docker-fail2ban-synology

iptables-common not working

Open Aurel004 opened this issue 3 years ago • 23 comments

Hi,

After hours of debugging, I finally managed to make "DROP" default. To make it work, the file now needs to be named iptables.local and not iptables-common.local anymore.

Thank you

Aurel004 avatar Oct 23 '22 16:10 Aurel004

Thank you SOOOO much! I spent hours trying to track down why the synology wasn't banning even though the rules were all there. This needs to be updated on the main page to save people the headache.

LIvewire18 avatar Dec 14 '22 21:12 LIvewire18

Added the file to make it easier

sosandroid avatar Dec 14 '22 22:12 sosandroid

Hello :) Thanks for this tip! It lets me go from this: (image)

To this (where my IP is masked): (image)

But even if the IP seems to be banned by Fail2ban, and appears in iptables, I can still access my services from it, like gitea or calibre-web.

I'm pretty sure it's a DSM update that broke things... but when...?

Before, IPs were correctly banned, and from this IP, I couldn't access any services on my NAS.

Is there a way to correct this behavior?

MilesTEG1 avatar Feb 10 '23 11:02 MilesTEG1

Same issue as the above poster on DSM 7.2-64570 Update 3. The IPs get set to drop in iptables, but I can still access stuff.

Hacker1245 avatar Sep 22 '23 10:09 Hacker1245

```
2023/11/21 22:03:09 stdout Server ready
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf', '/etc/fail2ban/action.d/iptables.local', '/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden-admin under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/vaultwarden-admin.conf', '/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,474 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,473 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /data/fail2ban.log
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,469 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2023/11/21 22:03:09 stdout Add custom filter vaultwarden.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom filter vaultwarden-admin.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden-admin.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom filters in /data/filter.d...
2023/11/21 22:03:09 stdout Add custom action iptables.local...
2023/11/21 22:03:09 stdout WARNING: iptables.local already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom action iptables-common.local...
2023/11/21 22:03:09 stdout WARNING: iptables-common.local already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom actions in /data/action.d...
2023/11/21 22:03:09 stdout Setting Fail2ban configuration...
2023/11/21 22:03:09 stdout Initializing files and folders...
2023/11/21 22:03:09 stdout WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
2023/11/21 22:03:09 stdout Setting SSMTP configuration...
```

SergeySergeevitch avatar Nov 21 '23 19:11 SergeySergeevitch

Hello,

Thanks for your time and work. Can anyone confirm it still works with DSM 7.2?

I have copied iptables.local. The IP is banned but I can still access the server...

Here's fail2ban.log

```
2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
done
2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- returned 4
2024-04-24 07:40:57,608 fail2ban.actions        [756]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'xxx.xxx.xxx.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fe721dce480>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fe721dcec00>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'
```

Thanks for your help.

ngthwi avatar Apr 24 '24 06:04 ngthwi

Hi all, same story on version 7.2.1-69057 Update 5 on my Syno:

```
2024/05/05 00:06:25 stdout 2024-05-05 00:06:25,320 fail2ban.filter [1]: INFO [vaultwarden-admin] Found 37.170.151.69 - 2024-05-05 00:06:25
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.actions [1]: ERROR Failed to execute ban jail 'vaultwarden-admin' action 'iptables-allports' info 'ActionInfo({'ip': '37.170.151.69', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f130e351d00>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f130e352480>})': Error starting action Jail('vaultwarden-admin')/iptables-allports: 'Script error'
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- returned 4
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
```

Marsupoil76 avatar May 04 '24 22:05 Marsupoil76

I have the same problem on DSM 7.2.1-69057 Update 5

```
2024-05-07 18:09:20,883 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- returned 4
2024-05-07 18:09:20,884 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f0a12d85e40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f0a12d865c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
```

vivoras avatar May 08 '24 12:05 vivoras

> Hello,
>
> Thanks for your time and work. Can anyone confirm it still works with DSM 7.2?
>
> I have copied iptables.local. The IP is banned but I can still access the server...
>
> Here's fail2ban.log
>
> ```
> 2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
> for proto in $(echo 'tcp' | sed 's/,/ /g'); do
> { iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
> done
> 2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
> 2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
> 2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
> 2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- returned 4
> 2024-04-24 07:40:57,608 fail2ban.actions        [756]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'xxx.xxx.xxx.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fe721dce480>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fe721dcec00>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'
> ```
>
> Thanks for your help.

I finally got it to work. My mistake... I attempted to use the conf files on a swag fail2ban instance... I tried a dedicated container as described here and it works straight out of the box.

ngthwi avatar May 08 '24 12:05 ngthwi

Sorry for my English. Can you tell me more about your solution? Mine is hosted in a separate container (with NET-ADMIN and SYS-ADMIN) between Vaultwarden. F2B sees the Vaultwarden logs, and when it sees an IP it tries to ban it but it cannot.

Marsupoil76 avatar May 08 '24 14:05 Marsupoil76

> Sorry for my English. Can you tell me more about your solution? Mine is hosted in a separate container (with NET-ADMIN and SYS-ADMIN) between Vaultwarden. F2B sees the Vaultwarden logs, and when it sees an IP it tries to ban it but it cannot.

Did you create a fail2ban container as described here? https://github.com/sosandroid/docker-fail2ban-synology#installation

ngthwi avatar May 08 '24 14:05 ngthwi

I have a separate container following the instructions at https://github.com/sosandroid/docker-fail2ban-synology#installation

The error is still the same...

```
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- returned 4
2024-05-08 17:22:00,793 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f522981de40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f522981e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
```

Just in case, I have deleted the container completely and recreated it. The only thing I have done afterwards is delete the bitwarden.conf and bitwarden-admin.conf files from the jail.d and filter.d folders because I use vaultwarden

vivoras avatar May 08 '24 15:05 vivoras

Have you put the file iptables.local in action.d?

ngthwi avatar May 08 '24 15:05 ngthwi

Yes of course, I have not modified the action.d folder

This is the iptables.local file:

```
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
```

vivoras avatar May 08 '24 15:05 vivoras

Same problem for me. Docker in privileged mode and host network. F2B logs:

```
2024/05/08 20:03:55 stdout 2024-05-08 18:03:55,813 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:55
2024/05/08 20:03:54 stdout 2024-05-08 18:03:54,586 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:54
2024/05/08 20:03:54 stdout 2024-05-08 18:03:53,672 fail2ban.actions        [1]: WARNING [vaultwarden] 78.243.145.140 already banned
2024/05/08 20:03:53 stdout 2024-05-08 18:03:53,314 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:53
2024/05/08 20:03:51 stdout 2024-05-08 18:03:51,953 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:51
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7f868deade40>, 'raw-ticket': <function Actions.ActionInfo. at 0x7f868deae5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- returned 4
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout done
2024/05/08 20:00:46 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:00:46 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,353 fail2ban.utils          [1]: ERROR   7f868df156b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 78.243.145.140
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,881 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:47
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:46
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:45
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:43
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,879 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:41
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:39
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout 2024-05-08 18:00:43,264 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout Server ready
```

-----My action.d-----

```
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
```

-----My filter.d---- vaultwarden.conf

```
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.Username or password is incorrect. Try again. IP: <ADDR>. Username:.$
ignoreregex =
```

-----My jail.d----- vaultwarden.conf

```
[DEFAULT]

ignoreip = 172.16.0.0/12 192.168.10.0/16 10.6.0.0/8 # optional
#Ban for 30 days
bantime = 2592000
findtime = 86400
maxretry = 4
banaction = iptables-allports
ignoreself = false

[vaultwarden]

enabled = true
port = 80,443,3012 # alternative: anyport
filter = vaultwarden
logpath = /logs/vaultwarden.log
```

-------- My iptable.local ---------

```
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
```


Docker with env: NET-ADMIN and NET-RAW - F2B log:

```
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid':  at 0x7ff9b648de40>, 'raw-ticket':  at 0x7ff9b648e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- returned 4
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout done
2024/05/08 20:27:28 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:27:28 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,961 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,945 fail2ban.actions        [1]: NOTICE  [vaultwarden] Restore Ban 78.243.145.140
2024/05/08 20:27:28 stdout Server ready
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,858 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' started
2024/05/08 20:27:27 stdout 2024-05-08 18:27:27,857 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,349 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,342 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' started
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,338 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,337 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,330 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,329 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,322 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden-admin'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,321 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,313 fail2ban.observer       [1]: INFO    Observer start...
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,312 fail2ban.server         [1]: INFO    Starting Fail2ban v1.1.0
```

Marsupoil76 avatar May 08 '24 18:05 Marsupoil76
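Added example, not part of the thread or of the project's code: a log audit that pairs each fail2ban ban decision with a failed ban action, so a "banned" address whose firewall rule was never installed stands out, and that lists the words fail2ban tried to resolve as host names (the ipdns warnings above name `#` and `optional`, matching the trailing `# optional` on the posted `ignoreip` line). The sample log is constructed in the format of the lines quoted above; `audit` and `Report` are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the fail2ban.log lines quoted in this thread;
# the addresses come from the documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
2024-05-08 18:00:43,264 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024-05-08 18:00:45,878 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024-05-08 18:00:45,881 fail2ban.filter         [1]: INFO    [vaultwarden] Found 203.0.113.7 - 2024-05-08 16:00:47
2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 203.0.113.7
2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- returned 4
2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '203.0.113.7', 'family': 'inet4'})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024-05-08 18:05:10,101 fail2ban.actions        [1]: NOTICE  [vaultwarden-admin] Ban 203.0.113.9
"""

# One fail2ban record. search() rather than match() tolerates the
# "2024/05/08 20:00:46 stdout " prefix that the container log view adds.
ENTRY = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ fail2ban(?:\.\w+)?\s*\[\d+\]:\s+"
                   r"(?P<level>[A-Z]+)\s+(?P<msg>.*)")
BAN = re.compile(r"\[(?P<jail>[^\]]+)\] (?:Restore )?Ban (?P<ip>\S+)")
FAILED = re.compile(r"Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)' "
                    r"info 'ActionInfo\(\{'ip': '(?P<ip>[^']+)'")
STDERR = re.compile(r"-- stderr: '(?P<err>.*)'$")
DNS = re.compile(r"Unable to find a corresponding IP address for (?P<token>\S+): ")


@dataclass
class Report:
    unenforced: list       # (jail, ip, action): ban action failed to execute
    no_error_logged: list  # (jail, ip): ban decided, no action error in this log
    stderr_reasons: list   # distinct stderr lines of the failing action commands
    ignoreip_tokens: list  # words fail2ban tried to resolve as host names


def audit(log_text):
    """Correlate ban decisions with failed ban actions, independent of line order."""
    bans, failed, reasons, tokens = set(), {}, [], []
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # wrapped shell lines of an "exec:" record, container messages
        level, msg = entry["level"], entry["msg"]
        if level == "NOTICE" and (m := BAN.search(msg)):
            bans.add((m["jail"], m["ip"]))
        elif level == "ERROR" and (m := FAILED.search(msg)):
            failed[(m["jail"], m["ip"])] = m["action"]
        elif level == "ERROR" and (m := STDERR.search(msg)):
            if m["err"] not in reasons:
                reasons.append(m["err"])
        elif level == "WARNING" and (m := DNS.search(msg)):
            if m["token"] not in tokens:
                tokens.append(m["token"])
    return Report(
        unenforced=sorted((jail, ip, action) for (jail, ip), action in failed.items()),
        # No error here only means the action command did not fail; it does not
        # prove that the packet filter drops the traffic.
        no_error_logged=sorted(bans - set(failed)),
        stderr_reasons=reasons,
        ignoreip_tokens=tokens,
    )


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for jail, ip, action in report.unenforced:
        print(f"NOT ENFORCED: {ip} in jail {jail} (action {action})")
    for reason in report.stderr_reasons:
        print(f"action stderr: {reason}")
    for jail, ip in report.no_error_logged:
        print(f"ban without logged error: {ip} in jail {jail}")
    if report.ignoreip_tokens:
        print("treated as host names:", ", ".join(report.ignoreip_tokens))
```

The matching works on a newest-first log view as well, since bans and failures are paired by jail and address rather than by position.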

I have the issue now as well. I updated the container, and image: crazymax/fail2ban:latest is currently 1.1.0. If I revert my docker compose back to image: crazymax/fail2ban:1.0.2, it's working again.

ngthwi avatar May 08 '24 18:05 ngthwi

> I have the issue now as well. I updated the container, and image: crazymax/fail2ban:latest is currently 1.1.0. If I revert my docker compose back to image: crazymax/fail2ban:1.0.2, it's working again.

Dude!!!! You're sooo true.. Works!!!

Marsupoil76 avatar May 08 '24 19:05 Marsupoil76

I've opened an issue in crazy-max/docker-fail2ban

ngthwi avatar May 08 '24 19:05 ngthwi

@ngthwi You're the best! Thank you so much!!!

vivoras avatar May 08 '24 19:05 vivoras

It's fixed, you can therefore pull image: crazymax/fail2ban:latest again

ngthwi avatar May 20 '24 08:05 ngthwi

Thank you for this follow up

sosandroid avatar May 21 '24 11:05 sosandroid

Hello,

For a long time, I was not using the crazy-max/docker-fail2ban image as instructed by this repo, but instead I was using swag. But this repository and its hacks helped me to configure swag's fail2ban to make it work with my synology, so thank you for that.

Unfortunately, recently I upgraded my swag container to the latest image (which hadn't been upgraded for a while), and since then, I get the same error.

> Can anyone confirm it still works with DSM 7.2?

I'm still on DSM 7.1 (I know, shame on me, I should upgrade), so I don't think it's related to a new DSM upgrade.

I tried, however, to recreate my swag container with an older image (2.8.0, which is 4 months old), but strangely, the error is still there.

Furthermore, I tried as well to create a whole new separate fail2ban container, as advised by this repo and in this issue's comments: f2b successfully detects the login attempts, and "bans", however I'm not really banned, as shown in those logs, I can still connect:

```
2024-05-22 22:34:05,294 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:05
2024-05-22 22:34:08,659 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:08
2024-05-22 22:34:09,530 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:09
2024-05-22 22:34:10,233 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:10
2024-05-22 22:34:10,642 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 149.102.245.141
2024-05-22 22:34:10,939 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:17
```

I tried with the crazy-max/docker-fail2ban:latest image and with the crazy-max/docker-fail2ban:1.0.2 image as well, but both don't "really ban" the IPs.

I'm not sure what I did wrong. The only thing that I changed is to only keep the vaultwarden.conf file in the filter.d/ folder, and same for the folder jail.d/ (only vaultwarden.conf was kept).

Any ideas?

fbdb avatar May 23 '24 20:05 fbdb