docker-fail2ban

[BUG] Ban Action Triggered - Ban Not Working

Open admiralspeedy opened this issue 9 months ago • 1 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

I have set up fail2ban on my Unraid server. I was using Nginx Proxy Manager to enable remote access to my Emby server.

With my configuration, after 5 retries fail2ban issues the ban action but the IP is not actually banned and can still access my Emby server. There are no errors in the log and as far as fail2ban shows, the IP is banned, but I see no rule added to iptables.

My jail.local:

[DEFAULT]
# Prevents banning LAN subnets
ignoreip = 10.0.0.0/8
           192.168.0.0/16
           172.16.0.0/12

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 2048

# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
bantime.multipliers = 1 5 30 60 300 720 1440 2880

banaction = iptables-allports

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

[npm]
enabled = true
filter = npm
logpath = /var/log/proxy-host-*_access.log

My filter (npm.conf):

[INCLUDES]

[Definition]

failregex = ^.* (405|404|403|401|\-) (405|404|403|401) - .* \[Client <HOST>\] \[Length .*\] .* \[Sent-to <F-CONTAINER>.*</F-CONTAINER>\] <F-USERAGENT>".*"</F-USERAGENT> .*$

ignoreregex = ^.* (404|\-) (404) - .*".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?" \[Client <HOST>\] \[Length .*\] ".*" .*$

Interestingly, I switched to swag and its included fail2ban works fine.

Expected Behavior

The offending IP should be added to iptables to prevent it from connecting for the specified ban time.

Steps To Reproduce

  1. Install fail2ban and NPM in Unraid
  2. Configure as above
  3. Check fail2ban log and see ban issued
  4. Reload page on banned device and see that you are not actually banned

Environment

- OS: Unraid 7.0.1
- How docker service was installed: Through Unraid's app center

CPU architecture

x86-64

Docker creation

Unraid

Container logs

NA

admiralspeedy, Mar 03 '25 01:03
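A check for the symptom reported above, added here as an example (not part of the original post or of the docker-fail2ban project): it compares the IPs fail2ban lists as banned with the source addresses that have a REJECT/DROP rule in `iptables -S` output and prints any that are missing. The jail name `npm` comes from the post; the function names are hypothetical and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: list IPs that fail2ban reports as banned but that have no
# REJECT/DROP rule in iptables. Live use (assumed invocation, run as root):
#   missing_bans "$(fail2ban-client status npm)" "$(iptables -S)"

# Constructed sample shaped like `fail2ban-client status npm` output.
SAMPLE_STATUS='Status for the jail: npm
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/proxy-host-1_access.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.7 198.51.100.23'

# Constructed sample shaped like `iptables -S` output; only one ban is present.
SAMPLE_RULES='-P INPUT ACCEPT
-N f2b-npm
-A INPUT -p tcp -j f2b-npm
-A f2b-npm -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-npm -j RETURN'

# Print one banned IP per line from the "Banned IP list:" line of the status.
banned_ips() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr -s ' \t' '\n' | sed '/^$/d'
}

# Succeed if a rule with source $2/32 and a REJECT or DROP target exists in $1.
has_rule() {
    printf '%s\n' "$1" | grep -F -- "-s $2/32 " | grep -Eq -- '-j (REJECT|DROP)'
}

# Print every IP that is banned per $1 (status) but has no rule in $2 (rules).
missing_bans() {
    for ip in $(banned_ips "$1"); do
        has_rule "$2" "$ip" || printf '%s\n' "$ip"
    done
}

# With the constructed samples this prints the one ban that never reached iptables.
missing_bans "$SAMPLE_STATUS" "$SAMPLE_RULES"
```

iptables rules are per network namespace, so capture `iptables -S` in the namespace where you expect the ban to take effect; the host and a container that does not share the host network show different rule sets.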

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

github-actions[bot], Mar 03 '25 01:03

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

LinuxServer-CI, Apr 02 '25 13:04

This issue is locked due to inactivity

LinuxServer-CI, Jul 02 '25 14:07