Hello,
EDIT: solution found and shared a little further down.
I'm trying to configure Fail2ban to protect a Bitwarden container against brute-force attacks.
However, I can't get IPs with too many errors banned. Has anyone already managed to get IP banning to work?
Thanks
Here are the logs and the config:
````
Docker version 18.09.8, build 2c0a67b
````
Here is the setup:
- dani-garcia/bitwarden_rs
  - Mounting point:
    - docker/bw-data:/data/
  - Extended_logging true
  - Log_file: /data/bitwarden.log
  - log level: error
  - TZ: Europe/Paris
- crazy-max/docker-fail2ban
  - Run as root
  - Mounting points
    - docker/fail2ban:/data/
    - docker/bw-data:/bitwarden/ Read-Only
  - TZ: Europe/Paris
  - F2B_IPTABLE_CHAIN: Input, per ticket 36 on Fail2Ban (https://github.com/crazy-max/docker-fail2ban/issues/36)
  - DROP instead of REJECT, because REJECT is not available on Synology

The jail:
````
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]
[bitwarden]
enabled = true
port = 80,81,443
filter = bitwarden
logpath = /bitwarden/bitwarden.log
````
The filter:
````
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$
ignoreregex =
````
Bitwarden log:
````
[2020-03-05 21:53:26][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:35][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:38][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:40][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:53:51][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:22][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:27][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:33][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
[2020-03-05 21:56:49][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: a@a.net.
````
F2B Log:
````
2020-03-09 23:43:04,736 fail2ban.CommandAction [1]: DEBUG Created
2020-03-09 23:43:04,736 fail2ban.CommandAction [1]: DEBUG Set actionstart = ' -N f2b-bitwarden\n -A f2b-bitwarden -j RETURN\n -I INPUT -p tcp -j f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction [1]: DEBUG Set actionstop = ' -D INPUT -p tcp -j f2b-bitwarden\n -F f2b-bitwarden\n -X f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction [1]: DEBUG Set actionflush = ' -F f2b-bitwarden'
2020-03-09 23:43:04,736 fail2ban.CommandAction [1]: DEBUG Set actioncheck = " -n -L INPUT | grep -q 'f2b-bitwarden[ \\t]'"
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set actionban = ' -I f2b-bitwarden 1 -s -j '
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set actionunban = ' -D f2b-bitwarden -s -j '
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set name = 'bitwarden'
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set actname = 'iptables-allports'
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set chain = 'INPUT'
2020-03-09 23:43:04,737 fail2ban.CommandAction [1]: DEBUG Set port = 'ssh'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set protocol = 'tcp'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set blocktype = 'DROP'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set returntype = 'RETURN'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set lockingopt = '-w'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set iptables = 'iptables '
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set blocktype?family=inet6 = 'DROP'
2020-03-09 23:43:04,738 fail2ban.CommandAction [1]: DEBUG Set iptables?family=inet6 = 'ip6tables '
2020-03-09 23:43:04,739 fail2ban.jail [1]: DEBUG Starting jail 'bitwarden'
2020-03-09 23:43:04,739 fail2ban.filterpyinotif [1]: DEBUG [bitwarden] filter started (pyinotifier)
2020-03-09 23:43:04,741 fail2ban.jail [1]: INFO Jail 'bitwarden' started
2020-03-09 23:43:04,741 fail2ban.transmitter [1]: DEBUG Status: ready
2020-03-09 23:44:37,877 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 64
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x100 name=db.sqlite3-wal wd=1 >
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x100 name=db.sqlite3-shm wd=1 >
2020-03-09 23:44:37,878 fail2ban.filterpyinotif [1]: DEBUG Ignoring creation of /bitwarden/db.sqlite3-wal we do not monitor
2020-03-09 23:44:37,879 fail2ban.filterpyinotif [1]: DEBUG Ignoring creation of /bitwarden/db.sqlite3-shm we do not monitor
2020-03-09 23:44:38,609 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-03-09 23:44:38,609 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:38,615 fail2ban.filter [1]: DEBUG Processing line with time:1583793878.0 and ip:80.XX.XX.XX
2020-03-09 23:44:38,623 fail2ban.filter [1]: INFO [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:38
2020-03-09 23:44:38,623 fail2ban.failmanager [1]: DEBUG Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
2020-03-09 23:44:41,327 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-03-09 23:44:41,328 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:41,329 fail2ban.filter [1]: DEBUG Processing line with time:1583793881.0 and ip:80.XX.XX.XX
2020-03-09 23:44:41,329 fail2ban.filter [1]: INFO [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:41
2020-03-09 23:44:41,329 fail2ban.failmanager [1]: DEBUG Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:2
2020-03-09 23:44:44,949 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-03-09 23:44:44,949 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:44,950 fail2ban.filter [1]: DEBUG Processing line with time:1583793884.0 and ip:80.XX.XX.XX
2020-03-09 23:44:44,950 fail2ban.filter [1]: INFO [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:44
2020-03-09 23:44:44,951 fail2ban.failmanager [1]: DEBUG Total # of detected failures: 3. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:3
2020-03-09 23:44:47,829 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-03-09 23:44:47,830 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:47,831 fail2ban.filter [1]: DEBUG Processing line with time:1583793887.0 and ip:80.XX.XX.XX
2020-03-09 23:44:47,831 fail2ban.filter [1]: INFO [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:47
2020-03-09 23:44:47,831 fail2ban.failmanager [1]: DEBUG Total # of detected failures: 4. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:4
2020-03-09 23:44:48,066 fail2ban.actions [1]: NOTICE [bitwarden] Ban 80.XX.XX.XX
2020-03-09 23:44:48,066 fail2ban.observer [1]: DEBUG [bitwarden] Observer: ban found 80.XX.XX.XX, 6400
2020-03-09 23:44:48,078 fail2ban.utils [1]: DEBUG 7fb73a032240 -- returned successfully 0
2020-03-09 23:44:48,087 fail2ban.utils [1]: DEBUG 7fb739a17a40 -- returned successfully 0
2020-03-09 23:44:48,095 fail2ban.utils [1]: DEBUG 7fb739a17ab0 -- returned successfully 0
2020-03-09 23:44:48,096 fail2ban.actions [1]: DEBUG Banned 1 / 1, 1 ticket(s) in 'bitwarden'
2020-03-09 23:44:55,188 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-03-09 23:44:55,189 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-03-09 23:44:55,190 fail2ban.filter [1]: DEBUG Processing line with time:1583793895.0 and ip:80.XX.XX.XX
2020-03-09 23:44:55,190 fail2ban.filter [1]: INFO [bitwarden] Found 80.XX.XX.XX - 2020-03-09 23:44:55
2020-03-09 23:44:55,191 fail2ban.failmanager [1]: DEBUG Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 80.XX.XX.XX:1
````
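
The fail2ban log above records a `Ban` notice at 23:44:48 and another `Found` entry for the same address at 23:44:55. As an added example (not part of the original post), this Python script scans a fail2ban log for failures logged while a ban should still be active, which separates "the filter never matches" from "the ban is issued but requests still reach the service". The function name `failures_after_ban`, the `grace` parameter and the sample lines (with a documentation-range address) are constructed for illustration; `bantime=6400` is taken from the jail above.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the fail2ban log above.
SAMPLE_LOG = """\
2020-03-09 23:44:47,831 fail2ban.filter [1]: INFO [bitwarden] Found 203.0.113.7 - 2020-03-09 23:44:47
2020-03-09 23:44:48,066 fail2ban.actions [1]: NOTICE [bitwarden] Ban 203.0.113.7
2020-03-09 23:44:55,190 fail2ban.filter [1]: INFO [bitwarden] Found 203.0.113.7 - 2020-03-09 23:44:55
2020-03-09 23:50:00,000 fail2ban.actions [1]: NOTICE [bitwarden] Unban 203.0.113.7
2020-03-09 23:51:00,000 fail2ban.filter [1]: INFO [bitwarden] Found 203.0.113.7 - 2020-03-09 23:51:00
"""

# Matches the Found / Ban / Unban lines; every other log line is ignored.
EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.\w+\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?:Restore )?(?P<kind>Found|Ban|Unban) (?P<ip>\S+)"
)

def failures_after_ban(log_text, bantime=6400, grace=2):
    """Return (jail, ip, ban_time, found_time) for failures seen during an active ban.

    `grace` (seconds, hypothetical parameter) skips attempts that were already
    in flight when the firewall rule was inserted.
    """
    active = {}  # (jail, ip) -> time the ban was issued
    leaks = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip"])
        if m["kind"] == "Ban":
            active[key] = ts
        elif m["kind"] == "Unban":
            active.pop(key, None)
        elif key in active:
            age = (ts - active[key]).total_seconds()
            if grace < age < bantime:
                leaks.append((m["jail"], m["ip"], active[key], ts))
    return leaks

if __name__ == "__main__":
    for jail, ip, banned, seen in failures_after_ban(SAMPLE_LOG):
        print(f"[{jail}] {ip} banned at {banned} but failed again at {seen}")
```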