Comments (6)
Sorry about that, thanks for the info 👍
from docker-fail2ban.
Your iptables chain is not the good one for this jail. Please take a look at this example.
from docker-fail2ban.
@crazy-max can you please help me here?
I am not sure whether this is the right place to post this, but I am trying to resolve the issue of the fail2ban docker container still allowing banned IPs. I tried setting the chain to DOCKER-USER but it's failing with the following error:
```
2021-10-25 21:52:14,022 fail2ban.utils [1]: ERROR b64f6650 -- exec: iptables -w -N f2b-npm-docker
iptables -w -A f2b-npm-docker -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports 0:65535 -j f2b-npm-docker
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: Chain already exists.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- stderr: 'iptables: No chain/target/match by that name.'
2021-10-25 21:52:14,023 fail2ban.utils [1]: ERROR b64f6650 -- returned 1
2021-10-25 21:52:14,024 fail2ban.actions [1]: ERROR Failed to execute ban jail 'npm-docker' action 'iptables-multiport' info 'ActionInfo({'ip': '77.81.98.70', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0xb64d8cd0>, 'raw-ticket': <function Actions.ActionInfo. at 0xb64d6070>})': Error starting action Jail('npm-docker')/iptables-multiport: 'Script error'
2021-10-25 21:52:14,682 fail2ban.filter [1]: INFO [npm-docker] Found 77.81.98.70 - 2021-10-25 21:52:14
```
These are my iptables details on the Raspberry Pi (not of the fail2ban docker container):
```
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5019 3594K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
5019 3594K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
767 468K ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 416 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
916 952K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
5795 2549K ACCEPT all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
7675 747K ACCEPT all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8f06c3dc391f br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
43965 23M ACCEPT all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1083 59844 DOCKER all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22862 17M ACCEPT all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
22 1320 ACCEPT all -- br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
8 416 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9000
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8000
11 540 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:443
4 208 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:81
0 0 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
916 952K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
184 17672 DOCKER-ISOLATION-STAGE-2 all -- br-8f06c3dc391f !br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
720 189K DOCKER-ISOLATION-STAGE-2 all -- br-288ddad3c4ae !br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
5019 3594K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
102K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-8f06c3dc391f 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
1820 1159K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Warning: iptables-legacy tables present, use iptables-legacy to see them
```
I am running my fail2ban, nginx proxy manager inside docker.
This is my fail2ban configuration:
```yaml
version: "3.7"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban_docker
    network_mode: "host"
    environment:
      - TZ=US/Eastern
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "Path/to/fail2ban/data:/data"
      - "Path/to/fail2ban/log/:/var/log/"
      - "Path/to/data/logs:/log/npm/:ro"
      - "Path/to/logs:/log/emby/:ro"
    restart: unless-stopped
```
This is my jail conf:
```ini
[npm-docker]
enabled = true
ignoreip = 127.0.0.1/8 192.168.0.0/24
chain = INPUT
logpath = /log/npm/default-host_.log
          /log/npm/proxy-host-.log
maxretry = 3
bantime = 84600
findtime = 60
```
Can someone please help me with this?
from docker-fail2ban.
I'm having similar issues, is there any update?
from docker-fail2ban.
@valvanet, I was able to resolve this. You need to check the iptables chains in order to set the chain: check whether your docker containers are associated with the DOCKER-USER chain, the FORWARD chain or the INPUT chain, and based on that you need to provide the chain.
from docker-fail2ban.
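An added example (not part of the thread and not code from the docker-fail2ban project) of the check described in the comment above: it reads `iptables -L -n -v` output and reports which chain handles traffic to a given port. The function name `recommend_chain` and the sample listing are constructed for illustration, trimmed from the listing posted earlier in the thread; it assumes the `filter` table listing format shown there.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the `iptables -L -n -v` listing
# posted in the thread (FORWARD, DOCKER and DOCKER-USER chains only).
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5019 3594K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
1083 59844 DOCKER all -- * br-288ddad3c4ae 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
11 540 ACCEPT tcp -- !br-288ddad3c4ae br-288ddad3c4ae 0.0.0.0/0 172.18.0.2 tcp dpt:443
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
102K 73M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0'

# recommend_chain PORT   (hypothetical helper)
# Reads an `iptables -L -n -v` listing on stdin and prints the chain a
# fail2ban jail protecting PORT should insert its rules into.
# Real use on the Docker host: iptables -L -n -v | recommend_chain 443
recommend_chain() {
    awk -v port="$1" '
        # Track which chain the following rule lines belong to.
        $1 == "Chain" { chain = $2; next }
        # An ACCEPT for dpt:PORT in the DOCKER chain means the port is
        # published by a bridged container: packets are forwarded and
        # never traverse INPUT.
        chain == "DOCKER" && $3 == "ACCEPT" && $NF == ("dpt:" port) { published = 1 }
        # DOCKER-USER is only usable if FORWARD actually jumps to it.
        chain == "FORWARD" && $3 == "DOCKER-USER" { hooked = 1 }
        END {
            if (published && hooked) print "DOCKER-USER"
            else if (published)      print "FORWARD"
            else                     print "INPUT"
        }'
}

# Demo on the constructed sample: port 443 is published by a container.
printf '%s\n' "$SAMPLE_LISTING" | recommend_chain 443
```
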
I did the following things to finally be able to get fail2ban to work for me: NginxProxyManager/nginx-proxy-manager#39 (comment)
from docker-fail2ban.