f2b adding to iptables but not banning
modem7 opened this issue · 2 comments
Behaviour
Steps to reproduce this issue
Bitwarden + f2b
Docker compose file:
```yaml
  # Fail2Ban - Intrusion prevention vs brute force attacks
  fail2ban:
    image: crazymax/fail2ban
    container_name: Fail2ban
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    privileged: true
    volumes:
      - $USERDIR/Fail2ban:/data
      - /var/log:/var/log:ro
      - /etc/localtime:/etc/localtime:ro
      - $USERDIR/Traefik/traefik.log:/traefik.log:ro
      - $USERDIR/Bitwarden/Data/bitwarden.log:/bitwarden.log:ro
      - $USERDIR/Authelia/authelia.log:/authelia.log:ro
    restart: always
    environment:
      - TZ=$TZ
      - SSMTP_HOST=$BW_SMTP_HOST
      - SSMTP_PORT=$BW_SMTP_PORT
      - SSMTP_USER=$BW_SMTP_USERNAME
      - SSMTP_PASSWORD=$BW_SMTP_PASSWORD
      - SSMTP_TLS=YES
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO
```
Bitwarden log:
today at 10:30 PM [2020-09-05 22:30:14.258][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:22.462][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:24.183][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:25.533][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
today at 10:30 PM [2020-09-05 22:30:26.683][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
F2B Log:
today at 10:26 PM Setting timezone to Europe/London...
today at 10:26 PM ln: /etc/localtime: File exists
today at 10:26 PM Setting SSMTP configuration...
today at 10:26 PM Initializing files and folders...
today at 10:26 PM Setting Fail2ban configuration...
today at 10:26 PM Checking for custom actions in /data/action.d...
today at 10:26 PM Checking for custom filters in /data/filter.d...
today at 10:26 PM Add custom filter authelia.conf...
today at 10:26 PM Add custom filter bitwarden-admin.conf...
today at 10:26 PM WARNING: bitwarden.conf already exists and will be overriden
today at 10:26 PM Add custom filter bitwarden.conf...
today at 10:26 PM WARNING: traefik-auth.conf already exists and will be overriden
today at 10:26 PM Add custom filter traefik-auth.conf...
today at 10:26 PM Add custom filter traefik-botsearch.conf...
today at 10:26 PM 2020-09-05 22:26:38,592 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,593 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to /data/fail2ban.log
today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
today at 10:26 PM 2020-09-05 22:26:38,608 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
today at 10:26 PM 2020-09-05 22:26:38,609 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.d/authelia.conf']
today at 10:26 PM 2020-09-05 22:26:38,611 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.d/bitwarden.conf']
today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.d/traefik.conf']
today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/authelia.conf', '/etc/fail2ban/jail.d/bitwarden.conf', '/etc/fail2ban/jail.d/traefik.conf']
today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configreader [1]: INFO Loading configs for filter.d/bitwarden under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/bitwarden.conf']
today at 10:26 PM 2020-09-05 22:26:38,621 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/bitwarden.conf']
today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
today at 10:26 PM 2020-09-05 22:26:38,625 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configreader [1]: INFO Loading configs for filter.d/traefik-auth under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
today at 10:26 PM 2020-09-05 22:26:38,629 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
today at 10:26 PM 2020-09-05 22:26:38,631 fail2ban.configreader [1]: INFO Loading configs for filter.d/authelia under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,632 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
today at 10:26 PM 2020-09-05 22:26:38,633 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
today at 10:26 PM 2020-09-05 22:26:38,635 fail2ban.configreader [1]: INFO Loading configs for filter.d/traefik-botsearch under /etc/fail2ban
today at 10:26 PM 2020-09-05 22:26:38,636 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/traefik-botsearch.conf']
today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf']
today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf', '/etc/fail2ban/filter.d/traefik-botsearch.conf']
today at 10:26 PM Server ready
jail.d/bitwarden.conf
```ini
[DEFAULT]
# CIDR notation: the original had typos here (127.0.01/8 192.168.0.0.22)
ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 3600
findtime = 3600
maxretry = 3
# action arguments must be key=value; a bare chain name is not parsed
action = iptables-allports[name=bitwarden, chain=DOCKER]

[bitwarden]
enabled = true
port = 80,443,8089,3012
filter = bitwarden
#action = iptables-allports[name=bitwarden, DOCKER-USER]
action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600

[bitwarden-admin]
enabled = false
port = 80,443,8081
filter = bitwarden-admin
##action = iptables-allports[name=bitwarden, chain=forward]
action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600
```
filter.d/bitwarden.conf
```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
```
IPTables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.22.0.108 tcp dpt:ttat3lb
ACCEPT tcp -- anywhere 172.22.0.101 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.22.0.109 tcp dpt:8089
ACCEPT tcp -- anywhere 172.22.0.109 tcp dpt:twsdss
ACCEPT tcp -- anywhere 172.22.0.107 tcp dpt:intermapper
ACCEPT tcp -- anywhere 172.22.0.103 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.22.0.102 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.22.0.111 tcp dpt:31337
ACCEPT tcp -- anywhere 172.33.0.4 tcp dpt:hbci
ACCEPT tcp -- anywhere 172.22.0.105 tcp dpt:sunwebadmins
ACCEPT tcp -- anywhere 172.22.0.106 tcp dpt:owms
ACCEPT tcp -- anywhere 172.22.0.104 tcp dpt:5076
ACCEPT tcp -- anywhere 172.22.0.114 tcp dpt:tproxy
ACCEPT tcp -- anywhere 172.22.0.114 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.22.0.114 tcp dpt:https
ACCEPT tcp -- anywhere 172.22.0.114 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
f2b-bitwarden tcp -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain f2b-bitwarden (1 references)
target prot opt source destination
REJECT all -- 148.252.132.248 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Expected behaviour
IP should be banned
Actual behaviour
IP is added to IPtables, but still has access
Configuration
- Docker version (type `docker --version`): Docker version 19.03.5, build 633a0ea838
- Docker compose version if applicable (type `docker-compose --version`): docker-compose version 1.24.1, build 4667896
- Platform (Debian 9, Ubuntu 18.04, ...): Fedora
- System info (type `uname -a`):
- Include all necessary configuration files: `docker-compose.yml`, `.env`, ...
Docker info
Client:
Debug Mode: false
Server:
Containers: 29
Running: 28
Paused: 0
Stopped: 1
Images: 30
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.18.19-100.fc27.x86_64
Operating System: Fedora 27 (Twenty Seven)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.37GiB
Name: HDA
ID: Q4JX:I4DV:JYBQ:V35U:7SZG:FIQG:RPJR:5VGZ:TTSC:P5W3:EFBG:IYAJ
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: modem7
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
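To check that the filter above actually matches the quoted Bitwarden lines, and to see at which line fail2ban's `maxretry`/`findtime` rule would trigger a ban, here is an added Python replay of that logic. It is an example written for this issue, not code from the issue or from the crazymax/fail2ban project; it assumes an IPv4-only expansion of `<ADDR>` and the `[YYYY-MM-DD HH:MM:SS.mmm]` timestamp prefix seen in the log. The sample lines are constructed from the issue's own log plus two extra lines (IP 203.0.113.7) added to show an IP that stays below the threshold.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# failregex as written in the issue's filter.d/bitwarden.conf.  fail2ban
# substitutes <ADDR> with its own IPv4/IPv6 pattern; assumption: IPv4 only here.
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<ADDR>", ADDR))

# Timestamp prefix of the Bitwarden log lines quoted in the issue.
TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\]")

# Constructed sample: three lines modelled on the issue's log, one non-matching
# line, and two failures from a second (documentation-range) address.
SAMPLE_LOG = """\
[2020-09-05 22:30:14.258][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
[2020-09-05 22:30:22.462][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
[2020-09-05 22:30:24.183][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: hebeb@jsjshs.com.
[2020-09-05 22:31:00.000][info][INFO] Starting sync for user x.
[2020-09-05 23:45:00.000][error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.
[2020-09-05 23:46:00.000][error][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: a@example.com.
"""


def parse_failures(log_text):
    """Yield (timestamp, ip) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        ts = TS.match(line)
        if m and ts:
            yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("addr")


def is_ignored(ip, ignoreip):
    """ignoreip semantics: any address inside one of the listed networks is skipped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def decide_bans(log_text, maxretry=3, findtime=3600, ignoreip=("127.0.0.1/8",)):
    """Replay the jail's counting rule: an IP is banned as soon as it has
    maxretry matching failures inside a sliding findtime-second window.
    Returns the banned IPs in the order the ban would be issued."""
    window = timedelta(seconds=findtime)
    recent = {}
    banned = []
    for ts, ip in parse_failures(log_text):
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ts, ip in parse_failures(SAMPLE_LOG):
        print(ts, ip)
    print("banned:", decide_bans(SAMPLE_LOG))
```

With the issue's settings (`maxretry = 3`, `findtime = 3600`) the three quoted failures from 148.252.132.248 are enough for a ban on the third line, so the filter side of the jail is working; the issue's iptables listing confirms the REJECT rule was then inserted. What the replay cannot show is whether the packets actually carry that source address, which is the point raised in the comments below.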
Hi there :)
I would recommend setting "banaction" directly instead of "action".
Also I'm not sure if you should use the same filter action name for two different jails.
Keeping them separate is usually better imo.
Also remember: if you are using some kind of proxy (like cloudflare) and traffic is coming in on SSL, the real IP can't be seen (in the encrypted "x-forwarded-for"-header), meaning the request won't be blocked and still show up in the logs.
Hope this helps a little, cheers :)
Heya,
Thank you for replying! You've certainly triggered a thought process re Cloudflare.
So I was passing the real IP of the client, but that obviously wasn't the IP address that was hitting the server (due to CF).
My solution was to use Fail2Ban with the Cloudflare action and get f2b to block at Cloudflare instead of at the server, also more secure that way in many respects.
Solution:
```ini
[bitwarden]
enabled = true
port = 80,443,8089,3012
filter = bitwarden
logpath = /bitwarden.log
action = iptables-multiport
         cloudflare
findtime = 3600
bantime = 3600
maxretry = 3

[bitwarden-admin]
enabled = true
port = 80,443,8081
filter = bitwarden-admin
action = iptables-multiport
         cloudflare
logpath = /bitwarden.log
maxretry = 3
bantime = 3600
findtime = 3600
```
Setting up the cloudflare action: https://community.cloudflare.com/t/can-i-still-use-fail2ban-while-using-cloudflare-article/63674
Thanks again!