Hello,
I’m trying to enable fail2ban for my nginx basic auth.
Following the docs (System Security Software Options - DietPi.com Docs), it should be as simple as:
modifying the /etc/fail2ban/jail.conf file, and setting enable = true under the [software] name.
The jail.conf file does however only contain the following lines: https://github.com/MichaIng/DietPi/blob/dc487cab3aa46fdeda81277edf7afc9c6845f44e/dietpi/dietpi-software#L7925-L7943
```
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]

[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal
```
As you can see, there is no [nginx-http-auth] header. I’ve tried adding it to the file myself as:
```
[nginx-http-auth]
# mode = normal
port = http,https
logpath = /var/log/nginx/error.log
enabled = true
```
However, when I fail the http auth through the nginx webserver, entries are added to the /var/log/nginx/error.log, but no ban is triggered and the fail2ban log file /var/log/fail2ban.log remains empty.
When I fail ssh logins, bans are triggered - so the fail2ban sshd service is working as intended.
This is the output of fail2ban status:
```
dietpi@DietPi:~$ sudo service fail2ban status
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-01-02 18:12:51 GMT; 1h 40min ago
Docs: man:fail2ban(1)
Main PID: 14563 (fail2ban-server)
Tasks: 9 (limit: 4532)
CPU: 17.638s
CGroup: /system.slice/fail2ban.service
└─14563 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.filter [14563]: INFO maxRetry: 3
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.filter [14563]: INFO findtime: 600
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.actions [14563]: INFO banTime: 60
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.filtersystemd [14563]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.jail [14563]: INFO Jail 'dropbear' started
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.jail [14563]: INFO Jail 'sshd' started
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.filtersystemd [14563]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
Jan 02 18:12:51 DietPi fail2ban-server[14563]: fail2ban.jail [14563]: INFO Jail 'nginx-http-auth' started
Jan 02 18:12:51 DietPi fail2ban-server[14563]: Server ready
```
This is the status of the fail2ban-client:
```
dietpi@DietPi:~$ sudo fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: dropbear, nginx-http-auth, sshd
```
And the status of the fail2ban-client nginx-http-auth jail:
```
dietpi@DietPi:~$ sudo fail2ban-client status nginx-http-auth
Status for the jail: nginx-http-auth
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
```
I hope you’re able to help.
Best regards, pepsi.
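
Added example, not part of the original post and not DietPi or fail2ban code: a small check over the jail file quoted above. fail2ban's systemd backend reads the journal and does not use `logpath`, so a jail that inherits `backend = systemd` from `[DEFAULT]` never opens the file it names (the status output shows `filtersystemd` and an empty "Journal matches" for this jail). The function name and the `auto` fallback are assumptions of this example.

```python
import configparser

# Constructed sample: the jail.conf from the post, trimmed to the relevant keys,
# plus the [nginx-http-auth] section the poster added.
JAIL_CONF = """\
[DEFAULT]
enabled = true
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]

[dropbear]

[sshd]

[nginx-http-auth]
port = http,https
logpath = /var/log/nginx/error.log
enabled = true
"""


def jails_with_ignored_logpath(conf_text):
    """Return enabled jails that set logpath while their effective backend is
    systemd, i.e. jails that watch the journal instead of the named file."""
    # interpolation=None keeps fail2ban's %(__name__)s syntax literal.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    flagged = []
    for name in parser.sections():      # [DEFAULT] is not returned as a section
        jail = parser[name]             # lookups fall back to [DEFAULT]
        if not jail.getboolean("enabled", fallback=False):
            continue
        # Assumption: "auto" stands in for the backend when none is set anywhere.
        backend = jail.get("backend", fallback="auto").strip().lower()
        if backend == "systemd" and jail.get("logpath", fallback="").strip():
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for jail in jails_with_ignored_logpath(JAIL_CONF):
        print(f"[{jail}] sets logpath but inherits backend = systemd; "
              "set a file backend in that jail, for example 'backend = auto'")
```

After changing the jail, `sudo fail2ban-client status nginx-http-auth` should list a file under the filter instead of "Journal matches".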