# Fail2Ban Integration

## Summary

***Fail2ban*** scans log files (e.g. /var/log/nginx/error.log) and bans IPs that show malicious signs -- too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary **action** (e.g. sending an email/notification) could also be configured.

## Prerequisites

* Fail2ban installed and configured

## **Fail2Ban filter**

Go to the `filter.d` folder in your Fail2Ban install location (`/etc/fail2ban/filter.d`), create a file called `organizr-auth.conf` and add the following:

```
[Definition]
failregex = {"log_level":"WARNING","message":"Wrong Password".*,"remote_ip_address":"<HOST>"
ignoreregex =
```

## **Organizr Jail**

Edit the `jail.local` file in the Fail2Ban directory and add the following:

```
[organizr-auth]
enabled = true
port = http,https
logtimezone = UTC
filter = organizr-auth
logpath = /var/www/html/db/logs/organizr*.log
ignoreip = 192.168.1.0/24
```

The `ignoreip` entry is there so that Fail2Ban won't ban your own local network. Check out <https://www.aelius.com/njh/subnet_sheet.html> if you are wondering what your [**CIDR notation**](https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking) is. Most often it will be **/24** (netmask 255.255.255.0)\
To find your netmask run **`ipconfig /all`** on Windows or **`ifconfig | grep netmask`** on Linux.

Restart Fail2Ban with `sudo service fail2ban restart`
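To see what the filter and jail above actually do before restarting the service, the following added example (not part of this page or of the Organizr/Fail2Ban projects) replays a few constructed Organizr-style log lines through the page's `failregex` and the jail's `ignoreip` setting, then applies a sliding `findtime`/`maxretry` window the way Fail2Ban does. The `<HOST>` expansion, the `"timestamp"` key in the sample lines, and the `maxretry = 5` / `findtime = 10m` values are assumptions (Fail2Ban's defaults when `jail.local` does not override them); the sample log lines are constructed, not real Organizr output.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex copied verbatim from the organizr-auth.conf filter shown above.
FAILREGEX = r'{"log_level":"WARNING","message":"Wrong Password".*,"remote_ip_address":"<HOST>"'

# Fail2Ban substitutes its own address pattern for <HOST> when it loads the filter; this
# simplified IPv4/IPv6 capture group stands in for it here (assumption, not Fail2Ban's own).
HOST_PATTERN = r'(?P<host>[0-9A-Fa-f:.]+)'
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# The "timestamp" key is an assumption so the constructed lines carry a parsable time;
# real Fail2Ban auto-detects the date format in each line.
TS_RE = re.compile(r'"timestamp":"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"')

# ignoreip from the jail.local above, plus assumed Fail2Ban defaults for the thresholds.
IGNORE_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)


def parse_failure(line):
    """Return (timestamp, host) when the line matches failregex, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = TS_RE.search(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")  # logtimezone = UTC
    return when, m.group("host")


def is_ignored(host):
    """ignoreip check: an address inside any ignored network is never banned."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNORE_NETS)


def simulate_jail(lines):
    """Replay log lines through the filter and a sliding findtime/maxretry window.

    Returns (events, banned): events is a list of ("Found"|"Ignore"|"Ban", host)
    tuples mirroring what Fail2Ban writes to fail2ban.log; banned is the set of hosts
    that crossed the threshold.
    """
    events = []
    recent = defaultdict(list)  # host -> timestamps of failures still inside findtime
    banned = set()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # not a failed login; Fail2Ban skips lines failregex does not match
        when, host = parsed
        if is_ignored(host):
            events.append(("Ignore", host))
            continue
        events.append(("Found", host))
        if host in banned:
            continue
        window = [t for t in recent[host] if when - t <= FINDTIME]
        window.append(when)
        recent[host] = window
        if len(window) >= MAXRETRY:
            banned.add(host)
            events.append(("Ban", host))
    return events, banned


def make_line(ts, level, message, ip):
    """Build one constructed Organizr-style JSON log line (key order chosen to suit failregex)."""
    return ('{"log_level":"%s","message":"%s","timestamp":"%s",'
            '"username":"admin","remote_ip_address":"%s"}' % (level, message, ts, ip))


# Constructed sample log: two failures from one remote host, a few from the LAN (ignored),
# one successful login, and five failures from a second remote host that get it banned.
SAMPLE_LOG = [
    make_line("2017-08-08 21:51:12", "WARNING", "Wrong Password", "5.153.234.107"),
    make_line("2017-08-08 21:51:18", "WARNING", "Wrong Password", "5.153.234.107"),
    make_line("2017-08-08 21:51:43", "WARNING", "Wrong Password", "192.168.1.1"),
    make_line("2017-08-08 21:51:51", "WARNING", "Wrong Password", "192.168.1.1"),
    make_line("2017-08-08 21:52:30", "INFO", "Login Successful", "192.168.1.1"),
    make_line("2017-08-08 21:53:24", "WARNING", "Wrong Password", "104.160.20.131"),
    make_line("2017-08-08 21:53:30", "WARNING", "Wrong Password", "104.160.20.131"),
    make_line("2017-08-08 21:53:36", "WARNING", "Wrong Password", "104.160.20.131"),
    make_line("2017-08-08 21:53:41", "WARNING", "Wrong Password", "104.160.20.131"),
    make_line("2017-08-08 21:53:47", "WARNING", "Wrong Password", "104.160.20.131"),
]

if __name__ == "__main__":
    evts, banned_hosts = simulate_jail(SAMPLE_LOG)
    for action, host in evts:
        print("[organizr-auth] %s %s" % (action, host))
    print("banned:", sorted(banned_hosts))
```

On a real host the equivalent check against the genuine filter is `fail2ban-regex /var/www/html/db/logs/organizr-<date>.log /etc/fail2ban/filter.d/organizr-auth.conf`, which reports how many lines matched and which dates it detected; if it reports zero matches, the log format or the date detection is the thing to fix before touching the jail.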

## Organizr logs

Normal Install

```
/var/www/html/db/logs/organizr*.log
```

Docker Install

```
/config/db/logs/organizr*.log
```

## Docker

Because the Organizr container only logs the Docker-internal IP addresses (e.g. `172.17.0.2`) rather than the real client address, you need to add this in the Organizr default nginx site file. Go to `\organizr\nginx\site-confs\default` and add the following inside the server block:

```
# get real IP
real_ip_header X-Forwarded-For;
set_real_ip_from 172.17.0.0/16;
real_ip_recursive on;
```

If you're using `organizr/organizr` it's already added and you only need to uncomment the `set_real_ip_from` line.

Then restart the container: `docker restart organizr`

### **Using the linuxserver/swag container**

{% hint style="info" %}
The Fail2ban filter folder is in `/<appdatafolder>/swag/fail2ban/filter.d`
{% endhint %}

For this to work you need the SWAG container to be able to read the `organizr-<date>.log` file in the Organizr container.

Mount the Organizr log like this:

```
-v <path/to/organizr/config/db/logs>:/organizrlog:ro
```

And set the log path in the Fail2Ban `jail.local` file to `/organizrlog/organizr*.log`

## **Banned**

The **`fail2ban.log`** file should output something like this:

```
2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found 5.153.234.107 - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore 192.168.1.1 by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found 104.160.20.131 - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban 104.160.20.131
```

If you managed to ban yourself, or a friend banned themselves, you can run one of these commands:

```
fail2ban-client unban <ip>
#OR
docker exec letsencrypt fail2ban-client unban <ip>
```

Thanks to rix1337 for the fail2ban config:

* [organizr-auth.conf](https://github.com/rix1337/docker-organizr/blob/master/root/etc/fail2ban/filter.d/organizr-auth.conf)
* [jail.local](https://github.com/rix1337/docker-organizr/blob/master/root/defaults/jail.local)
