Securing self hosted app with Fail2Ban, Traeffik @ Cédric Walter | Sunday, Feb 11, 2024 | 2 minutes read | 420 Words | Update at Saturday, Nov 23, 2024

Immich in docker

Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (ie: Docker) and generally configures itself dynamically as services are added or removed.

Fail2ban is an open-source intrusion prevention software framework that protects computer servers from brute-force attacks. It works by monitoring log files for various services (such as SSH, FTP, Apache, Nginx, etc.) and dynamically blocking IP addresses that repeatedly fail authentication attempts or exhibit other suspicious behavior.

Securing Jellyfin with Traeffik

https://jellyfin.org/docs/general/networking/traefik2

Securing Jellyfin with fail2ban

Non docker setup, Ubuntu

vi /etc/fail2ban/jail.d/jellyfin.local
[jellyfin]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = jellyfin
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /var/log/jellyfin/jellyfin*.log
vi /etc/fail2ban/filter.d/jellyfin.conf
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.

Reload Fail2ban

sudo systemctl restart fail2ban

then watch fail2ban logs

watch -n1 sudo fail2ban-client status jellyfin

see https://jellyfin.org/docs/general/networking/fail2ban/

Securing Caibre-Web with fail2ban

You need to parse calibre-web.log

[2024-02-11 12:51:50,400]  WARN {cps.web:1409} Login failed for user "3f4f4f34f34" IP-address: 2a02:3478:e34c:5404:0:65bc:ea84:123d, 111.111.111.8

use journald logging driver for calibre-web:

services:
  calibre-web:
    logging:
      driver: "journald"
      options:
        tag: "calibre-web"

Create a filter for fail2ban:

sudo vi /etc/fail2ban/filter.d/calibre.local
[Definition]
failregex = calibre-server.*Login failed for user.+IP-address:\s?<ADDR>
journalmatch = CONTAINER_TAG=calibre-server

Create a jail:

sudo vi /etc/fail2ban/jail.d/calibre.local
[calibre]
enabled  = true
filter   = calibre
logpath  = /var/log/calibre/access.log

Restart the fail2ban service and the immich-server container

sudo service fail2ban reload

then watch fail2ban logs

watch -n1 sudo fail2ban-client status calibre

Securing Immich with fail2ban

Immich is a High performance self-hosted photo and video backup solution, self-hosted photo and video backup solution directly from your mobile phone.

sudo apt install fail2ban

use journald logging driver for immich-server:

services:
  immich-server:
    logging:
      driver: "journald"
      options:
        tag: "immich-server"

Create a filter for fail2ban:

$ sudo vi /etc/fail2ban/filter.d/immich.local
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server

Create a jail:

$ sudo vi /etc/fail2ban/jail.d/immich.local
[immich]
enabled = true
filter = immich
backend = systemd
chain = DOCKER-USER

Restart the fail2ban service and the immich-server container

sudo service fail2ban

then watch fail2ban logs

watch -n1 sudo fail2ban-client status immich

Try to log in ONCE with wrong credentials. If the failed counter goes up, it worked!

Debug tips

  1. set banaction and banaction_allports to dummy while debugging. This way, fail2ban will not actually ban the ip, but only show it into fail2ban-client status.
  2. use sudo fail2ban-regex systemd-journal immich to test if the regex is working. Read the man of fail2ban-regex, it has useful options.

thanks to https://github.com/immich-app/immich/discussions/3243#discussioncomment-6681948

