Securing self hosted app with Fail2Ban, Traeffik

Sunday, Feb 11, 2024 | 2 minute read | Updated at Wednesday, May 13, 2026

Securing self hosted app with Fail2Ban, Traeffik

Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (ie: Docker) and generally configures itself dynamically as services are added or removed.

Fail2ban is an open-source intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring log files for various services (such as SSH, FTP, Apache, Nginx, etc.) and dynamically blocking IP addresses that repeatedly fail authentication attempts or exhibit other suspicious behavior.

Securing Jellyfin with Traeffik

https://jellyfin.org/docs/general/networking/traefik2

Securing Jellyfin with fail2ban

Non docker setup, Ubuntu

vi /etc/fail2ban/jail.d/jellyfin.local
[jellyfin]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = jellyfin
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/log/jellyfin/jellyfin*.log
vi /etc/fail2ban/filter.d/jellyfin.conf
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.

Reload Fail2ban

sudo systemctl restart fail2ban

then watch fail2ban logs

watch -n1 sudo fail2ban-client status jellyfin

see https://jellyfin.org/docs/general/networking/fail2ban/

Securing Caibre-Web with fail2ban

You need to parse calibre-web.log

[2024-02-11 12:51:50,400]  WARN {cps.web:1409} Login failed for user "3f4f4f34f34" IP-address: 2a02:3478:e34c:5404:0:65bc:ea84:123d, 111.111.111.8

use journald logging driver for calibre-web:

services:
  calibre-web:
    logging:
      driver: "journald"
      options:
        tag: "calibre-web"

Create a filter for fail2ban:

sudo vi /etc/fail2ban/filter.d/calibre.local
[Definition]
failregex = calibre-server.*Login failed for user.+IP-address:\s?<ADDR>
journalmatch = CONTAINER_TAG=calibre-server

Create a jail:

sudo vi /etc/fail2ban/jail.d/calibre.local
[calibre]
enabled  = true
filter   = calibre
logpath  = /var/log/calibre/access.log

Restart the fail2ban service and the immich-server container

sudo service fail2ban reload

then watch fail2ban logs

watch -n1 sudo fail2ban-client status calibre

Securing Immich with fail2ban

Immich is a High performance self-hosted photo and video backup solution, self-hosted photo and video backup solution directly from your mobile phone.

sudo apt install fail2ban

use journald logging driver for immich-server:

services:
  immich-server:
    logging:
      driver: "journald"
      options:
        tag: "immich-server"

Create a filter for fail2ban:

$ sudo vi /etc/fail2ban/filter.d/immich.local
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server

Create a jail:

$ sudo vi /etc/fail2ban/jail.d/immich.local
[immich]
enabled = true
filter = immich
backend = systemd
chain = DOCKER-USER

Restart the fail2ban service and the immich-server container

sudo service fail2ban

then watch fail2ban logs

watch -n1 sudo fail2ban-client status immich

Try to log in ONCE with wrong credentials. If the failed counter goes up, it worked!

Debug tips

  1. set banaction and banaction_allports to dummy while debugging. This way, fail2ban will not actually ban the ip, but only show it into fail2ban-client status.
  2. use sudo fail2ban-regex systemd-journal immich to test if the regex is working. Read the man of fail2ban-regex, it has useful options.

thanks to https://github.com/immich-app/immich/discussions/3243#discussioncomment-6681948

© 1997 - 2026 Cédric Walter blog

🌱 Powered by Hugo with theme Dream.

Others

If you like my work or find it helpful, please consider buying me a cup of coffee ☕️. It inspires me to create and maintain more projects in the future. 🦾

It is better to attach some information or leave a message so that I can record the donation 📝 , thank you very much 🙏.

Copyright information

All editorial content and graphics on our sites are protected by U.S. copyright, international treaties, and other applicable copyright laws and may not be copied without the express permission of Cedric Walter, which reserves all rights. Reuse of any of Cedric Walter editorial content and graphics for any purpose without The author ’s permission is strictly prohibited.

DO NOT copy or adapt the HTML or other code that this site creates to generate pages. It also is covered by copyright.

Reproduction without explicit permission is prohibited. All Rights Reserved. All photos remain copyright © their rightful owners. No copyright infringement is intended.

Disclaimer: The editor(s) reserve the right to edit any comments that are found to be abusive, offensive, contain profanity, serves as spam, is largely self-promotional, or displaying attempts to harbour irrelevant text links for any purpose.

About me

Cédric Walter is a French-Swiss software engineer based in Zurich, Switzerland. PGP: DF52 ADDA C81A 08A6