Fail2Ban Integration
Fail2ban scans log files (e.g. /var/log/nginx/error.log) and bans IPs that show malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email/notification) could also be configured.
Prerequisites
- Fail2ban installed and configured.
Fail2Ban filter
Go to your filter.d
folder in your Fail2Ban install location (/etc/fail2ban/filter.d) and create a file called organizr-auth.conf
and add the following:
For Organizr V2 add:
[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"error"}*
ignoreregex =
For Organizr V1 add:
[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
ignoreregex =
Organizr Jail
Edit the jail.local file in the Fail2Ban directory and add the following:
[organizr-auth]
enabled = true
port = http,https
filter = organizr-auth
logpath = /var/www/html/db/organizrLoginLog.json
ignoreip = 192.168.1.0/24
- The ignore IP is so that fail2ban won’t ban your local IP. Check out https://www.aelius.com/njh/subnet_sheet.html if you are wondering what your CIDR notation is. Most often it will be /24 (netmask 255.255.255.0)
To find your netmask runipconfig /all
on windows orifconfig | grep netmask
on linux.
Restart Fail2Ban with sudo service fail2ban restart
Path to Organizr logs
V2: /var/www/html/db/organizrLoginLog.json
V1: /var/www/html/loginLog.json
Docker: /config/db/organizrLoginLog.json
Docker
Because the Organizr container only logs the docker IP addresses e.g 172.17.0.2
you need to add this in the Organizr default nginx site file. Go to \organizr\nginx\site-confs\default
and add the following inside the server block:
# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;
If you're using organizrtools/organizr-v2
it's already added and you only need to uncomment the set_real_ip_from
line.
Then restart the container: docker restart organizr
Using the linuxserver/letsencrypt container
The Fail2ban filter folder is in /<appdatafolder>/letsencrypt/fail2ban/filter.d
For this to work you need the letsencrypt container to be able to read the organizrLoginLog.json
file in the Organizr container.
Mount the Organizr log like this:
-v <path/to/organizr/config/db:/organizrlog:ro
And set the log path in the Fail2Ban jail.local
file to /organizrlog/organizrLoginLog.json
Banned
The fail2ban.log file should output something like this:
2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131
If you managed to ban yourself or a friend banned themself you can run this to unban.
fail2ban-client unban <ip>
or docker exec letsencrypt fail2ban-client unban <ip>
Thanks to rix1337 for the fail2ban config:
1 Comment
Hi, I am running a reverse nginx proxy with letsencrypt, with an apache2 backend that Organizr and Fail2Ban runs on. Along with qBittorrent, Sonarr, Radarr, Nextcloud, etc. Fail2Ban logs show that it's recognising Organizr and banning the ip address after several incorrect logins but its still possible to login. It seems to be the exact same issue related to this post from a year ago; https://www.reddit.com/r/organizr/comments/8r3c15/organizr_v2_and_fail2ban_protection/
I've followed the guide above but it doesn't seem to work. Is there any further guidance available?? I can post logs if need be.