I think you are not aware what 192.168.10.y means.
This is the IP address seen inside the docker container. This IP is
created by NAT on your host.
If you block them, you are not blocking access from outside to your
host, but blocking the way back from the docker container to your host
internally. This is output from nginx inside docker, not input.
Of course, you can manually set up a more sophisticated version, but
consider this:
The docker daemon is changing the iptables. If you start running a docker
container, usually iptables is used to add rules to set up NAT.
There is a --ip-tables option to dockerd, which prevents the iptables
rules from being changed by dockerd, but in most cases I tried, that causes
malfunction.
If you are running firewalld, there is a zone docker added IIRC, but I don't
really know about it.
My advice would be not to verify the log of nginx inside the docker.
nginx is able to run as a reverse proxy. You probably should choose a setup
outside --> nginx (reverse proxy) --> NAT --> docker --> nginx (webserver)
Such a setup is often used for large sites. On them not only 1
nginx (webserver) instance is running, but a lot of them on different hosts.
In most cases, creating a website by php, perl or another script language
needs a lot of time. Only getting the answer from a webserver and delivering
it to the outside is just some kind of copy. However, because of caching
within the reverse proxy, static objects like .jpg are cached there. So the
real webserver does not have to serve them (depends on cache-header config), but
only once a day or week.
However, the logs of the reverse proxy contain the real outside
addresses and of course the 404 answer generated by the real webserver.
From this point of view it is just a normal setup running nginx as
webserver, but using "proxy-pass" instead of "try-files" within the
location rule.
Peter
On 19.10.2023 at 13:49, Marcel Blenkers wrote:
Hello everyone,
I am in need of some help, as I want to create a new filter.
Setup:
We are running an nginx server in a docker container and on the system
itself a fail2ban installation.
The docker container writes the content of the nginx logs via the syslog
module into a file, and we want to check those logs for repeating
404 errors and block those IPs which are creating those entries.
The Logfile looks like this:
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"
As you can see, we need to block the IP 192.168.10.10 or any other IP
which is found at that position.
I tried:
failregex = ^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$
or
failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
complete file:
# Fail2Ban filter to match web requests for selected URLs that don't exist
#
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
ignoreregex =
# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal
fail2ban-regex:
Running tests
=============
Use failregex filter file : nginx-docker, basedir: /etc/fail2ban
Use log file : /root/nginx.log.2
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 994 lines, 0 ignored, 0 matched, 994 missed
[processed in 0.06 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 994 lines
Could someone please point me in the right direction for the failregex?
Thanks in advance!
Greetings
Marcel
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
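To make the matching problem in Marcel's question concrete, here is an added example (written for this page, not code from either poster or from fail2ban) that applies a failregex-style pattern to log lines in the syslog-wrapped nginx format quoted above and then emulates fail2ban's maxretry/findtime counting per host. It assumes a simplified stand-in for fail2ban's `<HOST>` expansion and sample lines modelled on the excerpt; the pattern anchors on the `]: ` that closes the syslog prefix rather than on the start of the line, so it does not depend on what precedes that prefix when the regex runs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the thread's log excerpt; the fourth
# line is a 200 response that must not count as a failure.
SAMPLE_LOG = """\
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0" "-"
Oct 16 15:49:05 localhost cabc0b82e7f9[424]: 192.168.10.11 - - [16/Oct/2023:13:49:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "-"
"""

# Failure pattern in fail2ban's failregex style. It anchors on the "]: " that
# ends the syslog prefix (host, container id, pid) instead of on the line
# start, so whatever precedes that prefix when the regex runs does not matter.
FAILREGEX = (r'\]: <HOST> - \S+ \[(?P<ts>[^\]]+)\] '
             r'"(?:GET|POST|HEAD) \S+ \S+" (?P<status>403|404) ')

# Simplified stand-in for fail2ban's own <HOST> expansion (assumption: the
# real substitution is a stricter IPv4/IPv6/hostname pattern).
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>\S+)'))


def match_line(line):
    """Return host/timestamp/status of a failing request line, else None."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


def find_offenders(log_text, maxretry=3, findtime_s=600):
    """Emulate fail2ban's maxretry/findtime rule: report a host once at least
    `maxretry` of its matching lines fall inside one findtime window.
    Returns {host: total number of matching lines}."""
    findtime = timedelta(seconds=findtime_s)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = match_line(line)
        if m is not None:
            # The bracketed nginx timestamp carries year and zone; syslog's does not.
            hits[m["host"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    offenders = {}
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                offenders[host] = len(times)
                break
    return offenders
```

With the defaults, `find_offenders(SAMPLE_LOG)` reports only 192.168.10.10, which is the NAT address Peter's reply warns about: the pattern works, but the address it extracts is still the one behind the docker NAT.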