fail2ban is registering but not blocking specific ip address

[FDF1337]

Behaviour

Steps to reproduce this issue

1. Try to login in vaultwarden with wrong user/password credentials from private ip-address 172.18.0.1

Expected behaviour

The ipaddress 172.18.0.1 should be banned and new connections should not be possible anymore for a defined time

Actual behaviour

The ipaddress 172.18.0.1 is being registered in the fail2ban log
The command docker exec -ti fail2ban fail2ban-client status shows the following entries

Status
|- Number of jail:      2
`- Jail list:   vaultwarden, vaultwarden-admin

The command docker exec -ti fail2ban iptables -nvL shows the following entries:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 f2b-vaultwarden  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-vaultwarden (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       172.18.0.1           0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Configuration

• Docker version (type docker --version):
  Docker version 20.10.12, build e91ed57
• Docker compose version if applicable (type docker-compose --version) :
  docker-compose version 1.29.2, build unknown
• Platform (Debian 9, Ubuntu 18.04, ...):
  Raspian/armv7l
• System info (type uname -a):
  Linux raspberrypi 5.10.63-v7l+ #1496 SMP Wed Dec 1 15:58:56 GMT 2021 armv7l GNU/Linux
• Include all necessary configuration files : docker-compose.yml, .env, ...

docker-compose.yml

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - SIGNUPS_ALLOWED=false
      - INVITATIONS_ALLOWED=false
      - WEBSOCKET_ENABLED=true
      - ADMIN_TOKEN=XXXXXXXX
      - LOG_LEVEL=INFO
      - LOG_FILE=/data/vaultwarden_access.log
    volumes:
      - ./vw-data:/data
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 8080:80  # Needed for the ACME HTTP-01 challenge.
      - 8443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=https://mydomain.com    # Your domain.
      - EMAIL=my_email@gmail.com       # The email address to use for ACME registration.
      - LOG_FILE=/data/caddy_access.log
  fail2ban:
    container_name: fail2ban
    restart: always
    image: crazymax/fail2ban:latest
    environment:
      - TZ=Europe/Zurich
      - F2B_DB_PURGE_AGE=30d
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=DEBUG
      - F2B_IPTABLES_CHAIN=INPUT
      - SSMTP_HOST=smtp.gmail.com
      - SSMTP_PORT=587
      - SSMTP_HOSTNAME=raspberrypi
      - SSMTP_USER=my_email@gmail.com
      - SSMTP_PASSWORD=XXXXXXXX
      - SSMTP_TLS=YES
      - SSMTP_STARTTLS=YES
    volumes:
      - ./fail2ban-data:/data
      - ./vw-data:/vaultwarden:ro
    network_mode: "host"
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW

Docker info

Output of command docker info

 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.7.1-docker)

Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 20.10.12
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.10.63-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 3.749GiB
 Name: raspberrypi
 ID: QS44:BQ23:MLSO:S3QA:YEMR:NTHW:NMXN:4W3F:DFNM:UMMT:Q5UC:2S4L
 Docker Root Dir: /home/docker/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.

