Secure Your Self Hosting with Fail2Ban + Nginx Proxy Manager + Cloudflare

Captions
Hey guys, how's it going? Hope everybody's doing well out there today. If you've been watching this channel for a while, where we're talking about self-hosting and Docker and things like that, you'll know that I like to use a couple of services regularly to help protect my self-hosted applications when I make them available online. Those two applications specifically are Nginx Proxy Manager as my reverse proxy, to also handle things like SSL and routing and things like that. I also like to use Cloudflare to handle my DNS and also help prevent things like DDoS attacks, and it also helps obfuscate my IP address, things like that. So what we're gonna do today is add Fail2Ban to our setup for a little extra security. But first, a quick message from today's video sponsor.

This episode is sponsored by Linode, the largest independent cloud computing provider. If you don't want to, or can't for whatever reason, self-host applications the way we talk about on this channel, Linode provides virtual servers that make it easy and affordable for you to host anything in the cloud. You can set up any of the applications that they have available in their marketplace with just a few clicks, or you can set up your own Docker VPS and install basically whatever you'd like in a Docker container. They have load balancers and firewalls available to help keep your apps online and safe. If you run into any trouble getting set up, Linode comes with amazing 24/7 customer support by phone or ticket, along with hundreds of guides and tutorials to help you get started. Sign up today at linode.com/dbtech and get a $100 60-day credit on your new Linode account. Links are in the description.

So as I mentioned, I like to use Nginx Proxy Manager as my reverse proxy, because I like to have the dashboard to log into. I like being able to very quickly and easily deploy subdomains and things like that for my self-hosting needs. And of course I also like to use Cloudflare. I've been using Cloudflare for more than a decade now to help secure my hosting, whether it's using a third-party hosted service or while I'm self-hosting Docker containers and things like that. They've got a great amount of resources available to use, even on their free tier.

So again, like I mentioned, what we want to do today is actually add Fail2Ban to this setup. The idea that we're going to kind of go with here is that Fail2Ban will monitor Nginx Proxy Manager logs for all of the different hosts that you have set up in Nginx Proxy Manager, and then we're going to add an actions file that will communicate with Cloudflare. Then, as Fail2Ban is monitoring the logs of Nginx Proxy Manager, any time it starts to see anything that's going wrong... specifically in this case we're going to be monitoring 404 errors, as that's what a lot of hackers will try to use, or they will just start pinging a site or a service or whatever, trying to look for any kind of vulnerability. If they can find a specific file, they can usually figure a way to get in, but first they've got to find that file, and very often that will result in a lot of 404 errors while they're doing that. So Fail2Ban in this case will monitor those 404 errors and then will tell Cloudflare to ban that IP address.

So I think with all of that being said, let's jump over and kind of take a look at what we're going to be doing here. This is the Portainer that I have set up for things like, you can see here, Fail2Ban, Nginx Proxy Manager, Guacamole, those sorts of things, for remote access purposes. Basically, up here at the top you can see that we've got Fail2Ban Docker up here. I don't know why they added "pi", but they did. In fact, if we come over here and click on the logs, we can see that there's a bunch of stuff in here, and what you're seeing that's blurred out is actually going through its paces and saying, "Hey, don't forget, do not block this IP address," and I've specified my home's IP address so that I don't get accidentally banned from my own service. For some reason I actually had it happen. I had to go back and correct some things, but now I don't get banned from my own service.

So basically what we're looking at here is it says, "Hey, this guy, or this IP address, pulled up too many 404 errors, so we're going to ban him." Then below that we've got another one where they found some 404s, but not enough to trip the little security thing there, so that user wasn't banned. That was a one-off; sometimes that happens. A little further down we've got another one, and then a little further down we've got one that is actually an IPv6 IP address, and then below that we've got another IP address down here that also found a 404 error, but not enough to actually trip the system and get them banned.

Now if we jump over here to Cloudflare, here we can see that I've had this up and running for a few days. You can't see that, but I have had this up and running for a few days now, and here we can see that I have 182 items in my firewall rules that this Fail2Ban Docker container has communicated with Cloudflare to set up. So all of these that you can see here say "Fail2Ban NPM Docker", and then of course all of these are blocked. As I go through, you'll just see that this is repeated over and over and over again. Some of these are IPv4 addresses, some of them are IPv6 addresses, so there's just a bunch of them in here, and they all say, "Hey, here's why they're on this list." All of these are coming from our Fail2Ban Docker image.

So now that we can see that everything is up and running, let's kill it. Let's shut down that container, let's delete all of the data out of it, and let's go ahead and set it back up so that we can kind of go through this process firsthand and see how this works.

[Music]

So now that we have everything cleaned up and ready to go, we can actually start with the process of installing Fail2Ban on our Docker system. What I want to do is go over here to Stacks. I'm going to add a stack, I'm going to paste that in there, and I'll do that... oh, I have to clean this up just real quick. Here we are. We're taking a look at this Fail2Ban Docker image. This is CrazyMax's Fail2Ban. The container name, that's actually why that was there; I'm gonna take that off of there, like so.

