docker-fail2ban
fail2ban is registering but not blocking specific ip address
Behaviour
Steps to reproduce this issue
- Try to log in to vaultwarden with wrong user/password credentials from the private IP address 172.18.0.1
Expected behaviour
The IP address 172.18.0.1 should be banned, and new connections should no longer be possible for a defined time.
Actual behaviour
The IP address 172.18.0.1 is being registered in the fail2ban log. The command

```
docker exec -ti fail2ban fail2ban-client status
```

shows the following entries:

```
Status
|- Number of jail:      2
`- Jail list:   vaultwarden, vaultwarden-admin
```

The command

```
docker exec -ti fail2ban iptables -nvL
```

shows the following entries:

```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 f2b-vaultwarden  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination

Chain f2b-vaultwarden (1 references)
 pkts bytes target           prot opt in     out     source               destination
    0     0 DROP             all  --  *      *       172.18.0.1           0.0.0.0/0
    0     0 RETURN           all  --  *      *       0.0.0.0/0            0.0.0.0/0
```
Configuration
- Docker version (type `docker --version`): Docker version 20.10.12, build e91ed57
- Docker compose version if applicable (type `docker-compose --version`): docker-compose version 1.29.2, build unknown
- Platform (Debian 9, Ubuntu 18.04, ...): Raspbian/armv7l
- System info (type `uname -a`): Linux raspberrypi 5.10.63-v7l+ #1496 SMP Wed Dec 1 15:58:56 GMT 2021 armv7l GNU/Linux
- Include all necessary configuration files: `docker-compose.yml`, `.env`, ...
docker-compose.yml
```yaml
version: '3'
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - WEBSOCKET_ENABLED=true
      - ADMIN_TOKEN=XXXXXXXX
      - LOG_LEVEL=INFO
      - LOG_FILE=/data/vaultwarden_access.log
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 8080:80 # Needed for the ACME HTTP-01 challenge.
      - 8443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=https://mydomain.com # Your domain.
      - [email protected] # The email address to use for ACME registration.
      - LOG_FILE=/data/caddy_access.log
  fail2ban:
    container_name: fail2ban
    restart: always
    image: crazymax/fail2ban:latest
    environment:
      - TZ=Europe/Zurich
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=DEBUG
      - F2B_IPTABLES_CHAIN=INPUT
      - SSMTP_HOST=smtp.gmail.com
      - SSMTP_PORT=587
      - SSMTP_HOSTNAME=raspberrypi
      - [email protected]
      - SSMTP_PASSWORD=XXXXXXXX
      - SSMTP_TLS=YES
      - SSMTP_STARTTLS=YES
    volumes:
      - ./fail2ban-data:/data
      - ./vw-data:/vaultwarden:ro
    network_mode: "host"
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
```
Docker info
Output of command
docker info
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
Server:
Containers: 3
Running: 3
Paused: 0
Stopped: 0
Images: 3
Server Version: 20.10.12
Storage Driver: fuse-overlayfs
Logging Driver: json-file
Cgroup Driver: none
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
seccomp
Profile: default
rootless
Kernel Version: 5.10.63-v7l+
Operating System: Raspbian GNU/Linux 10 (buster)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 3.749GiB
Name: raspberrypi
ID: QS44:BQ23:MLSO:S3QA:YEMR:NTHW:NMXN:4W3F:DFNM:UMMT:Q5UC:2S4L
Docker Root Dir: /home/docker/.local/share/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
Logs
fail2ban.log
2021-12-15 15:36:43,641 fail2ban.server [1]: INFO --------------------------------------------------
2021-12-15 15:36:43,641 fail2ban.server [1]: INFO Starting Fail2ban v0.11.2
2021-12-15 15:36:43,642 fail2ban.server [1]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2021-12-15 15:36:43,645 fail2ban.observer [1]: INFO Observer start...
2021-12-15 15:36:43,646 fail2ban.server [1]: DEBUG Starting communication
2021-12-15 15:36:43,663 fail2ban.database [1]: INFO Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2021-12-15 15:36:43,666 fail2ban.jail [1]: INFO Creating new jail 'vaultwarden-admin'
2021-12-15 15:36:43,697 fail2ban.jail [1]: INFO Jail 'vaultwarden-admin' uses pyinotify {}
2021-12-15 15:36:43,698 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,698 fail2ban.filter [1]: DEBUG Created FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,710 fail2ban.filterpyinotify[1]: DEBUG Created FilterPyinotify
2021-12-15 15:36:43,710 fail2ban.jail [1]: INFO Initiated 'pyinotify' backend
2021-12-15 15:36:43,711 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,711 fail2ban.server [1]: DEBUG failregex: '^.*Invalid admin token\\. IP: <ADDR>.*$'
2021-12-15 15:36:43,727 fail2ban.filter [1]: INFO maxRetry: 3
2021-12-15 15:36:43,728 fail2ban.filter [1]: INFO findtime: 14400
2021-12-15 15:36:43,729 fail2ban.actions [1]: INFO banTime: 14400
2021-12-15 15:36:43,730 fail2ban.filter [1]: INFO encoding: UTF-8
2021-12-15 15:36:43,731 fail2ban.filter [1]: INFO Added logfile: '/vaultwarden/vaultwarden_access.log' (pos = 3232, hash = bc79ca20b6d34e090dd6147924702c6ad462a135)
2021-12-15 15:36:43,731 fail2ban.filterpyinotify[1]: DEBUG New <Watch wd=1 path=/vaultwarden mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=True >
2021-12-15 15:36:43,732 fail2ban.filterpyinotify[1]: DEBUG Added monitor for the parent directory /vaultwarden
2021-12-15 15:36:43,732 fail2ban.filterpyinotify[1]: DEBUG New <Watch wd=2 path=/vaultwarden/vaultwarden_access.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=False >
2021-12-15 15:36:43,733 fail2ban.filterpyinotify[1]: DEBUG Added file watcher for /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,734 fail2ban.filterpyinotify[1]: MSG Log absence detected (possibly rotation) for /vaultwarden/vaultwarden_access.log, reason: INITIAL of /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,734 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,734 fail2ban.CommandAction [1]: DEBUG Set actionstart = '<iptables> -N f2b-vaultwarden-admin\n<iptables> -A f2b-vaultwarden-admin -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-vaultwarden-admin'
2021-12-15 15:36:43,734 fail2ban.CommandAction [1]: DEBUG Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-vaultwarden-admin\n<iptables> -F f2b-vaultwarden-admin\n<iptables> -X f2b-vaultwarden-admin'
2021-12-15 15:36:43,735 fail2ban.CommandAction [1]: DEBUG Set actionflush = '<iptables> -F f2b-vaultwarden-admin'
2021-12-15 15:36:43,735 fail2ban.CommandAction [1]: DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-vaultwarden-admin[ \\t]'"
2021-12-15 15:36:43,735 fail2ban.CommandAction [1]: DEBUG Set actionban = '<iptables> -I f2b-vaultwarden-admin 1 -s <ip> -j <blocktype>'
2021-12-15 15:36:43,735 fail2ban.CommandAction [1]: DEBUG Set actionunban = '<iptables> -D f2b-vaultwarden-admin -s <ip> -j <blocktype>'
2021-12-15 15:36:43,735 fail2ban.CommandAction [1]: DEBUG Set port = '80,443,8081,8080,8443'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set protocol = 'tcp'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set chain = '<known/chain>'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set name = 'vaultwarden-admin'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set actname = 'iptables-allports'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set blocktype = 'DROP'
2021-12-15 15:36:43,736 fail2ban.CommandAction [1]: DEBUG Set returntype = 'RETURN'
2021-12-15 15:36:43,737 fail2ban.CommandAction [1]: DEBUG Set lockingopt = '-w'
2021-12-15 15:36:43,737 fail2ban.CommandAction [1]: DEBUG Set iptables = 'iptables <lockingopt>'
2021-12-15 15:36:43,737 fail2ban.CommandAction [1]: DEBUG Set blocktype?family=inet6 = 'DROP'
2021-12-15 15:36:43,737 fail2ban.CommandAction [1]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2021-12-15 15:36:43,737 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,738 fail2ban.CommandAction [1]: DEBUG Set actionstart = 'printf %b "Subject: [Fail2Ban] vaultwarden-admin: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe jail vaultwarden-admin has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,738 fail2ban.CommandAction [1]: DEBUG Set actionstop = 'printf %b "Subject: [Fail2Ban] vaultwarden-admin: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe jail vaultwarden-admin has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,738 fail2ban.CommandAction [1]: DEBUG Set actioncheck = ''
2021-12-15 15:36:43,738 fail2ban.CommandAction [1]: DEBUG Set actionban = '( printf %b "Subject: [Fail2Ban] vaultwarden-admin: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against vaultwarden-admin.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/vaultwarden/vaultwarden_access.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set actionunban = ''
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set norestored = True
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set sender = 'root@$(hostname -f)'
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set dest = '[email protected]'
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set logpath = '/vaultwarden/vaultwarden_access.log'
2021-12-15 15:36:43,739 fail2ban.CommandAction [1]: DEBUG Set chain = '<known/chain>'
2021-12-15 15:36:43,740 fail2ban.CommandAction [1]: DEBUG Set name = 'vaultwarden-admin'
2021-12-15 15:36:43,740 fail2ban.CommandAction [1]: DEBUG Set actname = 'sendmail-whois-lines'
2021-12-15 15:36:43,740 fail2ban.CommandAction [1]: DEBUG Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2021-12-15 15:36:43,740 fail2ban.CommandAction [1]: DEBUG Set sendername = 'Fail2Ban'
2021-12-15 15:36:43,740 fail2ban.CommandAction [1]: DEBUG Set greplimit = 'tail -n <grepmax>'
2021-12-15 15:36:43,741 fail2ban.CommandAction [1]: DEBUG Set grepmax = '1000'
2021-12-15 15:36:43,741 fail2ban.CommandAction [1]: DEBUG Set grepopts = '-m <grepmax>'
2021-12-15 15:36:43,741 fail2ban.jail [1]: INFO Creating new jail 'vaultwarden'
2021-12-15 15:36:43,741 fail2ban.jail [1]: INFO Jail 'vaultwarden' uses pyinotify {}
2021-12-15 15:36:43,742 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,742 fail2ban.filter [1]: DEBUG Created FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,748 fail2ban.filterpyinotify[1]: DEBUG Created FilterPyinotify
2021-12-15 15:36:43,748 fail2ban.jail [1]: INFO Initiated 'pyinotify' backend
2021-12-15 15:36:43,749 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,749 fail2ban.server [1]: DEBUG failregex: '^.*Username or password is incorrect\\. Try again\\. IP: <ADDR>\\. Username:.*$'
2021-12-15 15:36:43,752 fail2ban.filter [1]: INFO maxRetry: 3
2021-12-15 15:36:43,753 fail2ban.filter [1]: INFO findtime: 14400
2021-12-15 15:36:43,753 fail2ban.actions [1]: INFO banTime: 14400
2021-12-15 15:36:43,754 fail2ban.filter [1]: INFO encoding: UTF-8
2021-12-15 15:36:43,754 fail2ban.filter [1]: INFO Added logfile: '/vaultwarden/vaultwarden_access.log' (pos = 3232, hash = bc79ca20b6d34e090dd6147924702c6ad462a135)
2021-12-15 15:36:43,754 fail2ban.filterpyinotify[1]: DEBUG New <Watch wd=1 path=/vaultwarden mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=True >
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG Added monitor for the parent directory /vaultwarden
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG New <Watch wd=2 path=/vaultwarden/vaultwarden_access.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=False >
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG Added file watcher for /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,756 fail2ban.filterpyinotify[1]: MSG Log absence detected (possibly rotation) for /vaultwarden/vaultwarden_access.log, reason: INITIAL of /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,756 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,756 fail2ban.CommandAction [1]: DEBUG Set actionstart = '<iptables> -N f2b-vaultwarden\n<iptables> -A f2b-vaultwarden -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-vaultwarden'
2021-12-15 15:36:43,756 fail2ban.CommandAction [1]: DEBUG Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-vaultwarden\n<iptables> -F f2b-vaultwarden\n<iptables> -X f2b-vaultwarden'
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set actionflush = '<iptables> -F f2b-vaultwarden'
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-vaultwarden[ \\t]'"
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set actionban = '<iptables> -I f2b-vaultwarden 1 -s <ip> -j <blocktype>'
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set actionunban = '<iptables> -D f2b-vaultwarden -s <ip> -j <blocktype>'
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set port = '80,443,8081,8080,8443'
2021-12-15 15:36:43,757 fail2ban.CommandAction [1]: DEBUG Set protocol = 'tcp'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set chain = '<known/chain>'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set name = 'vaultwarden'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set actname = 'iptables-allports'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set blocktype = 'DROP'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set returntype = 'RETURN'
2021-12-15 15:36:43,758 fail2ban.CommandAction [1]: DEBUG Set lockingopt = '-w'
2021-12-15 15:36:43,759 fail2ban.CommandAction [1]: DEBUG Set iptables = 'iptables <lockingopt>'
2021-12-15 15:36:43,759 fail2ban.CommandAction [1]: DEBUG Set blocktype?family=inet6 = 'DROP'
2021-12-15 15:36:43,759 fail2ban.CommandAction [1]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2021-12-15 15:36:43,759 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,760 fail2ban.CommandAction [1]: DEBUG Set actionstart = 'printf %b "Subject: [Fail2Ban] vaultwarden: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe jail vaultwarden has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,760 fail2ban.CommandAction [1]: DEBUG Set actionstop = 'printf %b "Subject: [Fail2Ban] vaultwarden: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe jail vaultwarden has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,760 fail2ban.CommandAction [1]: DEBUG Set actioncheck = ''
2021-12-15 15:36:43,760 fail2ban.CommandAction [1]: DEBUG Set actionban = '( printf %b "Subject: [Fail2Ban] vaultwarden: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: [email protected]\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against vaultwarden.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/vaultwarden/vaultwarden_access.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@$(hostname -f)" "[email protected]"'
2021-12-15 15:36:43,760 fail2ban.CommandAction [1]: DEBUG Set actionunban = ''
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set norestored = True
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set sender = 'root@$(hostname -f)'
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set dest = '[email protected]'
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set logpath = '/vaultwarden/vaultwarden_access.log'
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set chain = '<known/chain>'
2021-12-15 15:36:43,761 fail2ban.CommandAction [1]: DEBUG Set name = 'vaultwarden'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set actname = 'sendmail-whois-lines'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set sendername = 'Fail2Ban'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set greplimit = 'tail -n <grepmax>'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set grepmax = '1000'
2021-12-15 15:36:43,762 fail2ban.CommandAction [1]: DEBUG Set grepopts = '-m <grepmax>'
2021-12-15 15:36:43,763 fail2ban.jail [1]: DEBUG Starting jail 'vaultwarden-admin'
2021-12-15 15:36:43,763 fail2ban.filterpyinotify[1]: DEBUG [vaultwarden-admin] filter started (pyinotifier)
2021-12-15 15:36:43,765 fail2ban.filterpyinotify[1]: MSG Log presence detected for file /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,766 fail2ban.jail [1]: INFO Jail 'vaultwarden-admin' started
2021-12-15 15:36:43,766 fail2ban.jail [1]: DEBUG Starting jail 'vaultwarden'
2021-12-15 15:36:43,767 fail2ban.filter [1]: DEBUG Seek to find time 1639564603.7675607 (2021-12-15 11:36:43), file size 3404
2021-12-15 15:36:43,773 fail2ban.filter [1]: DEBUG Position 3232 from 3404, found time 1639575403.0 (2021-12-15 14:36:43) within 1 seeks
2021-12-15 15:36:43,774 fail2ban.filterpyinotify[1]: DEBUG [vaultwarden] filter started (pyinotifier)
2021-12-15 15:36:43,775 fail2ban.filterpyinotify[1]: MSG Log presence detected for file /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,777 fail2ban.filter [1]: DEBUG Seek to find time 1639564603.7758288 (2021-12-15 11:36:43), file size 3404
2021-12-15 15:36:43,778 fail2ban.filter [1]: DEBUG Position 3232 from 3404, found time 1639575403.0 (2021-12-15 14:36:43) within 1 seeks
2021-12-15 15:36:43,801 fail2ban.jail [1]: INFO Jail 'vaultwarden' started
2021-12-15 15:36:43,803 fail2ban.transmitter [1]: DEBUG Status: ready
2021-12-15 15:36:44,837 fail2ban.utils [1]: DEBUG b63f9198 -- returned successfully 0
2021-12-15 15:36:45,864 fail2ban.utils [1]: DEBUG b5c10d10 -- returned successfully 0
2021-12-15 15:36:45,865 fail2ban.actions [1]: NOTICE [vaultwarden] Restore Ban 172.18.0.1
2021-12-15 15:36:45,905 fail2ban.utils [1]: DEBUG b645c770 -- returned successfully 0
2021-12-15 15:36:45,932 fail2ban.utils [1]: DEBUG b5eeda18 -- returned successfully 0
2021-12-15 15:36:45,958 fail2ban.utils [1]: DEBUG b63e82a0 -- returned successfully 0
2021-12-15 15:36:45,959 fail2ban.actions [1]: DEBUG Banned 1 / 1, 1 ticket(s) in 'vaultwarden'
docker logs fail2ban
Setting timezone to Europe/Zurich...
Setting SSMTP configuration...
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Add custom action iptables-common.local...
Checking for custom filters in /data/filter.d...
Add custom filter vaultwarden-admin.local...
Add custom filter vaultwarden.local...
2021-12-15 15:36:43,215 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2021-12-15 15:36:43,219 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-12-15 15:36:43,223 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-12-15 15:36:43,225 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2021-12-15 15:36:43,225 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to /data/fail2ban.log
2021-12-15 15:36:43,237 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2021-12-15 15:36:43,239 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2021-12-15 15:36:43,274 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2021-12-15 15:36:43,278 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2021-12-15 15:36:43,285 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2021-12-15 15:36:43,287 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/jail.conf']
2021-12-15 15:36:43,288 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden-admin.local']
2021-12-15 15:36:43,292 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden.local']
2021-12-15 15:36:43,294 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.conf', '/etc/fail2ban/jail.d/vaultwarden-admin.local', '/etc/fail2ban/jail.d/vaultwarden.local']
2021-12-15 15:36:43,340 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden-admin under /etc/fail2ban
2021-12-15 15:36:43,349 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden-admin.local']
2021-12-15 15:36:43,353 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2021-12-15 15:36:43,362 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2021-12-15 15:36:43,367 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden-admin.local']
2021-12-15 15:36:43,381 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2021-12-15 15:36:43,384 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2021-12-15 15:36:43,388 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
2021-12-15 15:36:43,396 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
2021-12-15 15:36:43,399 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
2021-12-15 15:36:43,403 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-common.local', '/etc/fail2ban/action.d/iptables-common.local', '/etc/fail2ban/action.d/iptables-allports.conf']
2021-12-15 15:36:43,409 fail2ban.configreader [1]: INFO Loading configs for action.d/sendmail-whois-lines under /etc/fail2ban
2021-12-15 15:36:43,414 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2021-12-15 15:36:43,420 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf']
2021-12-15 15:36:43,427 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.local']
2021-12-15 15:36:43,430 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
2021-12-15 15:36:43,436 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
2021-12-15 15:36:43,439 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/helpers-common.conf']
2021-12-15 15:36:43,444 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf', '/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/helpers-common.conf', '/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2021-12-15 15:36:43,453 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden under /etc/fail2ban
2021-12-15 15:36:43,463 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden.local']
2021-12-15 15:36:43,467 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden.local']
Server ready
I'm not sure if I chose the correct setting for F2B_IPTABLES_CHAIN (INPUT), as I don't understand it well. I also tried the value "DOCKER-USER", but unfortunately without success. Furthermore, one really important thing to mention is that Docker is running in rootless mode.
As I have not yet been able to install the plugin https://github.com/mastercactapus/caddy-proxyprotocol, I still get the private IP address of the Docker host itself when trying to log in with wrong credentials, which will cause a DoS at this time. But in the end, I would like to ban the right IP address, which I'll try to implement once I have fixed this issue.
Thank you for your support!
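The symptom reported above (a ban rule that exists in the `f2b-*` chain but shows `0` packets) can be checked mechanically. The following is an added example, not part of the original issue or of the docker-fail2ban project; the function names `sample_listing` and `audit_f2b_bans`, the verdict labels, and every sample row except the `172.18.0.1` one are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify fail2ban ban rules in `iptables -nvL` output.
# Verdicts (labels are this example's own, not fail2ban terms):
#   unreferenced    - the f2b chain has 0 references, so no traffic can reach it
#   internal-source - the banned address is loopback/RFC 1918, i.e. most likely
#                     a proxy or bridge address rather than the real client
#   never-matched   - rule is in place but its packet counter is still 0
#   matching        - rule has dropped or rejected at least one packet
# IPv4 only; ip6tables output is not handled.

# Constructed listing. Only the 172.18.0.1 row mirrors the issue above.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in  out  source         destination
    0     0 f2b-vaultwarden  tcp  --  *   *    0.0.0.0/0      0.0.0.0/0

Chain f2b-vaultwarden (1 references)
 pkts bytes target  prot opt in  out  source         destination
    0     0 DROP    all  --  *   *    172.18.0.1     0.0.0.0/0
   12   720 DROP    all  --  *   *    203.0.113.7    0.0.0.0/0
    0     0 DROP    all  --  *   *    198.51.100.23  0.0.0.0/0
    0     0 RETURN  all  --  *   *    0.0.0.0/0      0.0.0.0/0

Chain f2b-vaultwarden-admin (0 references)
 pkts bytes target  prot opt in  out  source         destination
    0     0 DROP    all  --  *   *    192.0.2.44     0.0.0.0/0
EOF
}

# Reads `iptables -nvL` output on stdin and prints one line per ban rule:
#   <chain> <source> <pkts> <verdict>
audit_f2b_bans() {
    awk '
    function is_internal(ip,   o) {
        split(ip, o, ".")
        return (o[1] == 10) || (o[1] == 127) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    $1 == "Chain" {
        chain = $2
        # User-defined chains print "(N references)"; built-ins print a policy.
        refs = ($4 == "references)") ? substr($3, 2) + 0 : -1
        next
    }
    # Columns with -v: pkts bytes target prot opt in out source destination
    chain ~ /^f2b-/ && ($3 == "DROP" || $3 == "REJECT") {
        if (refs == 0)             verdict = "unreferenced"
        else if (is_internal($8))  verdict = "internal-source"
        else if ($1 + 0 == 0)      verdict = "never-matched"
        else                       verdict = "matching"
        printf "%s %s %s %s\n", chain, $8, $1, verdict
    }'
}

# Stand-alone run against the constructed listing. On a live system, pipe the
# real listing instead: docker exec fail2ban iptables -nvL | audit_f2b_bans
sample_listing | audit_f2b_bans
```

An `internal-source` verdict means the address fail2ban read from the log is not the client's, so the ban has to be fixed at the logging or proxy layer before any chain choice matters.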
Exactly the same for me. Fail2ban registers it, but the block doesn't work.
Both with chain = DOCKER-USER and chain = INPUT.
Also the latest release 0.11.2-r4 makes no difference.
Hi 786534786
A few weeks ago I finally found the solution to the problem. Take a look at the following website: https://docs.docker.com/engine/security/rootless/
... docker run -p does not propagate source IP addresses
This is because Docker with rootless mode uses RootlessKit’s builtin port driver by default.
The source IP addresses can be propagated by creating ~/.config/systemd/user/docker.service.d/override.conf with the following content:

```
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
```

And then restart the daemon:

```
systemctl --user daemon-reload
systemctl --user restart docker
```
This solved my problem :)
Greetings
Thank you FDF1337 for your detailed reply.
Regardless of your solution.
It is now also clear to me that if docker is not running with rootless mode, it also makes no difference. While this was previously the case.
Hello @786534786, I have the same issue. I am using the official Docker package from the Synology package center. My Vaultwarden (vaultwarden/server:latest) is generating the logs, and fail2ban is noticing the login attempts and banning the real IP. But it seems that the IP does not get passed on to iptables or the Synology firewall.
Have you been able to fix the issue?
No unfortunately not yet.
Following, have a very similar issue I opened today within the Vaultwarden GitHub.
I have the same problem but I don't understand why with SSH it works correctly. If I add some other service it doesn't work for me.