Logs

fail2ban.log

2021-12-15 15:36:43,641 fail2ban.server         [1]: INFO    --------------------------------------------------
2021-12-15 15:36:43,641 fail2ban.server         [1]: INFO    Starting Fail2ban v0.11.2
2021-12-15 15:36:43,642 fail2ban.server         [1]: DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
2021-12-15 15:36:43,645 fail2ban.observer       [1]: INFO    Observer start...
2021-12-15 15:36:43,646 fail2ban.server         [1]: DEBUG   Starting communication
2021-12-15 15:36:43,663 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2021-12-15 15:36:43,666 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden-admin'
2021-12-15 15:36:43,697 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' uses pyinotify {}
2021-12-15 15:36:43,698 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,698 fail2ban.filter         [1]: DEBUG   Created FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,710 fail2ban.filterpyinotify[1]: DEBUG   Created FilterPyinotify
2021-12-15 15:36:43,710 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2021-12-15 15:36:43,711 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('vaultwarden-admin'))
2021-12-15 15:36:43,711 fail2ban.server         [1]: DEBUG     failregex: '^.*Invalid admin token\\. IP: <ADDR>.*$'
2021-12-15 15:36:43,727 fail2ban.filter         [1]: INFO      maxRetry: 3
2021-12-15 15:36:43,728 fail2ban.filter         [1]: INFO      findtime: 14400
2021-12-15 15:36:43,729 fail2ban.actions        [1]: INFO      banTime: 14400
2021-12-15 15:36:43,730 fail2ban.filter         [1]: INFO      encoding: UTF-8
2021-12-15 15:36:43,731 fail2ban.filter         [1]: INFO    Added logfile: '/vaultwarden/vaultwarden_access.log' (pos = 3232, hash = bc79ca20b6d34e090dd6147924702c6ad462a135)
2021-12-15 15:36:43,731 fail2ban.filterpyinotify[1]: DEBUG   New <Watch wd=1 path=/vaultwarden mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=True >
2021-12-15 15:36:43,732 fail2ban.filterpyinotify[1]: DEBUG   Added monitor for the parent directory /vaultwarden
2021-12-15 15:36:43,732 fail2ban.filterpyinotify[1]: DEBUG   New <Watch wd=2 path=/vaultwarden/vaultwarden_access.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=False >
2021-12-15 15:36:43,733 fail2ban.filterpyinotify[1]: DEBUG   Added file watcher for /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,734 fail2ban.filterpyinotify[1]: MSG     Log absence detected (possibly rotation) for /vaultwarden/vaultwarden_access.log, reason: INITIAL of /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,734 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,734 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = '<iptables> -N f2b-vaultwarden-admin\n<iptables> -A f2b-vaultwarden-admin -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-vaultwarden-admin'
2021-12-15 15:36:43,734 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-vaultwarden-admin\n<iptables> -F f2b-vaultwarden-admin\n<iptables> -X f2b-vaultwarden-admin'
2021-12-15 15:36:43,735 fail2ban.CommandAction  [1]: DEBUG     Set actionflush = '<iptables> -F f2b-vaultwarden-admin'
2021-12-15 15:36:43,735 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-vaultwarden-admin[ \\t]'"
2021-12-15 15:36:43,735 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '<iptables> -I f2b-vaultwarden-admin 1 -s <ip> -j <blocktype>'
2021-12-15 15:36:43,735 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = '<iptables> -D f2b-vaultwarden-admin -s <ip> -j <blocktype>'
2021-12-15 15:36:43,735 fail2ban.CommandAction  [1]: DEBUG     Set port = '80,443,8081,8080,8443'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set protocol = 'tcp'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set chain = '<known/chain>'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set name = 'vaultwarden-admin'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'iptables-allports'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set blocktype = 'DROP'
2021-12-15 15:36:43,736 fail2ban.CommandAction  [1]: DEBUG     Set returntype = 'RETURN'
2021-12-15 15:36:43,737 fail2ban.CommandAction  [1]: DEBUG     Set lockingopt = '-w'
2021-12-15 15:36:43,737 fail2ban.CommandAction  [1]: DEBUG     Set iptables = 'iptables <lockingopt>'
2021-12-15 15:36:43,737 fail2ban.CommandAction  [1]: DEBUG     Set blocktype?family=inet6 = 'DROP'
2021-12-15 15:36:43,737 fail2ban.CommandAction  [1]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2021-12-15 15:36:43,737 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,738 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = 'printf %b "Subject: [Fail2Ban] vaultwarden-admin: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe jail vaultwarden-admin has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,738 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = 'printf %b "Subject: [Fail2Ban] vaultwarden-admin: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe jail vaultwarden-admin has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,738 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = ''
