
f2b adding to iptables but not banning #64

Closed
modem7 opened this issue Sep 5, 2020 · 2 comments

Comments

@modem7

modem7 commented Sep 5, 2020

Behaviour

Steps to reproduce this issue

Bitwarden + f2b

Docker compose file:

```yaml
# Fail2Ban - Intrusion prevention vs brute force attacks
  fail2ban:
    image: crazymax/fail2ban
    container_name: Fail2ban
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    privileged: true
    volumes:
      - $USERDIR/Fail2ban:/data
      - /var/log:/var/log:ro
      - /etc/localtime:/etc/localtime:ro
      - $USERDIR/Traefik/traefik.log:/traefik.log:ro
      - $USERDIR/Bitwarden/Data/bitwarden.log:/bitwarden.log:ro
      - $USERDIR/Authelia/authelia.log:/authelia.log:ro
    restart: always
    environment:
      - TZ=$TZ
      - SSMTP_HOST=$BW_SMTP_HOST
      - SSMTP_PORT=$BW_SMTP_PORT
      - SSMTP_USER=$BW_SMTP_USERNAME
      - SSMTP_PASSWORD=$BW_SMTP_PASSWORD
      - SSMTP_TLS=YES
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
```

Bitwarden log:

```text
today at 10:30 PM [2020-09-05 22:30:14.258][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:22.462][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:24.183][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:25.533][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:26.683][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
```

F2B Log:

    today at 10:26 PM Setting timezone to Europe/London...
    today at 10:26 PM ln: /etc/localtime: File exists
    today at 10:26 PM Setting SSMTP configuration...
    today at 10:26 PM Initializing files and folders...
    today at 10:26 PM Setting Fail2ban configuration...
    today at 10:26 PM Checking for custom actions in /data/action.d...
    today at 10:26 PM Checking for custom filters in /data/filter.d...
    today at 10:26 PM Add custom filter authelia.conf...
    today at 10:26 PM Add custom filter bitwarden-admin.conf...
    today at 10:26 PM WARNING: bitwarden.conf already exists and will be overriden
    today at 10:26 PM Add custom filter bitwarden.conf...
    today at 10:26 PM WARNING: traefik-auth.conf already exists and will be overriden
    today at 10:26 PM Add custom filter traefik-auth.conf...
    today at 10:26 PM Add custom filter traefik-botsearch.conf...
    today at 10:26 PM 2020-09-05 22:26:38,592 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,593 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to /data/fail2ban.log
    today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
    today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf']
    today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,608 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
    today at 10:26 PM 2020-09-05 22:26:38,609 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,611 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/traefik.conf']
    today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/authelia.conf', '/etc/fail2ban/jail.d/bitwarden.conf', '/etc/fail2ban/jail.d/traefik.conf']
    today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/bitwarden under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,621 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
    today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configreader   [1]: INFO    Loading configs for action.d/iptables-allports under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
    today at 10:26 PM 2020-09-05 22:26:38,625 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
    today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/traefik-auth under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
    today at 10:26 PM 2020-09-05 22:26:38,629 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
    today at 10:26 PM 2020-09-05 22:26:38,631 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/authelia under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,632 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,633 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,635 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/traefik-botsearch under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,636 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-botsearch.conf']
    today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf', '/etc/fail2ban/filter.d/traefik-botsearch.conf']
    today at 10:26 PM Server ready

Jail.d/Bitwarden.conf

```ini
[DEFAULT]

ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 3600
findtime = 3600
maxretry = 3
action = iptables-allports[name=bitwarden, DOCKER]

[bitwarden]
enabled = true
port = 80,443,8089,3012
filter = bitwarden
#action = iptables-allports[name=bitwarden, DOCKER-USER]
action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600

[bitwarden-admin]
enabled = false
port = 80,443,8081
filter = bitwarden-admin
##action = iptables-allports[name=bitwarden, chain=forward]
action = iptables-allports[name=bitwarden, DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600
```

filter.d/bitwarden.conf

```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
```

IPTables:

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.22.0.108         tcp dpt:ttat3lb
ACCEPT     tcp  --  anywhere             172.22.0.101         tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.22.0.109         tcp dpt:8089
ACCEPT     tcp  --  anywhere             172.22.0.109         tcp dpt:twsdss
ACCEPT     tcp  --  anywhere             172.22.0.107         tcp dpt:intermapper
ACCEPT     tcp  --  anywhere             172.22.0.103         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.102         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.111         tcp dpt:31337
ACCEPT     tcp  --  anywhere             172.33.0.4           tcp dpt:hbci
ACCEPT     tcp  --  anywhere             172.22.0.105         tcp dpt:sunwebadmins
ACCEPT     tcp  --  anywhere             172.22.0.106         tcp dpt:owms
ACCEPT     tcp  --  anywhere             172.22.0.104         tcp dpt:5076
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:https
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-bitwarden  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-bitwarden (1 references)
target     prot opt source               destination
REJECT     all  --  148.252.132.248      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
```

Expected behaviour

IP should be banned

Actual behaviour

IP is added to IPtables, but still has access

Configuration

  • Docker version (type docker --version) : Docker version 19.03.5, build 633a0ea838
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.24.1, build 4667896
  • Platform (Debian 9, Ubuntu 18.04, ...) : Fedora
  • System info (type uname -a) :
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

```text
Client:
 Debug Mode: false

Server:
 Containers: 29
  Running: 28
  Paused: 0
  Stopped: 1
 Images: 30
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.19-100.fc27.x86_64
 Operating System: Fedora 27 (Twenty Seven)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.37GiB
 Name: HDA
 ID: Q4JX:I4DV:JYBQ:V35U:7SZG:FIQG:RPJR:5VGZ:TTSC:P5W3:EFBG:IYAJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: modem7
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

@hexxone

hexxone commented Sep 7, 2020

Hi there :)
I would recommend setting "banaction" directly instead of "action".
Also I'm not sure if you should use the same filter action name for two different jails.
Keeping them separate is usually better imo.

Also remember: if you are using some kind of proxy (like cloudflare) and traffic is coming in on SSL, the real IP can't be seen (in the encrypted "x-forwarded-for"-header), meaning the request won't be blocked and still show up in the logs.

Hope this helps a little, cheers :)

@modem7
Author

modem7 commented Sep 8, 2020

> Hi there :)
> I would recommend setting "banaction" directly instead of "action".
> Also I'm not sure if you should use the same filter action name for two different jails.
> Keeping them separate is usually better imo.
>
> Also remember: if you are using some kind of proxy (like cloudflare) and traffic is coming in on SSL, the real IP can't be seen (in the encrypted "x-forwarded-for"-header), meaning the request won't be blocked and still show up in the logs.
>
> Hope this helps a little, cheers :)

Heya,

Thank you for replying! You've certainly triggered a thought process re Cloudflare.

So I was passing the real IP of the client, but that obviously wasn't the IP address that was hitting the server (due to CF).

My solution was to use Fail2Ban with the Cloudflare action and get f2b to block at Cloudflare instead of at the server, also more secure that way in many respects.

Solution:

```ini
[bitwarden]
enabled = true
port = 80,443,8089,3012
filter = bitwarden
logpath = /bitwarden.log
action = iptables-multiport
         cloudflare
findtime = 3600
bantime = 3600
maxretry = 3

[bitwarden-admin]
enabled = true
port = 80,443,8081
filter = bitwarden-admin
action = iptables-multiport
         cloudflare
logpath = /bitwarden.log
maxretry = 3
bantime = 3600
findtime = 3600
```

Setting up the cloudflare action: https://community.cloudflare.com/t/can-i-still-use-fail2ban-while-using-cloudflare-article/63674

Thanks again!
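The thread's diagnosis can be reproduced offline. The following is an added example, not code from the issue or from the fail2ban/crazymax projects: it replays Bitwarden-style log lines through the issue's own `failregex` with the jail's `findtime`/`maxretry` values, then models the one thing the inserted `REJECT` rule can match on, the packet's layer-3 source. When a CDN or reverse proxy terminates the connection, the address the application logs (taken from a forwarded header) is never the address that opens the TCP connection to the host, so the rule is present in iptables yet never fires. Assumptions: the `<ADDR>` expansion is simplified to IPv4/IPv6 literals (real fail2ban also accepts hostnames), the sample log lines are constructed and use RFC 5737 documentation addresses, and `would_block`/`bans_for` are hypothetical helper names, not fail2ban APIs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from the issue's filter.d/bitwarden.conf. fail2ban expands its
# <ADDR> placeholder itself; the expansion below is an assumption covering
# dotted IPv4 and colon-separated IPv6 literals only.
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)"
FAILREGEX = re.compile(
    r"^.*Username or password is incorrect\. Try again\. IP: " + ADDR + r"\. Username:.*$"
)
# Bitwarden's own timestamp prefix, e.g. [2020-09-05 22:30:14.258]
TIMESTAMP = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\]")

# Jail values from the issue.
FINDTIME = timedelta(seconds=3600)
MAXRETRY = 3

# Constructed sample log in the format the issue shows (RFC 5737 addresses):
# 203.0.113.7 fails three times within seconds; 198.51.100.5 fails three times
# but spread over more than findtime, so it never reaches maxretry in a window.
SAMPLE_LOG = [
    "[2020-09-05 20:00:00.000][error][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: b@example.com.",
    "[2020-09-05 21:30:00.000][error][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: b@example.com.",
    "[2020-09-05 22:30:14.258][error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.",
    "[2020-09-05 22:30:22.462][error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.",
    "[2020-09-05 22:30:23.000][info][INFO] Startup complete.",
    "[2020-09-05 22:30:24.183][error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.",
    "[2020-09-05 22:32:00.000][error][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.5. Username: b@example.com.",
]


def parse_line(line):
    """Return (timestamp, address) for a line the failregex matches, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = TIMESTAMP.search(line)
    if not ts:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("addr")


def bans_for(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log the way a jail counts: per address, keep only failure
    times no older than findtime, and ban once that window holds maxretry
    entries. Returns {address: time the ban was decided}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, addr = parsed
        if addr in banned:
            continue
        q = window[addr]
        q.append(ts)
        while ts - q[0] > findtime:  # q is never empty here: ts itself was just appended
            q.popleft()
        if len(q) >= maxretry:
            banned[addr] = ts
    return banned


def would_block(banned, logged_ip, connecting_from=None):
    """Model of the 'REJECT ... -s <ip>' rule fail2ban inserts: it matches the
    packet's L3 source and nothing else. logged_ip is the client address as the
    application wrote it; connecting_from is the address that actually opens
    the TCP connection to the host (a CDN or reverse-proxy edge), or None when
    the client connects directly."""
    packet_src = connecting_from or logged_ip
    return packet_src in banned


if __name__ == "__main__":
    bans = bans_for(SAMPLE_LOG)
    print("banned:", bans)
    print("direct client rejected:", would_block(bans, "203.0.113.7"))
    print("same client via edge 192.0.2.1 rejected:",
          would_block(bans, "203.0.113.7", connecting_from="192.0.2.1"))
```

The second `would_block` call is the situation in this issue: the ban is correct and visible in `iptables -L f2b-bitwarden`, but every packet arrives from the edge address, so the rule never matches. That is why blocking has to happen where the client address is actually seen, which is what the `cloudflare` action above does.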

modem7 closed this as completed Sep 8, 2020