Secure Your Self Hosting with Fail2Ban + Nginx Proxy Manager + Cloudflare

  • Published: 9 Jul 2024
  • Today's video is sponsored by Linode!
    Sign up today and get a $100 60-day credit on your new Linode account, link is in the description.
    🔗 dbte.ch/linode
    /=========================================/
    This video assumes that you already use Nginx Proxy Manager and Cloudflare for your self-hosting.
    Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email) could also be configured.
    The full, written tutorial with all the resources is available here:
    dbte.ch/fail2bannpmcf
    Chapters:
    0:00 Intro
    0:43 Ad
    1:33 Demo
    5:42 Installation
    22:04 Wrap Up
    /=========================================/
  • Science

Comments • 190

  • @DBTechYT 2 years ago +4

    You can get early access to my content by becoming a Patron! www.patreon.com/dbtech

  • @janvanderveer5813 2 years ago +15

    This worked perfectly, very much appreciated! In addition to fail2ban, I would suggest setting up additional firewall rules that could further narrow the attack surface (like geolocation - I set mine to Europe only as that's where I am based)

    • @SarahPoulin 1 year ago

      Yes. This is what I did, but I'm in North America, so I set to Canada & the US.

  • @northernexplorer01 2 years ago +6

    I enjoy all your guides, easy to follow. I set my server up based on all your stuff from a year ago, but with the new stuff you are doing it's not as easy to follow as the directories have all changed. Maybe a new up-to-date guide starting with NGINX and fail2ban with Cloudflare set up... Keep up the great work.. thanks

  • @hbhamilton3 1 year ago

    Thanks for this video! I'm actually running Fail2Ban at the OS level outside of Docker but with NPM in Docker, but this video steered me in the right direction and it's working great.

  • @VinodBaliga 2 years ago +2

    Can’t thank you enough for this. Exactly what I have been breaking my head over for past few weeks. Thank you so much. Will try it over weekend 🙏🏼

    • @DBTechYT 2 years ago +2

      You got this!

    • @VinodBaliga 2 years ago +1

      @@DBTechYT Already implemented. Works like a charm! Only difference (compared to your documentation) being I deployed the stack from Portainer. Thanks again!

    • @iamrage4753 2 years ago

      @@DBTechYT could this be used with something like h5ai to protect it and if so what config changes would authelia need? thank you for any help

  • @Justdigit2 2 years ago

    Finally the video and tutorial I have been waiting for!!! Many thanks!!!

  • @sintheticgaming 1 year ago

    This is AWESOME! Thanks for the great guide!

  • @zakoalax 2 years ago

    Thank you very much, security is very important to protect our beloved server 😉 Super video!

  • @dgeordgy21 2 years ago +4

    Nice video as always!! Cloudflare argo tunnel will be great in the mix, for an extra layer of security in my opinion. Keep going

    • @DBTechYT 2 years ago +9

      Thank you!! I really do need to do a Cloudflare argo tunnel video soon!

    • @oliverschmiedbauer4603 2 years ago +1

      @@DBTechYT Yes, please, especially since this would also benefit people who don't have a real public IP due to CGNAT!

    • @PrinterJamOnToast 2 years ago +1

      @@DBTechYT That would be great to see. I just ordered a Pi and was planning on hosting services like bookstack, using Argo Tunnel and Cloudflare Access free tier.

  • @chrisumali9841 2 years ago

    Thanks for the demo and info, have a great day

  • @ShlomiDavidson 2 years ago +1

    worked like a charm! your videos are great. thank you!

    • @DBTechYT 2 years ago

      Glad it helped!

    • @iamrage4753 2 years ago

      @@DBTechYT can you do a refresh with crowdsec instead of fail2ban please?

  • @KazLeFou 2 years ago

    Thanks from France !!!! Works great bro !

  • @DavidDavisL 1 year ago +1

    Working great after correcting some fat-fingering issues on my end. Thank you for the detailed walk through and references!

  • @chadmarkley 2 years ago +1

    Great video. Keep it up!

  • @mozflakes7790 2 years ago

    Thanks a lot, it worked perfectly.

  • @itskagiso 2 years ago

    You're a legend!

  • @MrKalindro 1 year ago +1

    Is there any benefit to installing fail2ban (and ufw) as a docker container instead of normally via terminal, not as containers?

  • @kevdok2541 1 year ago +2

    I love the approach of using Fail2Ban with CloudFlare, but now that NPM correctly sets the origin of the IP, now my access list in NPM which only allowed incoming connections from Cloudflare IPs does not work anymore. Does anyone have any suggestion about how to keep only allowing Cloudflare packages and also make Fail2Ban ban the original ip of the user?

  • @irdammauludi3389 2 years ago

    Super video!🔥🔥

    • @DBTechYT 2 years ago +1

      Thank you very much!

  • @josh817 3 months ago

    Spent a lot of time on this and cannot get it working. Seems to not like the jail. The container will endlessly restart and I can't bash into it to see what's up unless I disable the npm jail (if I try to bash into the container it says I must wait for it to start). None of the docker logs show errors. Have no idea where the issue is.

  • @DanDease 1 year ago +2

    17:40 Looking for the nginx.conf file. You are using overlay for your Docker FS. How can I find the conf file if my Docker setup is using VFS? The search you suggest is not finding anything for me.

  • @jhmc93 1 year ago

    I couldn’t get this to work as it kept erroring with my cloudflare apiv4 pasted in the logs as the cause. I haven’t got a clue what’s gone wrong

  • @michaeldziegiel4954 7 months ago

    for whatever reason I can't get this working. I'm able to deploy the container but I'm getting hung up on the section where I create the npm-docker.local file. I can't nano to create it. Sudo, apt, Vim, nothing works so I'm unable to create the file to modify it.

  • @deboy69 2 years ago +1

    Great video. How do you update the npm-docker.local if your providers ip address changes a lot?

  • @wcmedic69 2 years ago

    Is this to deploy as a stack in portainer? It gives me syntax error on the time zone line?

  • @philsjeff 1 year ago

    Hi. thanks for the great video. Any idea how to get this working properly when running NPM behind Authelia or Authentik. I am running with Authentik, and while this does work and bans IPs of perpetrators, the redirects used in authentik cause it to ban my home address as well. I am running this on a remote VPS. I can unban my IP, and have resorted to ignoring large ranges of IPs because my ISP only does dynamic. Or, if the redirects and 4xx errors are not an option, do you know how to just use f2b to block malicious logins on authentik or authelia. thanks

  • @0ctatr0n 2 years ago +1

    If I'm not using cloudflare, how do I set the action to iptable on the host?

  • @smash_shane 2 years ago +2

    Another great video.. Can I suggest a video on how to connect a linode server to be a part of a local private network? I want to be able to host a proxmox node on linode and use it as a backup server for running my unifi controller and pi-hole containers should my local server go down... I've failed miserably at the network side of the configuration..

  • @Happypillz 2 years ago

    Followed the guide and for whatever reason cloudflare kept triggering. I ended up whitelisting the ips. Is there a chance this is broken elsewhere?

  • @abijithm4475 2 years ago

    DBTech great tutorial. Really helps me a lot. I have 1 request. Is it possible for you to create a video of the self hosted Photo Gallery? There are so many options but not sure which one is best. Just an option to get rid of GPhotos

  • @ClaudioIaccarino 2 years ago +1

    Hi! Thanks for the tutorial! About the modifications to the nginx.conf file, will they survive when the npm docker image will be updated? Sorry for my ignorance about the subject!

    • @DBTechYT 2 years ago +2

      That is a really good question actually. If it does, I believe you create your own nginx.conf file and store it somewhere on your server and map it there.

    • @Doesntcompute2k 2 years ago +2

      File has to live outside of the container space; map a "/data/..." tree inside the Docker off to a persistent storage (Longhorn, perhaps). Under the /data/ tree you map the config files, data files, etc., you need to "hang around." This works on NAS systems like Synology (harder to do LOL), or a standard Debian server build which is running multiple Dockers (my preference). Kubernetes cluster?--Yes, there too. The management of your containers has nothing to do with the setup (good news), BUT the config of the containers (variables, volume mappings) does indeed control this working. Once you do this, it's easy (easier?) to repeat for other Dockers. Oh and if it wasn't apparent--this has nothing to do specifically with Nginx: any containerized system with one or more instances can share its config files over persistent storage. Then you can keep said files in your (private) Github/Gitlab repo, with version control. :) All of this works at home, in the Enterprise, or if you use a hosted cloud server solution.

  • @robertbrowniii2033 1 year ago

    This looks like an excellent description of how to use Fail2ban with Nginx Proxy Manager. One question, though: suppose you are not using Cloudflare but instead have your NPM on a virtual machine (set up with Proxmox, for example) or a bare-metal machine? How do you set up fail2ban in Docker so that it will work on such machines?
    Can you point to instructions for doing this or (better) create a video about creating such a setup?

  • @glassman3333 1 year ago +2

    This is a very informative video, and I can't thank Dave enough for all the excellent work he's done, but if possible, I would like to make a suggestion.
    For anyone interested in a more permanent solution, instead of the process described at 19:04 in the video, I created a script that runs when the container starts that automatically makes the necessary edits to the nginx configuration file, but only if those changes don't already exist. The script utilizes the s6-overlay infrastructure that the NPM docker image already uses, so it's a bombproof solution. It's also much better than directly editing the configuration file in the container, because if you do it that way, anytime the container is recreated (like after an image update), you would have to make those edits all over again.
    I wrote some basic instructions on pastebin, but youtube takes posts with links down, so I'm not sure how to get that info to everyone here.

    • @rsebaugh 1 year ago +1

      100% agree this video is great. I don't fully follow why you have to edit the nginx conf directly vs putting the list of Cloudflare IP's in the ignore list on the jail file. I'd love to see the script you created if you can share.

    • @glassman3333 1 year ago +2

      @@rsebaugh I believe it's because if you simply ignore those IPs, nothing will ever get banned as fail2ban will always see the traffic as coming from those addresses. Remember, they're proxied. It's my understanding that those commands in nginx's configuration file will restore the proxied address to its real IP address so that fail2ban can see the real IP address of the attacker, etc. As for sharing my script, I have a short video up. I can't be more specific as every time I attempt to add more info, youtube removes my post.

    • @rsebaugh 1 year ago

      @@glassman3333 Noted!

    • @RisingMooon 1 year ago +1

      Good work! Unfortunately I've been unable to locate your pastebin and you don't have any youtube videos up so I've been unable to locate that. But that certainly sounds really convenient to have

    • @glassman3333 1 year ago +1

      @@RisingMooon So I took the video down as I didn't think anyone else would be interested, but I just put a post up on my page that has it. Just make sure to click the community tab to see it. Let me know if it helps.

  • @tjoptjop09 2 years ago +1

    Thanks for the nice tutorial. Can you also explain how to configure fail2ban to block ssh access of the real server ip and also see the log of the blocked ip in Cloudflare?

  • @cvx10 2 years ago

    Great video !
    How would you manage a dynamic WAN IP ? I've tried a FQDN in the config file but my IP keeps getting banned.
    Thx ;-)

  • @hairyfred386 2 years ago +1

    A guide on how to setup the smtp functionality would be nice + potentially set it to send daily reports instead of an email for each ban

    • @bencollinz 2 years ago

      Agreed. I don't understand why we did that step just to NOT have any notifications.

  • @krisdouglas6536 2 years ago

    I followed your video on setting up a cloudflared tunnel. I have a few sub domains to access some applications. I rarely see videos on it, it's always nginx. Why is this and do I need both? Thanks

    • @DBTechYT 2 years ago +1

      If you have CloudFlare tunnels then you don't need this. Tunnels replace it.

  • @manuelmueller3931 2 years ago

    I use a Debian LXC on Proxmox and therefore it does not work. The line `docker inspect $(docker ps -qa) | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"'` gave me a "'jq' was not found". After searching manually (35 minutes) I could restart the container with errors: "NOTICE No file(s) found for glob /log/npm/default-host_acces..." It seems that there are no log-files found. Any idea what I can do after double checking with redoing it?

    • @itskagiso 2 years ago +1

      Install jq:
      - apt-get update
      - apt-get -y install jq

  • @godwears7 2 years ago

    I can get my ip banned but can still access the site which allows me to get an 'ip already banned' log message. If I'm already banned then why can I still access the site? hmmmm, any ideas anyone?

  • @taylorbisig6149 2 years ago +1

    Tried to get this running on my Pi 4 and had some errors in the log before changing the configuration files:
    Fatal Python error: init_interp_main: can't initialize time
    PermissionError: [Errno 1] Operation not permitted

    • @taylorbisig6149 2 years ago +1

      Corrected by using the older 0.11.1 image.

    • @lichtii1972 2 years ago

      Did you now get it to work?
      Because on my Raspberry the installation is all set up, but the communication to Cloudflare is not there, or I do not see it when someone tries to login. Could you help me?

    • @StefanPreu 1 year ago

      @@taylorbisig6149 thank you so much! took me ages until I found your comment!

  • @Doesntcompute2k 2 years ago +2

    First, great tutorial! I like how you step-by-stepped the process. Second, I LOVE the orange wall. I know you're setting up a new studio, but I'll miss the orange. The color has convinced me to setup two walls in my home office as the same orange tint. (I'm very tired of white walls, white ceiling, blah.) So I always like your list of videos of setting up services on Docker. Between you and @TechnoTimLive (ruclips.net/user/TechnoTimLive )..I have a good handle on Docker containers to go along with my other VMs. :)

    • @chrisumali9841 2 years ago +1

      I agree, I watch those two channels all the time

  • @thomas25514 6 months ago

    Thanks for your video! I got it to work partly. For some services, like Jellyfin, it works fine. For others not so much because authentication failure has a different format in the logs. For some services, Transmission in my case, I get banned even when I use the correct login information because the log gives a 409 code after login. Is there another way to include all kinds of failed logins?

  • @andrewhinson9750 2 years ago +1

    Seems to only populate Cloudflare IP addresses I’m not sure what I’m doing wrong. I commented out the real IP like you said.

  • @Cloecher11 2 years ago

    When I run the docker inspect command around 18:30 my responses all come back with null instead of a /var/ overlay. Any ideas on what would cause that?

    • @DanDease 1 year ago

      As do I. No overlays found in my setup.

    • @DanDease 1 year ago

      Looks like this is due to us using a different Docker file system. Mine is using VFS, not overlay.

  • @SRCN999 2 years ago

    thank you

  • @lrvt7 2 years ago +2

    Btw, the max-retry value '1' of your fail2ban filter seems also quite strict. I assume that a single 4XX error will ban the IP. I would use a friendlier value of 5 or 10, especially because we are banning for a full lifetime with bantime = -1

    • @DBTechYT 2 years ago +2

      These were just some that were there. As I said in the video, you can change those for your own needs. :)

  • @ajschot 2 years ago

    getting error on the TZ part.... it gives me a syntax error, whatever I try I every time get an error, I can not deploy the stack whatever I try, I already tried removing some tabs and then the syntax error moves and in the end it gives an error on an empty line.....

    • @OmgLuLzWTF 2 years ago

      I think he used tabs instead of spaces.. put the lines back to the first column using backspace and then use space to put them to the correct column, that should fix it

    • @ajschot 2 years ago

      @@OmgLuLzWTF ah that could be true, I pasted the text first in nano and then copied that, this also did the trick, so your statement could be true.

  • @bencollinz 2 years ago

    This may be out of the scope of this but do I really need to change to cloudflare's name servers from my registrar's? I created a Cloudflare account, added my TLD and then it wanted me to change the name servers. (registrar just forwards to my self hosting). Thank you.

    • @DBTechYT 2 years ago

      If you want to use CloudFlare's security features, then you must forward your domain's name servers to CloudFlare

    • @bencollinz 2 years ago

      @@DBTechYT So, I would need to change over to Cloudflare's ddns client from what I'm currently using, correct?

    • @bencollinz 2 years ago

      @@DBTechYT Also, why did we put an email setup in fail2ban? It's not sending anything without a recipient address.

  • @michaelventarola7100 2 years ago

    How do I know if the Cloudflare api is working? I don't see any firewall blocks in Cloudflare.

    • @TheOnlyLinton 2 years ago

      I'm having the same issue. Is a premium Cloudflare account required?

  • @SarahPoulin 1 year ago

    Is there any point to doing the Cloudflare thing if I don't have any Cloudflare sites?

    • @DBTechYT 1 year ago

      I'm not sure what you mean by "cloudflare sites". This setup is specifically tailored for people who use CloudFlare to manage the DNS of their domains.

    • @SarahPoulin 1 year ago

      @@DBTechYT oh ok. I don't use CloudFlare to manage the DNS of my domains. I have a few domains that are DuckDNS and I'm using Nginx Proxy Manager to point to apps in my private network. Will Fail2ban in Docker still work without any CloudFlare management? I have only ever used Fail2ban as an install natively on a system (an asterisk server running on GCP, for example).

    • @DBTechYT 1 year ago

      I wish I had a solid answer for you on this. It *might* work, but I've only tested it with Cloudflare as I only used DuckDNS for a very short amount of time. Now I use Cloudflare Tunnels to remotely access my sites and services

    • @SarahPoulin 1 year ago

      @@DBTechYT I use DuckDNS for an actual domain name. I'm too poor to pay for a domain name. 😅

    • @DBTechYT 1 year ago

      You might look at www.porkbun.com They have .XYZ from $2.04 and .INFO from $3.07. I've been using them for years

  • @lichtii1972 2 years ago

    Does anyone else have the problem that in the log files you get the message "Server Ready" and the list of the access and error log files but there is no communication to Cloudflare?

    • @DBTechYT 2 years ago

      Are you sure that you got your global API key and email address in the configuration file?

    • @lichtii1972 2 years ago

      @@DBTechYT Now I got it. My NPM Docker wasn't configured to write the log files to the path. In the Docker-Compose I had a volume linked to it, so now it works pretty good :)

    • @DBTechYT 2 years ago +1

      Great news!

  • @Pete060490 1 year ago

    Something is amiss here. I think I followed your guide to the letter. However, with the filter you used in combination with the log files from nginx, I get banned when I upload files to my nextcloud. I scanned the logs using a tool for regex and found no matches. I then saw that you didn't define the filter in your jail (filter = npm-docker) so I did that. The problem persists though. I'm having a hard time figuring out where the false positives are coming from. Two regex tools couldn't find any matches in all of my log files. Maybe you got a lot of false positive bans in your config too? Anyways, love your guides. Keep it up!
    EDIT: The problem was the tool I used to analyze the regex. I used ChatGPT, which did spot the matches. I then added ignoreregex a la "string1" "string2" ... and now it works like a charm.

  • @alexmadriaga6885 8 months ago

    Does this deprecate the CloudFlare tunnel since you are now using nginx-proxy-manager?

    • @DBTechYT 8 months ago

      I wouldn't go this route. I would stick with Tunnels.

    • @alexmadriaga6885 8 months ago

      @@DBTechYT , are you more confident of just implementing the CloudFlare Zero trust and forget about fail2ban + nginx-proxy-manager?

    • @DBTechYT 8 months ago

      💯

  • @jhmc93 1 year ago

    Hello, how do you map the logs in nginx proxy manager?

    • @DBTechYT 1 year ago

      ruclips.net/video/-CQcEWVBjQU/видео.html

  • @OzDeaDMeaT 2 years ago

    Good video. I am trying to understand why fail2ban needs a 'host' network config. Does the fail2ban need to reside on the same machine as nginx proxy manager?

    • @DBTechYT 2 years ago

      It needs 'host' so that it can monitor network traffic. And, yes, it needs to be on the same machine as NPM

    • @OzDeaDMeaT 2 years ago

      @@DBTechYT I didn't understand the linkage of NPM in the video, that wasn't clear. Also, npm isn't in the requirements for fail2ban, so why is it needed?

    • @DBTechYT 2 years ago

      NPM is being used as a reverse proxy so you can host multiple domains/subdomains on your docker server. Fail2Ban monitors NPM logs and reports sketchy behavior to CloudFlare and they work together to block IP addresses that are doing the sketchy stuff. This is just ONE method of setting up remote access to Docker containers.

    • @OzDeaDMeaT 2 years ago

      @@DBTechYT Oh right, nginX Proxy Manager... For some reason I didn't join the dots and was confused why you were making mention of npmjs the software repo. Also, I don't think you actually need it to be on the same machine as your host as you aren't doing any iptables actions. Technically you could have your fail2ban on another docker host and use a read-only NFS share to grab the Proxy Mgr's logs. Might be worth a shot.

  • @StevenBlaze 2 years ago

    I can't seem to find the directory /var/lib/docker/overlay2 in my setup. I'm running lxc on proxmox and portainer as a docker manager.
    running this `docker inspect $(docker ps -qa) | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"'` gives me a null result
    any help?

  • @k0t1k 9 months ago

    Am I correct that due to the Cloudflare Firewall update this does not work now?

    • @DBTechYT 9 months ago

      what update?

    • @k0t1k 9 months ago

      @@DBTechYT "Firewall rules are becoming WAF custom rules
      Cloudflare started converting existing firewall rules into WAF custom rules. With custom rules you get the same level of protection and a few additional features. Custom rules are available in the Cloudflare dashboard under Security > WAF > Custom rules.
      Cloudflare started this conversion as a phased rollout on 2023-02-28. Your zones will soon have WAF custom rules instead of firewall rules."
      The sections or section names in the cloudflare panel have changed. I used to follow the link to remove my IP from the ban list now this section is just gone. After that I decided to check if fail2ban works at all and it turned out that it doesn't work at all. It used to work perfectly configured according to your video for what you thank you very much, but now alas does not work.

    • @DBTechYT 9 months ago

      Gotcha. Honestly I have no idea. I don't use Fail2Ban or Nginx Proxy Manager and haven't for quite a while now. I use Cloudflare tunnels for basically everything

    • @k0t1k 9 months ago

      @@DBTechYT I will be looking for something new. Thank you very much for your quick reply and your very interesting videos.

  • @lichtii1972 2 years ago

    Hello, I also use Authelia so I think that's why it doesn't work properly. In the log files I get the message Server ready, but I never see any communication or something else. Can I also use Fail2ban and Authelia together?

    • @TritonB7 2 years ago

      This implementation for my environment works for both Authelia and NPM. If I enter in wrong credentials for Authelia I can see the Fail2Ban logs record this and ban.

    • @lichtii1972 2 years ago

      @@TritonB7 Hmm.. I don't see any communication from Fail2ban.. Maybe I got something wrong configured. Do you also use a Raspberry?

    • @lichtii1972 2 years ago

      @@TritonB7 Have you set the filter exactly the same as in the video?

    • @TritonB7 2 years ago

      @@lichtii1972 Yeah my filter is the same.

  • @3lmo2004 2 years ago

    Nice video as always. Question: I'm using Nginx on a Pi, how do I map the volume in the container?
    volumes:
    - "remote server"/volume1/docker/nginx/data/logs :/logs/npo :ro
    Let's assume the path is correct, the question is around the remote server part. Thanks in advance.

    • @DBTechYT 2 years ago

      Why are you trying to put fail2ban on a different system? Why not just put it on the same device?

  • @lrvt7 2 years ago

    I'll test this, but I assume that the regex is wrong. The first 4XX error is the upstream cache and the second one the 'real' response header of the underlying application proxied to.
    So the regex should focus on the second 4XX error code, not the first one. But I might be wrong.
    Great tutorial!

    • @DBTechYT 2 years ago

      Well it seems to be working on my end. It has blocked more than 200 IP addresses since I implemented it on my system
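The threshold and false-positive questions raised in these comments (maxretry = 1 with bantime = -1, the 409 responses Transmission returns after login, the ignoreregex workaround, and which 4xx field of an NPM log line the regex should key on) can be checked offline before touching a live jail. The following Python script is an added example, not code from the video, from Nginx Proxy Manager or from fail2ban; it replays constructed NPM proxy-host log lines (made-up addresses and host names) through a fail2ban-style filter and jail and reports which client IPs would be banned under different maxretry/findtime settings.

```python
"""Replay Nginx Proxy Manager proxy-host log lines through a fail2ban-style
filter and jail (maxretry / findtime / ignoreregex) to see which IPs get banned."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of NPM's proxy_host-*.log lines:
# [time] cache_status upstream_status status - method scheme host "uri" [Client ip] ...
# All addresses and host names are made up for this example.
SAMPLE_LOG = """\
[01/Jul/2024:10:00:01 +0000] - 401 401 - POST https cloud.example.test "/login" [Client 203.0.113.10] [Length 120] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[01/Jul/2024:10:00:03 +0000] - 401 401 - POST https cloud.example.test "/login" [Client 203.0.113.10] [Length 120] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[01/Jul/2024:10:00:05 +0000] - 401 401 - POST https cloud.example.test "/login" [Client 203.0.113.10] [Length 120] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[01/Jul/2024:10:00:07 +0000] - 404 404 - GET https cloud.example.test "/.env" [Client 203.0.113.10] [Length 153] [Gzip -] [Sent-to 10.0.0.5] "curl/8.0" "-"
[01/Jul/2024:10:00:09 +0000] - 404 404 - GET https cloud.example.test "/wp-login.php" [Client 203.0.113.10] [Length 153] [Gzip -] [Sent-to 10.0.0.5] "curl/8.0" "-"
[01/Jul/2024:10:01:00 +0000] - 409 409 - POST https torrent.example.test "/transmission/rpc" [Client 198.51.100.7] [Length 0] [Gzip -] [Sent-to 10.0.0.9] "Transmission/4.0" "-"
[01/Jul/2024:10:01:02 +0000] - 200 200 - POST https torrent.example.test "/transmission/rpc" [Client 198.51.100.7] [Length 88] [Gzip -] [Sent-to 10.0.0.9] "Transmission/4.0" "-"
[01/Jul/2024:10:02:00 +0000] - 404 404 - GET https cloud.example.test "/favicon.ico" [Client 192.0.2.44] [Length 153] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[01/Jul/2024:11:30:00 +0000] - 404 404 - GET https cloud.example.test "/robots.txt" [Client 192.0.2.44] [Length 153] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
"""

# Field layout of one NPM proxy-host log line. The failure decision below keys on
# the final $status field, not on the upstream status that precedes it.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<cache>\S+) (?P<upstream>\S+) (?P<status>\d{3}) - '
    r'(?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) "(?P<uri>[^"]*)" \[Client (?P<ip>[^\]]+)\]'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not an NPM line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], TIME_FMT)
    fields["raw"] = line
    return fields


def is_failure(entry, ignore_status, ignoreregex):
    """fail2ban-style match: any 4xx final status counts as a failure, unless the
    status is listed in ignore_status or the raw line matches an ignoreregex pattern."""
    if not entry["status"].startswith("4"):
        return False
    if entry["status"] in ignore_status:
        return False
    return not any(re.search(pattern, entry["raw"]) for pattern in ignoreregex)


def find_bans(log_text, maxretry=5, findtime=600, ignore_status=("409",),
              ignoreregex=(r'"/favicon\.ico"',)):
    """Sliding-window jail: an IP is banned once it has >= maxretry failures within
    findtime seconds. Returns the banned client IPs, sorted."""
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        ip = entry["ip"]
        if ip in banned or not is_failure(entry, ignore_status, ignoreregex):
            continue
        window = failures[ip]
        window.append(entry["time"])
        # keep only the failures that fall inside findtime relative to this one
        window[:] = [t for t in window if (entry["time"] - t).total_seconds() <= findtime]
        if len(window) >= maxretry:
            banned[ip] = entry["time"]
    return sorted(banned)


if __name__ == "__main__":
    # maxretry=1 (the video's value) bans on the first stray 404; maxretry=5 only bans
    # the client that hammered /login and probed for files within a few seconds.
    for retries in (1, 5):
        print(f"maxretry={retries}: banned {find_bans(SAMPLE_LOG, maxretry=retries)}")
```

Pointing the script at a real proxy_host-*.log instead of SAMPLE_LOG shows which of your own requests a given threshold would have banned before the jail is armed.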

  • @JirkaHolas 1 year ago

    Fail2Ban is quite a suitable name for this video, which unfortunately does not warn of an important problem - Cloudflare prohibits the transfer of videos and photos in its terms and conditions - there is a risk of service ban... so just to add... so you don't fail2Ban... ;)

    • @DBTechYT 1 year ago +1

      Section 2.8 of their TOS was removed within the last couple of months, so... you know... make of that what you will.

    • @KLTechVideos 9 months ago

      @@DBTechYT So does that mean one could use it for emby media streaming? Also do you know if this applies to the tunnels on Cloudflare too or just dns?

  • @larsholz3933 1 year ago

    Thanks so much!! Working like a charm!
    One question: is it possible for me to ban myself? And if so: is it enough to "unban" myself in cloudflare?

    • @DBTechYT 1 year ago

      I think there's an option to whitelist your ip, but I don't remember where it is

  • @steala 2 years ago +1

    Will this work with Traefik? Great video! Thanks

    • @DBTechYT 2 years ago +1

      You can make it work with Traefik, but this setup will most likely not work as it is

  • @lichtii1972
    @lichtii1972 2 years ago

    Is anyone else having problems getting mail notifications?

  • @ragavansuresh5035
    @ragavansuresh5035 1 year ago

    Thanks a bunch, I've got this mostly working; however, my logs folder doesn't actually contain any error.log or access.log files. They only have proxy_host-*.log. If you have a minute, could you please let me know the full path to the logs folder in case I'm missing something? Thanks in advance!

    • @DBTechYT
      @DBTechYT 1 year ago

      Your logs are located wherever you stored them when you installed Nginx Proxy Manager.

    • @ragavansuresh5035
      @ragavansuresh5035 1 year ago

      @@DBTechYT Thanks for responding, it means a lot. And that's what I was hoping too. So I'm in npm/_data/logs and see no error logs. Do I have to enable error logging in NPM or something?

    • @ragavansuresh5035
      @ragavansuresh5035 1 year ago

      @@DBTechYT i.e. the logs folder only has these proxy_host-(number).log files.

    • @DBTechYT
      @DBTechYT 1 year ago

      For my NPM, my logs are here: /home/docker/apps/npm/data/logs. So that's the path that I would mount in this setup.

    • @ragavansuresh5035
      @ragavansuresh5035 1 year ago

      @@DBTechYT ok thank you so much, I will check there.

  • @lolololowbx280
    @lolololowbx280 2 years ago +1

    How about CrowdSec instead of fail2ban?

    • @DBTechYT
      @DBTechYT 2 years ago +1

      I might look into that one as well :)

  • @Aktez98
    @Aktez98 2 years ago +2

    Hi, nice, thanks! :)
    It works, but the "real_ip_header X-Forwarded-For;" option was causing Cloudflare addresses to be banned. "real_ip_header X-Real-IP" is the correct one for me, and fail2ban sees the correct addresses.

    • @TritonB7
      @TritonB7 2 years ago +1

      Did you already try "real_ip_header CF-Connecting-IP"?

    • @Aktez98
      @Aktez98 2 years ago +1

      @@TritonB7 I just checked and the option you gave works.
      I see that Cloudflare writes about using one of these options, so I started to wonder why it didn't work last time, and boom, now both options work.
      Not sure why, but I must have missed something back then. Thanks!

    • @TritonB7
      @TritonB7 2 years ago +4

      @@Aktez98 @Aktezik No problem. On the front end Cloudflare uses the X-Real-IP header and passes the IP to the CF-Connecting-IP header that is between the Cloudflare edge and origin servers. Also, something to look into: instead of modifying the nginx.conf file found in the overlays path, I created my own .conf file "/data/nginx/custom/cloudflare/real_ip.conf", which includes all "set_real_ip_from" entries and the single "real_ip_header CF-Connecting-IP;" entry, and used that for each Proxy Host by adding "include /data/nginx/custom/cloudflare/real_ip.conf;" in the Custom Nginx Configuration field, found under the Advanced tab of each Proxy Host. Sure, you have to do this for each host, but you also don't have to worry about the original nginx.conf file being overwritten by future updates.

    • @ToddHeadlee
      @ToddHeadlee 2 years ago

      @@TritonB7 Can you give a little more detail on how to add the include for the "real_ip.conf" file on the Advanced tab? I have the file in my data directory and I can't get it to work. If you could reply back with what exactly you have in the Advanced tab, that would be extremely helpful. Thanks in advance!

    • @ToddHeadlee
      @ToddHeadlee 2 years ago

      @@TritonB7 Never mind, I finally figured it out. Thanks for your original post.

  • @ToshGate
    @ToshGate 2 years ago

    Can't get it working without Cloudflare. Can you point me in the right direction?

    • @DBTechYT
      @DBTechYT 2 years ago

      This is meant to be a setup WITH Cloudflare. I don't do anything regarding hosting without Cloudflare.

    • @ToshGate
      @ToshGate 2 years ago

      @@DBTechYT Anyway, my problem is not with Cloudflare; I can migrate to them. My problem is that fail2ban just sees the NPM IP. Do you have any idea why that might be happening?

    • @DBTechYT
      @DBTechYT 2 years ago

      No idea. You've given me NO information about what you've done, what you've tried, what errors you've seen, nothing. Both of your comments have been very vague. The more descriptive and concise you can be in your explanation, the better the chances of getting help are.

    • @ToshGate
      @ToshGate 2 years ago

      @@DBTechYT So, at the moment I use DuckDNS with NPM, hosted on a Synology NAS. I've followed your video from start to end, even the Cloudflare part; I was hoping to get it kind of working and later remove Cloudflare from my config. In the fail2ban logs I just see the NPM local IP, no errors or anything else. It's kind of working, but just banning the NPM IP?! To me it seems that NPM isn't passing through the real client IP to fail2ban, but unfortunately I can't resolve this problem.

  • @jacksoncremean1664
    @jacksoncremean1664 1 year ago

    You could just replace fail2ban with CrowdSec; it's far more powerful and automated compared to fail2ban. Plus, it's actually compatible with Cloudflare.

  • @Henkie0011
    @Henkie0011 2 years ago

    👍

  • @kevdok2541
    @kevdok2541 1 year ago +1

    If you are getting the error "jq: command not found" when trying to find the path of nginx.conf (when you execute the command: docker inspect $(docker ps -qa)...), just run: sudo apt install jq
    This will fix the problem.
    Hope it was helpful.

  • @ushilives3
    @ushilives3 2 years ago

    Have you got a beginner's guide to starting Docker? Still don't know what it is all about lol

    • @DBTechYT
      @DBTechYT 2 years ago +2

      Most of my videos are based on using a system with Docker pre-installed. I use things like OpenMediaVault 5, CasaOS, Synology, etc. There's a good explanation on how to install it here: docs.docker.com/engine/install/debian/

  • @vidx9
    @vidx9 1 year ago

    Thanks for the great video, but the link to the resources is not working.

    • @DBTechYT
      @DBTechYT 1 year ago +1

      Thanks for letting me know. It should be fixed.

  • @bw1235
    @bw1235 2 years ago

    This was a great walkthrough and I got it running without much drama. That said, it instantly bans me 🙂
    My Nginx logs have many warnings about proxy buffering files ("an upstream response is buffered to a temporary file"), and I honestly can't tell whether these are captured by the criteria, i.e.:
    failregex = ^.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
    ^.+ 4\d\d \d\d\d - .+ \[Client \] \[Length .+\] ".+" .+$)
    I also wonder if the Nginx proxy buffer settings can be changed to reduce or eliminate this? I'll have a look through the logs to see if there's anything else amiss.
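Added example (not code from the video or its written guide): the second failregex quoted above, run against constructed lines in NPM's proxy-host log format. It shows which 4xx column the filter keys on (the point raised by @lrvt7), that the banned address is whatever sits in the [Client ...] field, so a missing real_ip_header gets the proxy or bridge address banned (the @Aktez98 and @ToshGate threads), and that the proxy-buffering warning lines asked about here do not match at all. It assumes the filter's `<HOST>` tag, stripped by the comment rendering, sits in the "[Client <HOST>]" field, and stands in for it with a plain IPv4 capture.

```python
import re

# Second failregex from the npm-docker filter discussed in the comments.
# Assumption: the <HOST> tag (stripped by the comment rendering) sits in the
# "[Client <HOST>]" field. Fail2ban's real <HOST> also covers IPv6 and DNS
# names; a plain IPv4 capture is used here to keep the example short.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r'^.+ 4\d\d \d\d\d - .+ \[Client ' + HOST + r'\] \[Length .+\] ".+" .+$'
)


def banned_host(line: str):
    """Return the client IP fail2ban would ban for this log line, or None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


# Constructed sample lines (not real logs) in NPM's proxy-host format:
# [time] $upstream_cache_status $upstream_status $status - $method $scheme $host "$uri" [Client $remote_addr] ...
SAMPLE_LOG = [
    # upstream answered 404 and NPM relayed it: the filter fires on the upstream status column
    '[20/Mar/2022:12:32:31 +0000] - 404 404 - GET https example.com "/wp-login.php" [Client 203.0.113.5] [Length 153] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    # ordinary 200: no match
    '[20/Mar/2022:12:32:32 +0000] - 200 200 - GET https example.com "/" [Client 198.51.100.7] [Length 5120] [Gzip 3.1] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    # upstream down, NPM itself returns 502 and the upstream status is "-": no match
    '[20/Mar/2022:12:32:33 +0000] - - 502 - GET https example.com "/" [Client 203.0.113.5] [Length 559] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    # same 404 but real_ip_header not configured: the Client field holds the docker bridge address, which is what gets banned
    '[20/Mar/2022:12:32:34 +0000] - 404 404 - GET https example.com "/.env" [Client 172.18.0.1] [Length 153] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    # nginx proxy-buffering warning from the error log: never matches this filter
    '2022/03/20 12:32:35 [warn] 1#1: *45 an upstream response is buffered to a temporary file /var/lib/nginx/proxy/1/00/0000000001 while reading upstream, client: 203.0.113.5, server: example.com, request: "GET /big.bin HTTP/1.1", upstream: "http://192.168.1.10:8080/big.bin", host: "example.com"',
]


def scan(lines):
    """Map each line to the host the filter would report (None means no ban)."""
    return [banned_host(line) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print("BAN " + host if host else "----", line[:70])
```

The same check against the real filter and log files is what `fail2ban-regex <logfile> /etc/fail2ban/filter.d/npm-docker.conf` does.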

  • @jhmc93
    @jhmc93 1 year ago +1

    Trying to set this up via your guide, but when I use the following: "docker inspect $(docker ps -qa) | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"'"
    an error occurs: -bash: jq: command not found

  • @j-fur3616
    @j-fur3616 2 years ago

    As a security engineer, I don't recommend banning IP addresses; in that case there are many innocent people behind that IP that you've blocked. We use other techniques to ban only the attacker.

    • @flakmoppen
      @flakmoppen 1 year ago +2

      As a forklift operator, I recommend banning IP addresses. In that case the security of my private home-run server is greatly increased, without affecting the 5-10 people using the server.

  • @f1r3man1000
    @f1r3man1000 1 year ago

    thx

  • @awefca
    @awefca 2 years ago

    I found out that the file in jail.d must end with .local for it to work.

  • @ricksmith219
    @ricksmith219 2 years ago

    I am fairly certain that I followed the directions completely; however, I cannot get the server up. I am running Docker with OMV6, if that matters. Here is the error in the logs:
    2022-03-20 12:32:31,965 fail2ban.configreader [1]: INFO Loading configs for filter.d/npm-docker under /etc/fail2ban
    2022-03-20 12:32:31,966 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/npm-docker.conf']
    2022-03-20 12:32:31,966 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/npm-docker.conf']
    2022-03-20 12:32:31,969 fail2ban.configreader [1]: INFO Loading configs for action.d/cloudflare-apiv4 under /etc/fail2ban
    2022-03-20 12:32:31,970 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/cloudflare-apiv4.conf']
    2022-03-20 12:32:31,971 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/cloudflare-apiv4.conf']
    2022-03-20 12:32:31,973 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/default-host_access.log
    2022-03-20 12:32:31,974 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/proxy-host-*_access.log
    2022-03-20 12:32:31,974 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/proxy-host-*_error.log
    2022-03-20 12:32:31,975 fail2ban [1]: ERROR Failed during configuration: Have not found any log file for npm-docker jail
    2022-03-20 12:32:31,977 fail2ban [1]: ERROR Async configuration of server failed
    Traceback (most recent call last):
    File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banserver.py", line 189, in start
    raise ServerExecutionException('Async configuration of server failed')
    fail2ban.client.fail2bancmdline.ServerExecutionException: Async configuration of server failed
    Any thoughts?

    • @aaaaaaaaabcdeh
      @aaaaaaaaabcdeh 2 years ago +1

      Find a fix?

    • @Zoredus
      @Zoredus 1 year ago

      You have to change the directory where your NPM logs are located in the docker-compose file.
      In my case:
      - "/home/docker/nginx-proxy-manager/data/logs/:/log/npm/:ro"
      to
      - "'/data/compose/4/npm-data/logs:/log/npm/:ro"

  • @designrepcom
    @designrepcom 2 years ago

    No joy after the command to find the correct Docker container:
    docker inspect $(docker ps -qa) | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"'
    I get a bunch of nulls after the container name, ex:

    • @bencollinz
      @bencollinz 2 years ago

      I had to use sudo or su for it to work for me. I wasn't logged in as root, like he was. Try that?

    • @designrepcom
      @designrepcom 2 years ago

      @@bencollinz No, that did not work :(

    • @abie1o
      @abie1o 2 years ago +2

      @@designrepcom 'jq' was not found on my system. So I just listed the containers using 'docker ps'. Then use the NPM container ID to run 'docker inspect | grep MergedDir'. That gave me the 'overlay' path.

    • @designrepcom
      @designrepcom 2 years ago

      @@abie1o Thanks, I will try that.

  • @jewjubes3688
    @jewjubes3688 2 years ago

    Works, but I had to add
    real_ip_header CF-Connecting-IP;
    to the nginx.conf.

  • @godwears7
    @godwears7 2 years ago

    I can get my IP banned but can still access the site, which allows me to get an 'ip already banned' log message. If I'm already banned, then why can I still access the site? Hmmmm, any ideas, anyone?

    • @DBTechYT
      @DBTechYT 2 years ago

      I'd switch to this method: ruclips.net/video/VrV0udRUi8A/видео.html