2021-12-15 15:36:43,738 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '( printf %b "Subject: [Fail2Ban] vaultwarden-admin: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against vaultwarden-admin.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/vaultwarden/vaultwarden_access.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = ''
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set norestored = True
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set sender = 'root@$(hostname -f)'
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set dest = 'my_email@gmail.com'
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set logpath = '/vaultwarden/vaultwarden_access.log'
2021-12-15 15:36:43,739 fail2ban.CommandAction  [1]: DEBUG     Set chain = '<known/chain>'
2021-12-15 15:36:43,740 fail2ban.CommandAction  [1]: DEBUG     Set name = 'vaultwarden-admin'
2021-12-15 15:36:43,740 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'sendmail-whois-lines'
2021-12-15 15:36:43,740 fail2ban.CommandAction  [1]: DEBUG     Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2021-12-15 15:36:43,740 fail2ban.CommandAction  [1]: DEBUG     Set sendername = 'Fail2Ban'
2021-12-15 15:36:43,740 fail2ban.CommandAction  [1]: DEBUG     Set greplimit = 'tail -n <grepmax>'
2021-12-15 15:36:43,741 fail2ban.CommandAction  [1]: DEBUG     Set grepmax = '1000'
2021-12-15 15:36:43,741 fail2ban.CommandAction  [1]: DEBUG     Set grepopts = '-m <grepmax>'
2021-12-15 15:36:43,741 fail2ban.jail           [1]: INFO    Creating new jail 'vaultwarden'
2021-12-15 15:36:43,741 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' uses pyinotify {}
2021-12-15 15:36:43,742 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,742 fail2ban.filter         [1]: DEBUG   Created FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,748 fail2ban.filterpyinotify[1]: DEBUG   Created FilterPyinotify
2021-12-15 15:36:43,748 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2021-12-15 15:36:43,749 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('vaultwarden'))
2021-12-15 15:36:43,749 fail2ban.server         [1]: DEBUG     failregex: '^.*Username or password is incorrect\\. Try again\\. IP: <ADDR>\\. Username:.*$'
2021-12-15 15:36:43,752 fail2ban.filter         [1]: INFO      maxRetry: 3
2021-12-15 15:36:43,753 fail2ban.filter         [1]: INFO      findtime: 14400
2021-12-15 15:36:43,753 fail2ban.actions        [1]: INFO      banTime: 14400
2021-12-15 15:36:43,754 fail2ban.filter         [1]: INFO      encoding: UTF-8
2021-12-15 15:36:43,754 fail2ban.filter         [1]: INFO    Added logfile: '/vaultwarden/vaultwarden_access.log' (pos = 3232, hash = bc79ca20b6d34e090dd6147924702c6ad462a135)
2021-12-15 15:36:43,754 fail2ban.filterpyinotify[1]: DEBUG   New <Watch wd=1 path=/vaultwarden mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=True >
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG   Added monitor for the parent directory /vaultwarden
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG   New <Watch wd=2 path=/vaultwarden/vaultwarden_access.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb5eea070> dir=False >
2021-12-15 15:36:43,755 fail2ban.filterpyinotify[1]: DEBUG   Added file watcher for /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,756 fail2ban.filterpyinotify[1]: MSG     Log absence detected (possibly rotation) for /vaultwarden/vaultwarden_access.log, reason: INITIAL of /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,756 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,756 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = '<iptables> -N f2b-vaultwarden\n<iptables> -A f2b-vaultwarden -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-vaultwarden'
2021-12-15 15:36:43,756 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-vaultwarden\n<iptables> -F f2b-vaultwarden\n<iptables> -X f2b-vaultwarden'
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set actionflush = '<iptables> -F f2b-vaultwarden'
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-vaultwarden[ \\t]'"
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '<iptables> -I f2b-vaultwarden 1 -s <ip> -j <blocktype>'
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = '<iptables> -D f2b-vaultwarden -s <ip> -j <blocktype>'
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set port = '80,443,8081,8080,8443'
2021-12-15 15:36:43,757 fail2ban.CommandAction  [1]: DEBUG     Set protocol = 'tcp'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set chain = '<known/chain>'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set name = 'vaultwarden'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'iptables-allports'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set blocktype = 'DROP'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set returntype = 'RETURN'
