actionunban = ipset del -exist f2b-bad-auth-bots <ip>/24
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
6. In the mailu docker-compose set the logging driver of the Admin container to journald; and set the tag to mailu-admin
..code-block:: bash
@ -594,90 +617,37 @@ The above will block flagged IPs for a week, you can of course change it to your
options:
tag: mailu-admin
5. Add the /etc/fail2ban/filter.d/bad-auth-sso.conf
7. Add the /etc/fail2ban/filter.d/bad-auth.conf
..code-block:: bash
# Fail2Ban configuration file
[Definition]
failregex = : Login failed for .*? from <HOST>\.$
failregex = : Authentication attempt from <HOST> has been rate-limited\.$
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-admin
6. Add the /etc/fail2ban/jail.d/bad-auth-sso.conf
6. Add the /etc/fail2ban/jail.d/bad-auth.conf
..code-block:: bash
[bad-auth-sso]
[bad-auth]
enabled = true
backend = systemd
filter = bad-auth-sso
filter = bad-auth
bantime = 604800
findtime = 300
maxretry = 10
findtime = 900
maxretry = 15
action = docker-action
The above will block flagged IPs for a week, you can of course change it to your needs.
7. Add the /etc/fail2ban/filter.d/bad-auth-api.conf
7. Add the following to /etc/fail2ban/action.d/docker-action.conf
..code-block:: bash
# Fail2Ban configuration file
[Definition]
failregex = Invalid API token provided by <HOST>\.$
ignoreregex =
journalmatch = CONTAINER_TAG=mailu-admin
8. Add the /etc/fail2ban/jail.d/bad-auth-api.conf
..code-block:: bash
[bad-auth-api]
enabled = true
backend = systemd
filter = bad-auth-api
bantime = 604800
findtime = 300
maxretry = 10
action = docker-action
The above will block flagged IPs for a week, you can of course change it to your needs.
9. Add the /etc/fail2ban/action.d/docker-action.conf
actionban = iptables -I f2b-bad-auth 1 -s <ip> -j DROP
actionunban = iptables -D f2b-bad-auth -s <ip> -j DROP
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
Option 2: Use ipset together with iptables
IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
See ipset homepage for details on ipset, https://ipset.netfilter.org/.
ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules.
There is just one rule for the bad authentications and the IPs are within the ipset.
Specially in larger setups with a high amount of brute force attacks this comes in handy.
Using iptables with ipset might reduce the system load in such attacks significantly.
..code-block:: bash
[Definition]
@ -695,7 +665,7 @@ Using iptables with ipset might reduce the system load in such attacks significa
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
10. Configure and restart the Fail2Ban service
8. Configure and restart the Fail2Ban service
Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.