- OMV 6.x
- solved
- chente
- 9. September 2023
1. Official post
- 9. September 2023
- Official post
BernH Thank you very much for this guide, very useful!!
Topic
NGINX Proxy Manager with fail2ban guide
OMV nginx-proxy-manager (referred to as NPM from here on) and fail2ban tutorial
This tutorial will assume that you know how to port forward in your router and that you have a DNS service configured to route incoming internet traffic to your internet connection based on your domain. It will also assume that you already have the OMV Compose plugin installed and are familiar with its use. It is written as a simple and quick "how to", to get you started. Full documentation is available on the…
BernH
Setting up fail2ban in npm has been a piece of cake thanks to you. It's working, I tried wrong password 3 times from my smartphone and now it's banned.
My problem is what to do now with the banned smartphone. How can I unban my smartphone without deleting the container and start from scratch?
- 9. September 2023
Quote from chente
BernH Thank you very much for this guide, very useful!!
Setting up fail2ban in npm has been a piece of cake thanks to you. It's working, I tried wrong password 3 times from my smartphone and now it's banned.
My problem is what to do now with the banned smartphone. How can I unban my smartphone without deleting the container and start from scratch?
That ban will be removed once the bantime in the jail file expires.
The 3 entries in there dictate the behaviour and all are in seconds. Findtime is how far back in time to look for wrong attempts, maxretry is how many failed attempts in that time to look for, and bantime is how long to block that IP before releasing the ban.
- 9. September 2023
- Official post
Quote from BernH
all are in seconds
mmm Are you sure they are seconds? Is it possible that it is minutes? If it were seconds it should already be unlocked and it is not...
- 9. September 2023
If you must manually unban a device, it is possible to do so. You would need to bash into the fail2ban container, and from there you can use fail2ban-client to look at the bans and manipulate them.
fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
- 9. September 2023
Quote from chente
mmm Are you sure they are seconds? Is it possible that it is minutes? If it were seconds it should already be unlocked and it is not...
The documentation says seconds and seconds has always worked for me.
If you are testing, I would recommend that you set the bantime low. Maybe 60 (1 minute)
- 9. September 2023
BernH I have an AIO install with NPM. I have it set up great. Will this co*ck it up if I try to add fail2ban?
- 9. September 2023
Fail2ban-client can also let you see the status of the jail and banned statuses.
The manpage can help you see what some of the options are.
fail2ban-client(1): configure/control server - Linux man page
- 9. September 2023
- Official post
OK, I think I know what is going on. I did this with Jellyfin, and if I remember correctly Jellyfin also has fail2ban built in, so it must be Jellyfin that won't let me log in.
- 9. September 2023
- Official post
It is my understanding that jailing npm's fail2ban container would restrict any access to npm, i.e. any service arriving from npm. However, I can access other services, so I'm out of that jail.
So I'll definitely have to look into how to get out of Jellyfin Jail now. Thanks for everything.
chente
added the label solved.
chente
added the label OMV 6.x.
- 9. September 2023
- Official post
Fixed. Jellyfin banned the user. I have unbanned it and now I can access it.
If I try to log in with a non-existent user, jellyfin won't do anything, since it only bans users. However, on the third try I am still banned. That means the fail2ban container is working correctly.
Thanks once again!
- 9. September 2023
Quote from BlueCoffee
BernH I have an AIO install with NPM. I have it set up great. Will this co*ck it up if I try to add fail2ban?
By AIO do you mean Nextcloud? Theoretically, it shouldn't mess up Nextcloud but I don't run Nextcloud as a docker, so I can't swear to it.
I run my Nextcloud as an lxc doing a manual install on it via a script I have written and it uses its own fail2ban setup.
- 9. September 2023
Quote from BernH
By AIO do you mean Nextcloud? Theoretically, it shouldn't mess up Nextcloud but I don't run Nextcloud as a docker, so I can't swear to it.
I run my Nextcloud as an lxc doing a manual install on it via a script I have written and it uses its own fail2ban setup.
I also run it in a VM. I'll have a try later and report back.
- 9. September 2023
Quote from BlueCoffee
I also run it in a VM. I'll have a try later and report back.
In that case you should be fine.
As I said I have it using its own fail2ban. The Nextcloud filter is more complicated, as are its logs. The NPM fail2ban is applied on the docker-user chain in iptables, so it will block failed login attempts and block access through NPM if the errors are logged by NPM, but it will not block anything based on other things the Nextcloud logs may be catching, such as the trusted domain error that the filter I use is also catching.
If you want to do that, you are better off having fail2ban either installed on the VM or at least monitoring the Nextcloud logs. If your VM is an lxc, monitoring the logs should be easy since lxc storage is just a directory on the server, but if it's a full VM, it is not.
Here are the 3 fail2ban files I use for my lxc. The last one (iptables.conf) should be the default one for fail2ban, but since the docker install does not install all the default files, I am including it here too.
Code: /etc/fail2ban/jail.d/nextcloud.local
[nextcloud]
backend = auto
enabled = true
port = 80
protocol = tcp
filter = nextcloud
maxretry = 10
bantime = 10800
findtime = 43200
logpath = /mnt/ncdata/nextcloud.log
action = iptables[name=nextcloud, port=http, protocol=tcp]
Code: /etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
Code: /etc/fail2ban/action.d/iptables.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
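As an added example (not code from this thread or from fail2ban), the Python below replays constructed Nextcloud JSON log lines through the nextcloud.conf failregex quoted above and the findtime/maxretry/bantime rules BernH described earlier, so the effect of the settings discussed in this thread can be checked offline. It assumes a simplified expansion of fail2ban's `<HOST>` tag to `[^"]+`; the log lines and addresses are made up.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The nextcloud.conf filter above, expanded the way fail2ban does: %(_groupsre)s is interpolated
# and <HOST> becomes a capture group (fail2ban's real <HOST> pattern is richer; [^"]+ is an assumption).
GROUPS_RE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:',
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.',
]
COMPILED = [re.compile(p.replace("%(_groupsre)s", GROUPS_RE).replace("<HOST>", r'(?P<host>[^"]+)'))
            for p in FAILREGEX]

def log_line(t, addr, message):
    """Constructed Nextcloud JSON log line (compact, like nextcloud.log; not real data)."""
    rec = {"level": 2, "time": t, "remoteAddr": addr, "user": "--", "app": "core", "message": message}
    return json.dumps(rec, separators=(",", ":"))
def failing_host(line):
    """Return the <HOST> captured by the first matching failregex, else None."""
    m = next((m for m in (rx.search(line) for rx in COMPILED) if m), None)
    return m.group("host") if m else None
def run_jail(lines, maxretry, findtime, bantime):
    """Jail semantics: maxretry matches within findtime seconds ban the host for bantime seconds."""
    recent, banned_until, bans = defaultdict(deque), {}, []   # bans: [(host, start, end)]
    for line in lines:
        host = failing_host(line)
        if host is None:
            continue
        ts = datetime.fromisoformat(re.search(r'"time":"([^"]+)"', line).group(1))
        if ts < banned_until.get(host, ts):
            continue                        # still inside an active ban, not re-counted
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                     # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            q.clear()
    return bans

FAIL = "Login failed: 'alice'"
EVENTS = [  # constructed: (time, remoteAddr, message)
    ("10:00:00", "192.0.2.9", FAIL), ("10:00:01", "203.0.113.7", FAIL), ("10:00:05", "203.0.113.7", FAIL),
    ("10:00:09", "198.51.100.4", "Trusted domain error. nas.lan is not a trusted domain."),
    ("10:00:12", "203.0.113.7", FAIL), ("10:04:00", "192.0.2.9", FAIL), ("10:09:00", "192.0.2.9", FAIL),
]
SAMPLE = [log_line(f"2023-09-09T{t}+00:00", a, m) for t, a, m in EVENTS]
```

With the guide's short settings (3 tries in 300 s) only 203.0.113.7 is banned, while 192.0.2.9, whose three failures span 9 minutes, is only caught once findtime is widened to 3600; the real filter can be checked the same way against a log file with fail2ban-regex inside the container.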
- 9. September 2023
- Official post
Quote from BernH
If you are testing, I would recommend that you set the bantime low. Maybe 60 (1 minute)
This is how you have it in the guide. 3 attempts in less than 5 minutes will result in a 1-minute ban.
Code
maxretry = 3
bantime = 60
findtime = 300
For production it would be interesting to modify this and increase bantime to something else, perhaps bantime=86400. Maybe also increase findtime to 3600.
Code
maxretry = 3
bantime = 86400
findtime = 3600
- 9. September 2023
Quote from chente
This is how you have it in the guide. 3 attempts in less than 5 minutes will result in a 1-minute ban.
Code
maxretry = 3
bantime = 60
findtime = 300
For production it would be interesting to modify this and increase bantime to something else, perhaps bantime=86400. Maybe also increase findtime to 3600.
Code
maxretry = 3
bantime = 86400
findtime = 3600
Yes, I did say adjust as required. But thinking about it now, people are not always ones to read and understand directions. I do have my own times adjusted from those short times. I will edit the guide to clarify. As they are set up they are designed to stop hammering on the server by bots, blocking them for a short time. Most will stop once they stop getting responses. A better solution would be a second jail with the longer times specified and a higher maxretry (maybe 5) so that you will not get locked out as easily if you are away and unable to log in yourself.
- 9. September 2023
- Official post
Yes, something similar is what I finally decided to do. I did this:
Code
maxretry = 5
bantime = 604800
findtime = 7200
The only two services I have on the internet (and not always, generally only VPN) are jellyfin and Nextcloud which have their own jails. So this will act as a second long-term jail.
5 attempts in less than 2 hours will result in a one-week ban.
- 9. September 2023
Quote from chente
I'll definitely have to look into how to get out of Jellyfin Jail now
The concept is the same that BernH told you above:
Bash into the container and run the unban command
- 9. September 2023
- Official post
Quote from Soma
The concept is the same that BernH told you above:
Bash into the container and run the unban command
I already did it, you have it in the next posts after that. But Jellyfin doesn't work like that, it's much simpler. Jellyfin bans the user, then you can unban him from the Jellyfin GUI by editing the profile of the banned user. Nothing more than that is necessary.
- 12. September 2023
- Official post
BernH
It seems like fail2ban is causing me problems somehow. Yesterday I found the Nextcloud and fail2ban containers in Stopped status. I didn't give it any more importance; I picked them up again and everything worked fine.
This morning I was doing some things in the Nextcloud GUI and suddenly lost connection. After downloading the fail2ban container everything is back to normal.
I followed your guide strictly. Any idea what could be happening?
- 12. September 2023
Quote from chente
BernH
It seems like fail2ban is causing me problems somehow. Yesterday I found the Nextcloud and fail2ban containers in Stopped status. I didn't give it any more importance; I picked them up again and everything worked fine.
This morning I was doing some things in the Nextcloud GUI and suddenly lost connection. After downloading the fail2ban container everything is back to normal.
I followed your guide strictly. Any idea what could be happening?
I don't run Nextcloud as a container, so I am not sure what could be happening exactly when run as a container. My Nextcloud is run as an lxc, so as far as NPM and fail2ban are concerned it is actually a different server, and my access to the lxc from NPM is all unencrypted over port 80, leaving NPM to handle the encryption and port 443 access. If you deployed the container using port 443, as the container guide had outlined, the container port 443, which is an ssl port, and the NPM encryption are probably conflicting. From my experience, Nextcloud does not really like to have its port 443 proxied. If you do still want to run like that you would have to figure out what advanced settings would allow that. You may be able to find that in the swag site config, since it seems to work like that, but since I don't run that way I can't test it.
That said though, Nextcloud is a bit of a different beast and required some extra settings in NPM even when leaving all the access on port 80. I don't know if these will work the same with the container.
Here is what I have added:
Code: Advanced - Custom Nginx Configuration
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
rewrite ^/\.well-known/carddav https://$server_name/remote.php/dav/ redirect;
rewrite ^/\.well-known/caldav https://$server_name/remote.php/dav/ redirect;
proxy_hide_header Upgrade;
proxy_read_timeout 180m;
Additionally, in the Custom Locations I have 3 defined. The first 2 are for caldav and carddav connections and the third is for webfinger protocols.
location: /.well-known/caldav
scheme: http
Forward Hostname/IP: <your server ip address>
Forward Port: 80

location: /.well-known/carddav
scheme: http
Forward Hostname/IP: <your server ip address>
Forward Port: 80

location: /.well-known/webfinger
scheme: http
Forward Hostname/IP: <your server ip address>
Forward Port: 80