
I'm running fail2ban on a docker host. I want fail2ban to recognize certain apache calls and ban the offending IPs by adding them to the DOCKER-USER iptables chain to mitigate an ongoing DDoS.

I created all the standard config files, and reloaded fail2ban. In fail2ban.log I can see it finding the lines (so my regex and logfile are OK) and it says it's banning the bad IP, but the DOCKER-USER iptables chain doesn't get the DROP rule. There are no errors in the fail2ban.log.

My fail2ban/filter.d/apache-useredit-save.conf:

[Definition]
failregex = ^<HOST> - - .* "POST /api/useredit-save
ignoreregex =

My /etc/fail2ban/jail.d/apache-useredit-save.conf:

[apache-useredit-save]
enabled  = true
port     = http,https
filter   = apache-useredit-save
logpath  = /mnt/distreplic/logs/theapp/apache2/default-access.log
maxretry = 50
findtime = 60
bantime  = 600
action   = iptables-docker-user[name=NoAuthFailures, port="http,https", protocol=tcp]

My /etc/fail2ban/action.d/iptables-docker-user.conf:

[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP

[Init]

log file:

2023-06-21 14:03:56,643 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,718 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,724 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,758 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,779 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,820 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,827 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,839 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,881 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,884 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,898 fail2ban.actions        [563]: NOTICE  [apache-useredit-save] Ban 217.195.153.92
...
2023-06-21 14:11:33,293 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,301 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,336 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,365 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,396 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,434 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,458 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,488 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,504 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,554 fail2ban.filter         [563]: INFO    [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,725 fail2ban.actions        [563]: WARNING [apache-useredit-save] 217.195.153.92 already banned

and iptables -nL:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            XXX.YYY.ZZZ.WWW           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            XXX.YYY.ZZZ.WWW           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination                            
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0   

Any ideas on how to debug this would be helpful!
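The check a practitioner would run first, as an added example that is not part of the question: it reconciles fail2ban's own "Ban" decisions for a jail with what is actually in the DOCKER-USER chain and prints every IP fail2ban believes it banned that has no DROP rule there. It assumes the fail2ban.log line format shown above and the `iptables -S` rule syntax (`-A DOCKER-USER -s <ip>/32 -j DROP`); the sample log lines and chain listing embedded below are constructed for the demo, and the additional addresses in them are documentation-range IPs.

```shell
#!/bin/sh
# Reconcile fail2ban "Ban" log entries with the rules present in an iptables chain.
# Added example, not from the question; assumes the log format and "iptables -S" syntax above.
export LC_ALL=C   # sort and comm must agree on collation

# IPs that fail2ban reports as banned (NOTICE "Ban <ip>" or "Restore Ban <ip>") for jail $1,
# reading fail2ban.log text on stdin.  "already banned" warnings and "Unban" lines do not match.
banned_ips_from_log() {
    awk -v jail="$1" '
        $0 ~ "fail2ban.actions" && $0 ~ "\\[" jail "\\] (Restore )?Ban [0-9a-fA-F.:]+$" { print $NF }
    ' | sort -u
}

# Source IPs with a DROP rule in a chain, reading "iptables -S <chain>" output on stdin.
# Rule lines look like: -A DOCKER-USER -s 217.195.153.92/32 -j DROP
dropped_ips_in_chain() {
    awk '$1 == "-A" && $0 ~ / -j DROP( |$)/ {
            for (i = 1; i < NF; i++)
                if ($i == "-s") { sub(/\/(32|128)$/, "", $(i + 1)); print $(i + 1) }
        }' | sort -u
}

# Print every IP fail2ban banned for jail $1 that is absent from the chain.
# $2 = fail2ban log file, $3 = file holding "iptables -S <chain>" output.
missing_bans() {
    want=$(mktemp); have=$(mktemp)
    banned_ips_from_log "$1" < "$2" > "$want"
    dropped_ips_in_chain < "$3" > "$have"
    comm -23 "$want" "$have"     # lines only in "want": banned in the log, not in the chain
    rm -f "$want" "$have"
}

# Constructed sample data: the page's ban line plus two made-up jails/IPs from documentation ranges.
SAMPLE_LOG='2023-06-21 14:03:56,898 fail2ban.actions        [563]: NOTICE  [apache-useredit-save] Ban 217.195.153.92
2023-06-21 14:05:01,000 fail2ban.actions        [563]: NOTICE  [sshd] Ban 203.0.113.7
2023-06-21 14:11:33,725 fail2ban.actions        [563]: WARNING [apache-useredit-save] 217.195.153.92 already banned
2023-06-21 14:12:00,000 fail2ban.actions        [563]: NOTICE  [apache-useredit-save] Ban 198.51.100.20'
# Constructed "iptables -S DOCKER-USER" output: only one of the banned IPs made it into the chain.
SAMPLE_RULES='-N DOCKER-USER
-A DOCKER-USER -s 198.51.100.20/32 -j DROP
-A DOCKER-USER -j RETURN'

# Run the reconciliation for jail $1 against the constructed samples.
demo_missing_bans() {
    log=$(mktemp); rules=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    printf '%s\n' "$SAMPLE_RULES" > "$rules"
    missing_bans "$1" "$log" "$rules"
    rm -f "$log" "$rules"
}

# Offline demo: prints 217.195.153.92, the IP banned in the log but missing from the chain.
demo_missing_bans apache-useredit-save
```

On the host itself (as root) the live check is `iptables -S DOCKER-USER > /tmp/docker-user.rules` followed by `missing_bans apache-useredit-save /var/log/fail2ban.log /tmp/docker-user.rules`. If an IP is printed, the gap lies between fail2ban's decision and the kernel, not in the filter: `fail2ban-client set loglevel DEBUG` makes fail2ban log the exact command it executes and its exit status, `fail2ban-client set apache-useredit-save banip <ip>` fires the action on demand, and `iptables -C DOCKER-USER -s <ip> -j DROP` returns 0 only if the rule exists.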

  • Instead of "iptables -I DOCKER-USER" try "iptables -A DOCKER-USER". A is append.
    – cybernard
    Commented Jun 21, 2023 at 15:18
  • Shouldn't the new rule come first though? Append will add it to the end. Anyway, my problem is that the new rule doesn't show up at all.
    – GaryO
    Commented Jun 22, 2023 at 14:18
  • "new rule doesn't show up at all." Correct, because -I requires a numeric value after it, such as 1. Otherwise, your command has a syntax error.
    – cybernard
    Commented Jun 22, 2023 at 15:53
  • I would also suggest you research ipset and combine that with iptables; it will simplify the readability of your iptables and is faster when you have 1000s of banned IPs.
    – cybernard
    Commented Jun 22, 2023 at 15:57
  • I thought the <rulenum> was optional after -I. I will try that though. (My man page says: "--insert -I chain [rulenum]")
    – GaryO
    Commented Jun 22, 2023 at 16:17