Related content

© 1997 - 2024 Cédric Walter blog

Powered by Open Sources technologies

avatar

Cédric WalterA true selfless act always sparks another

6s A1 Acedeck Achat Acide-Hyaluronique Acma Adaptability Advocate-for-Change Ai Airplane Algorand Alice-Hlidkova-Author Alpine Alps Alternative Altruism-vs-Commercialization Antique-Scooters Antiseptic-Rinse Apache Apple Apps-De-Messagerie Arcade Arcade-Gaming Armattan Art Artemis Artemis-Viper Artistic-Expression Atlassian Authenticity-in-Writing Authenticity-Matters Avis Bag Bambulab Bash Bean Bennu Bernardet Bestwishes Betaflight Betruger Beware Bien-Vivre Bien-Être Bien-Être-Physique Bike Bio Bioethics Bitcoin Blessures-Sportives Blockchain Blockchain-Consensus-Encyclopedia Blockchain-Systems Blog Book-Review Books Bots Bought Box Brand-Authenticity Brand-Integrity Brand-Protection Breaking-Barriers Business-Management Business-Milestones Business-Strategy Business-Success Business-Transformation Businessbooks Byzantine-Fault-Tolerance Calculator Calibre Calibre-Web Camera Case-Studies Cc2500 Cgm-Next Challenges Changement-De-Vie Channel-Setup Cheaper Cherry-Blossoms Chiffrement Chirurgie-Orthopédique Choosing-Fbl-Gyro Ci/Cd Classic-Games Classic-Scooters Classic-Vespa Climb Climbing Codefest Collectible-Scooters Collectibles Collection Collector Color Communication Competition Confidentialité Consensus-Algorithms Consensus-Mechanisms Console Consommation-Responsable Consumer-Awareness Containerization Contest Control-Surfaces Controller Copy Corticostéroïdes Counterfeit-Awareness Counterfeit-Culture Counterfeit-Market Counterfeit-vs-Authentic Covid19 Creating Croissance-Personnelle Cryptocurrency Cultural-Experience Cultural-Richness Curve-Adjustments Customer-Discovery Cve-Issues Dance-Dreams Death Decentralization Decentralized Dental-Hygiene Dependency Design Development Devfest Devops Distributed-Ledger-Technology Diverse-Perspectives Diy-Dental Diy-Health Dji Docker Docker-Compose Docker-Hosting Docker-Networking Docker-Registry Docker-Security Dont-Buy Dotnet Download Downloading Dreams-and-Reality Drone Ducati Dynamic-Ip Désencombrement Développement-Personnel Développement-Spirituel Ecology Edgetx Elrs Elta Emotional-Challenges Emotional-Hurdles Empowering-Narrative Endpoints Engelberg Ensitm Entrepreneurial-Lessons Entrepreneurial-Mindset Entrepreneurs Entrepreneurship Entrepreneurship-Books Essaim Essentially Ethereum Ethical-Dilemmas Evoque Execution Exercices-De-Renforcement Exercise-Form Expérience-Utilisateur Facebook Failure-Analysis Failure-Stigma Failure-to-Success Fake Fake-Apparel Fake-Brands Fake-Goods Family Family-Building Family-Dynamics Fashion-Ethics Fashion-Fraud Fbl-Controllers Fbl-System-Compatibility Fbl-System-Features Fbl-System-Reviews Federated Fertility-Struggles Finance Finance-Books Finances-Personnelles Financial-Modeling Financiallanning Firearm Firmware-Customization Firmware-Issues Fissure-Horizontale Fitness-Routine Fitness-Tips Flexibilité Flight-Controller Flybarless-Advantages Flybarless-Systems Fonctionnalités-Avancées Foss Fpv Frame France Freestyle Fresh-Breath Friendship-Goals Front Gallery Game-Music Gameplay-Mechanics Gamer-Community Games Gaming-Culture Gaming-Enthusiast Gaming-History Gaming-Legacy Gaming-Nostalgia Generative-Ai Genou Gestion-De-Ladouleur Gestion-Du-Temps Git Global-Impact Google Green-Tea Green-Tea-Mouthwash Growth-Hacking-Books Growth-Mindset Guide Hackathon Hackday Hackfest Health-and-Wellness Helicopter Helicopter-Community Helicopter-Gyro Helicopter-Tuning Herbal-Mouthwash Hewlettpackard Historical-Scooters Hobbies Hobby Hobbyist-Blog Holidays Holistic-Oralcare Hollidays Home-Remedy Home-Workouts Homelab Homemade-Oralcare Honda Honesty Honey Hornet How-To HowTo Https Hugo Human-Connection Hygiene-Routine Icecream Iconic-Scooters Iflight Iflightnazgulevoque Im Imessage Immich Indoor Industrial-Shit Industry