Unwanted IP ban from fail2ban

Hi everybody,

Here is my Yunohost configuration:

I installed yunohost on my old laptop. I first installed debian then yunohost on top of it
YunoHost version: 3.6.4.6

Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain:
I installed Kodi before installing YunoHost on Debian, so I use the machine as both a media center and a server

Installed apps

VPN client/ Transmission/ Roundcube/ Nextcloud/ Jirafeau/ H5AI

I mainly use H5AI because I use it as an external website to provide files to my students (I'm a teacher). I use Nextcloud to add files to the H5AI app.

Description of my issue

So here is my issue. As I said, I'm mainly using H5AI, so I don't know if the issue happens only for this app or for all of them.

I noticed that it often happens that I can connect to my website, then I get a timeout and the website is no longer accessible. I also noticed that it is related to IP blocking.
Indeed, by checking the fail2ban logs I noticed that the IP is banned (and gets unbanned a few minutes later, so I can access the website again).

I can provide fail2ban logs but I think they will not be that useful. Moreover, I don't know what files I can provide you to try to solve this issue.

It may be linked to this topic: Étrange : Yunohost inaccessible depuis certaines connexions but there was no solution

Have a nice day everybody
Rémy

In French

Hello everyone,

My YunoHost configuration:

I installed YunoHost on a laptop. I first installed Debian, then YunoHost
YunoHost version: 3.6.4.6

Modifications made? : Yes

After installing Debian I installed Kodi, then YunoHost. So I use the computer both as a server and as a media center.

Installed apps

VPN client/ Transmission/ Roundcube/ Nextcloud/ Jirafeau/ H5AI

I mainly use H5AI to provide courses online. I use Nextcloud to add documents to H5AI

Description of the problem

First of all, my problem appears when accessing the H5AI site, but I don't know whether it can also appear with the other applications (which I use much less)

At first I can access the server and my website without any trouble; however, quite often, after a few minutes I lose access to it. I noticed that the problem was due to the blocking of the IP address used to access the site (several IP addresses are affected). The problem comes from the fact that fail2ban bans these same addresses (I can then access the site again a few minutes later, once the IPs are unblocked).

I can provide the fail2ban logs but I don't think that would be useful. Also, I don't know which other logs could help you.

It may be related to this problem: Étrange : Yunohost inaccessible depuis certaines connexions but there was no solution

Have a good day, everyone,
Rémy

Hey @RemyL, it's a common issue and we recently changed the logic behind fail2ban so as to allow more failures. This reduces the chances of being banned. You may also want to look into the ignoreip option, which allows your IP to be "whitelisted". See https://www.fail2ban.org/wiki/index.php/Whitelist.


Also relevant : How to avoid beeing banned by fail2ban for ever

Hi, thank you for your answer.

Do you know when the change will be applied?
Moreover, it does not happen for only one IP but for all IPs, so I can't whitelist all the IPs of the people who want to go to my website.

You have to know why you have been banned. There is a reason. Most likely a Nextcloud client tries to access your cloud with no password or a bad one.

To avoid this for a test, it may be useful to ignore this IP by hand.

You will find your client's public IP by calling ifconfig.me from your browser. Then create a file /etc/fail2ban/jail.d/ignore.conf

And in it your ip:

[DEFAULT]
ignoreip = 1.2.6.4

Restart fail2ban with

sudo systemctl restart fail2ban

Whitelisting a bunch of IP addresses is tedious and most probably a bad idea in the long run.

It would be useful to understand why fail2ban is so quick to ban users of H5AI so that you can adapt the rules applied.
In a nutshell, fail2ban looks for repeating patterns (filters) in a given log file, and when a pattern occurs more than N times (maxretry) from the same IP address in a short time period (findtime) it considers that address as an attacker and bans it for a given duration (bantime).

You can change one or many of these things:

  • the filters are defined in /etc/fail2ban/filter.d/ (you have to understand the regexp syntax if you want to customize them)
  • the maxretry, findtime and bantime can be modified in /etc/fail2ban/jail.d/*

First you need to identify which jail is responsible for the overblocking.
You can find the jail name in /var/log/fail2ban.log; it is the name in brackets.
If you want to list the last jails that were responsible for the banning of a given IP (x.x.x.x), type this:

ls -1tr /var/log/fail2ban.log* | tail | xargs zcat -f | grep 'Ban x.x.x.x' | tail

Imagine the jail is nginx-http-auth, find the config file for this jail (in /etc/fail2ban/jail.d/*) and edit the corresponding section like this:

[nginx-http-auth]
enabled = true
maxretry = 50
findtime= 1m
bantime=3h

With the above example your IP gets banned for 3 hours if you match the filter patterns more than 50 times in 1 minute. This is only an example.
After that you need to restart fail2ban:

systemctl restart fail2ban

That was the easy part of customisation. If you really need to go further by modifying the regular expressions used in filters, tell me. I'll try to guide you through using the command fail2ban-regex to test your filters before modifying the existing ones for real.

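An added example (not from the thread or from fail2ban itself) that does for every IP at once what the grep above does for one: it counts bans per jail and, for each ban, how many `Found` hits the same IP had inside an assumed `findtime` window. The log lines are constructed samples in the /var/log/fail2ban.log format, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in fail2ban.log format (not taken from the thread).
SAMPLE_LOG = """\
2019-10-02 09:05:30,000 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 198.51.100.9
2019-10-02 09:14:01,100 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 203.0.113.7
2019-10-02 09:14:01,350 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 203.0.113.7
2019-10-02 09:14:02,020 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 203.0.113.7
2019-10-02 09:14:02,400 fail2ban.actions [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2019-10-02 09:40:10,200 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 198.51.100.9
2019-10-02 09:40:10,800 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 198.51.100.9
2019-10-02 09:40:13,100 fail2ban.filter  [812]: INFO    [nginx-http-auth] Found 198.51.100.9
2019-10-02 09:40:13,500 fail2ban.actions [812]: NOTICE  [nginx-http-auth] Ban 198.51.100.9
2019-10-02 11:41:00,000 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.44
2019-10-02 11:41:03,000 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.44
2019-10-02 11:41:07,000 fail2ban.filter  [812]: INFO    [sshd] Found 192.0.2.44
2019-10-02 11:41:07,300 fail2ban.actions [812]: NOTICE  [sshd] Ban 192.0.2.44
"""

# timestamp, logger, [pid], level, [jail], event, IP (trailing text is ignored)
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)

def parse(text):
    """Yield (timestamp, jail, event, ip) for Found/Ban/Unban lines."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["event"], m["ip"]

def bans_per_jail(text):
    """Number of Ban events per jail: the jail to tune is the one on top."""
    return Counter(jail for _, jail, event, _ in parse(text) if event == "Ban")

def hits_before_ban(text, findtime=timedelta(minutes=10)):
    """Per ban: (jail, ip, Found hits inside findtime, seconds from first hit to ban)."""
    found, out = defaultdict(list), []
    for ts, jail, event, ip in parse(text):
        if event == "Found":
            found[jail, ip].append(ts)
        elif event == "Ban":
            hits = [t for t in found[jail, ip] if ts - t <= findtime]
            out.append((jail, ip, len(hits), (ts - hits[0]).total_seconds() if hits else 0.0))
    return out

print(bans_per_jail(SAMPLE_LOG), hits_before_ban(SAMPLE_LOG))
```

The `findtime` default of 10 minutes is an assumption; pass the value configured for the jail. Hits packed into a second or two look like a burst of automatic requests from one page load rather than repeated manual logins.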

Hi everybody and hi pitchum, it's been a while,
Thanks again for the help you provided me in the past.

Here is what I will do: first I will reproduce the issue to find out the jail where IPs are banned (I remember that there is recidive, but I guess that this one is caused by too many bans from the others).

Moreover, I'm not sure if the IP only gets banned through H5AI, and I will check that too. You also need to know that for my H5AI website I added an nginx configuration to access it with a user and password. Actually the IP gets banned even when the user and password are correct, but it may be the problem (well, I prefer to mention it so that you have all the information).

Edit 1:
So this morning I tried to reproduce the issue but couldn't (it's a bit weird because usually it happens often and it is easy to reproduce). What I did was: I connected to my YunoHost instance (main page with all the apps). I used Nextcloud and Roundcube but had no problem, then I connected to the H5AI website and everything worked well.
I will do more tests during the day to try to reproduce the issue.

Edit 2:
So I reproduced the issue, but it happened after a long time, when I tried to access a folder with .html files in it. I will try to remove those and see if it can be linked to that.

Thank you all
Have a nice day

I also need to add that I can't reproduce the issue using my smartphone with data (4G). I will try to see if it is linked to the fact that I use it with the phone or that I use data.
