Security

Banning with basic auth and Fail2Ban

By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned.

Creating the .htpasswd file

exec into your container and create the .htpasswd file

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd USER-NAME

New password:
Re-type new password:
Adding password for user yourusername

The outcome would be like this:

login:password
exampleuser:$apr1$adiBYUBX$61udeQ5OGHJXev1l.Mr5X/

If you choose to put the .htaccess in your root folder you can block access to it with this:

location ~ /\. { 
return 404; 
}

Nginx

Use the include syntax and create a basicauth.conf file that you include in the block.

include /config/nginx/basicauth.conf;

Here is an example:

# SABNZBD redirect
location /sabnzbd {
return 301 /sabnzbd/;
}
# SABNZBD
location /sabnzbd/ {
include /config/nginx/basicauth.conf;
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.34:8383/sabnzbd/;
}

Note: This will not work if you use server based authentication with Organizr. Read more here

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

Fail2ban

If you use linuxservers letsencrypt container, Fail2ban should already be pre configured to ban failed http auths.

If not you can add this in your jail.local file.

[nginx-http-auth]

enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24

Note: The ignore IP is so that fail2ban won’t ban your local IP.
Check out https://www.aelius.com/njh/subnet_sheet.html if you are wondering what your CIDR notation is. Most often it will be /24 (netmask 255.255.255.0)
To find your netmask run ipconfig /all on windows or ifconfig | grep netmask on linux.

  • The logpath is the path to your nginx error log

You also need to create a file called nginx-http-auth.conf in the filter.d folder in the fail2ban directory.

# fail2ban filter configuration for nginx
[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$

ignoreregex = 

# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
# 
# Author: Daniel Black
Fail2ban.log output
2017-11-04 15:14:58,867 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore 192.168.1.1 by ip
2017-11-04 15:14:58,868 fail2ban.filter [308]: INFO [nginx-http-auth] Ignore 192.168.1.1 by ip
2017-11-04 15:52:04,055 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:04
2017-11-04 15:52:06,530 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:06
2017-11-04 15:52:16,989 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:16
2017-11-04 15:52:18,817 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:18
2017-11-04 15:52:29,309 fail2ban.filter [308]: INFO [nginx-http-auth] Found 77.16.40.104 - 2017-11-04 15:52:29
2017-11-04 15:52:29,340 fail2ban.actions [308]: NOTICE [nginx-http-auth] Ban 77.16.40.104

Unbanning

If you managed to ban yourself or a friend banned themself you can do this to unban.

Exec into the container with:

docker exec -it letsencrypt bash

Enter fail2ban interactive mode:

fail2ban-client -i

Check the status of the jail:

status nginx-http-auth

Output

Status for the jail: nginx-http-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /config/log/nginx/error.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 77.16.40.104

unban with:

set nginx-http-auth unbanip 77.16.40.104

If you already know the IP you want to unban you can just type this:

docker exec -it letsencrypt fail2ban-client set nginx-http-auth unbanip 77.16.40.104

For Fail2Ban integration with Organizr, check out my post here

For any questions you can find me here:

Discord 

20
Security
GilbN
Author

GilbN

Just a regular dude from Norway that recently got into servers. Likes long walks on the beach while watching grafana statistics and thinking "Is it really worth it?" "Yes... yes it is"

Related Article
Frontend
Spice up your homepage Part II
Read Article
Related Article
Backend
How to add email notifications to Fail2ban
Read Article
Related Article
Backend
Setting up Grafana and InfluxDB for UPS monitoring on unRAID
Read Article

Read More