Injections-Intra-Articulaires Injury-Prevention Innovation Innovation-Books Innovation-Journey Instagram Intégration-Apple Ios Japan-Travel Japanese-Cuisine Jar Java Jdk11 Jellyfin Joint-Health Junit Jupiter Kitchen Knee-Rehabilitation Knee-Stability Knockoff-Alert Kyoto Lacoste Lacoste-Counterfeit Lambretta Landmarks Leadership Leadership-Books Lean-Startup Learning-From-Failure Leg-Day Leg-Workouts Legal-Complexities Legit-Fashion Let's-Encrypt Libération Life-Transformations Link Linux Llm Local-Traditions M2evo Macos Magical-Adventure Magician-Lord Main Maison Make Manurhin Manurhin-Sm75 Mapping Marathon Market-Research Marketing-Books Maven Me Medical Medical-Advancements Messagerie Messenger Metakernel Miami-Entertainment Mid-Century-Scooters Migration Mindset-Shifts Minimalisme Minimum-Viable-Product Minty-Fresh Mixer-Settings Mk3 Mk4 Mobilité Model-Setup Modern-Family Modern-Motherhood Moon Moral-Encounters Motherhood-Dilemmas Moto Motorcycle Mount Mountain Mountains Mouth-Rinse Mouthwash-Ingredients Mouthwash-Recipe Mulhouse Muscle-Activation Music Mvs Mycollection Ménisque NASA Natural-Mouthwash Nature Nazgul Neo-Geo-Aes Neogeo Network New-Bookrelease Nginx-Proxy North-Face North-Face-Replica Nostalgic-Scooters Nv14 Objectifs Offroad Old-School-Scooters Omphobby Open-Source Open-Source-Rc Opensource Opentx Openvpn Oral-Care Oral-Health Organizer Osaka Oss Overcoming-Challenges P1p P1s Parental-Rights Parenthood-Reflections Parts Passion Patella-Health Persistence Personal-Relationships Photos Physical-Therapy Physiothérapie Pivot-Strategy Pixel-Art Planet Plasma-Riche-en-Plaquettes Platform Plex Pluto Ppl Pretty-Girl-Complex Privacy Private-Pilot-License Product-Market-Fit Productivity-Books Proof-of-Stake Proof-of-Work Protect-Your-Style Protection-Des-Données Prusa Prusa-Research Public-Image Quadcopter Quadriceps-Strength Quiz Radio-Control Radio-Programming Radiomaster Rare-Scooters Raspberrypi Raspbian Rates-Configuration Rc Rc-Community Rc-Configuration Rc-Firmware Rc-Helicopter Rc-Helicopter-Electronics Rc-Helicopter-Enthusiasts Rc-Helicopter-Setup Rc-Helicopter-Technology Rc-Helicopter-Tips Rc-Helicopters Rc-Modeling Rc-Simulator Realdebrid Realflight Receiver Reflex-Xtr Refreshing-Breath Rehabilitation-Exercises Relations-Personnelles Relationship-Complexities Released Remote Remote-Control-Flying Reproductive-Ethics Resilience-in-Business Resilient-Women Restored-Scooters Retro-Gaming Retro-Gaming-Community Retro-Gaming-Console Retro-Scooters Reverse-Proxy Rhythms-of-Life Risk-Management Robotic Router Rx Réadaptation Rééducation Sab Sab-Raw-420 Sab-Raw-580 Sab-Raw-700 Sales-Books Sans-Publicité Santé-Articulaire Santé-Mentale Scooter-Enthusiast Scooter-Memorabilia Scooters Security-Nightmare Self-Leveling-Helicopter Server-Configuration Servo-Config Signal Simplification Skateboarding Skydiving Snk Snk-Corporation Snk-Neo-Geo Soap Social-Issues Solex Space Spams Sport Ssl-Termination Ssl/Tls Startup-Books Startup-Failure Static-Code-Generator Steam Strategic-Networking Streaming Strength-Training Success-Stories Sun Support Surrogacy-Agency Surrogacy-Journey Surrogacy-Narratives Swiftui Swiss Switzerland Sécurité Team Team-Building Team-Dynamics Technologie Teeth-Cleaning Telegram Temples-and-Shrines Tendermint Terrot Thérapie-Physique Tokyo Torvol Traefik Traitement-Des-Fissures Transmitter Transmitter-Firmware Travel Travel-Tips Trouver-Du-Sens Tunnel Turning-Setbacks-Into-Success Tutorial Tx Unconventional-Strategies Vacation Velosolex Vespa Viaferrata Video Video-Game-Review Vie-Numérique Vintage Vintage-Scooters Vintage-Two-Wheelers Vintage-Vespa Vintagegaming Vmo-Exercises Warez Web-Security Whatsapp Wind Winner Winterthur Women-Supporting-Women Wordpress Workout-Progression X1c Zurich Zyxel Zyxel-Avoid Zyxel-Not-Serious-With-Security Zyxel-Outdated Zyxel-Router-Not-Good Écosystème-Apple Équilibre
Me