2021-12-15 15:36:43,758 fail2ban.CommandAction  [1]: DEBUG     Set lockingopt = '-w'
2021-12-15 15:36:43,759 fail2ban.CommandAction  [1]: DEBUG     Set iptables = 'iptables <lockingopt>'
2021-12-15 15:36:43,759 fail2ban.CommandAction  [1]: DEBUG     Set blocktype?family=inet6 = 'DROP'
2021-12-15 15:36:43,759 fail2ban.CommandAction  [1]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2021-12-15 15:36:43,759 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2021-12-15 15:36:43,760 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = 'printf %b "Subject: [Fail2Ban] vaultwarden: started on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe jail vaultwarden has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,760 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = 'printf %b "Subject: [Fail2Ban] vaultwarden: stopped on <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe jail vaultwarden has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,760 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = ''
2021-12-15 15:36:43,760 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '( printf %b "Subject: [Fail2Ban] vaultwarden: banned <ip> from <fq-hostname>\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban <root@$(hostname -f)>\nTo: my_email@gmail.com\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against vaultwarden.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/vaultwarden/vaultwarden_access.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@$(hostname -f)" "my_email@gmail.com"'
2021-12-15 15:36:43,760 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = ''
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set norestored = True
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set sender = 'root@$(hostname -f)'
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set dest = 'my_email@gmail.com'
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set logpath = '/vaultwarden/vaultwarden_access.log'
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set chain = '<known/chain>'
2021-12-15 15:36:43,761 fail2ban.CommandAction  [1]: DEBUG     Set name = 'vaultwarden'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'sendmail-whois-lines'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set sendername = 'Fail2Ban'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set greplimit = 'tail -n <grepmax>'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set grepmax = '1000'
2021-12-15 15:36:43,762 fail2ban.CommandAction  [1]: DEBUG     Set grepopts = '-m <grepmax>'
2021-12-15 15:36:43,763 fail2ban.jail           [1]: DEBUG   Starting jail 'vaultwarden-admin'
2021-12-15 15:36:43,763 fail2ban.filterpyinotify[1]: DEBUG   [vaultwarden-admin] filter started (pyinotifier)
2021-12-15 15:36:43,765 fail2ban.filterpyinotify[1]: MSG     Log presence detected for file /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,766 fail2ban.jail           [1]: INFO    Jail 'vaultwarden-admin' started
2021-12-15 15:36:43,766 fail2ban.jail           [1]: DEBUG   Starting jail 'vaultwarden'
2021-12-15 15:36:43,767 fail2ban.filter         [1]: DEBUG   Seek to find time 1639564603.7675607 (2021-12-15 11:36:43), file size 3404
2021-12-15 15:36:43,773 fail2ban.filter         [1]: DEBUG   Position 3232 from 3404, found time 1639575403.0 (2021-12-15 14:36:43) within 1 seeks
2021-12-15 15:36:43,774 fail2ban.filterpyinotify[1]: DEBUG   [vaultwarden] filter started (pyinotifier)
2021-12-15 15:36:43,775 fail2ban.filterpyinotify[1]: MSG     Log presence detected for file /vaultwarden/vaultwarden_access.log
2021-12-15 15:36:43,777 fail2ban.filter         [1]: DEBUG   Seek to find time 1639564603.7758288 (2021-12-15 11:36:43), file size 3404
2021-12-15 15:36:43,778 fail2ban.filter         [1]: DEBUG   Position 3232 from 3404, found time 1639575403.0 (2021-12-15 14:36:43) within 1 seeks
2021-12-15 15:36:43,801 fail2ban.jail           [1]: INFO    Jail 'vaultwarden' started
2021-12-15 15:36:43,803 fail2ban.transmitter    [1]: DEBUG   Status: ready
2021-12-15 15:36:44,837 fail2ban.utils          [1]: DEBUG   b63f9198 -- returned successfully 0
2021-12-15 15:36:45,864 fail2ban.utils          [1]: DEBUG   b5c10d10 -- returned successfully 0
2021-12-15 15:36:45,865 fail2ban.actions        [1]: NOTICE  [vaultwarden] Restore Ban 172.18.0.1
2021-12-15 15:36:45,905 fail2ban.utils          [1]: DEBUG   b645c770 -- returned successfully 0
2021-12-15 15:36:45,932 fail2ban.utils          [1]: DEBUG   b5eeda18 -- returned successfully 0
2021-12-15 15:36:45,958 fail2ban.utils          [1]: DEBUG   b63e82a0 -- returned successfully 0
2021-12-15 15:36:45,959 fail2ban.actions        [1]: DEBUG   Banned 1 / 1, 1 ticket(s) in 'vaultwarden'```

