[Request] Add Fail2Ban

[lordraiden]

Please consider fail2ban
https://www.fail2ban.org/wiki/index.php/Main_Page

and a 2 step verification method
https://www.authelia.com/ 
https://github.com/clems4ever/authelia

BTW your software is being a total sucess here https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/

[vrelk]

I agree on the fail2ban, I can see 2fa being good if it is going to be externally available.
Big thing if you implement f2b, make sure it will pay attention to the forwarded-for IP. That way you don't end up blocking cloudflare.

I switched away from that docker container actually simply because it wasn't up-to-date enough for me. I needed the latest features such as the ability to forward HTTPS enabled sites.

[jc21]

@lordraiden Thanks for the heads up, makes sense why so many issues being logged in the last 2 weeks! F2B is definitely a good improvement to be considered.

@vrelk Upstream SSL hosts support is done, in the next version I'll release today. Is that the only thing you needed that the docker version couldn't do?

[vrelk]

@jc21 I guess I should have specified that I was referring to the docker container linked in the first post (unRAID). It is a few months out of date. My switch was from the jlesage fork to yours.

[macshack76]

please add fail2ban. otherwise you have a great software!

[WesSec]

+1 for f2b!

[lordraiden]

@jc21
Is there any new about the fail2ban addition?

[1337hium]

also voting for fail2ban 👍
Would be great

[Fiala06]

Would also like fail2ban!

[maximberezin97]

Would be great to have fail2ban built in like the linuxserver/letsencrypt Docker container!

Would also love to see fail2ban, or in the meantime, if anyone has been able to get it working manually and can share their setup/script

[Elmardus]

Is there a (manual) way to use Nginx-proxy-manager reverse proxies in combination with Authelia 2FA? I love the proxy manager's interface and ease of use, and would like to use it together with a authentication service.

[jsternadel]

+1 for both fail2ban and 2fa support. I would rank fail2ban as a primary concern and 2fa as a nice to have. With both of those features added i think this solution would be ready for smb production environments.

[neander]

+1 for fail2ban support.

[slobberbone]

+1 for fail2ban too !

[WesSec]

Some update on fail2ban, since I don't see this happening anytime soon, I created a fail2ban filter myself. Create a file called "nginx-docker" in /etc/fail2ban/filder.d with the following contents

[INCLUDES]  

[Definition]  

failregex = ^<HOST>.+" (4\d\d|3\d\d) (\d\d\d|\d) .+$
            ^.+ 4\d\d \d\d\d - .+ \[Client <HOST>\] \[Length .+\] ".+" .+$

This will jail all requests that return a 4xx/3xx code on the main ip or a 400 on the specified hosts in the docker (no 300 here because of redirects used to force HTTPS)

enable the jail in the jail.local file:

[nginx-docker]
enabled = true
logpath = <docker-config-location>/nginx-proxy-manager/data/logs/default_host.log
          <docker-config-location>/nginx-proxy-manager/data/logs/proxy_host-*.log
maxretry = 3
bantime  = 360
findtime = 60

The only issue is that docker sort of bypasses all iptables entries, fail2ban makes the entry but those are ignored by docker, resulting in having the correct rule in iptables or ufw, but not actually blocking the IP. Maybe someone in here has a solution for this.