So fail2ban is the service. The image we're gonna use is crazymax/fail2ban, the latest image of that. The container name will be fail2ban docker. Our network mode in this case will need to be host. It needs to be able to look at all of the data happening on the actual hardware, so that's what it's going to do there. Using the host, it's going to look at all of the traffic across the system here. In that regard, we're going to do NET_ADMIN and NET_RAW for the capability additions there.

Below that we're going to have three volumes. One will be the actual Fail2Ban data config volume. One will be the /var/log/auth.log file, so that it can keep track of authorizations going on that way. And then we actually need to map wherever our logs are for Nginx Proxy Manager. So wherever you have Nginx Proxy Manager installed is where you need to map in this particular volume. If I actually come back to here and do an ls, here we can see that I've got a data and a letsencrypt. I know, because I screwed this up, that data and letsencrypt are the two volumes that Nginx Proxy Manager is using on my server. This actually should have been tucked away in a different folder, but I didn't, and I don't want to deal with it, so we're just going to use this. So I know that home/data is where I want to be here. I'm actually just going to remove this. Just know that this is, again, wherever your data logs are for Nginx Proxy Manager is what you're going to put here. And then if I go ahead and do a cd into data and then a cd into logs, oops, cd into logs, there are all of the logs that are currently available on my Nginx Proxy Manager Docker container. Once we've got that, we're good to go as far as that's concerned.

Restart always. Absolutely, for security reasons, restart always. And then below that we've got some environmental variables here. Time zone: go ahead and put in your time zone. For me, of course, that'll be America/Denver. Oops, I could spell Denver correctly. And then we've got some stuff for logging, some database stuff, all for Fail2Ban. You should probably change that. I don't think you want your database, your logs, basically, for how long available to go back and look. I'm actually going to change that to a year, so that it has a long time to go back and look, or a bigger resource of things to look at to know whether or not to ban, that sort of thing. So I'm gonna change that.

Basically, below this we've got an SMTP host. They've got extra S's in front of here for some reason, I don't know why, but basically this will be for your email host. That would probably be, for most of us, smtp.gmail.com. Oops. 587 will be for TLS security for this. And then your host name; I just like to call this, you know, like npm.local. And then your email address for your Gmail account, for your communications for your Docker containers, will go here next. Same thing, password for that account will go next. And then smtp_tls is yes, because we're going to use TLS encryption for communication to log into our Gmail account for sending notifications and that sort of thing. Once you've got all of this set up appropriately, all you got to do is scroll down, click on Deploy the stack, and wait for it to come up.

So here we can see that Fail2Ban is up and running. Well, it's starting anyways. Let's see what we've got going on in here. "Warning: new database created." Great, so that's actually good to go. We're ready to move on to our next steps for this process.

What we'll do is we're actually going to go back into our SSH, sorry, back into our terminal, and then we're going to do a cd into docker and ls, and our fail2ban is back. So we're going to do a cd into fail2ban and then cd into data, and here again we've got action.d, db, filter.d and jail.d as we saw before. Like I said, this container created all of those folders for us.

So the first thing that we want to do is take a look at our jail.d folder here. We're going to do a cd into jail.d, and there's nothing in there. So what we're going to do is create an npm-docker.local file here. I'm going to do nano and I'll paste that in, and this is so that it can communicate with Nginx Proxy Manager. Of course there's nothing in here, so what I'm going to do is copy this. Of course, all of this will be available in the description down below. There will be a link; jump over to my website, you can take a look at it there. There's just too much to put in the description for YouTube to not have a total meltdown.

So we're going to paste this in here, and like I said, up here it says npm-docker, for Nginx Proxy Manager Docker. Enabled is true. We're going to ignore some IP addresses here. You might also want to, oops, add a couple of other addresses. For the sake of keeping things simple, primarily what you would want to add here, though, is whatever your home's IP address is, or the IP address of where you'll be accessing your server, whether it's from home or from work or from whatever. Basically, if you start at the end here, you're just going to add a space and then put in your IP address there, and then you should be good to go.

Beyond that we've got an action. Basically, this is going to call to the action.d folder that was in one of those previous folders that we saw, and we're going to specifically look for a file called cloudflare-apiv4. That's the file that it's going to look for, and that's what we're doing, is we're calling that right here. The chain is INPUT.

Below that we've got some log paths. This is going to be like we saw earlier, when I showed you the page with all of the different logs on there. Basically we're mapping all of those. The first one will just be the default-host_access, and then we've got some additional proxy-host with an asterisk in here, for access and error. Here is basically what we're looking at in here. If you saw, it was like proxy-host, asterisk, and this asterisk is meant to be a wildcard for anything that happens to be in here. So basically, whatever number this is, it would be proxy-host-*_access.log and proxy-host-*_error.log, is what we saw in that. So let's, oops, let's do this. I just kind of wanted to show that the purpose of that asterisk is to be a wildcard, so it will look through all of the different proxy hosts in here. You could also add redirection hosts in there, but I don't really think that would be an issue, since we're not really doing much with that. Okay, so that's what we're looking at for these last two lines, is this *_access and *_error log files.

