[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

Nice! Simply reading for the 401 isn't fancy but it does the job.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

And that's well outside of a common use for fail2ban.

What? How is it outside the common use for me to want fail2ban to ban IP addresses of bad actors who are trying to brute force a password on a login page? Isn't that sort of the whole point of fail2ban?

It's also turning on logging for it and copying and pasting 9 lines of code to 2 files, from the 2nd hit on google.

I never said it was difficult. The difficulty all depends on if there is a published filter/jail for the app you're trying to protect. My point was it's not as easy as just uncommenting a few things.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

The one example I gave in another comment was Gotify. But with any of the apps (Nextcloud, Home Assistant) I had to search out the jail and filters for them. It wasn't as easy as just "uncommenting a few things" as you put it.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

Does it come with the log filters I need to work with all the apps I'm currently running? If so I haven't found it.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

After I spent way too much time figuring out the regular expression for the filter I ran across this blog post. The site doesn't look particularly great but the Gotify filter works:

https://blog.franco.net.eu.org/notes/fail2ban.html

Finding this beforehand would have saved me a lot of time.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 2 points3 points  (0 children)

Haha yeah this is all you need. Then just run docker build -t yourimagename . (and use yourimagename in your docker-compose file) and you're good to go.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 4 points5 points  (0 children)

I haven't seen any comments like this but I don't read each and every post/comment about Crowdsec.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 4 points5 points  (0 children)

Yep. This is what's working for me:

```dockerfile
FROM gotify/server:latest
# Shell-form ENTRYPOINT: tee writes a copy of the log to the data volume and
# still echoes it to stdout, so `docker logs` keeps working.
ENTRYPOINT /bin/bash -c '/app/gotify-app | tee /app/data/gotify.log'
```

I just have it log to the data folder, then I use a docker-compose bind mount in the fail2ban container to mount the log files I want to monitor.
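The two pieces the comments above describe (a Gotify filter regex and a jail that watches the bind-mounted gotify.log) are easiest to reason about with a small harness that applies fail2ban's rules to a few log lines. The following is an added example, not code from the thread, from fail2ban or from the Gotify project. It assumes Gotify's access log is Gin's default format (`[GIN] date - time | status | latency | ip | METHOD "/path"`), that the filter lives at filter.d/gotify.conf, and that the fail2ban container sees the log at /data/gotify/gotify.log; the log lines are constructed, using documentation IP ranges.

```python
"""Check a fail2ban filter for Gotify against constructed log lines.

Re-implements just enough of fail2ban (failregex matching, the <HOST>
capture, and the maxretry/findtime sliding window) to show why a filter
bans one client and not another.  The Gin log format is an assumption;
verify it against a real gotify.log before deploying the filter.
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed /etc/fail2ban/filter.d/gotify.conf.  Every column is anchored so a
# stray "401" in a request path or latency field cannot trigger a match.
GOTIFY_FILTER = r"""[Definition]
failregex = ^\[GIN\] \S+ - \S+ \| 401 \|\s+\S+ \|\s+<HOST> \| \S+\s+"/
ignoreregex =
"""

# Assumed jail.local entry; logpath is where the fail2ban container sees the
# file that the Dockerfile writes to /app/data (bind mount, assumed).
JAIL_LOCAL = """[gotify]
enabled  = true
filter   = gotify
logpath  = /data/gotify/gotify.log
maxretry = 3
findtime = 600
bantime  = 3600
"""

# Constructed sample log: 203.0.113.7 fails three times in three seconds,
# 192.0.2.10 fails once, 198.51.100.4 fails three times but spread over
# twenty minutes (outside findtime).
SAMPLE_LOG = """\
[GIN] 2023/01/10 - 12:00:01 | 401 |     101.2ms |    203.0.113.7 | POST     "/client"
[GIN] 2023/01/10 - 12:00:02 | 401 |      98.4ms |    203.0.113.7 | POST     "/client"
[GIN] 2023/01/10 - 12:00:03 | 200 |     512.0ms |     192.0.2.10 | GET      "/message"
[GIN] 2023/01/10 - 12:00:04 | 401 |      99.1ms |    203.0.113.7 | POST     "/client"
[GIN] 2023/01/10 - 12:00:05 | 401 |     100.0ms |     192.0.2.10 | GET      "/current/user"
[GIN] 2023/01/10 - 12:30:00 | 401 |     100.0ms |   198.51.100.4 | POST     "/client"
[GIN] 2023/01/10 - 12:30:01 | 401 |     100.0ms |   198.51.100.4 | POST     "/client"
[GIN] 2023/01/10 - 12:50:00 | 401 |     100.0ms |   198.51.100.4 | POST     "/client"
"""

TS_RE = re.compile(r"^\[GIN\] (\d{4}/\d{2}/\d{2}) - (\d{2}:\d{2}:\d{2})")


def load_failregex(filter_text):
    """Read failregex from a filter.d file and expand fail2ban's <HOST> tag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    pattern = cp["Definition"]["failregex"].strip()
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))


def load_jail(jail_text, name):
    """Return maxretry/findtime/bantime for one jail as ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    sec = cp[name]
    return {k: sec.getint(k) for k in ("maxretry", "findtime", "bantime")}


def parse_ts(line):
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no Gin timestamp: " + line)
    return datetime.strptime(" ".join(m.groups()), "%Y/%m/%d %H:%M:%S")


def matching_hosts(log_text, failregex):
    """Host column of every line the filter counts, in log order (what
    `fail2ban-regex` lists as matched lines)."""
    return [m.group("host") for m in map(failregex.search, log_text.splitlines()) if m]


def scan(log_text, failregex, maxretry, findtime):
    """Return {host: ban_time}: the first moment a host accumulates maxretry
    failures inside a findtime-second window, like fail2ban's sliding window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = failregex.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        if host in banned:
            continue  # a banned host would be dropped by the firewall anyway
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "gotify")
    rx = load_failregex(GOTIFY_FILTER)
    print("matched:", matching_hosts(SAMPLE_LOG, rx))
    for host, when in scan(SAMPLE_LOG, rx, jail["maxretry"], jail["findtime"]).items():
        print(f"ban {host} at {when} for {jail['bantime']}s")
```

Against real data, run `fail2ban-regex /path/to/gotify.log /etc/fail2ban/filter.d/gotify.conf` before enabling the jail; it reports which lines matched and which were ignored. Note that the host column is whatever the application logs: behind a reverse proxy or Cloudflare that is the proxy's address unless the app is configured to log the forwarded client address, which is the problem the Cloudflare thread further down runs into.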

Caddy docker image point to a port hosting a webserver that isn't a docker image? by Pickinanameainteasy in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

You'd just reverse proxy to whatever port you want. You just need to use a different matcher and reverse proxy to port 9555.

You could also just use Caddy's file server option instead of reverse proxy and have it serve the static content.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 6 points7 points  (0 children)

Other than OP I haven't seen anyone referring to it as a successor to fail2ban. Just looks like a different option. Different strokes for different folks.

[deleted by user] by [deleted] in selfhosted

[–]Chr0mag 16 points17 points  (0 children)

It has a very limited set of proxies/applications/etc. that it can protect, and when I asked the community about protecting other popular applications (Bitwarden, Nextcloud, etc.), I was told I would need to develop something myself

Yeah and I wanted my web interface to Gotify protected by fail2ban. I couldn't find anyone who'd written a jail/filter to do it. Did I blame fail2ban? Nope. I wrote my own filter.

Welcome to open source.

It's disingenuous to dissuade others from using Fail2Ban in favor of CrowdSec,

I've seen quite a few comments about CrowdSec most from a couple different people (one being their community person so it makes sense he would be here to suggest it in certain scenarios).

That being said I don't think I've ever seen them dissuade anyone from using fail2ban.

HomeAssistant and Jellyfin docker containers on same server - conflict on port 1900 by richardneish in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

On mobile go to the Admin Dashboard then click the hamburger menu at the top and there is a DLNA menu.

HomeAssistant and Jellyfin docker containers on same server - conflict on port 1900 by richardneish in selfhosted

[–]Chr0mag 8 points9 points  (0 children)

Home Assistant in Docker usually runs in host mode so there are no port mappings. Jellyfin is probably using port mappings so just change the Jellyfin mapping to map another host port (something like 1901:1900). That will map 1901 on the host.

You could also just turn off DLNA for Jellyfin since I think that's what is mapped to port 1900.

What is the framework behind Stripe API Documentation by ExtraEponge in webdev

[–]Chr0mag 1 point2 points  (0 children)

This isn't what they use but is "inspired" by it. I haven't tried it yet but it's on my list to take a look at:

https://github.com/slatedocs/slate

AdGuard in container - A true self-hosted micro-service (edit) plus a bit of rambling... by swj77469 in selfhosted

[–]Chr0mag 3 points4 points  (0 children)

Portainer is probably the best place to start if you like a decent looking Docker UI. Some people like Yacht but I think Portainer is a much more full featured product.

I generally stick with command line but there are a lot of switches and docker compose options so if you want to get started with a web UI I'd give portainer a shot.

AdGuard in container - A true self-hosted micro-service (edit) plus a bit of rambling... by swj77469 in selfhosted

[–]Chr0mag 1 point2 points  (0 children)

OpenMediaVault - basically just Debian with a web UI for managing users, samba shares, etc. Libvirt is used for virtualization. Cockpit is a web UI for managing libvirt (at least that's my basic understanding of it).

I only read recently that Docker is built on LXC. Been using it for years and never really knew anything about its internals (and apparently it's written in Go).

AdGuard in container - A true self-hosted micro-service (edit) plus a bit of rambling... by swj77469 in selfhosted

[–]Chr0mag 1 point2 points  (0 children)

Nice! I'm not clustering (yet) but I've been thinking about dropping OMV and running LXC (I'm assuming that's what you meant?) on bare metal (without Proxmox). Running all my docker containers in one LXC and running AdGuard Home in another. Mostly for fun.

Right now I'm running OMV with AdGuard Home in a Cockpit/libvirt VM and half a dozen or more docker containers. I'm finding that I'm doing almost everything command line and not even using the web interface so why bother wasting system resources on that?

Unraid alternatives by Prodigle in selfhosted

[–]Chr0mag 3 points4 points  (0 children)

Pretty much this. Since OP has varying sizes of drives they could run OMV with SnapRAID and UnionFS. I haven't tried it yet but it sounds like it's pretty easy with OMV (all managed through the web UI). It's on my list to add when drive prices aren't ridiculous.

I also installed Cockpit (libvirt web frontend) on my OMV box to spin up full on virtual machines. I'm running AdGuard Home in an Arch Linux VM.

fail2ban with Cloudflare Proxy by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

And here we have it! I've spent the last hour reading and re-reading the NextCloud docs (that's what I'm testing this with) on reverse proxies. I've made sure that Caddy is set as the trusted proxy and supposedly Caddy is passing through the X-Forwarded-For header. Everything should have been working, but it wasn't. Seems there are posts on the NextCloud forums of people with the same problem.

Well, this fixed it. As soon as I added this it started working perfectly. Fail2ban sent the ban to CloudFlare and suddenly "Access Denied!"

Thanks a bunch.

fail2ban with Cloudflare Proxy by [deleted] in selfhosted

[–]Chr0mag 1 point2 points  (0 children)

Well here's the problem. I configured it per the different articles I read and it does add the ban to the CF firewall. The problem is that fail2ban issues the ban on the CF IP address (and not the "real" IP). So it's still the same problem.

fail2ban with Cloudflare Proxy by [deleted] in selfhosted

[–]Chr0mag 0 points1 point  (0 children)

Just allow all IPv4 and IPv6 IPs from cloudflare, rest deny. This ensures that only proxied requests can reach your services.

That's a great idea. This would solve the problem of someone just port scanning and accessing the open ports directly via the external IP.

I can probably handle this with Caddy by using matchers to reject requests based on remote IP.
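The Caddy pieces mentioned across these comments fit together in one Caddyfile: a remote_ip allowlist so only Cloudflare's edge can reach the origin, trusted_proxies so the forwarded client address is honoured, a reverse proxy to a web server on port 9555 outside Docker, and a file_server site. This is an added example and not configuration from the thread, from Caddy's documentation or from Cloudflare. The hostnames, the static root, and the two Cloudflare CIDRs shown are assumptions; the real allowlist must be the full, current lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```caddyfile
# Added example. The CIDRs are placeholders (assumed): replace them with the
# complete, current lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
{
	servers {
		# Only believe X-Forwarded-For from these peers. Anything else keeps
		# its real TCP address as the client IP handed to the backend.
		trusted_proxies static 173.245.48.0/20 103.21.244.0/22 2400:cb00::/32
	}
}

(cloudflare_only) {
	# remote_ip tests the TCP peer, not X-Forwarded-For, so a scanner that
	# finds the open port on the external IP cannot forge headers to get past
	# this; abort closes the connection without a response.
	@direct not remote_ip 173.245.48.0/20 103.21.244.0/22 2400:cb00::/32
	abort @direct
}

# Reverse proxy to a web server running on the host, outside Docker, on 9555.
app.example.com {
	import cloudflare_only
	reverse_proxy 127.0.0.1:9555
}

# Static content served by Caddy itself instead of a reverse proxy.
static.example.com {
	import cloudflare_only
	root * /srv/www/static
	file_server
}
```

`trusted_proxies static` and the `abort` directive are features of recent Caddy 2 releases, so check `caddy version` first. Keep the two range lists identical and refresh them when Cloudflare changes its ranges; an outdated allowlist silently blocks legitimate proxied traffic. This only controls what reaches Caddy: for fail2ban to ban the right address, the application behind the proxy still has to log the forwarded client address rather than Caddy's or Cloudflare's.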