NGINX Proxy Manager with fail2ban guide - openmediavault (2024)


    • OMV 6.x
    • solved
  • chente
  • 9 September 2023

1. Official post

    • 9 September 2023
    • Official post

    BernH Thank you very much for this guide, very useful!!

    Topic

    NGINX Proxy Manager with fail2ban guide

    OMV nginx-proxy-manager (referred to as NPM from here on) and fail2ban tutorial

    This tutorial will assume that you know how to port forward in your router and that you have a DNS service configured to route incoming internet traffic to your internet connection based on your domain. It will also assume that you already have the OMV Compose plugin installed and are familiar with its use. It is written as a simple and quick "how to", to get you started. Full documentation is available on the…

    BernH

    Setting up fail2ban in NPM has been a piece of cake thanks to you. It's working, I tried a wrong password 3 times from my smartphone and now it's banned.

    My problem is what to do now with the banned smartphone. How can I unban my smartphone without deleting the container and starting from scratch?

    • 9 September 2023

      Quote from chente

      BernH Thank you very much for this guide, very useful!!

      Topic

      NGINX Proxy Manager with fail2ban guide

      OMV nginx-proxy-manager (referred to as NPM from here on) and fail2ban tutorial

      This tutorial will assume that you know how to port forward in your router and that you have a DNS service configured to route incoming internet traffic to your internet connection based on your domain. It will also assume that you already have the OMV Compose plugin installed and are familiar with its use. It is written as a simple and quick "how to", to get you started. Full documentation is available on the…

      BernH

      Setting up fail2ban in NPM has been a piece of cake thanks to you. It's working, I tried a wrong password 3 times from my smartphone and now it's banned.

      My problem is what to do now with the banned smartphone. How can I unban my smartphone without deleting the container and starting from scratch?


      That ban will be removed once the bantime in the jail file expires.

      The 3 entries in there dictate the behaviour and all are in seconds. Findtime is how long back in time to look for wrong attempts, maxretry is how many failed attempts in that time to look for, and bantime is how long to block that ip before releasing the ban.

    • 9 September 2023

        If you must manually unban a device, it is possible to do so. You would need to bash into the fail2ban container, and from there you can use fail2ban-client to look at the bans and manipulate them.

        fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

        • 9 September 2023

          Quote from chente

          mmm Are you sure they are seconds? Is it possible that it is minutes? If it were seconds it should already be unlocked and it is not...

          The documentation says seconds and seconds has always worked for me.

          If you are testing, I would recommend that you set the bantime low. Maybe 60 (1 minute)

          • 9 September 2023

            BernH I have an AIO install with NPM. I have it set up great. Will this co*ck it up if I try to add fail2ban?

            • 9 September 2023
            • Official post

            OK, I think I know what is going on. I did this with Jellyfin, and if I remember correctly Jellyfin also has fail2ban built in, so it must be Jellyfin that won't let me log in.

            • 9 September 2023
            • Official post

            It is my understanding that jailing NPM's fail2ban container would restrict any access to NPM, i.e. any service arriving from NPM. However, I can access other services, so I'm out of that jail.

            So I'll definitely have to look into how to get out of Jellyfin Jail now. Thanks for everything.

          • chente

            Added the label solved.

          • chente

            Added the label OMV 6.x.

            • 9 September 2023
            • Official post

            Fixed. Jellyfin banned the user. I have unbanned it and now I can access it.

            If I try to log in with a non-existent user, jellyfin won't do anything, since it only bans users. However, on the third try I am still banned. That means the fail2ban container is working correctly.

            Thanks once again!

            • 9 September 2023

              Quote from BlueCoffee

              BernH I have an AIO install with NPM. I have it set up great. Will this co*ck it up if I try to add fail2ban?

              By AIO do you mean Nextcloud? Theoretically, it shouldn't mess up Nextcloud but I don't run Nextcloud as a docker, so I can't swear to it.

              I run my Nextcloud as an lxc doing a manual install on it via a script I have written and it uses its own fail2ban setup.

              • 9 September 2023

                Quote from BernH

                By AIO do you mean Nextcloud? Theoretically, it shouldn't mess up Nextcloud but I don't run Nextcloud as a docker, so I can't swear to it.

                I run my Nextcloud as an lxc doing a manual install on it via a script I have written and it uses its own fail2ban setup.

                I also run it in a VM. I'll have a try later and report back.

                • 9 September 2023

                  Quote from BlueCoffee

                  I also run it in a VM. I'll have a try later and report back.

                  In that case you should be fine.

                  As I said I have it using its own fail2ban. The Nextcloud filter is more complicated, as are its logs. The NPM fail2ban is applied on the docker-user chain in iptables, so it will block failed login attempts and block access through NPM if the errors are logged by NPM, but it will not block anything based on other things the Nextcloud logs may be catching, such as the trusted domain error that the filter I use is also catching.

                  If you want to do that, you are better off having fail2ban either installed on the vm or at least monitoring the Nextcloud logs. If your vm is an lxc, monitoring the logs should be easy since lxc storage is just a directory on the server, but if it's a full vm, it is not.

                  Here are the 3 fail2ban files I use for my lxc. The last one (iptables.conf) should be the default one for fail2ban, but since the docker install does not install all the default files, I am including it here too.

                  Code: /etc/fail2ban/jail.d/nextcloud.local

                  [nextcloud]
                  backend = auto
                  enabled = true
                  port = 80
                  protocol = tcp
                  filter = nextcloud
                  maxretry = 10
                  bantime = 10800
                  findtime = 43200
                  logpath = /mnt/ncdata/nextcloud.log
                  action = iptables[name=nextcloud, port=http, protocol=tcp]

                  Code: /etc/fail2ban/filter.d/nextcloud.conf

                  [Definition]
                  _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
                  failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                              ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
                  datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

                  Code: /etc/fail2ban/action.d/iptables.conf

                  # Fail2Ban configuration file
                  #
                  # Author: Cyril Jaquier
                  #
                  #

                  [INCLUDES]

                  before = iptables-common.conf

                  [Definition]

                  # Option:  actionstart
                  # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
                  # Values:  CMD
                  #
                  actionstart = <iptables> -N f2b-<name>
                                <iptables> -A f2b-<name> -j <returntype>
                                <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>

                  # Option:  actionstop
                  # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
                  # Values:  CMD
                  #
                  actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
                               <actionflush>
                               <iptables> -X f2b-<name>

                  # Option:  actioncheck
                  # Notes.:  command executed once before each actionban command
                  # Values:  CMD
                  #
                  actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

                  # Option:  actionban
                  # Notes.:  command executed when banning an IP. Take care that the
                  #          command is executed with Fail2Ban user rights.
                  # Tags:    See jail.conf(5) man page
                  # Values:  CMD
                  #
                  actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

                  # Option:  actionunban
                  # Notes.:  command executed when unbanning an IP. Take care that the
                  #          command is executed with Fail2Ban user rights.
                  # Tags:    See jail.conf(5) man page
                  # Values:  CMD
                  #
                  actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

                  [Init]
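A filter like the Nextcloud one above is easiest to check offline before a jail is pointed at a live log (fail2ban ships `fail2ban-regex` for exactly that). The Python script below is an added example, not part of BernH's post or of the fail2ban project: it expands the two failregex lines by hand (the `%(_groupsre)s` reference and a simplified `<HOST>` capture, an assumption of this example; fail2ban's own `<HOST>` expansion is stricter about which characters an address may contain) and runs them over a few constructed `nextcloud.log` entries, returning the remote addresses that would be counted as failures. Note that fail2ban removes the text matched by `datepattern` before it tries `failregex`; the leading `,?` in the filter absorbs the comma that removal leaves behind. This script does not strip the date, so the `"time"` key is simply swallowed by `_groupsre`.

```python
import json
import re

# _groupsre and the two failregex lines from filter.d/nextcloud.conf as posted
# above, copied verbatim. fail2ban expands %(_groupsre)s and <HOST> itself
# when it loads the filter; compile_filter() below does that by hand.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:',
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.',
]
# Simplified stand-in for fail2ban's <HOST> tag (assumption of this example:
# inside a JSON string, everything up to the closing quote is the address).
HOST_RE = r'(?P<host>[^"]+)'


def compile_filter(failregex=FAILREGEX, groupsre=GROUPSRE, host_re=HOST_RE):
    """Expand the fail2ban placeholders and compile each failregex."""
    return [re.compile(p.replace('%(_groupsre)s', groupsre).replace('<HOST>', host_re))
            for p in failregex]


FILTER = compile_filter()


def match_line(line, regexes=FILTER):
    """Return the remote address captured by the first matching failregex, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group('host')
    return None


def offending_hosts(lines, regexes=FILTER):
    """Addresses fail2ban would count as failures, one entry per matching line."""
    hosts = (match_line(line, regexes) for line in lines)
    return [h for h in hosts if h is not None]


def nc_log_line(**fields):
    """Build one constructed nextcloud.log entry (Nextcloud writes one JSON object per line)."""
    entry = {"reqId": "r0", "level": 2, "time": "2023-09-09T10:00:01+00:00",
             "remoteAddr": "", "user": "--", "app": "core", "method": "GET",
             "url": "/", "message": "", "userAgent": "curl/8.0", "version": "27.0.2.1"}
    entry.update(fields)
    return json.dumps(entry, separators=(",", ":"))


# Constructed sample log; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    nc_log_line(reqId="r1", remoteAddr="203.0.113.7", method="POST", url="/login",
                message="Login failed: 'alice' (Remote IP: '203.0.113.7')"),
    nc_log_line(reqId="r2", remoteAddr="203.0.113.7", method="POST", url="/login",
                message="Login failed: 'admin' (Remote IP: '203.0.113.7')"),
    nc_log_line(reqId="r3", remoteAddr="198.51.100.9",
                message='Trusted domain error. "198.51.100.9" tried to access using "evil.example" as host.'),
    nc_log_line(reqId="r4", level=1, remoteAddr="192.0.2.20", user="bob", method="POST",
                url="/login", message="Login successful for user bob"),        # not a failure
    nc_log_line(reqId="r5", level=0, app="cron", url="--", message="Run RetryJob"),  # no remoteAddr
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line) or "-", line[:72] + "...")
```

The two "Login failed" lines and the trusted-domain line yield their `remoteAddr`; the successful login and the cron entry yield nothing, which is the behaviour BernH describes: only what the filter's `failregex` matches is ever counted against `maxretry`.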

                  • 9 September 2023
                  • Official post

                  Quote from BernH

                  If you are testing, I would recommend that you set the bantime low. Maybe 60 (1 minute)

                  This is how you have it in the guide. 3 attempts in less than 5 minutes will result in a 1-minute ban.

                  Code

                  maxretry = 3
                  bantime = 60
                  findtime = 300

                  For production it would be interesting to modify this and increase bantime to something else, perhaps bantime=86400. Maybe even also increase findtime to 3600.

                  Code

                  maxretry = 3
                  bantime = 86400
                  findtime = 3600
                  • 9 September 2023

                    Quote from chente

                    This is how you have it in the guide. 3 attempts in less than 5 minutes will result in a 1-minute ban.

                    Code

                    maxretry = 3
                    bantime = 60
                    findtime = 300

                    For production it would be interesting to modify this and increase bantime to something else, perhaps bantime=86400. Maybe even also increase findtime to 3600.

                    Code

                    maxretry = 3
                    bantime = 86400
                    findtime = 3600

                    Yes, I did say adjust as required. But thinking about it now, people are not always ones to read and understand directions. I do have my own times adjusted from those short times. I will edit the guide to clarify. As they are set up they are designed to stop hammering on the server by bots, blocking them for a short time. Most will stop once they stop getting responses. A better solution would be a second jail with the longer times specified and a higher maxretry (maybe 5) so that you will not get locked out as easily if you are away and unable to log in yourself.

                    • 9 September 2023
                    • Official post

                    Yes, something similar is what I finally decided to do. I did this:

                    Code

                    maxretry = 5
                    bantime = 604800
                    findtime = 7200

                    The only two services I have on the internet (and not always, generally only VPN) are Jellyfin and Nextcloud, which have their own jails. So this will act as a second long-term jail.

                    5 attempts in less than 2 hours will result in a one-week ban.
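BernH's explanation earlier in the thread of findtime, maxretry and bantime, and the three settings compared in the posts just above (the guide's 3/300/60, the 3/3600/86400 suggestion and chente's 5/7200/604800), can be replayed against a list of failure timestamps. The script below is an added example and not fail2ban's or the guide's code; it models a sliding findtime window per jail, discards the counted failures when a ban fires (as fail2ban does), and treats any active ban as a firewall drop that keeps further attempts out of the log. That last point is what makes BernH's short-jail-plus-long-jail suggestion work: the short jail silences a hammering bot quickly, while the long jail keeps counting the attempts that arrive between short bans and eventually applies the long block. All timelines are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Jail:
    """The three jail settings discussed in the thread; all values are seconds."""
    maxretry: int  # failures inside one findtime window needed to trigger a ban
    findtime: int  # how far back in time failures are counted
    bantime: int   # how long the address stays blocked once banned


# The settings quoted in the thread.
GUIDE_JAIL = Jail(maxretry=3, findtime=300, bantime=60)            # 3 in 5 min -> 1 min ban
PRODUCTION_JAIL = Jail(maxretry=3, findtime=3600, bantime=86400)   # 3 in 1 h   -> 1 day ban
LONG_TERM_JAIL = Jail(maxretry=5, findtime=7200, bantime=604800)   # 5 in 2 h   -> 1 week ban


def simulate_jails(jails, failure_times):
    """Replay failed-login timestamps (seconds, ascending) from one address
    through several jails that share one firewall.

    Returns {jail_name: [(ban_start, ban_end), ...]}. While any jail has the
    address banned, the firewall drops its packets before they reach the
    service, so nothing is logged and no jail counts those attempts."""
    bans = {name: [] for name in jails}
    windows = {name: [] for name in jails}
    banned_until = {name: 0 for name in jails}
    for t in failure_times:
        if any(t < until for until in banned_until.values()):
            continue  # dropped by the firewall rule, never reaches the log
        for name, jail in jails.items():
            # keep only the failures still inside the sliding findtime window
            windows[name] = [x for x in windows[name] if t - x < jail.findtime] + [t]
            if len(windows[name]) >= jail.maxretry:
                bans[name].append((t, t + jail.bantime))
                banned_until[name] = t + jail.bantime
                windows[name] = []  # fail2ban discards the counted failures once it bans
    return bans


def simulate(jail, failure_times):
    """Single-jail convenience wrapper around simulate_jails()."""
    return simulate_jails({"jail": jail}, failure_times)["jail"]


if __name__ == "__main__":
    # Constructed timeline: a bot retrying every 10 seconds for 200 seconds.
    bot = list(range(0, 210, 10))
    print("guide jail alone:", simulate(GUIDE_JAIL, bot))
    print("short + long jail:", simulate_jails(
        {"short": GUIDE_JAIL, "long": Jail(maxretry=5, findtime=3600, bantime=86400)}, bot))
    # Three attempts ten minutes apart never fill the guide's 5-minute window
    # but do fill the 1-hour production window.
    slow = [0, 600, 1200]
    print("slow retries, guide:", simulate(GUIDE_JAIL, slow))
    print("slow retries, production:", simulate(PRODUCTION_JAIL, slow))
```

With the guide's settings alone the bot is banned three separate times for a minute each and resumes in between; with the second jail alongside, the long jail reaches its fifth counted failure on the bot's first attempt after the short ban lifts and blocks it for a day. The slow-retry timeline shows what a longer findtime buys and why chente's 2-hour window with maxretry 5 is a reasonable long-term complement to the guide's short jail.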

                    • 9 September 2023

                      Quote from chente

                      I'll definitely have to look into how to get out of Jellyfin Jail now

                      The concept is the same that BernH told you above:

                      Bash into the container and run the unban command.

                      • 9 September 2023
                      • Official post

                      Quote from Soma

                      The concept is the same that BernH told you above:

                      Bash into the container and run the unban command.

                      I already did it, you have it in the next posts after that. But Jellyfin doesn't work like that, it's much simpler. Jellyfin bans the user, then you can unban him from the Jellyfin GUI by editing the profile of the banned user. Nothing more than that is necessary.

                      • 12 September 2023
                      • Official post

                      BernH

                      It seems like fail2ban is causing me problems somehow. Yesterday I found the Nextcloud and fail2ban containers in Stopped status. I didn't give it any more importance, I picked them up again and everything worked fine.

                      This morning I was doing some things in the Nextcloud GUI and suddenly lost connection. After downloading the fail2ban container everything is back to normal.

                      I followed your guide strictly. Any idea what could be happening?

                      • 12 September 2023

                        Quote from chente

                        BernH

                        It seems like fail2ban is causing me problems somehow. Yesterday I found the Nextcloud and fail2ban containers in Stopped status. I didn't give it any more importance, I picked them up again and everything worked fine.

                        This morning I was doing some things in the Nextcloud GUI and suddenly lost connection. After downloading the fail2ban container everything is back to normal.

                        I followed your guide strictly. Any idea what could be happening?

                        I don't run Nextcloud as a container, so I am not sure what could be happening exactly when run as a container. My Nextcloud is run as an lxc, so as far as NPM and fail2ban are concerned it is actually a different server, and my access to the lxc from NPM is all unencrypted over port 80, leaving NPM to handle the encryption and port 443 access. If you deployed the container using port 443, as the container guide had outlined, the container port 443, which is an ssl port, and the NPM encryption are probably conflicting. From my experience, Nextcloud does not really like to have its port 443 proxied. If you do still want to run like that you would have to figure out what advanced settings would allow that. You may be able to find that in the swag site config, since it seems to work like that, but since I don't run that way I can't test it.

                        That said though, Nextcloud is a bit of a different beast and required some extra settings in NPM even when leaving all the access on port 80. I don't know if these will work the same with the container.

                        Here is what I have added:

                        Code: Advanced - Custom Nginx Configuration

                        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
                        rewrite ^/\.well-known/carddav https://$server_name/remote.php/dav/ redirect;
                        rewrite ^/\.well-known/caldav https://$server_name/remote.php/dav/ redirect;
                        proxy_hide_header Upgrade;
                        proxy_read_timeout 180m;

                        Additionally, in the Custom Locations I have 3 defined. The first 2 are for caldav and carddav connections and the third is for the webfinger protocol.

                        location: /.well-known/caldav
                        scheme: http
                        Forward Hostname/IP: <your server ip address>
                        Forward Port: 80

                        location: /.well-known/carddav
                        scheme: http
                        Forward Hostname/IP: <your server ip address>
                        Forward Port: 80

                        location: /.well-known/webfinger
                        scheme: http
                        Forward Hostname/IP: <your server ip address>
                        Forward Port: 80
