Fail2Ban Integration


Fail2ban scans log files (e.g. /var/log/nginx/error.log) and bans IPs that show malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email/notification) could also be configured.


  • Fail2ban installed and configured

Fail2Ban filter

Go to your filter.d folder in your Fail2Ban install location /etc/fail2ban/filter.d and create a file called organizr-auth.conf and add the following:

failregex = {"log_level":"WARNING","message":"Wrong Password".*,"remote_ip_address":"<HOST>"
ignoreregex =

Organizr Jail

Edit the jail.local file in the Fail2Ban directory and add the following:

enabled = true
port = http,https
logtimezone = UTC
filter = organizr-auth
logpath = /var/www/html/db/logs/organizr*.log
ignoreip =

The ignore IP is so that fail2ban wonโ€™t ban your local IP. Check out if you are wondering what your CIDR notation is. Most often it will be /24 (netmask To find your netmask run ipconfig /all on windows or ifconfig | grep netmask on linux.

Restart Fail2Ban with sudo service fail2ban restart

Organizr logs

Normal Install


Docker Install



Because the Organizr container only logs the docker IP addresses e.g you need to add this in the Organizr default nginx site file. Go to \organizr\nginx\site-confs\default and add the following inside the server block:

# get real IP
real_ip_header X-Forwarded-For;
real_ip_recursive on;

If you're using organizr/organizr it's already added and you only need to uncomment the set_real_ip_from line.

Then restart the container: docker restart organizr

Using the linuxserver/swag container

The Fail2ban filter folder is in /<appdatafolder>/swag/fail2ban/filter.d

For this to work you need the SWAG container to be able to read the organizr-<date>.log file in the Organizr container.

Mount the Organizr log like this:

-v <path/to/organizr/config/db/logs:/organizrlog:ro

And set the log path in the Fail2Ban jail.local file to /organizrlog/organizr*.log


The fail2ban.log file should output something like this:

2017-08-08 21:51:13,777 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:51:12
2017-08-08 21:51:18,811 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:51:18
2017-08-08 21:51:43,965 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:51:51,008 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:51:57,045 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:52:03,080 fail2ban.filter [262]: INFO [organizr-auth] Ignore by ip
2017-08-08 21:53:25,578 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:24
2017-08-08 21:53:31,617 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:30
2017-08-08 21:53:36,650 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:36
2017-08-08 21:53:42,688 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:41
2017-08-08 21:53:48,726 fail2ban.filter [262]: INFO [organizr-auth] Found - 2017-08-08 21:53:47
2017-08-08 21:53:48,733 fail2ban.actions [262]: NOTICE [organizr-auth] Ban

If you managed to ban yourself or a friend banned themself you can run one of these commands:

fail2ban-client unban <ip>
docker exec letsencrypt fail2ban-client unban <ip>

Thanks to rix1337 for the fail2ban config:

Last updated