Fail2ban custom jails and filters

NethServer Version: 7.8.2003
Module: fail2ban

Hello everybody,

I’m in the process of installing WordPress on my NethServer (using the standard WordPress version, not the NethServer prepackaged module), and I want to protect it with fail2ban. Can I manually add my custom jails and filters in /etc/fail2ban/jail.d and /etc/fail2ban/filter.d, or are these directories overwritten by the NethServer configuration scripts?

Thank you in advance

It should be possible to add the files. Directories are not overwritten, only templated files. So if they don’t exist, they are not templated.
It could be a problem if you add the Neth wordpress module later.

2 Likes

NethServer Version: 7.9.2009
Module: fail2ban

Hello, I'm running Nextcloud inside a Docker container on the NethServer host. Nextcloud is running fine, is accessible from the Internet via reverse proxy, LDAP auth is working too for the users… Just fail2ban isn't working as expected. To integrate the Nextcloud container with NethServer fail2ban, I've added 2 files:
/etc/fail2ban/jail.d/nextcloud.conf

[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /mnt/data/docker/volumes/nextcloud3/_data/data/nextcloud.log

and /etc/fail2ban/filter.d/nextcloud.conf

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

Both seem to work, since the fail2ban log inside the server-manager is showing bad logins and bans the bad IP:

2022-07-17 00:40:00,930 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:00
2022-07-17 00:40:06,938 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:06
2022-07-17 00:40:12,946 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:12
2022-07-17 00:40:13,268 fail2ban.actions [32598]: NOTICE [nextcloud] Ban
2022-07-17 00:40:20,956 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:20
2022-07-17 00:40:20,998 fail2ban.observer [32598]: INFO [nextcloud] Found , bad - 2022-07-17 00:40:20, 1 # → 2
2022-07-17 00:40:31,169 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:31
2022-07-17 00:40:31,180 fail2ban.observer [32598]: INFO [nextcloud] Found , bad - 2022-07-17 00:40:31, 1 # → 2
2022-07-17 00:40:31,296 fail2ban.actions [32598]: NOTICE [nextcloud] already banned

So far so good, but the access to the container isn't blocked. NethServer keeps communicating with the banned IP… Did I do something wrong? Can someone point me in the right direction?

Your filter is capturing a date instead of an IP address.
I can’t help with the filter, but if you post a one-line sample from your log, we may find someone who knows how to fix the filter.
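One way to check what the failregex from the post above captures from a log line, written out with `<HOST>` and every `*` quantifier in place. This is an added example, not code from the thread: the `<HOST>` stand-in is a simplified assumption (IP literals only), the function names are hypothetical, and the log lines are constructed.

```python
import re

# Filter values from the thread's filter.d/nextcloud.conf, with <HOST> and "*" in place.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:',
    r'^{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.',
]
# Assumption: simplified stand-in for fail2ban's <HOST> tag (IP literals only, no DNS names).
HOST_RE = r'(?P<host>[0-9A-Fa-f:.]+)'

def compile_failregex(pattern):
    """Expand %(_groupsre)s and <HOST>, roughly as fail2ban does when loading a filter."""
    expanded = pattern.replace('%(_groupsre)s', GROUPSRE).replace('<HOST>', HOST_RE)
    return re.compile(expanded)

COMPILED = [compile_failregex(p) for p in FAILREGEX]

def find_host(line):
    """Return the address a failregex captures from one log line, or None if none matches."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group('host')
    return None

# Constructed nextcloud.log lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = [
    r'{"reqId":"a1","level":2,"time":"2022-07-17T00:40:00+00:00","remoteAddr":"203.0.113.7",'
    r'"user":"--","app":"core","method":"POST","url":"\/login",'
    r'"message":"Login failed: alice (Remote IP: 203.0.113.7)","version":"24.0.2"}',
    r'{"reqId":"b2","level":2,"time":"2022-07-17T00:40:30+00:00","remoteAddr":"2001:db8::5",'
    r'"user":"--","app":"core","method":"GET","url":"\/",'
    r'"message":"Trusted domain error. Host cloud.example.test is not configured","version":"24.0.2"}',
    r'{"reqId":"c3","level":1,"time":"2022-07-17T00:41:00+00:00","remoteAddr":"203.0.113.7",'
    r'"user":"alice","app":"core","method":"GET","url":"\/apps\/files",'
    r'"message":"Login successful","version":"24.0.2"}',
]

def scan(lines):
    """Captured host (or None) for each line, in order."""
    return [find_host(line) for line in lines]

if __name__ == '__main__':
    for line, host in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(host or 'no match', '<-', line[:60])
```

On the server itself, `fail2ban-regex` run with the log file and `/etc/fail2ban/filter.d/nextcloud.conf` as arguments tests the real filter, including the datepattern, against the real log.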

@filippo_carletti Sorry, I've used <anon-ip> as a replacement for the testing IP, the post editor didn't like that and cut it out, thinking it was some kind of code…

occurred… The fail2ban log is giving me:

2022-07-17 00:40:00,930 fail2ban.filter [32598]: INFO [nextcloud] Found anon-ip - 2022-07-17 00:40:00
2022-07-17 00:40:06,938 fail2ban.filter [32598]: INFO [nextcloud] Found anon-ip - 2022-07-17 00:40:06
2022-07-17 00:40:12,946 fail2ban.filter [32598]: INFO [nextcloud] Found anon-ip - 2022-07-17 00:40:12
2022-07-17 00:40:13,268 fail2ban.actions [32598]: NOTICE [nextcloud] Ban anon-ip
2022-07-17 00:40:20,956 fail2ban.filter [32598]: INFO [nextcloud] Found anon-ip - 2022-07-17 00:40:20
2022-07-17 00:40:20,998 fail2ban.observer [32598]: INFO [nextcloud] Found anon-ip, bad - 2022-07-17 00:40:20, 1 # → 2
2022-07-17 00:40:31,169 fail2ban.filter [32598]: INFO [nextcloud] Found anon-ip - 2022-07-17 00:40:31
2022-07-17 00:40:31,180 fail2ban.observer [32598]: INFO [nextcloud] Found anon-ip, bad - 2022-07-17 00:40:31, 1 # → 2
2022-07-17 00:40:31,296 fail2ban.actions [32598]: NOTICE [nextcloud] anon-ip already banned

where I replaced the IP with “anon-ip”… fail2ban recognizes the bad logins and bans the IP as expected, but the reverse proxy still grants access to Nextcloud/the container.