In this guide I will explain how to integrate swag’s Fail2ban with Organizr.

Organizr wiki:


To ban an IP-address after X amounts of failed login attempts for a set time.


For this to work we need the swag container to be able to see the organizrLoginLog.json (or LoginLog.json on v1 ) file in the Organizr container.

  1. Open the swag container settings.
  2. Add a path from the swag container to the Organizr container.
      • Name: fail2ban organizr
      • Container path: /fail2ban or whatever you prefer
      • Host path: Your path to the Organizr /dbfolder e.g /AppData/Organizr/db/
      • Access mode: Read only
    • Description: fail2ban path into organizr /db folder


Edit the jail.local file in the fail2ban folder inside the swag appdata config path Add this:


enabled = true
port = http,https
filter = organizr-auth
logpath = /fail2ban/organizrLoginLog.json
ignoreip =
  • The ignore IP is so that fail2ban won’t ban your local IP. Check out if you are wondering what your CIDR notation is. Most often it will be /24 (netmask
    To find your netmask run ipconfig /all on windows or ifconfig | grep netmask on linux.
  • The logpath is the container path you created in step 2.

Note: on Organizr V1 the log file is called loginLog.json

Create a file called organizr-auth.conf and add this:

failregex = ","username":"S+","ip":"<HOST>","auth_type":"bad_auth"}
ignoreregex =

In Organizr V2 the auth_type is error. So it needs to be:

failregex = ","username":"S+","ip":"<HOST>","auth_type":"error"}*
ignoreregex =
  • Go to the fail2ban folder in the swag directory and place the file in the filter.d directory.
  • Since you need write permission to add files to that folder you can either use cli or the Krusader file manager to move the file into the folder.

Organizr nginx

  1. Because the Organizr container only logs the docker IP addresses e.g you need to add something in the Organizr default nginx site file.
    • Go to appdataorganizrnginxsite-confsdefault and add:

Note: This has been added to the v2 container, you only need to uncomment the lines now.

# get real IP
real_ip_header X-Forwarded-For;
real_ip_recursive on;

Do not add this in your swag nginx config. Organizr has it’s own config!

Should look like this:

server {
listen 80 default_server;
root /config/www/Dashboard;
index index.html index.htm index.php;

server_name _;
client_max_body_size 0;

# get real IP
real_ip_header X-Forwarded-For;
real_ip_recursive on; 

location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
location ~ .php$ {
fastcgi_split_path_info ^(.+.php)(/.+)$;
# With php5-cgi alone:
# With php5-fpm:
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;


location /auth-admin {
rewrite ^ /auth.php?admin;
location /auth-user {
rewrite ^ /auth.php?user;

It should now log the actual IP in the Organizr log.

Remember to restart both containers.


The fail2ban.log file should output something like this:

2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban

If by some reason the fail2ban log should stop logging bad auths, try to create a new path to the loginLog.json file and use that instead.


If you managed to ban yourself or a friend banned themself you can do this to unban.

Bash into the container with:

docker exec -it swag bash

Enter fail2ban interactive mode and check the status of the jail:

fail2ban-client -i status organizr-auth


Status for the jail: organizr-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /fail2ban/loginLog.json
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list:

unban with:

fail2ban-client unban

If you already know the IP you want to unban you can just type this:

docker exec -it swag fail2ban-client unban

For Fail2ban with basic auth check out my post here

For any questions you can find me here: