Fail2ban with Organizr and Let’sEncrypt on unRAID


Ban everyone with Fail2ban!

In this guide I will explain how to integrate the Fail2ban that ships in the letsencrypt container with Organizr.

Organizr wiki:

https://github.com/causefx/Organizr/wiki/Fail2Ban-Integration

Preparation

For this to work we need the letsencrypt container to be able to see the “loginLog.json” file in the Organizr container.

  1. Open the letsencrypt container settings.
  2. Add a path from the letsencrypt container to the Organizr container.
      • Name: fail2ban organizr
      • Container path: /fail2ban or whatever you prefer
      • Host path: Your path to the Organizr /www folder e.g /AppData/Organizr/www/
      • Access mode: Read only
      • Description: fail2ban path into organizr /www folder

Fail2ban

    1. Edit the jail.local file in the fail2ban folder inside the letsencrypt appdata config path. Add this:
      [organizr-auth]
      
      enabled = true
      port = http,https
      filter = organizr-auth
      logpath = /fail2ban/loginLog.json
      ignoreip = 192.168.1.0/24
      • The ignore IP is so that fail2ban won’t ban your local IP. Check out http://jodies.de/ipcalc if you are wondering what your netmask is.
      • The logpath is the container path you created in step 2.
    2. Create a file called organizr-auth.conf and add this:
      [Definition]
      failregex = ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
      ignoreregex =
      • Go to the fail2ban folder in the letsencrypt directory and place the file in the filter.d directory.
      • Since you need write permission to add files to that folder you can either use SSH or the Krusader file manager to move the file into the folder.
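The filter and jail above can be checked offline before restarting anything. This is an added example, not part of the original guide or of fail2ban itself: the log entry shape (including the utc_date field and the good_auth type), the sample addresses and MAXRETRY = 5 are assumptions, and <HOST> is replaced by a simplified IPv4-only group.

```python
import ipaddress
import re
from collections import Counter

# failregex and ignoreip copied from the guide's organizr-auth filter and jail.
FAILREGEX = r'","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}'
IGNOREIP = ipaddress.ip_network("192.168.1.0/24")
# Assumption: the jail sets no maxretry; the guide's log shows a ban on the 5th "Found".
MAXRETRY = 5

# Simplification: fail2ban's real <HOST> also accepts IPv6 addresses and hostnames.
PATTERN = re.compile(
    FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def entry(user, ip, auth_type):
    # Constructed entry; only the fields named in the failregex come from the guide.
    return ('{"utc_date":"2017-08-08T21:53:24Z","username":"%s","ip":"%s",'
            '"auth_type":"%s"}' % (user, ip, auth_type))

# Constructed sample log.
SAMPLE_LOG = (
    [entry("admin", "104.160.20.131", "bad_auth")] * 5
    + [entry("admin", "5.153.234.107", "bad_auth")] * 2
    + [entry("admin", "192.168.1.1", "bad_auth")] * 6   # LAN, covered by ignoreip
    + [entry("admin", "172.17.0.2", "bad_auth")] * 5    # docker address, real IP not restored
    + [entry("bob", "203.0.113.9", "good_auth")] * 9    # not a failure, must not match
)

def evaluate(lines):
    """Return (failures per IP, sorted IPs that reach MAXRETRY)."""
    found = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m is None:
            continue
        ip = ipaddress.ip_address(m.group("host"))
        if ip in IGNOREIP:
            continue  # fail2ban logs these as "Ignore ... by ip"
        found[str(ip)] += 1
    banned = sorted(ip for ip, n in found.items() if n >= MAXRETRY)
    return found, banned

if __name__ == "__main__":
    found, banned = evaluate(SAMPLE_LOG)
    print("found:", dict(found))
    print("would ban:", banned)
```

The 172.17.0.2 entries show what the jail counts when Organizr logs the docker address instead of the client address, which is what the nginx change in the next section fixes.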

Organizr nginx

  1. Because the Organizr container only logs the docker IP addresses e.g 172.17.0.2 you need to add something in the Organizr default nginx site file.
    • Go to appdata\organizr\nginx\site-confs\default and add:
# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;

Do not add this in your nginx config. Organizr has its own config!

Should look like this:

server {
    listen 80 default_server;
    root /config/www/Dashboard;
    index index.html index.htm index.php;

    server_name _;
    client_max_body_size 0;

    # get real IP
    real_ip_header X-Forwarded-For;
    set_real_ip_from 172.17.0.0/16;
    real_ip_recursive on;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    location /auth-admin {
        internal;
        rewrite ^ /auth.php?admin;
    }
    location /auth-user {
        internal;
        rewrite ^ /auth.php?user;
    }
}

It should now log the actual IP in the Organizr log.
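How nginx picks the logged address from X-Forwarded-For with the three directives above, as an added example that is not from the original guide or from nginx's source. It models the realip module's documented behaviour; the peer and header addresses are constructed, and it assumes the letsencrypt reverse proxy appends the connecting client's address to the header.

```python
import ipaddress

# Trusted proxy range from the guide's set_real_ip_from directive.
TRUSTED = [ipaddress.ip_network("172.17.0.0/16")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)

def real_ip(peer, x_forwarded_for, recursive=True):
    """Address nginx would log for a connection from `peer` with this header."""
    addr = peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # The header is only consulted while the current address is a trusted proxy.
    while hops and is_trusted(addr):
        try:
            addr = str(ipaddress.ip_address(hops.pop()))  # take the rightmost hop
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive:
            break  # real_ip_recursive off: stop at the last header entry
    return addr

# Constructed cases: (description, peer, header, recursive)
CASES = [
    ("proxy appended the client", "172.17.0.1", "203.0.113.50", True),
    ("client-supplied entry before the proxy's", "172.17.0.1",
     "192.168.1.10, 203.0.113.50", True),
    ("two trusted proxies, recursive on", "172.17.0.1",
     "203.0.113.50, 172.17.0.3", True),
    ("two trusted proxies, recursive off", "172.17.0.1",
     "203.0.113.50, 172.17.0.3", False),
    ("peer outside set_real_ip_from", "198.51.100.20", "192.168.1.10", True),
]

if __name__ == "__main__":
    for desc, peer, header, recursive in CASES:
        print(f"{desc}: {real_ip(peer, header, recursive)}")
```

Only entries added by a peer inside set_real_ip_from are believed, so keep that range as narrow as the docker network the proxy actually connects from; a wider range lets a header value decide which address fail2ban counts and whether ignoreip applies.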

Remember to restart both containers.

Banned

The fail2ban.log file should output something like this:

2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131

If for some reason the fail2ban log stops logging bad auths, try creating a new path to the loginLog.json file and use that instead.

Unbanning

If you managed to ban yourself, or a friend banned themselves, you can do this to unban.

Bash into the container with:

docker exec -it letsencrypt bash

Enter fail2ban interactive mode:

fail2ban-client -i

Check the status of the jail:

status organizr-auth

Output

Status for the jail: organizr-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list: /fail2ban/loginLog.json
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 104.160.20.131

Unban with:

set organizr-auth unbanip 104.160.20.131

If you already know the IP you want to unban you can just type this:

docker exec -it letsencrypt fail2ban-client set organizr-auth unbanip 104.160.20.131

For Fail2ban with basic auth check out my post here

W.

Weyland
