block 0.0.0.3 on access from xxx.40.3.197?
Closed this issue · 1 comments
Irv007 commented
Hi,
Why does (crazy-max-docker-)fail2ban block 0.0.0.3, if it sees access from xxx.40.3.173?
with best regards,
I.
===================================================================================================================
conf-file from jail.d:
===================================================================================================================
[DEFAULT]
bantime = 1h
destemail = xxxxx@xxxx.com
sender = root@$(hostname -f)
action = %(action_mwl)s
[calweb-auth]
enabled = true
chain = DOCKER-USER
port = http,https
filter = calweb-auth
logpath = /var/log/calibre-web.log
===================================================================================================================
conf-file from filter.d:
===================================================================================================================
[Definition]
failregex = .*Login failed.*<HOST>
ignoreregex =
===================================================================================================================
john01@instance-2:~/yml$ docker logs fail2ban_c 2>&1|tail
2020-09-16 09:27:13,946 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:13,947 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:13
2020-09-16 09:27:18,997 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:18,998 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:18
2020-09-16 09:27:19,128 fail2ban.actions [1]: NOTICE [calweb-auth] Ban 0.0.0.3
2020-09-16 09:27:19,242 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:19,243 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:19
2020-09-16 09:27:23,461 fail2ban.ipdns [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:23,462 fail2ban.filter [1]: INFO [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:23
2020-09-16 10:27:18,517 fail2ban.actions [1]: NOTICE [calweb-auth] Unban 0.0.0.3
john01@instance-2:~/yml$
===================================================================================================================
john01@instance-2:/var/log$ tail calibre-web.log
[2020-09-16 09:03:32,490] INFO {cps.server:184} Performing shutdown of Calibre-Web
[2020-09-16 09:04:05,286] INFO {cps:97} Starting Calibre Web...
[2020-09-16 09:04:05,903] INFO {cps.server:156} Starting Tornado server on :8083
[2020-09-16 09:26:59,410] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:05,108] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:09,138] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:13,570] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:18,996] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:19,241] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:23,460] INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
john01@instance-2:/var/log$
===================================================================================================================
part from docker-compose.yml:
===================================================================================================================
  fail2ban_s:
    restart: always
    image: crazymax/fail2ban:latest
    container_name: fail2ban_c
    network_mode: "host"
    depends_on:
      - calweb_s
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "./data:/data"
      - "/var/log:/var/log:ro"
    env_file:
      - "./fail2ban.env"
=================================================================================================
Irv007 commented
Oh... wrong failregex. The following failregex does work.
failregex = .*Login failed.*: <HOST>
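
Why the first failregex ends up banning 0.0.0.3, shown as an added example that is not part of the original thread. It assumes a simplified stand-in for fail2ban's `<HOST>` tag (IPv4 address or hostname, not fail2ban's real expansion) and a constructed log line that uses the documentation address 203.0.113.173 in place of the masked one.

```python
import re
import socket

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not fail2ban's
# real expansion): a dotted-quad IPv4 address or, failing that, a hostname.
HOST = r"(?:(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<dns>[\w\-.^_]*\w))"

BROKEN = r".*Login failed.*<HOST>"   # failregex from the issue
FIXED = r".*Login failed.*: <HOST>"  # failregex from the follow-up comment

# Constructed log line in the calibre-web format shown in the issue.
SAMPLE = ('[2020-09-16 09:27:13,570] INFO {cps.web:1437} '
          'Login failed for user "X" IP-adress: 203.0.113.173')


def extract_host(failregex, line):
    """Return (kind, value) for the host a failregex captures, or None."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    if match is None:
        return None
    kind = "ip4" if match.group("ip4") else "dns"
    return kind, match.group(kind)


def resolve_numeric(host):
    """Resolve a purely numeric 'hostname' the way the C resolver reads it."""
    return socket.inet_ntoa(socket.inet_aton(host))


def explain(failregex, line):
    """Describe what ends up on the ban list for this failregex and line."""
    kind, value = extract_host(failregex, line)
    if kind == "dns":
        # The greedy ".*" swallowed all but the last character, so <HOST>
        # matched as a hostname and gets looked up.
        return f"hostname {value!r} -> bans {resolve_numeric(value)}"
    return f"ip {value!r} -> bans {value}"


if __name__ == "__main__":
    for name, rx in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name:6} {rx:28} {explain(rx, SAMPLE)}")
```

The literal `: ` before `<HOST>` stops the greedy `.*` from consuming the address, so the full dotted quad is captured instead of its last digit.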