this post was submitted on 23 Jun 2023

Selfhosted


Hey guys. I've been spending the last few months setting up my home server. Lots of troubleshooting was needed, since I am somewhat of a beginner.

Now fail2ban works really well. In fact, it works too well. I've banned myself on some occasions. Here is how I set it up:

I have a filter/jail that looks for forceful browsing using the nginx proxy manager access logs. I've used the following filter:

[INCLUDES]

[Definition]

failregex = ^.* (405|404|403|401|\-) (405|404|403|401) - .* \[Client <HOST>\] \[Length .*\] .* \[Sent-to <F-CONTAINER>.*</F-CONTAINER>\] <F-USERAGENT>".*"</F-USERAGENT> .*$

ignoreregex = ^.* (404|\-) (404) - .*".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?" \[Client <HOST>\] \[Length .*\] ".*" .*$

This fishes out all those errors - so far, so good. The problem is that, for some reason, my nextcloud install throws a lot of those errors every now and then. I have no clue why. Everything works, file transfers, browsing the web ui, settings - no trouble. Still, those errors show up in the npm log, for example:

[22/Jun/2023:18:44:24 +0200] - 404 404 - GET https ###SERVERURL### "/remote.php/dav/files/Pete90/Upload/Scan/Z/2023-06-22%2011-27%201.pdf" [Client ###IP### [Length 218] [Gzip -] [Sent-to ###SERVERLANIP###] "Mozilla/5.0 (Android) Nextcloud-android/3.25.0" "-"

This must have been the android nextcloud app, as it was automatically uploading some files.

Now here is where I need help. I've started adding things to the ignoreregex and this works as a workaround. But new error types show up every now and then which I have not added an ignoreregex for. This seems inefficient:

|.*PROPFIND.*files/Pete90.*Gzip.*|/ocs/v2.php/apps/text/workspace\?path=.2F|.*(?:/index.php/.well-known/nodeinfo|/index.php/.well-known/webfinger)|.*/core/preview.*$    ADD MORE LIKE THIS |.*REGEXYOUWANTTOIGNORE.*$

What would you do to prevent this? Is there something wrong with my nextcloud setup? Can I find a more general regex than the ones I used? Simply exclude nextcloud from the forceful browsing filter (I've set up a different filter/jail for nextcloud itself)? Any input is appreciated!
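
Added example, not part of the original post: a small offline harness that runs the post's failregex and ignoreregex over constructed log lines and counts the remaining failures per Sent-to upstream, so a candidate ignore pattern can be checked before it goes into the jail. The `<HOST>` and `<F-...>` expansion is a simplified stand-in for fail2ban's own, and all hostnames, IPs and sample lines are constructed.

```python
import re
from collections import Counter

# failregex / ignoreregex exactly as given in the post.
FAILREGEX = r'^.* (405|404|403|401|\-) (405|404|403|401) - .* \[Client <HOST>\] \[Length .*\] .* \[Sent-to <F-CONTAINER>.*</F-CONTAINER>\] <F-USERAGENT>".*"</F-USERAGENT> .*$'
IGNOREREGEX = r'^.* (404|\-) (404) - .*".*(\.png|\.txt|\.jpg|\.ico|\.js|\.css|\.ttf|\.woff|\.woff2)(/)*?" \[Client <HOST>\] \[Length .*\] ".*" .*$'

def expand(f2b_regex):
    """Turn fail2ban tags into named groups (assumption: simplified, not fail2ban's real expansion)."""
    rx = f2b_regex.replace("<HOST>", r"(?P<host>\S+)")
    rx = re.sub(r"<F-([A-Z]+)>", lambda m: "(?P<%s>" % m.group(1).lower(), rx)
    rx = re.sub(r"</F-[A-Z]+>", ")", rx)
    return re.compile(rx)

def classify(line, extra_ignores=()):
    """Return (verdict, client, upstream); verdict is 'ignored', 'fail' or 'nomatch'."""
    ignores = [expand(IGNOREREGEX)] + [re.compile(p) for p in extra_ignores]
    if any(rx.search(line) for rx in ignores):
        return ("ignored", None, None)
    m = expand(FAILREGEX).search(line)
    if not m:
        return ("nomatch", None, None)
    return ("fail", m.group("host"), m.group("container"))

def failures_by_upstream(lines, extra_ignores=()):
    """Count lines that would still count toward a ban, grouped by Sent-to target."""
    counts = Counter()
    for line in lines:
        verdict, _client, upstream = classify(line, extra_ignores)
        if verdict == "fail":
            counts[upstream] += 1
    return counts

# Constructed sample lines in the log format shown in the post.
SAMPLE = [
    '[22/Jun/2023:18:44:24 +0200] - 404 404 - GET https cloud.example.test "/remote.php/dav/files/Pete90/Upload/scan.pdf" [Client 203.0.113.7] [Length 218] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0 (Android) Nextcloud-android/3.25.0" "-"',
    '[22/Jun/2023:18:45:01 +0200] - 404 404 - GET https cloud.example.test "/favicon.ico" [Client 203.0.113.7] [Length 150] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    '[22/Jun/2023:18:46:10 +0200] - 403 403 - GET https blog.example.test "/wp-login.php" [Client 198.51.100.23] [Length 150] [Gzip -] [Sent-to 192.168.1.20] "curl/8.0" "-"',
    '[22/Jun/2023:18:47:00 +0200] - 200 200 - GET https cloud.example.test "/index.php" [Client 203.0.113.7] [Length 900] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"',
    '[22/Jun/2023:18:48:30 +0200] - 404 404 - PROPFIND https cloud.example.test "/remote.php/dav/files/Pete90/Notes" [Client 203.0.113.7] [Length 218] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0 (Android) Nextcloud-android/3.25.0" "-"',
]
EXTRA = [r'.*PROPFIND.*files/Pete90.*Gzip.*']  # one of the workaround patterns from the post

if __name__ == "__main__":
    print("filter as posted:     ", dict(failures_by_upstream(SAMPLE)))
    print("with extra ignoreregex:", dict(failures_by_upstream(SAMPLE, EXTRA)))
```

fail2ban's own `fail2ban-regex` tool remains the authoritative check against the real log and filter file.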
