NethServer Version: 7.9.2009
Module: fail2ban
Hello, I'm running Nextcloud inside a Docker container on the NethServer host. Nextcloud is running fine, is accessible from the Internet via reverse proxy, and LDAP auth is working too for the users… Just fail2ban isn't working as expected. To integrate the Nextcloud container with NethServer fail2ban, I've added 2 files:
/etc/fail2ban/jail.d/nextcloud.conf
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /mnt/data/docker/volumes/nextcloud3/_data/data/nextcloud.log
and /etc/fail2ban/filter.d/nextcloud.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
Both seem to work, since the fail2ban log inside the server-manager is showing bad logins and bans the bad IP:
2022-07-17 00:40:00,930 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:00
2022-07-17 00:40:06,938 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:06
2022-07-17 00:40:12,946 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:12
2022-07-17 00:40:13,268 fail2ban.actions [32598]: NOTICE [nextcloud] Ban
2022-07-17 00:40:20,956 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:20
2022-07-17 00:40:20,998 fail2ban.observer [32598]: INFO [nextcloud] Found , bad - 2022-07-17 00:40:20, 1 # → 2
2022-07-17 00:40:31,169 fail2ban.filter [32598]: INFO [nextcloud] Found - 2022-07-17 00:40:31
2022-07-17 00:40:31,180 fail2ban.observer [32598]: INFO [nextcloud] Found , bad - 2022-07-17 00:40:31, 1 # → 2
2022-07-17 00:40:31,296 fail2ban.actions [32598]: NOTICE [nextcloud] already banned
So far so good, but the access to the container isn't blocked. NethServer keeps communicating with the banned IP… Did I do something wrong? Can someone point me in the right direction?
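A way to check the detection half of the jail and filter posted above offline, as an added example that is not part of the original post: it applies the filter's `failregex` and `datepattern` and the jail's `maxretry`/`findtime` to constructed Nextcloud log lines. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, `entry` and `scan` are hypothetical helper names, and the sample addresses and messages are constructed; it models only the Found/Ban decision, not the firewall action that enforces a ban.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME = 3, 43200          # maxretry / findtime from the jail above
GROUPS = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'   # _groupsre from the filter
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'     # simplified stand-in for fail2ban's <HOST> tag
FAILREGEX = [
    re.compile(r'^\{' + GROUPS + r',?\s*"remoteAddr":"' + HOST + '"'
               + GROUPS + r',?\s*"message":"' + msg)
    for msg in (r'Login failed:', r'Trusted domain error\.')
]
# datepattern from the filter, with the strptime fields spelled out as a regex
TIME_RE = re.compile(r',?\s*"time"\s*:\s*"(\d{4}-\d\d-\d\d[T ]\d\d:\d\d:\d\d(?:[+-]\d\d:\d\d)?)"')

def entry(ts, ip, message):
    """Build one constructed log line in Nextcloud's JSON layout."""
    rec = {"reqId": "r1", "level": 2, "time": ts, "remoteAddr": ip, "user": "--",
           "app": "core", "method": "POST", "url": "/login", "message": message}
    return json.dumps(rec, separators=(",", ":"))

def scan(lines):
    """Return (failures, bans): matched (ip, epoch) pairs and IPs in ban order."""
    recent, failures, bans = defaultdict(deque), [], []
    for line in lines:
        stamp = TIME_RE.search(line)
        if not stamp:
            continue
        when = datetime.fromisoformat(stamp.group(1).replace(" ", "T")).timestamp()
        rest = line[:stamp.start()] + line[stamp.end():]   # fail2ban cuts the timestamp out before matching
        hit = next((m for m in (rx.match(rest) for rx in FAILREGEX) if m), None)
        if not hit:
            continue
        ip = hit.group("host")
        failures.append((ip, when))
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:                 # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY and ip not in bans:
            bans.append(ip)
    return failures, bans

SAMPLE = [  # constructed lines using documentation-range addresses
    entry("2022-07-17T00:40:00+00:00", "203.0.113.7", "Login failed: alice (Remote IP: 203.0.113.7)"),
    entry("2022-07-17T00:40:06+00:00", "203.0.113.7", "Login failed: alice (Remote IP: 203.0.113.7)"),
    entry("2022-07-17T00:40:09+00:00", "198.51.100.9", "Trusted domain error. Constructed host header"),
    entry("2022-07-17T00:40:10+00:00", "192.0.2.5", "Something unrelated"),
    entry("2022-07-17T00:40:12+00:00", "203.0.113.7", "Login failed: alice (Remote IP: 203.0.113.7)"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On a host with fail2ban installed, `fail2ban-regex <logpath> /etc/fail2ban/filter.d/nextcloud.conf` runs the real filter against the real log.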