables chain DOCKER-USER.
I am assuming dockerized fail2ban need 2 services (one attached with iptables chain DOCKER-USER and one attached with iptables chain INPUT) to works as intended (filtering port SSH, HTTP, and HTTPS).
I think this is not bug issue but more like the iptables chains order behavior with Docker.
I have made exact issue on fail2ban/fail2ban repository.
fail2ban/fail2ban#2700 (comment)
sudo docker exec -ti fail2ban fail2ban-client -d | grep odoo
outputEnvironment:
The issue:
The banned ip address can't access SSH but still can access the web behind Reverse Proxy. For more detail, I have git push to the fail2ban-experiment branch
Summary here
Steps to reproduce
./volumes/nginx/certs
Expected behavior
The banned ip address can't access port HTTP and HTTPS.
Observed behavior
chain = INPUT
andbanaction = iptables-allports
to banip. The banned ip address can't access port SSH but still can access port HTTP and HTTPS.chain = DOCKER-USER
andbanaction = iptables-multiport
to banip. The banned ip address still can access port HTTP and HTTPS. The log is in section Relevant parts ofsudo docker-compose logs
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
cat volumes/fail2ban/config/jail.d/jail.local
Relevant parts of
sudo docker-compose logs
The text was updated successfully, but these errors were encountered: