iptables-common not working #6

Open
Aurel004 opened this issue Oct 23, 2022 · 23 comments

@Aurel004

Hi,

After hours of debugging, I finally managed to make "DROP" default.
To make it work, the file now needs to be named iptables.local, not iptables-common.local anymore.

Thank you

@LIvewire18

Thank you SOOOO much! I spent hours trying to track down why the synology wasn't banning even though the rules were all there. This needs to be updated on the main page to save people the headache.

sosandroid added a commit that referenced this issue Dec 14, 2022
@sosandroid
Owner

Added the file to make it easier

@MilesTEG1

Hello :)
Thanks for this tip!
It lets me go from this:
[screenshot]

To this (where my IP is masked):
[screenshot]

But even though the IP seems to be banned by Fail2ban and appears in iptables, I can still access my services from it, like gitea or calibre-web.

I'm pretty sure it's a DSM update that broke things... but which one?

Before, IPs were correctly banned, and from a banned IP I couldn't access any services on my NAS.

Is there a way to correct this behavior?

@Hacker1245

Same issue as the above poster on DSM 7.2-64570 Update 3. The IPs get set to drop in iptables, but I can still access stuff.

@SergeySergeevitch

2023/11/21 22:03:09 stdout Server ready
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,486 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf', '/etc/fail2ban/action.d/iptables.local', '/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,485 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,484 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,483 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,481 fail2ban.configreader [1]: INFO Loading configs for filter.d/vaultwarden-admin under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/vaultwarden-admin.conf', '/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.d/vaultwarden-admin.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,478 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,477 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,474 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,473 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /data/fail2ban.log
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,470 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2023/11/21 22:03:09 stderr 2023-11-21 22:03:09,469 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2023/11/21 22:03:09 stdout Add custom filter vaultwarden.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom filter vaultwarden-admin.conf...
2023/11/21 22:03:09 stdout WARNING: vaultwarden-admin.conf already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom filters in /data/filter.d...
2023/11/21 22:03:09 stdout Add custom action iptables.local...
2023/11/21 22:03:09 stdout WARNING: iptables.local already exists and will be overriden
2023/11/21 22:03:09 stdout Add custom action iptables-common.local...
2023/11/21 22:03:09 stdout WARNING: iptables-common.local already exists and will be overriden
2023/11/21 22:03:09 stdout Checking for custom actions in /data/action.d...
2023/11/21 22:03:09 stdout Setting Fail2ban configuration...
2023/11/21 22:03:09 stdout Initializing files and folders...
2023/11/21 22:03:09 stdout WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
2023/11/21 22:03:09 stdout Setting SSMTP configuration...

@ngthwi

ngthwi commented Apr 24, 2024

Hello,

Thanks for your time and work.
Can anyone confirm it still works with DSM 7.2?

I have copied iptables.local.
The IP is banned but I can still access the server...

Here's fail2ban.log:

2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- exec: { iptables -w -C f2b-bitwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-bitwarden || true; iptables -w -A f2b-bitwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-bitwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-bitwarden; }
done
2024-04-24 07:40:57,607 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-04-24 07:40:57,608 fail2ban.utils          [756]: ERROR   7fe721dda3a0 -- returned 4
2024-04-24 07:40:57,608 fail2ban.actions        [756]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'xxx.xxx.xxx.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fe721dce480>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fe721dcec00>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Thanks for your help.

@Marsupoil76

Marsupoil76 commented May 4, 2024

Hi all, same story on Version 7.2.1-69057 Update 5 on my Syno:

2024/05/05 00:06:25 stdout 2024-05-05 00:06:25,320 fail2ban.filter [1]: INFO [vaultwarden-admin] Found 37.170.151.69 - 2024-05-05 00:06:25
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.actions [1]: ERROR Failed to execute ban jail 'vaultwarden-admin' action 'iptables-allports' info 'ActionInfo({'ip': '37.170.151.69', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f130e351d00>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f130e352480>})': Error starting action Jail('vaultwarden-admin')/iptables-allports: 'Script error'
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- returned 4
2024/05/05 00:06:23 stdout 2024-05-05 00:06:23,678 fail2ban.utils [1]: ERROR 7f130e973770 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'

@vivoras

vivoras commented May 8, 2024

I have the same problem on DSM 7.2.1-69057 Update 5.

2024-05-07 18:09:20,883 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-07 18:09:20,884 fail2ban.utils          [1]: ERROR   7f0a12df16b0 -- returned 4
2024-05-07 18:09:20,884 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f0a12d85e40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f0a12d865c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'

@ngthwi

ngthwi commented May 8, 2024

I finally got it to work.
My mistake... I attempted to use the conf files on a swag fail2ban instance...
I tried a dedicated container as described here and it works straight out of the box.

@Marsupoil76

Marsupoil76 commented May 8, 2024

Sorry for my English.
Can you tell me more about your solution?
Mine is hosted in a separate container (with NET-ADMIN and SYS-ADMIN) alongside Vaultwarden. F2B sees the Vaultwarden logs, and when it sees an IP it tries to ban it, but it cannot.

@ngthwi

ngthwi commented May 8, 2024

Did you create a fail2ban container as described here? https://github.com/sosandroid/docker-fail2ban-synology#installation

@vivoras

vivoras commented May 8, 2024

I have a separate container following the instructions at https://github.com/sosandroid/docker-fail2ban-synology#installation

The error is still the same...

2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
done
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,792 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024-05-08 17:22:00,793 fail2ban.utils          [1]: ERROR   7f52298856b0 -- returned 4
2024-05-08 17:22:00,793 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'XX.XX.XX.XX', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f522981de40>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f522981e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'

Just in case, I have deleted the container completely and recreated it. The only thing I did afterwards was delete the bitwarden.conf and bitwarden-admin.conf files from the jail.d and filter.d folders, because I use vaultwarden.

@ngthwi

ngthwi commented May 8, 2024

Have you put the file iptables.local in action.d?

@vivoras

vivoras commented May 8, 2024

Yes, of course; I have not modified the action.d folder.

This is the iptables.local file:

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP

@Marsupoil76

Marsupoil76 commented May 8, 2024

Same problem for me.
Docker in privileged mode and host network.
F2B logs:

2024/05/08 20:03:55 stdout 2024-05-08 18:03:55,813 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:55
2024/05/08 20:03:54 stdout 2024-05-08 18:03:54,586 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:54
2024/05/08 20:03:54 stdout 2024-05-08 18:03:53,672 fail2ban.actions        [1]: WARNING [vaultwarden] 78.243.145.140 already banned
2024/05/08 20:03:53 stdout 2024-05-08 18:03:53,314 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:53
2024/05/08 20:03:51 stdout 2024-05-08 18:03:51,953 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 18:03:51
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid': <function Actions.ActionInfo. at 0x7f868deade40>, 'raw-ticket': <function Actions.ActionInfo. at 0x7f868deae5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- returned 4
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout done
2024/05/08 20:00:46 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:00:46 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,353 fail2ban.utils          [1]: ERROR   7f868df156b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 78.243.145.140
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,881 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:47
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:46
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:45
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,880 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:43
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,879 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:41
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.filter         [1]: INFO    [vaultwarden] Found 78.243.145.140 - 2024-05-08 16:00:39
2024/05/08 20:00:45 stdout 2024-05-08 18:00:45,878 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout 2024-05-08 18:00:43,264 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:00:43 stdout Server ready

-----My action.d-----

[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP
-----My filter.d----
vaultwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.Username or password is incorrect. Try again. IP: . Username:.$
ignoreregex =
-----My jail.d-----
vaultwarden.conf

[DEFAULT]

ignoreip = 172.16.0.0/12 192.168.10.0/16 10.6.0.0/8 # optional
#Ban for 30 days
bantime = 2592000
findtime = 86400
maxretry = 4
banaction = iptables-allports
ignoreself = false

[vaultwarden]

enabled = true
port = 80,443,3012 # alternative: anyport
filter = vaultwarden
logpath = /logs/vaultwarden.log
-------- My iptables.local ---------
[Init]
blocktype = DROP
[Init?family=inet6]
blocktype = DROP


Docker with env: NET-ADMIN and NET-RAW
F2B log:

2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '78.243.145.140', 'family': 'inet4', 'fid':  at 0x7ff9b648de40>, 'raw-ticket':  at 0x7ff9b648e5c0>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- returned 4
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,962 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:27:28 stdout done
2024/05/08 20:27:28 stdout { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
2024/05/08 20:27:28 stdout for proto in $(echo 'tcp' | sed 's/,/ /g'); do
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,961 fail2ban.utils          [1]: ERROR   7ff9b64f56b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,945 fail2ban.actions        [1]: NOTICE  [vaultwarden] Restore Ban 78.243.145.140
2024/05/08 20:27:28 stdout Server ready
2024/05/08 20:27:28 stdout 2024-05-08 18:27:27,858 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' started
2024/05/08 20:27:27 stdout 2024-05-08 18:27:27,857 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for optional: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,349 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for #: [Errno -2] Name does not resolve
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,342 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' started
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,339 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,338 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,337 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,336 fail2ban.filter         [1]: INFO    Added logfile: '/logs/vaultwarden.log' (pos = 36395, hash = 3b7aacdf09134cd8aa20a589568f117a3bb79908)
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      encoding: UTF-8
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.actions        [1]: INFO      banTime: 2592000
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      findtime: 86400
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,335 fail2ban.filter         [1]: INFO      maxRetry: 4
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,330 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,329 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' uses pyinotify {}
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,322 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden-admin'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,321 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,313 fail2ban.observer       [1]: INFO    Observer start...
2024/05/08 20:27:25 stdout 2024-05-08 18:27:25,312 fail2ban.server         [1]: INFO    Starting Fail2ban v1.1.0
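Added example, not code from this repository or from any commenter: a small Python audit that correlates fail2ban's "Ban" notices with the "Failed to execute ban ... 'Script error'" lines seen in the logs above, so an IP that fail2ban reports as banned (and later as "already banned") while the iptables action actually failed is flagged instead of passing for a working ban. The sample log is constructed in the style of the posts in this thread with documentation-range IPs, and the parser sorts by fail2ban's own timestamp so the newest-first order of the Synology log viewer does not matter.

```python
import re
from collections import defaultdict

# fail2ban lines as they appear in this thread. They may carry a Docker/Synology prefix
# ("2024/05/08 20:00:46 stdout " or "... | stdout | "), so we anchor on fail2ban's own timestamp.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
PATTERNS = (
    ("ban", re.compile(TS + r" fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] (?:Restore )?Ban (?P<ip>\S+)")),
    ("fail", re.compile(TS + r" fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)'.*?'ip': '(?P<ip>[^']+)'")),
    ("already", re.compile(TS + r" fail2ban\.actions\s+\[\d+\]: WARNING \[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned")),
    ("nft", re.compile(TS + r" fail2ban\.utils\s+\[\d+\]: ERROR\s+\w+ -- stderr: '(?P<msg>iptables v[^']*\(nf_tables\)[^']*)'")),
)


def parse_events(log_text):
    """Extract the relevant events and sort them by fail2ban timestamp.

    Sorting matters: the Synology log viewer shows newest entries first, so
    file order cannot be used to decide whether an error followed a ban.
    """
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                d = m.groupdict()
                events.append((d["ts"], kind, d.get("jail"), d.get("ip"), d.get("msg")))
                break
    events.sort(key=lambda e: e[0])  # stable sort: same-timestamp lines keep file order
    return events


def audit(log_text):
    """Correlate 'Ban' notices with 'Failed to execute ban' errors for the same jail and IP."""
    pending = {}                    # (jail, ip) -> ts of a Ban notice with no failure seen yet
    unenforced = defaultdict(set)   # jail -> IPs whose ban action returned an error
    phantom = set()                 # fail2ban says "already banned" although the rule never landed
    nft_errors = []                 # iptables (nf_tables) stderr lines, the root-cause hint in this thread
    for ts, kind, jail, ip, msg in parse_events(log_text):
        key = (jail, ip)
        if kind == "ban":
            pending[key] = ts
        elif kind == "fail":
            pending.pop(key, None)
            unenforced[jail].add(ip)
        elif kind == "already" and ip in unenforced.get(jail, ()):
            phantom.add(key)
        elif kind == "nft":
            nft_errors.append(msg)
    enforced = defaultdict(set)
    for jail, ip in pending:
        enforced[jail].add(ip)
    return {
        # "enforced" only means no error was logged; it is not proof that the rule works.
        "enforced": {j: sorted(v) for j, v in enforced.items()},
        "unenforced": {j: sorted(v) for j, v in unenforced.items()},
        "phantom": sorted(phantom),
        "nftables_errors": len(nft_errors),
    }


# Constructed sample, newest first as the Synology log viewer prints it; IPs are documentation ranges.
SAMPLE_LOG = """\
2024/05/08 20:03:54 stdout 2024-05-08 18:03:53,672 fail2ban.actions        [1]: WARNING [vaultwarden] 203.0.113.7 already banned
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '203.0.113.7', 'family': 'inet4'})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- returned 4
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,354 fail2ban.utils          [1]: ERROR   7f868df156b0 -- stderr: 'iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument'
2024/05/08 20:00:46 stdout 2024-05-08 18:00:46,332 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 203.0.113.7
2024/05/08 19:50:00 | stdout | 2024-05-08 17:50:00,100 fail2ban.actions        [1]: NOTICE  [vaultwarden-admin] Ban 198.51.100.9
"""

if __name__ == "__main__":
    for k, v in audit(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

A ban that logs no error is still not proof of a block, as later posts in this thread show; confirm on the host with `iptables -S INPUT` that the f2b-<jail> chain is referenced and contains the DROP entry.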

@ngthwi

ngthwi commented May 8, 2024

I have the issue now as well.
I updated the container, and image: crazymax/fail2ban:latest is currently 1.1.0.
If I revert my docker compose to image: crazymax/fail2ban:1.0.2, it works again.

@Marsupoil76

Marsupoil76 commented May 8, 2024

Dude!!!! You're so right... Works!!!

@ngthwi

ngthwi commented May 8, 2024

I've opened an issue in crazy-max/docker-fail2ban.

@vivoras

vivoras commented May 8, 2024

@ngthwi You're the best! Thank you so much!!!

@ngthwi

ngthwi commented May 20, 2024

It's fixed; you can therefore pull image: crazymax/fail2ban:latest again.

@sosandroid
Owner

Thank you for this follow-up.

@fbdb
Contributor

fbdb commented May 23, 2024

Hello,

For a long time, I was not using the crazy-max/docker-fail2ban image as instructed by this repo, but instead I was using swag. But this repository and its hacks helped me to configure swag's fail2ban to make it work with my synology, so thank you for that.

Unfortunately, recently I upgraded my swag container to the latest image (which hadn't been upgraded for a while), and since then, I get the same error.

Can anyone confirm it still works with DSM 7.2?

I'm still on DSM 7.1 (I know, shame on me, I should upgrade), so I don't think it's related to a new DSM upgrade.

I tried, however, to recreate my swag container with an older image (2.8.0, which is 4 months old), but strangely the error is still there.

Furthermore, I also tried to create a whole new separate fail2ban container, as advised by this repo and in this issue's comments: f2b successfully detects the login attempts and "bans", but I'm not really banned; as shown in these logs, I can still connect:

2024-05-22 22:34:05,294 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:05
2024-05-22 22:34:08,659 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:08
2024-05-22 22:34:09,530 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:09
2024-05-22 22:34:10,233 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:10
2024-05-22 22:34:10,642 fail2ban.actions        [1]: NOTICE  [vaultwarden] Ban 149.102.245.141
2024-05-22 22:34:10,939 fail2ban.filter         [1]: INFO    [vaultwarden] Found 149.102.245.141 - 2024-05-22 22:34:17

I tried with the crazy-max/docker-fail2ban:latest image and with the crazy-max/docker-fail2ban:1.0.2 image as well, but both don't "really ban" the IPs.

I'm not sure what I did wrong. The only thing that I changed is to only keep the vaultwarden.conf file in the filter.d/ folder, and same for the folder jail.d/ (only vaultwarden.conf was kept).

Any ideas?

@Techal62

Hello, I have the same problem, have you finally found a solution?
