
Fail2Ban Integration

Fail2ban scans log files (e.g. /var/log/nginx/error.log) and bans IPs that show malicious signs, such as too many password failures or probing for exploits. Fail2Ban is generally then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email or notification) could also be configured.

Prerequisites

  • Fail2ban installed and configured.

Fail2Ban filter

Go to the filter.d folder of your Fail2Ban installation (/etc/fail2ban/filter.d), create a file called organizr-auth.conf and add the following:

For Organizr V2 add:

[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"error"}*
ignoreregex =

For Organizr V1 add:

[Definition]
failregex = ","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}
ignoreregex =

Organizr Jail

Edit the jail.local file in the Fail2Ban directory (/etc/fail2ban) and add the following:

[organizr-auth]
enabled = true
port = http,https
filter = organizr-auth
logpath = /var/www/html/db/organizrLoginLog.json
ignoreip = 192.168.1.0/24
  • The ignoreip setting is there so that fail2ban won't ban your own local network. Check out https://www.aelius.com/njh/subnet_sheet.html if you are unsure of the CIDR notation for your network. Most often it will be /24 (netmask 255.255.255.0).
    To find your netmask run ipconfig /all on Windows or ifconfig | grep netmask on Linux.

Restart Fail2Ban with sudo service fail2ban restart
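
To check that the filter and jail above behave as intended before pointing Fail2Ban at the live log, here is an added Python example (it is not part of Organizr, Fail2Ban or rix1337's config). It applies the two failregex lines from organizr-auth.conf to constructed Organizr-style login entries and replays them through the jail's ignoreip, maxretry and findtime logic. Several things in it are assumptions: the simplified <HOST> expansion (Fail2Ban's real one also accepts hostnames), the "date" field and its format in the login log (only the fields named in failregex are known from the filter), and maxretry=5 / findtime=600, which are Fail2Ban's defaults since the jail above does not override them.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex values copied from the organizr-auth.conf filter above (V2, V1)
FAILREGEX = {
    "v2": r'","username":"\S+","ip":"<HOST>","auth_type":"error"}*',
    "v1": r'","username":"\S+","ip":"<HOST>","auth_type":"bad_auth"}',
}

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption: the real
# one also accepts hostnames and bracketed IPv6 literals)
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'


def compile_failregex(version="v2"):
    """Expand <HOST> into a named group, as fail2ban does before matching."""
    return re.compile(FAILREGEX[version].replace("<HOST>", HOST))


def failing_host(line, version="v2"):
    """Return the IP captured by <HOST> if the line is a failed login, else None."""
    m = compile_failregex(version).search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:  # captured text was not a usable address
        return None


def is_ignored(ip, ignoreip):
    """Apply the jail's ignoreip setting (single addresses or CIDR ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(entries, version="v2", ignoreip=("192.168.1.0/24",),
                  maxretry=5, findtime=600):
    """Replay (timestamp, line) pairs through the filter and jail logic.
    An IP is banned once it has maxretry matches inside a sliding window of
    findtime seconds; ignoreip matches are recorded but never counted.
    Returns (banned, ignored) as two sets of IP strings."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned, ignored = set(), set()
    for ts, line in entries:
        host = failing_host(line, version)
        if host is None:
            continue
        if is_ignored(host, ignoreip):
            ignored.add(host)
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned, ignored


def parse_entries(raw_lines):
    """Turn JSON-lines input into (timestamp, line) pairs. The "date" field
    and its format are assumptions about Organizr's log layout."""
    entries = []
    for line in raw_lines:
        m = re.search(r'"date":"([^"]+)"', line)
        entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), line))
    return entries


def _entry(date, user, ip, auth):
    return '{"date":"%s","username":"%s","ip":"%s","auth_type":"%s"}' % (date, user, ip, auth)


# Constructed sample login log (not a real Organizr log): five failures from
# one outside address within 30 s, one failure from the LAN, one success.
SAMPLE_V2 = [
    _entry("2017-08-08 21:51:10", "admin", "203.0.113.7", "error"),
    _entry("2017-08-08 21:51:16", "admin", "203.0.113.7", "error"),
    _entry("2017-08-08 21:51:22", "admin", "203.0.113.7", "error"),
    _entry("2017-08-08 21:51:28", "admin", "203.0.113.7", "error"),
    _entry("2017-08-08 21:51:34", "admin", "203.0.113.7", "error"),
    _entry("2017-08-08 21:51:40", "me", "192.168.1.1", "error"),
    _entry("2017-08-08 21:52:00", "me", "192.168.1.1", "success"),
]

if __name__ == "__main__":
    banned, ignored = simulate_jail(parse_entries(SAMPLE_V2))
    print("would ban:", sorted(banned), "ignored:", sorted(ignored))
```

Running it reports 203.0.113.7 as banned and 192.168.1.1 as ignored. Against the real log, the equivalent check is fail2ban-regex /var/www/html/db/organizrLoginLog.json /etc/fail2ban/filter.d/organizr-auth.conf, which prints how many lines matched. One caveat worth knowing: \S+ in the failregex stops at whitespace, so a failed login whose username contains a space is never matched and never counted.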

Path to Organizr logs

V2: /var/www/html/db/organizrLoginLog.json

V1: /var/www/html/loginLog.json

Docker: /config/db/organizrLoginLog.json

Docker

Because the Organizr container only sees the Docker network address (e.g. 172.17.0.2) instead of the client's real IP, you need to add the following to the Organizr default nginx site file. Go to \organizr\nginx\site-confs\default and add this inside the server block:

# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;

If you're using organizrtools/organizr-v2 it's already added and you only need to uncomment the set_real_ip_from line.

Then restart the container: docker restart organizr

Using the linuxserver/letsencrypt container

The Fail2ban filter folder is in /<appdatafolder>/letsencrypt/fail2ban/filter.d

For this to work you need the letsencrypt container to be able to read the organizrLoginLog.json file in the Organizr container.

Mount the Organizr log like this:

-v <path/to/organizr/config/db/>:/organizrlog:ro

And set the log path in the Fail2Ban jail.local file to /organizrlog/organizrLoginLog.json

Banned

The fail2ban.log file should output something like this:

2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131
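
As an added example (not from the page's author or the Fail2Ban project), this Python snippet parses fail2ban.log lines in the format shown above, tallies Found, Ignore and Ban events per IP for the organizr-auth jail, and checks that each Ban was preceded by enough Found events inside the findtime window. The regex is written to the sample above and also tolerates the column padding real fail2ban logs contain; findtime=600 and maxretry=5 are Fail2Ban's defaults and are assumptions here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One fail2ban.log line: timestamp, component, pid, level, jail, message.
# \s+ / \s* absorb the extra padding real logs put between the columns.
LOG_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+fail2ban\.(?P<component>\w+)\s*'
    r'\[\d+\]:\s+(?P<level>\w+)\s+\[(?P<jail>[\w-]+)\]\s+'
    r'(?P<action>Found|Ignore|Ban|Unban)\s+(?P<ip>\S+)'
)

# The sample fail2ban.log output from the page
SAMPLE_LOG = """\
2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131
""".splitlines()


def parse_events(lines):
    """Return (timestamp, jail, action, ip) tuples for the lines we understand."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["jail"], m["action"], m["ip"]))
    return events


def summarize(lines, jail="organizr-auth"):
    """Per-IP counts of Found/Ignore/Ban/Unban events for one jail."""
    summary = defaultdict(Counter)
    for _, j, action, ip in parse_events(lines):
        if j == jail:
            summary[ip][action] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def founds_before_ban(lines, jail="organizr-auth", findtime=600):
    """For each Ban, count the Found events for that IP in the findtime
    window leading up to it. Fewer Founds than the jail's maxretry would
    mean the log is incomplete or the ban was issued by hand."""
    events = [e for e in parse_events(lines) if e[1] == jail]
    window = timedelta(seconds=findtime)
    result = {}
    for ts, _, action, ip in events:
        if action == "Ban":
            result[ip] = sum(1 for t, _, a, i in events
                             if a == "Found" and i == ip and ts - window <= t <= ts)
    return result


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
    print("founds before ban:", founds_before_ban(SAMPLE_LOG))
```

On the sample above this shows 104.160.20.131 with 5 Found events and 1 Ban, with all five Founds inside the window before the Ban (consistent with maxretry=5), 5.153.234.107 with 2 Founds and no ban, and 192.168.1.1 ignored four times because of the ignoreip range.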

If you managed to ban yourself, or a friend banned themselves, run one of these to unban the address:

fail2ban-client unban <ip> or docker exec letsencrypt fail2ban-client unban <ip>

Thanks to rix1337 for the fail2ban config:

1 Comment
#1    Conrad Porter commented 1 month ago

Hi, I am running a reverse nginx proxy with letsencrypt, with an apache2 backend that Organizr and Fail2Ban run on, along with qBittorrent, Sonarr, Radarr, Nextcloud, etc. Fail2Ban logs show that it's recognising Organizr and banning the IP address after several incorrect logins, but it's still possible to log in. It seems to be the exact same issue related to this post from a year ago: https://www.reddit.com/r/organizr/comments/8r3c15/organizr_v2_and_fail2ban_protection/

I've followed the guide above but it doesn't seem to work. Is there any further guidance available? I can post logs if need be.