docker logs fail2ban

Setting timezone to Europe/Zurich...
Setting SSMTP configuration...
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
  Add custom action iptables-common.local...
Checking for custom filters in /data/filter.d...
  Add custom filter vaultwarden-admin.local...
  Add custom filter vaultwarden.local...
2021-12-15 15:36:43,215 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban
2021-12-15 15:36:43,219 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-12-15 15:36:43,223 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-12-15 15:36:43,225 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
2021-12-15 15:36:43,225 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to /data/fail2ban.log
2021-12-15 15:36:43,237 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban
2021-12-15 15:36:43,239 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
2021-12-15 15:36:43,274 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf']
2021-12-15 15:36:43,278 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
2021-12-15 15:36:43,285 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
2021-12-15 15:36:43,287 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/jail.d/jail.conf']
2021-12-15 15:36:43,288 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/jail.d/vaultwarden-admin.local']
2021-12-15 15:36:43,292 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/jail.d/vaultwarden.local']
2021-12-15 15:36:43,294 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.conf', '/etc/fail2ban/jail.d/vaultwarden-admin.local', '/etc/fail2ban/jail.d/vaultwarden.local']
2021-12-15 15:36:43,340 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/vaultwarden-admin under /etc/fail2ban
2021-12-15 15:36:43,349 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/vaultwarden-admin.local']
2021-12-15 15:36:43,353 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
2021-12-15 15:36:43,362 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
2021-12-15 15:36:43,367 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden-admin.local']
2021-12-15 15:36:43,381 fail2ban.configreader   [1]: INFO    Loading configs for action.d/iptables-allports under /etc/fail2ban
2021-12-15 15:36:43,384 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2021-12-15 15:36:43,388 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
2021-12-15 15:36:43,396 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
2021-12-15 15:36:43,399 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
2021-12-15 15:36:43,403 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-common.local', '/etc/fail2ban/action.d/iptables-common.local', '/etc/fail2ban/action.d/iptables-allports.conf']
2021-12-15 15:36:43,409 fail2ban.configreader   [1]: INFO    Loading configs for action.d/sendmail-whois-lines under /etc/fail2ban
2021-12-15 15:36:43,414 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2021-12-15 15:36:43,420 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf']
2021-12-15 15:36:43,427 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.local']
2021-12-15 15:36:43,430 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
2021-12-15 15:36:43,436 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
2021-12-15 15:36:43,439 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/helpers-common.conf']
2021-12-15 15:36:43,444 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf', '/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/helpers-common.conf', '/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2021-12-15 15:36:43,453 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/vaultwarden under /etc/fail2ban
2021-12-15 15:36:43,463 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/vaultwarden.local']
2021-12-15 15:36:43,467 fail2ban.configparserinc[1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/vaultwarden.local']
Server ready

I'm not sure if i choosed the correct setting for F2B_IPTABLES_CHAIN (INPUT) as i don't understand it well. But i also tried with the value "DOCKER-USER" but unfortunately without success.
Furthermore one really important thing is to mention, that docker is running in rootless mode.

As till now, i was not able to install the plugin https://github.com/mastercactapus/caddy-proxyprotocol i still get the private ip address from the docker host itself when trying to login with wrong credentials which will cause a DOS at this time.
But at the end, i would like to ban the right ip address which i'll try to implement when i could fixed this issue.

Thank you for your support!

[786534786]

Exactly the same for me. Fail2ban registers it, but the block doesn't work.

Both with chain = DOCKER-USER and chain = INPUT.

Also the latest release 0.11.2-r4 makes no difference.

[FDF1337]

Hi 786534786

Few weeks ago i finally found the solution to solve the problem.
Take a look on the following website: https://docs.docker.com/engine/security/rootless/

...
docker run -p does not propagate source IP addresses

This is because Docker with rootless mode uses RootlessKit’s builtin port driver by default.

The source IP addresses can be propagated by creating ~/.config/systemd/user/docker.service.d/override.conf with the following content:

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"

And then restart the daemon:
systemctl --user daemon-reload
systemctl --user restart docker

This solved my problem :)

Greetings

[786534786]

Thank you FDF1337 for your detailed reply.

Regardless of your solution.

It is now also clear to me that if docker is not running with rootless mode, it also makes no difference. While this was previously the case.

[Timereacer]

Hello @786534786,
I have the same issue. I am using the official Docker package from the Synology package center.
My Vaultwarden (vaultwarden/server:latest) is generating the logs, fail2ban is noticing the login attempts and baning the real IP.
But it seems that the IP gets not passed on to the iptables or the Synology firewall.

Have you been able to fix the issue?

[786534786]

No unfortunately not yet.

[evrydayzawrkday]

Following, have a very similar issue I opened today within the Vaultwarden github.

[Gugu04]

I have the same problem but I don't understand why with SSH it works correctly.
If I add some other service it doesn't work for me.

[Monoboy4ik]

Hello @786534786, I have the same issue. I am using the official Docker package from the Synology package center. My Vaultwarden (vaultwarden/server:latest) is generating the logs, fail2ban is noticing the login attempts and baning the real IP. But it seems that the IP gets not passed on to the iptables or the Synology firewall.

Have you been able to fix the issue?

have too on synology

[jetblack0]

The reason is that Docker masquerades the source IP address to hit your containers by adding rules to the forward chain, which is processed before the input chain. Change your configuration to add rules to the forward chain should solve this issue, i.e., chain = FORWARD.