Fail2Ban not working? Creates a ban, but I can still log in / make failed attempts

Nextcloud version (eg, 20.0.5): 22.2.3
Operating system and version (eg, Ubuntu 20.04): CentOS 7
Apache or nginx version (eg, Apache 2.4.25): 2.4.6
PHP version (eg, 7.4): 7.4

The issue you are facing:

I installed and configured Fail2ban with this article https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html#setup-fail2ban

The service is running and reads from the logs; when I try multiple failed logins, it correctly adds the IP to the blacklist and later unbans it. But even while the IP address is banned, I can log in or make further attempts.

Any suggestions?

Is this the first time you’ve seen this error? (Y/N): y

The output of your fail2ban:

2022-01-19 14:10:33,120 fail2ban.actions        [22945]: NOTICE  [nextcloud] Unban 10.2.90.20
2022-01-19 14:11:41,377 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:11:41
2022-01-19 14:11:41,390 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:11:41, 1 # -> 2
2022-01-19 14:19:49,043 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:48
2022-01-19 14:19:49,090 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:48, 1 # -> 2
2022-01-19 14:19:49,843 fail2ban.actions        [22945]: NOTICE  [nextcloud] Ban 10.2.90.20
2022-01-19 14:19:49,855 fail2ban.observer       [22945]: INFO    [nextcloud] IP 10.2.90.20 is bad: 1 # last 2022-01-19 14:09:33 - incr 0:01:00 to 0:05:00
2022-01-19 14:19:49,856 fail2ban.observer       [22945]: NOTICE  [nextcloud] Increase Ban 10.2.90.20 (2 # 0:05:00 -> 2022-01-19 14:24:48)
2022-01-19 14:19:52,851 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:52
2022-01-19 14:19:52,895 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:52, 2 # -> 3, Ban
2022-01-19 14:19:53,059 fail2ban.actions        [22945]: NOTICE  [nextcloud] 10.2.90.20 already banned
2022-01-19 14:19:56,458 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:56
2022-01-19 14:19:56,473 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:56, 2 # -> 3, Ban
2022-01-19 14:19:57,073 fail2ban.actions        [22945]: NOTICE  [nextcloud] 10.2.90.20 already banned
2022-01-19 14:19:58,663 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:19:58
2022-01-19 14:19:58,699 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:19:58, 2 # -> 3, Ban
2022-01-19 14:19:59,081 fail2ban.actions        [22945]: NOTICE  [nextcloud] 10.2.90.20 already banned
2022-01-19 14:20:01,469 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:20:01
2022-01-19 14:20:01,499 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:20:01, 2 # -> 3, Ban
2022-01-19 14:20:01,685 fail2ban.actions        [22945]: NOTICE  [nextcloud] 10.2.90.20 already banned
2022-01-19 14:20:02,272 fail2ban.filter         [22945]: INFO    [nextcloud] Found 10.2.90.20 - 2022-01-19 14:20:02
2022-01-19 14:20:02,318 fail2ban.observer       [22945]: INFO    [nextcloud] Found 10.2.90.20, bad - 2022-01-19 14:20:02, 2 # -> 3, Ban
2022-01-19 14:20:02,892 fail2ban.actions        [22945]: NOTICE  [nextcloud] 10.2.90.20 already banned

I also see it correctly in iptables:

[root@example ]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nextcloud  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-nextcloud (1 references)
target     prot opt source               destination
REJECT     all  --  10.2.90.20           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

And from fail2ban status:

[root@example]# fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     4
|  `- File list:        /path/to/nextcloud.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   10.2.90.20

The output of nextcloud.local:

[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 60
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 5 30 60 300 720 1440 2880
findtime = 600
logpath = /path/to/nextcloud.log

The output of nextcloud.conf:

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

Sorry for opening another topic; I had the last one in draft for a long time and forgot to add this to it.

Thank you for your help.
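The filter and jail from this post, run as an added example over constructed log lines (this is not code from the thread or from fail2ban itself): it expands %(_groupsre)s and <HOST> the way fail2ban's config loader does, then applies maxretry/findtime to decide when a host gets banned. The <HOST> stand-in (HOST_RE) and the sample lines are assumptions. One caveat that matters for a reverse-proxy setup: the address the filter captures is the remoteAddr Nextcloud writes, which is the real client address only when trusted_proxies is configured; the firewall rule fail2ban then creates matches packets by source address, so it only bites on the host where that client address is the actual packet source.

```python
"""Run the Nextcloud fail2ban filter from the post over constructed
Nextcloud JSON log lines and apply the jail's findtime/maxretry window.

Added example, not fail2ban's own code and not code from the thread.
The regex and the jail values are copied from the post; HOST_RE and the
sample lines are assumptions (HOST_RE is a simplified stand-in for the
IPv4/IPv6/hostname pattern fail2ban substitutes for <HOST>)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# filter.d/nextcloud.conf from the post; %(_groupsre)s is fail2ban's
# config interpolation, <HOST> its capture placeholder.
GROUPSRE = r'(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'
FAILREGEX = [
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:',
    r'^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.',
]
HOST_RE = r'(?P<host>[0-9A-Fa-f.:]+)'            # assumption: IP literals only
TIME_RE = re.compile(r'"time"\s*:\s*"([^"]+)"')  # the post's datepattern, simplified


def compile_failregex():
    """Expand the %(_groupsre)s interpolation and the <HOST> placeholder, then compile."""
    return [re.compile((pat % {"_groupsre": GROUPSRE}).replace("<HOST>", HOST_RE))
            for pat in FAILREGEX]


def match_line(line, patterns):
    """(host, timestamp) if the line is a failure the filter recognises, else None.
    Every sample line carries a "time" field, as Nextcloud's JSON log does."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            t = TIME_RE.search(line)
            return m.group("host"), datetime.fromisoformat(t.group(1))
    return None


def simulate_jail(lines, maxretry=3, findtime=600):
    """Ban a host once it has maxretry failures within findtime seconds.
    Returns {host: timestamp of the failure that triggered the ban}."""
    patterns = compile_failregex()
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for line in lines:
        hit = match_line(line, patterns)
        if hit is None:
            continue
        host, ts = hit
        # keep only failures inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in bans:
            bans[host] = ts
    return bans


def sample_log():
    """Constructed log lines in Nextcloud's JSON format (not real data)."""
    def line(ts, ip, msg):
        return ('{"reqId":"x1","level":2,"time":"%s","remoteAddr":"%s","user":"--",'
                '"app":"core","method":"POST","url":"/login","message":"%s",'
                '"userAgent":"curl/7.29.0","version":"22.2.3.0"}' % (ts, ip, msg))
    fail = "Login failed: 'admin' (Remote IP: '10.2.90.20')"
    return [
        line("2022-01-19T14:00:00+00:00", "10.2.90.20", fail),  # outside the 600 s window
        line("2022-01-19T14:19:48+00:00", "10.2.90.20", fail),  # 1
        line("2022-01-19T14:19:52+00:00", "10.2.90.20", fail),  # 2
        line("2022-01-19T14:19:53+00:00", "10.2.90.20", fail),  # 3 -> ban
        line("2022-01-19T14:20:00+00:00", "192.168.178.30", "Trusted domain error. Tried to access: x"),
        line("2022-01-19T14:20:05+00:00", "192.168.178.30", "Login successful"),  # no match
    ]


if __name__ == "__main__":
    for host, ts in simulate_jail(sample_log()).items():
        print("Ban %s at %s" % (host, ts.isoformat()))
```

For the real log, fail2ban ships `fail2ban-regex`: `fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` reports how many lines the filter matched, which is the first thing to check when the jail's "Total failed" counter looks wrong.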

Hi!
I’m sorry, but your problem is not about Nextcloud. It concerns Fail2ban, or rather iptables in your case.

I have the same configuration as you, and the bans are effective; I just redid the test.

We can see in your log that the ban is triggered, so the fail2ban rule from the Nextcloud documentation is correct and functional.

Your fail2ban log says that the IP is already banned, so fail2ban is also doing its job.

Your problem is in iptables, in my opinion. Can you give the result of “iptables -S” after a ban?

I am not an iptables expert, but the problem really seems to be there.

Hoping to help you.
Have a nice evening.

Hello,

I’d like to report a similar issue. I just did a fresh install of Nextcloud (23.0.0) in Docker.

I have set up fail2ban according to the docs:

/etc/fail2ban/filter.d/nextcloud.conf:

[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

/etc/fail2ban/jail.d/nextcloud.local:

[nextcloud]
backend = auto
enabled = true
port = 80,443,8086
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /home/pi/nextCloud/ncdata/data/nextcloud.log

sudo fail2ban-client status nextcloud:

Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     7
|  `- File list:        /home/pi/nextCloud/ncdata/data/nextcloud.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   my-phone's-external-IP 192.168.178.30

sudo iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-nextcloud  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,8086

Chain f2b-nextcloud (1 references)
target     prot opt source               destination
REJECT     all  --  46.114.108.61        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

sudo iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-nextcloud
-A INPUT -p tcp -m multiport --dports 80,443,8086 -j f2b-nextcloud
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-8f13680f7841 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-8f13680f7841 -j DOCKER
-A FORWARD -i br-8f13680f7841 ! -o br-8f13680f7841 -j ACCEPT
-A FORWARD -i br-8f13680f7841 -o br-8f13680f7841 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-885392c9bc90 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-885392c9bc90 -j DOCKER
-A FORWARD -i br-885392c9bc90 ! -o br-885392c9bc90 -j ACCEPT
-A FORWARD -i br-885392c9bc90 -o br-885392c9bc90 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.30.0.3/32 ! -i br-885392c9bc90 -o br-885392c9bc90 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.30.0.5/32 ! -i br-885392c9bc90 -o br-885392c9bc90 -p tcp -m tcp --dport 2342 -j ACCEPT
-A DOCKER -d 172.30.0.4/32 ! -i br-885392c9bc90 -o br-885392c9bc90 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.30.0.6/32 ! -i br-885392c9bc90 -o br-885392c9bc90 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-8f13680f7841 ! -o br-8f13680f7841 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-885392c9bc90 ! -o br-885392c9bc90 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-8f13680f7841 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-885392c9bc90 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-nextcloud -s my-phone's-external-IP/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN

I have tried accessing via both https://cloud.domain.com and localIP:Port, same result. Both get jailed, but I can access the website and log in to both. NC is running behind a reverse proxy when accessing it via https://cloud.domain.com

Hi @AriaTwoFive and @Koky999

I’m no expert when it comes to iptables. But it probably has something to do with the Docker rules being checked before the Fail2ban rules.

I found this…

https://docs.docker.com/network/iptables/#add-iptables-policies-before-dockers-rules

… and this:

https://serverfault.com/questions/1043964/fail2ban-iptables-entries-to-reject-https-not-stopping-requests-to-docker-contai

Maybe it helps to at least point you in the right direction.

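As an added check for the Docker ruleset posted above and the rule-ordering point made in the replies (example code, not from the thread, fail2ban or Docker): a port Docker publishes is DNATed in the nat table's PREROUTING chain, so the packet is then forwarded to the container and traverses the filter table's FORWARD chain, never INPUT; the `-A INPUT ... -j f2b-nextcloud` rule in the posted output therefore never sees it. FORWARD's first rule jumps to DOCKER-USER, the chain Docker reserves for user rules, and fail2ban's jail.conf `chain` option (default INPUT) controls where the jump to `f2b-<jail>` is inserted, so `chain = DOCKER-USER` in the `[nextcloud]` jail section puts the ban on the forwarded path. The function below parses `iptables -S` text and reports whether the jail chain is reached before any ACCEPT on the INPUT and FORWARD paths; the sample rulesets are constructed and abridged from the posted one.

```python
"""Find where a fail2ban jail's chain is hooked into the iptables
ruleset and whether traffic that Docker forwards to a container can
reach it at all. Added example, not fail2ban's or Docker's code. Input
is the text of `iptables -S`; SAMPLE_DOCKER is an abridged, constructed
version of the ruleset posted in the thread and SAMPLE_FIXED adds the
hook that `chain = DOCKER-USER` in the jail would create."""
import re
import sys

# "-A <chain> <match expression> -j <target> [target options]"
RULE_RE = re.compile(r'^-A (?P<chain>\S+)(?P<match>.*?) -j (?P<target>\S+)')

SAMPLE_DOCKER = """\
-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-N f2b-nextcloud
-A INPUT -p tcp -m multiport --dports 80,443,8086 -j f2b-nextcloud
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.30.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
-A f2b-nextcloud -s 10.2.90.20/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-nextcloud -j RETURN
"""
# What the ruleset looks like once the jump is inserted into DOCKER-USER.
SAMPLE_FIXED = SAMPLE_DOCKER.replace(
    "-A DOCKER-USER -j RETURN",
    "-A DOCKER-USER -p tcp -m multiport --dports 80,443,8086 -j f2b-nextcloud\n"
    "-A DOCKER-USER -j RETURN")


def parse_rules(text):
    """chain -> ordered list of (match expression, target)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.setdefault(m.group("chain"), []).append(
                (m.group("match").strip(), m.group("target")))
    return rules


def walk(rules, chain, target, seen):
    """Walk `chain` in rule order, descending into user chains.
    Returns 'hooked' if a jump to `target` is met first, 'accepted' if an
    ACCEPT is met first, None if the chain falls through or RETURNs.
    ACCEPT is treated as terminating whatever its match expression, so the
    result is conservative: 'accepted' means 'not guaranteed', not 'never'."""
    if chain in seen:
        return None
    seen.add(chain)
    for _match, tgt in rules.get(chain, []):
        if tgt == target:
            return "hooked"
        if tgt == "ACCEPT":
            return "accepted"
        if tgt in rules:                      # user-defined chain: descend
            sub = walk(rules, tgt, target, seen)
            if sub:
                return sub
    return None


def assess_jail(text, jail="nextcloud"):
    """Summarise how the jail's chain is wired for local and forwarded traffic."""
    chain = "f2b-" + jail
    rules = parse_rules(text)
    return {
        "hooked_from": sorted(c for c, rs in rules.items()
                              if any(t == chain for _, t in rs)),
        "local": walk(rules, "INPUT", chain, set()) == "hooked",
        "forwarded": walk(rules, "FORWARD", chain, set()) == "hooked",
        "banned": [m.split()[1] for m, t in rules.get(chain, [])
                   if t == "REJECT" and m.startswith("-s ")],
    }


if __name__ == "__main__":
    # usage: iptables -S > rules.txt && python3 check_f2b.py rules.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOCKER
    for key, val in assess_jail(text).items():
        print("%-12s %s" % (key, val))
```

On the posted ruleset this reports the jail hooked from INPUT only, so locally terminated traffic is covered but forwarded traffic is not; after `chain = DOCKER-USER` (and a `fail2ban-client reload`) the jump appears in DOCKER-USER, which FORWARD consults before any of Docker's ACCEPT rules. The non-Docker case behind a separate reverse-proxy host has a different cause the same check will not show: packets arriving at the Nextcloud host carry the proxy's source address, so a REJECT rule for the client address never matches there and the ban has to be enforced on the proxy host instead.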

Hi @bb77
My installation is not running in Docker, but it is also behind a reverse proxy. Maybe this can be the issue? But I don’t understand how, if iptables shows REJECT for the banned IP address, it still allows access.

But according to the iptables rules you posted, Docker is installed on your system…

Sorry not sure about that… But is it possible that the reverse proxy is running in a Docker container?

As I said, I’m not an expert when it comes to iptables; I use UFW as a frontend to iptables. But firewalls in general process rules in a certain order. If a request hits an allow rule that it matches, the allow rule wins. Or more precisely, the subsequent deny rules will then not be processed anymore.

@Koky999
I have never installed Fail2Ban and do not need it for my Nextclouds either.
Read the Hardening and security guidance and perhaps apply those settings without Fail2Ban.

@devnull
Still not ideal when iptables rules don’t work imho…

@Koky999
Imho you have three possibilities…

  1. Learn how iptables works and configure all parts involved (Docker, proxy etc…) properly, so that the iptables rules get processed correctly. Maybe the links in my first post can help you with that…

  2. Install UFW and use that instead of iptables directly. On my server, without a reverse proxy but with Collabora in a docker container, fail2ban works “out of the box” together with UFW.

  3. Don’t use fail2ban at all as @devnull suggested and trust the integrated bruteforce protection of Nextcloud.

Option three is generally ok. However, personally I would definitely want to have firewall rules in place on my server, because I wouldn’t want every application or Docker container I might run in the future to be directly accessible on the port it is running on, even if it is only accessible from the LAN. That’s why I use UFW, which is way easier to manage than iptables directly. But this is of course up to you, how much you want to lock down your server. As long as you only forward ports 80 and 443 from the internet, there is at least no direct threat from the outside world either way.

@Koky999 @bb77

I think a server does not need a firewall to manage incoming traffic. In the firewall you must allow the needed ports, e.g. 80/443 TCP. And then I hope that not the network but the service (e.g. apache2, nginx, nextcloud, …) manages access, not on the network layer but on the application layer.

Outgoing traffic, e.g. if you have got malware, is another thing. There it is perhaps useful to disallow all traffic to the outside (malware calls home for a remote maintenance trojan). But with Windows 10, I don’t know anyone who has blocked their internet access because of this. But malware is much more likely to occur under Windows than under Linux. Have you got Fail2Ban installed on your Windows desktop too?

I manage it mainly in my pfSense. I have several subnets. But in addition, I also manage some things via UFW so that not every device on the same subnet can access every other device. Generally speaking, security measures should have multiple layers. And just as you should follow the principle of least privilege when it comes to permissions, you should only allow connections on the network that are needed. Which concrete actions make sense and which ones don’t would be a longer discussion and depends on many factors. Also, there is usually more than one right way of doing things.

About UFW: UFW is inactive after installing it, and as long as you have physical access to the server you can’t really lock yourself out. Anyway, the main reason I mentioned UFW is that I believe it could possibly solve the Fail2ban issue @Koky999 is experiencing. Imho it would be at least worth a try…

Hi, the issue is your network setup with Docker; it bypasses your f2b-nextcloud chain because of earlier NAT rules, I believe.
Known topic.


This helped me, it seems to work fine.