In this guide I will explain how to integrate swag’s Fail2ban with Organizr.
Organizr wiki:
https://github.com/causefx/Organizr/wiki/Fail2Ban-Integration
Purpose
To ban an IP address for a set time after X failed login attempts.
Preparation
For this to work, the swag container needs to be able to see the organizrLoginLog.json (or LoginLog.json on v1) file in the Organizr container.
- Open the swag container settings.
- Add a path from the swag container to the Organizr container.
  - Name: fail2ban organizr
  - Container path: /fail2ban or whatever you prefer
  - Host path: your path to the Organizr /db folder, e.g. /AppData/Organizr/db/
  - Access mode: Read only
  - Description: fail2ban path into organizr /db folder
Fail2ban
Edit the jail.local file in the fail2ban folder inside the swag appdata config path. Add this:
[organizr-auth]
enabled = true
port = http,https
filter = organizr-auth
logpath = /fail2ban/organizrLoginLog.json
ignoreip = 192.168.1.0/24
- The ignoreip setting is there so that fail2ban won’t ban your local IP. Check out https://www.aelius.com/njh/subnet_sheet.html if you are wondering what your CIDR notation is. Most often it will be /24 (netmask 255.255.255.0). To find your netmask, run ipconfig /all on Windows or ifconfig | grep netmask on Linux.
- The logpath is the container path you created in step 2.
Note: on Organizr V1 the log file is called loginLog.json.
Create a file called organizr-auth.conf and add this:
[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
ignoreregex =
In Organizr V2 the auth_type is error, so it needs to be:
[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"error"}*
ignoreregex =
- Go to the fail2ban folder in the swag directory and place the file in the filter.d directory.
- Since you need write permission to add files to that folder, you can use either the CLI or the Krusader file manager to move the file into the folder.
Organizr nginx
- Because the Organizr container only logs the Docker IP addresses, e.g. 172.17.0.2, you need to add something to the Organizr default nginx site file.
- Go to appdata\organizr\nginx\site-confs\default and add:
Note: This has been added to the v2 container, you only need to uncomment the lines now.
# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;
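Do not add this to your swag nginx config. Organizr has its own config! The set_real_ip_from line tells nginx which source addresses to trust for the X-Forwarded-For header, so it should cover only the Docker network that swag connects from.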
Should look like this:
server {
    listen 80 default_server;
    root /config/www/Dashboard;
    index index.html index.htm index.php;
    server_name _;
    client_max_body_size 0;
    # get real IP
    real_ip_header X-Forwarded-For;
    set_real_ip_from 172.17.0.0/16;
    real_ip_recursive on;
    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
    location /auth-admin {
        internal;
        rewrite ^ /auth.php?admin;
    }
    location /auth-user {
        internal;
        rewrite ^ /auth.php?user;
    }
}
It should now log the actual IP in the Organizr log.
Remember to restart both containers.
Banned
The fail2ban.log file should output something like this:
2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131
If for some reason the fail2ban log stops logging bad auths, try creating a new path to the loginLog.json file and use that instead.
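To check the filter offline before relying on the jail, the following added example (not part of the original guide, Organizr or fail2ban) applies the V1 and V2 failregex, the ignoreip range and a ban threshold to constructed log lines. The log field layout, the `success` auth_type, the IPv4-only stand-in for `<HOST>` and the threshold of 5 are assumptions; the findtime window is not modelled.

```python
import ipaddress
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only here; the real tag
# also matches IPv6 addresses and hostnames).
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# failregex values for Organizr V1 and V2. The username is matched with \S+.
FAILREGEX_V1 = r'","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}'
FAILREGEX_V2 = r'","username":"\S+","ip":"<HOST>","auth_type":"error"}*'

IGNOREIP = ipaddress.ip_network("192.168.1.0/24")  # ignoreip from jail.local
MAXRETRY = 5  # assumption: the sample fail2ban.log bans after five "Found" lines


def evaluate(lines, failregex, maxretry=MAXRETRY):
    """Return (found, ignored, banned) for the given log lines."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    found, ignored = Counter(), Counter()
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue  # successful logins and other auth_type values
        ip = match.group("host")
        if ipaddress.ip_address(ip) in IGNOREIP:
            ignored[ip] += 1  # logged by fail2ban as "Ignore ... by ip"
        else:
            found[ip] += 1  # logged by fail2ban as "Found ..."
    banned = sorted(ip for ip, count in found.items() if count >= maxretry)
    return found, ignored, banned


def make_line(user, ip, auth_type):
    # Constructed sample entry; the field layout is inferred from the failregex.
    return ('{"utc_date":"2017-08-08T21:53:24Z","username":"%s","ip":"%s",'
            '"auth_type":"%s"}' % (user, ip, auth_type))


# Constructed log: documentation-range IPs, one LAN client, one Docker bridge IP.
SAMPLE = ([make_line("admin", "203.0.113.7", "error")] * 5
          + [make_line("me", "192.168.1.1", "error")] * 4
          + [make_line("admin", "198.51.100.9", "error")] * 2
          + [make_line("me", "203.0.113.7", "success"),
             make_line("admin", "172.17.0.1", "error")])

if __name__ == "__main__":
    for name, rx in (("V1", FAILREGEX_V1), ("V2", FAILREGEX_V2)):
        found, ignored, banned = evaluate(SAMPLE, rx)
        print(name, dict(found), dict(ignored), banned)
```

The V1 pattern finds nothing in a V2-style log, which is how a mismatched auth_type shows up in practice, and the 172.17.0.1 entry is what the log records when the real-IP nginx lines are not active. Inside the swag container, fail2ban's own fail2ban-regex tool can run the real filter file against the real log.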
Unbanning
If you managed to ban yourself, or a friend banned themselves, you can do this to unban.
Bash into the container with:
docker exec -it swag bash
Enter fail2ban interactive mode and check the status of the jail:
fail2ban-client -i
status organizr-auth
Output:
Status for the jail: organizr-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list: /fail2ban/loginLog.json
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 104.160.20.131
Unban with:
fail2ban-client unban 104.160.20.131
If you already know the IP you want to unban you can just type this:
docker exec -it swag fail2ban-client unban 104.160.20.131