Fail2ban jail for vaultwarden without iptables

Hi! :slight_smile:

I’ve just installed Fail2Ban and configured a jail for vaultwarden. But when testing it, it turned out that Fail2Ban is missing the iptables command:

Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.filter         [3803]: INFO    [vaultwarden] Found 192.168.66.13 - 2023-08-13 16:55:19
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.filter         [3803]: INFO    [vaultwarden] Found 192.168.66.13 - 2023-08-13 16:55:19
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.actions        [3803]: NOTICE  [vaultwarden] Ban 192.168.66.13
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- exec: { iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }
Aug 13 16:55:19 DietPi fail2ban-server[3803]: for proto in $(echo 'tcp' | sed 's/,/ /g'); do
Aug 13 16:55:19 DietPi fail2ban-server[3803]: { iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }
Aug 13 16:55:19 DietPi fail2ban-server[3803]: done
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- stderr: '/bin/sh: 1: iptables: not found'
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- stderr: '/bin/sh: 1: iptables: not found'
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- stderr: '/bin/sh: 3: iptables: not found'
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- returned 127
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: INFO    HINT on 127: "Command not found".  Make sure that all commands in "{ iptables -w -C f2b-vaultwarden -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-vaultwarden || true; iptables -w -A f2b-vaultwarden -j RETURN; }\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\n{ iptables -w -C INPUT -p $proto -j f2b-vaultwarden >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -j f2b-vaultwarden; }\ndone" are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.actions        [3803]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '192.168.66.13', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f8d520e00>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f8d521580>})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'

Further above you mention you’d be using something called Blackhole routing for blocking. No clue what that is. How can I make that work for my Fail2Ban (installed by dietpi-software) or should I install iptables instead?
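A ban that fails like the one in the log above still shows up as a NOTICE "Ban" line, so the jail looks healthy unless you correlate it with the "Failed to execute ban" error that follows. The script below is an added example, not code from this thread or from the Fail2Ban project: it scans fail2ban-server journal lines, pairs each Ban with a matching action failure for the same jail and IP, and reports which bans actually took effect. The sample log is constructed from the lines posted above (plus one made-up sshd ban).

```python
import re
from collections import defaultdict

# Constructed sample in fail2ban's journald format; mirrors the thread's log, trimmed.
SAMPLE_LOG = """\
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.actions        [3803]: NOTICE  [vaultwarden] Ban 192.168.66.13
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- stderr: '/bin/sh: 1: iptables: not found'
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.utils          [3803]: ERROR   7f8d5759b0 -- returned 127
Aug 13 16:55:19 DietPi fail2ban-server[3803]: fail2ban.actions        [3803]: ERROR   Failed to execute ban jail 'vaultwarden' action 'iptables-allports' info 'ActionInfo({'ip': '192.168.66.13', 'family': 'inet4'})': Error starting action Jail('vaultwarden')/iptables-allports: 'Script error'
Aug 13 17:02:41 DietPi fail2ban-server[3803]: fail2ban.actions        [3803]: NOTICE  [sshd] Ban 203.0.113.7
"""

# "Ban" notice: jail name in brackets, then the banned IP.
BAN_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
# Action failure: jail and action name are quoted; the IP sits inside the ActionInfo dump.
FAIL_RE = re.compile(
    r"Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
    r".*?'ip': '(?P<ip>[^']+)'")
# Exit status 127 from the action script means the ban command itself was not found.
NOTFOUND_RE = re.compile(r"fail2ban\.utils\s+\[\d+\]: ERROR\s+\S+ -- returned 127")


def audit_bans(log_text):
    """Return {jail: {"banned": [...], "failed": [(ip, action)], "effective": [...],
    "command_not_found": bool}} built from fail2ban-server log lines."""
    report = defaultdict(lambda: {"banned": [], "failed": [], "effective": [],
                                  "command_not_found": False})
    last_jail = None
    for line in log_text.splitlines():
        if m := BAN_RE.search(line):
            report[m["jail"]]["banned"].append(m["ip"])
            last_jail = m["jail"]
        elif m := FAIL_RE.search(line):
            report[m["jail"]]["failed"].append((m["ip"], m["action"]))
        elif NOTFOUND_RE.search(line) and last_jail:
            # utils lines carry no jail name; attribute to the jail whose ban is in progress.
            report[last_jail]["command_not_found"] = True
    for jail, info in report.items():
        failed_ips = {ip for ip, _ in info["failed"]}
        info["effective"] = [ip for ip in info["banned"] if ip not in failed_ips]
    return dict(report)


if __name__ == "__main__":
    for jail, info in audit_bans(SAMPLE_LOG).items():
        print(jail, info)
```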

Simply install iptables

BTW: the topic is more than 4 years old. Better to start a new one :wink:

This is my working /etc/fail2ban/jail.d/vaultwarden.conf for vaultwarden:

[vaultwarden]
# the option is "enabled", not "enable"; with a typo the jail stays off
enabled = true
daemon = _vault
port = 80,443,8001
filter = vaultwarden
# "route" bans via the kernel routing table, so no iptables binary is needed
banaction = route
action = %(banaction)s[blocktype=blackhole]
maxretry = 3
bantime = 14400
findtime = 14400
mode = normal
backend = systemd