Cédric Walter is a French-Swiss entrepreneur, investor, and software engineer based in Zurich, Switzerland. He spent his career developing software applications for Swiss insurance companies to handle billions of dollars in premiums. He cofounded Innoveo AG and as the software architect developed the no-code platform designed to reduce the manual coding that powers many software apps. As an active participant in the European hacking community, he works on many open source projects including blockchain. Cédric is a winner of SBHack19/21 and HackZurich 2021. His expertise include designing back end, event-based, and blockchain systems. Cédric is also the founded Disruptr GmbH, a software development company that offers full spectrum of services for businesses of all sizes. JAVA full-stack developer since 2000, in Blockchain since 2017, Certified Scrum Master 2012, Corda Certified Developer in 2019, Ethereum smart contract expert in the SWISS Blockchain Security working group Hackathons

  • HackZurich 2022 – Level Up in top 25 finalist among 134 submissions
  • SBHACK21 – SwiFi winner of best Solution on Algorand, overall Winner 3rd Prize, CV Labs Fast Track Ticket
  • HackZurich 2020 Europe’s Biggest Hackathon winner in category Migros
  • SBHACK19 – LendIt winner of Swiss biggest Blockchain Hackathon Member of the Bitcoin Association Switzerland and Cryptovalley association Switzerland, Github https://github.com/cedricwalter 99.9% most of my career code is unfortunately NOT on github 😵 PGP: DF52 ADDA C81A 08A6

PGP: DF52 ADDA C81A 08A6

Copyright information

All editorial content and graphics on our sites are protected by U.S. copyright, international treaties, and other applicable copyright laws and may not be copied without the express permission of Cedric Walter, which reserves all rights. Reuse of any of Cedric Walter editorial content and graphics for any purpose without The author ’s permission is strictly prohibited.

DO NOT copy or adapt the HTML or other code that this site creates to generate pages. It also is covered by copyright.

Reproduction without explicit permission is prohibited. All Rights Reserved. All photos remain copyright © their rightful owners. No copyright infringement is intended.

Disclaimer: The editor(s) reserve the right to edit any comments that are found to be abusive, offensive, contain profanity, serves as spam, is largely self-promotional, or displaying attempts to harbour irrelevant text links for any purpose.

Others

If you like my work or find it helpful, please consider buying me a cup of coffee ☕️. It inspires me to create and maintain more projects in the future. 🦾

It is better to attach some information or leave a message so that I can record the donation 📝 , thank you very much 🙏.

Reproduction without explicit permission is prohibited. All Rights Reserved. All photos remain copyright © their rightful owners. No copyright infringement is intended.