Hi Peter,

thanks for the reply.

Unfortunately I forgot something:

I changed the IP for data protection.

The IP 192.168.10.10 is actually the IP which is accessing the webserver.

So it shows the correct IP, just not in my posting, as I changed the IP.

It is really the IP I need to block.

Greetings

Marcel

--
This message was sent from my Android mobile phone with WEB.DE Mail.
On 19.10.23, 18:35, Peter Heirich <maillist.fail2...@mail.heirich.name> wrote:
I think you are not aware what 192.168.10.y means.

This is the IP address seen inside the docker container. This IP is created by NAT on your host.

If you block them, you are not blocking access from outside to your host, but blocking the way back from the docker container to your host internally. This is output from nginx inside docker, not input.

Of course, you can manually set up a more sophisticated version, but consider this:
docker-daemon is changing the iptables. If you start running a docker container, usually iptables is used to add rules to set up NAT.

There is a --ip-tables option to dockerd, which prevents the iptables rules from being changed by dockerd, but in most cases I tried, that causes malfunction.

If you are running firewalld there is a zone docker added IIRC, but I do not really know about it.

My advice would be not to verify the log of nginx inside the docker.

nginx is able to run as a reverse proxy. You probably should choose a setup

outside  --> nginx (reverse proxy) --> NAT -->  docker --> nginx (webserver)

Such a setup is often used for large sites. On them not only 1 nginx (webserver) instance is running, but a lot of them on different hosts.

In most cases, creating a website by php, perl or another script language needs a lot of time. Only to get the answer from a webserver and deliver this to outside is just some kind of copy. However, because of caching within the reverse proxy, static objects like .jpg are cached there. So the real webserver does not have to serve them (depends on cache-header config), but only once a day or week.

However, the logs of the reverse proxy contain the real outside addresses in the log and of course the 404 answer generated by the real webserver.

From this point of view it is just a normal setup running nginx as webserver, but using "proxy-pass" instead of "try-files" within the location rule.

Peter

On 19.10.2023 at 13:49, Marcel Blenkers wrote:
Hello everyone,

I am in need of some help, as I want to create a new filter.

Setup:

We are running an nginx server in a docker container and on the system itself a fail2ban installation.

The docker container writes the content of the nginx logs via the syslog module into a file, and we want to check those logs for repeating 404 errors and block those IPs which are creating those entries.

The logfile looks like this:

Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"

As you can see, we need to block the IP 192.168.10.10 or any other IP which is found at that position.

I tried:

failregex = ^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$

or

failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$

complete file:

# Fail2Ban filter to match web requests for selected URLs that don't exist
#
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
ignoreregex =

# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal

fail2ban-regex:

Running tests
=============
Use   failregex filter file : nginx-docker, basedir: /etc/fail2ban
Use         log file : /root/nginx.log.2
Use         encoding : UTF-8

Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 994 lines, 0 ignored, 0 matched, 994 missed
[processed in 0.06 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 994 lines

Could someone please point me in the right direction for the failregex?

Thanks in advance!

Greetings

Marcel



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

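As an added example (this is not code from the thread, from fail2ban or from either poster), the following Python script replays the matching step the original post is struggling with: it applies a failregex to syslog-prefixed nginx lines the way fail2ban does and counts 404 hits per source address against maxretry/findtime. It models two fail2ban behaviours as simplifications: the `<HOST>` token is expanded to a named group with a simplified character class (`HOST_GROUP`), and the timestamp that the date detector matched (here the syslog prefix, which is the template `fail2ban-regex` reported hitting 994 times) is cut out of the line before the failregex runs. The sample log is constructed from the posted lines with shortened user agents, `ASSUMED_YEAR` is an assumption because syslog timestamps carry no year, and `FIXED_FAILREGEX` is a hypothetical pattern written for this format, not one from any fail2ban filter file. Both posted failregex lines are included verbatim so the replay shows them matching nothing, as `fail2ban-regex` did.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape quoted in the thread: a syslog prefix written by
# the docker syslog log driver, then the nginx access-log line. User agents shortened.
SAMPLE_LOG = """\
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0" "-"
Oct 16 15:49:05 localhost cabc0b82e7f9[424]: 192.168.10.11 - - [16/Oct/2023:13:49:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""

# The two failregex lines from the original post, verbatim. <block> is left as a literal
# token here; in fail2ban it would be expanded from botsearch-common.conf.
POSTED_FAILREGEX_1 = r'^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$'
POSTED_FAILREGEX_2 = r'^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$'

# Hypothetical corrected failregex for this syslog-prefixed format: it skips the
# "host container[pid]:" prefix and keeps the bracketed nginx timestamp, because the
# timestamp fail2ban removes from this log is the syslog one at the start of the line.
FIXED_FAILREGEX = (r'^\s*\S+ \S+\[\d+\]: <HOST> - \S+ \[[^\]]*\] '
                   r'"(?:GET|POST|HEAD) \S+ \S+" 404 .+$')

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not fail2ban's exact pattern).
HOST_GROUP = r'(?P<host>[\w\-.^_]*\w)'
# Approximation of the date template fail2ban-regex reported as matching in the thread
# ("MON Day 24hour:Minute:Second"): only the syslog prefix, which carries no year.
SYSLOG_DATE = re.compile(r'^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}')
ASSUMED_YEAR = 2023  # assumption needed only for the findtime window arithmetic


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> into a named group and compile the pattern as fail2ban does for filters."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP), re.MULTILINE)


def split_detected_date(line: str):
    """Return (timestamp, remainder). fail2ban cuts the timestamp its date detector matched
    out of the line before failregex runs; with this log that is the syslog prefix, so the
    nginx timestamp in [...] survives and a pattern expecting a bare "[]" cannot match."""
    m = SYSLOG_DATE.match(line)
    if m is None:
        return None, line
    ts = datetime.strptime(m.group(0), '%b %d %H:%M:%S').replace(year=ASSUMED_YEAR)
    return ts, line[m.end():]


def match_host(failregex: str, line: str):
    """Apply one failregex to one raw log line the way fail2ban would; return the host or None."""
    _, rest = split_detected_date(line)
    m = compile_failregex(failregex).search(rest)
    return m.group('host') if m else None


def offenders(log_text: str, failregex: str, maxretry: int = 3,
              findtime: timedelta = timedelta(minutes=10)) -> set:
    """Replay the log and return the hosts that hit failregex at least maxretry times
    within findtime, i.e. the hosts a jail with these settings would ban."""
    pattern = compile_failregex(failregex)
    banned, hits = set(), defaultdict(list)
    for line in log_text.splitlines():
        ts, rest = split_detected_date(line)
        m = pattern.search(rest)
        if m is None or ts is None:
            continue
        host = m.group('host')
        # keep only hits still inside the sliding findtime window, then add this one
        hits[host] = [t for t in hits[host] if ts - t <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == '__main__':
    for name, rx in [('posted #1', POSTED_FAILREGEX_1),
                     ('posted #2', POSTED_FAILREGEX_2),
                     ('fixed', FIXED_FAILREGEX)]:
        print(f'{name:10s} -> would ban {sorted(offenders(SAMPLE_LOG, rx)) or "nobody"}')
```

Running it shows why the posted patterns score zero: the first one demands `: ` and a space at the same position (the lookahead `(?=: )` followed by a literal space), which no line can satisfy, and the second expects empty brackets `[]` while the bracketed nginx timestamp is still in the line after the syslog timestamp has been removed. The corrected pattern bans 192.168.10.10 after its third 404 and ignores the 200 from 192.168.10.11. As Peter notes in the thread, a regex that works is only half the story: the address in this log is the NAT address seen inside the container, so the same filter should be pointed at a log that records the real client address (for instance the reverse proxy's) before a jail acts on it.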