I'm running fail2ban on a docker host. I want fail2ban to recognize certain apache calls and ban the offending IPs by adding them to the DOCKER-USER iptables chain to mitigate an ongoing DDoS.
I created all the standard config files, and reloaded fail2ban. In fail2ban.log I can see it finding the lines (so my regex and logfile are OK) and it says it's banning the bad IP, but the DOCKER-USER iptables chain doesn't get the DROP rule. There are no errors in the fail2ban.log.
My fail2ban/filter.d/apache-useredit-save.conf:
[Definition]
failregex = ^<HOST> - - .* "POST /api/useredit-save
ignoreregex =
My /etc/fail2ban/jail.d/apache-useredit-save.conf:
[apache-useredit-save]
enabled = true
port = http,https
filter = apache-useredit-save
logpath = /mnt/distreplic/logs/theapp/apache2/default-access.log
maxretry = 50
findtime = 60
bantime = 600
action = iptables-docker-user[name=NoAuthFailures, port="http,https", protocol=tcp]
My /etc/fail2ban/action.d/iptables-docker-user.conf:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP
[Init]
Log file:
2023-06-21 14:03:56,643 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,718 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,724 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,758 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,779 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,820 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,827 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,839 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,881 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,884 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,898 fail2ban.actions [563]: NOTICE [apache-useredit-save] Ban 217.195.153.92
...
2023-06-21 14:11:33,293 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,301 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,336 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,365 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,396 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,434 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,458 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,488 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,504 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,554 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:11:33
2023-06-21 14:11:33,725 fail2ban.actions [563]: WARNING [apache-useredit-save] 217.195.153.92 already banned
and iptables -nL:
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 XXX.YYY.ZZZ.WWW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 XXX.YYY.ZZZ.WWW tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Any ideas on how to debug this would be helpful!
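A check a practitioner would run while debugging this, added here as an example and not part of the question: reconcile what fail2ban.log claims (Ban / Unban NOTICE lines) with what `iptables -nL` actually shows in DOCKER-USER, so the gap between "fail2ban says banned" and "no DROP rule present" is measured rather than eyeballed. The sample log lines and chain listing below are copied from the question; the "healthy" listing is constructed to show what the output looks like once the actionban rule really lands. Function names (`active_bans`, `chain_drops`, `missing_rules`) are this example's own.

```python
"""Reconcile fail2ban ban events with the rules present in an iptables chain."""
import re

# Matches the fail2ban.actions lines that record a ban or an unban.
BAN_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<event>Ban|Unban)\s+(?P<ip>\S+)"
)

# Excerpt of fail2ban.log as posted in the question.
SAMPLE_LOG = """\
2023-06-21 14:03:56,884 fail2ban.filter [563]: INFO [apache-useredit-save] Found 217.195.153.92 - 2023-06-21 14:03:56
2023-06-21 14:03:56,898 fail2ban.actions [563]: NOTICE [apache-useredit-save] Ban 217.195.153.92
...
2023-06-21 14:11:33,725 fail2ban.actions [563]: WARNING [apache-useredit-save] 217.195.153.92 already banned
"""

# `iptables -nL` output as posted: DOCKER-USER contains only RETURN.
SAMPLE_IPTABLES = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""

# Constructed listing showing what the chain should look like after
# `iptables -I DOCKER-USER -s 217.195.153.92 -j DROP` has taken effect.
HEALTHY_IPTABLES = """\
Chain DOCKER-USER (1 references)
target prot opt source destination
DROP all -- 217.195.153.92 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""


def active_bans(log_lines):
    """Return the set of IPs the log says are currently banned (Ban not followed by Unban)."""
    banned = {}
    for line in log_lines:
        m = BAN_RE.search(line)
        if not m:
            continue  # filter "Found" lines, "already banned" warnings, "..." etc.
        key = (m["jail"], m["ip"])
        if m["event"] == "Ban":
            banned[key] = True
        else:
            banned.pop(key, None)
    return {ip for (_jail, ip) in banned}


def chain_drops(iptables_output, chain="DOCKER-USER"):
    """Parse `iptables -nL` text and return the source addresses DROPped in `chain`."""
    drops = set()
    in_chain = False
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        fields = line.split()  # target prot opt source destination [extras]
        if fields[0] == "DROP":
            src = fields[3]
            # -nL prints a single host without a mask; normalise a /32 just in case.
            if src.endswith("/32"):
                src = src[:-3]
            drops.add(src)
    return drops


def missing_rules(log_lines, iptables_output, chain="DOCKER-USER"):
    """IPs fail2ban reports as banned that have no DROP rule in `chain`, sorted."""
    return sorted(active_bans(log_lines) - chain_drops(iptables_output, chain))


if __name__ == "__main__":
    # With the question's listing the ban is not enforced; with the healthy one it is.
    print("missing:", missing_rules(SAMPLE_LOG.splitlines(), SAMPLE_IPTABLES))
    print("missing:", missing_rules(SAMPLE_LOG.splitlines(), HEALTHY_IPTABLES))
```

On a live host feed it `open("/var/log/fail2ban.log")` and `subprocess.run(["iptables", "-nL"], capture_output=True, text=True).stdout`. If the reconciliation reports an IP as missing even though fail2ban logged no error, the next things worth confirming are which `iptables` binary fail2ban is executing versus the one used for listing (`iptables -V` reports whether it is the legacy or nf_tables front end, and rules inserted through one are not shown by the other), and whether triggering the action by hand with `fail2ban-client set apache-useredit-save banip <ip>` makes the rule appear.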
-I. I will try that though. (My man page says: "--insert -I chain [rulenum]")