Fail2ban with Organizr and Letsencrypt on unRAID

In this guide I will explain how to integrate Letsencrypts Fail2ban with Organizr.

Organizr wiki:

https://github.com/causefx/Organizr/wiki/Fail2Ban-Integration

Purpose

To ban an IP-address after X amounts of failed login attempts for a set time.

Preparation

For this to work we need the letsencrypt container to be able to see the loginLog.json (or organizrLoginLog.json on v2 ) file in the Organizr container.

1. Open the letsencrypt container settings.
2. Add a path from the letsencrypt container to the Organizr container.
   • • Name: fail2ban organizr
     • Container path: /fail2ban or whatever you prefer
     • Host path: Your path to the Organizr /www folder e.g /AppData/Organizr/www/db/
     • Access mode: Read only
   • Description: fail2ban path into organizr /www folder

Fail2ban

Edit the jail.local file in the fail2ban folder inside the letsencrypt appdata config path Add this:

[organizr-auth]

enabled = true
port = http,https
filter = organizr-auth
logpath = /fail2ban/loginLog.json
ignoreip = 192.168.1.0/24

• The ignore IP is so that fail2ban won’t ban your local IP. Check out https://www.aelius.com/njh/subnet_sheet.html if you are wondering what your CIDR notation is. Most often it will be /24 (netmask 255.255.255.0)
  To find your netmask run ipconfig /all on windows or ifconfig | grep netmask on linux.
• The logpath is the container path you created in step 2.

Note: on Organizr V2 the log file is called organizrLoginLog.json

Create a file called organizr-auth.conf and add this:

[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
ignoreregex =

In Organizr V2 the auth_type is error. So it needs to be:

[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"error"}*
ignoreregex =

• Go to the fail2ban folder in the letsencrypt directory and place the file in the filter.d directory.
• Since you need write permission to add files to that folder you can either use cli or the Krusader file manager to move the file into the folder.

Organizr nginx

5. Because the Organizr container only logs the docker IP addresses e.g 172.17.0.2 you need to add something in the Organizr default nginx site file.
   • Go to appdata\organizr\nginx\site-confs\default and add:

Note: There seems to have been an update to the container. It now logs the correct IP. So if you see the correct IP in the log, this is not needed.

# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;

Do not add this in your letsencrypt nginx config. Organizr has it’s own config!

Should look like this:

server {
listen 80 default_server;
root /config/www/Dashboard;
index index.html index.htm index.php;

server_name _;
client_max_body_size 0;

# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on; 

location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;

}

location /auth-admin {
internal;
rewrite ^ /auth.php?admin;
}
location /auth-user {
internal;
rewrite ^ /auth.php?user;
}
}

It should now log the actual IP in the Organizr log.

Remember to restart both containers.

Banned

The fail2ban.log file should output something like this:

2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131

If by some reason the fail2ban log should stop logging bad auths, try to create a new path to the loginLog.json file and use that instead.

Unbanning

If you managed to ban yourself or a friend banned themself you can do this to unban.

Bash into the container with:

docker exec -it letsencrypt bash

Check the status of the jail:

fail2ban-client status organizr-auth

Output

Status for the jail: organizr-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 5
| `- File list: /fail2ban/loginLog.json
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 104.160.20.131

unban with:

fail2ban-client unban 104.160.20.131

If you already know the IP you want to unban you can just type this:

docker exec -it letsencrypt fail2ban-client set organizr-auth unbanip 104.160.20.131
or
docker exec -it letsencrypt fail2ban-client unban 104.160.20.131

For Fail2ban with basic auth check out my post here