The max retry: I've seen this by default it was three. I've seen people put it as low as one. I think two is fine. You may want to play with that depending on your system, how much you're seeing in your logs, that sort of thing. I'm just going to leave mine for two. The ban time, this line right here, is done in seconds. You could set it for 10 minutes or an hour. I've got mine set to negative one; that's a permanent ban. I may change that at some point, but basically, if somebody comes here and screws up that badly, I don't want them back. I don't want them to have another chance easily without having to, you know, switch their IP address. And then below that, basically, how far back in the logs do you want the system to look for their tomfoolery, I guess. And this is quite a while in seconds, so it's going to go back and look this far back. If they screw up more than twice, they will be banned permanently. That's basically what all of this here says. So we just do Ctrl+O and then Enter and Ctrl+X, and then we're ready to go for that file. That file's done.

Now we can move on to some other stuff. What we're going to do is go back a directory, then we're going to cd into filter.d, and then we're going to create another npm-docker file. This time it will be a configuration file. So let's do an ls. Okay, there's nothing there, so we'll do nano npm-docker.conf and we'll hit Enter.

Now, when I mentioned that I was making this video, I had somebody in the comments, at least one person, say, "I'm curious about the regex for this," and honestly, so was I. I'm terrible with regex. I found a place online where somebody had kind of put this together, and this is what we're using. That resource will also be available in the description down below. But basically what we're doing here is we're looking for primarily 404 errors. There's also three, sorry, we're looking for 400 errors as well as 300 errors; however, if there are too many 400 errors, that's when we're going to take action. That's basically how I'm reading this. Again, I'm no good with regex, but that's kind of how I'm reading this. If you want to add more regex to this and secure things even more, you absolutely can, but this is kind of the default that we're going to go with, is just looking for and blocking people who get too many 404 errors on your system. Once we've got this, again we can do Ctrl+O and Enter and Ctrl+X.

And then there's one more file that we need to create, and that is our cloudflare-apiv4, the file that we called earlier, that actions file. So what we're going to do is back up a directory and cd into actions.d, and again there's nothing in here, so we're going to create that file. Again we're going to do a nano. I like to use nano; you can use whatever you want to use for your editor. And I'm just going to create this cloudflare-apiv4.conf file.

What we're doing with this actions file here is creating a communications path between Fail2Ban and Cloudflare, so basically that they can work together and make sure that things are being banned the way they're supposed to be banned, and that they can communicate back and forth. Really the only thing that you need to worry about is at the very end of the file here, and that is where it says cfuser. Right now it says email@gmail.com. That will be your Cloudflare email address; you'll go ahead and put that in. And then below that you're gonna have a cftoken that you'll also need to replace with your Cloudflare token.

So let's take a look at that just real quick here. If we come up to the top right and go to My Profile, and then go over here to API Tokens, what we're looking for right here is this Global API Key. We're going to click on View there.

[Music]

And then this is the API key that you're going to put in to your SSH here. Of course, I've got that blurred; you won't see it there. But basically that's gonna go right here. Once you've got that done, you can press Ctrl+O and Enter and Ctrl+X, and then we can move on to the last actual step here.

So let's go ahead and clear our screen here. What we want to do next is actually do a cd /, or a cd space slash, to go back to the very root of everything, and what we want to do here is actually look for our nginx.conf file. We're going to do a couple of things here. First thing we're going to do is a find . -name nginx.conf, and basically what we're going to get here is a bunch of overlays that don't really tell us much of anything, so we're just going to use this as reference for the moment.

The next thing we want to do is actually figure out which overlay is associated with which Docker container, because each one of these /var/lib/docker/overlay2 is associated with a container on our server. So what we're going to do is basically run a command that will kind of associate overlays with containers. I'll go and paste that in there, and here we can see how each one of these is related. What we're looking for right here is this npm_app_1, that is right here. So what we're going to do is a cd into there. If we take a look, what I like to do is actually kind of look at the last four or five characters of that, so c4h8c1, and then we can kind of look right here, so we know it's this one right here, but we also know it's the merged. So this is the file that we want to edit here.

So that didn't work, so let's do a cd etc/nginx, like so, and then we can do a nano nginx.conf, like so. Okay, what we want to do next is actually scroll down until we find, right here, where it says "real IP determination". What we're going to do is actually come down here. First thing, where it says real_ip_header and then X-Real-IP, we're going to go over here and we're just going to comment that out. Leaving that in there was causing me some issues, so we're just going to comment that out for right now. And we're going to then copy this over here. We're gonna come back up. I like to put it basically right here; the formatting doesn't really matter. Oh hey, it worked.

So basically what we're doing here is we're setting real IPs from... these are all Cloudflare IP addresses that we can actually find over here. Basically, they've got all their IPv4 and IPv6 addresses here. You can download these as text, or take a look at these in a text format, just to make things easier so you don't have to retype them and whatnot. But basically now we've got all of our Cloudflare IP addresses. What we're doing is saying, "Hey, ignore the Cloudflare IP address; we want to know the real IP address of that visitor," because if we don't do this step, it will just try to ban Cloudflare IP addresses, and that just doesn't work real well. That's going to ban a lot of people that don't need to be banned. So now that we've got this, we can do Ctrl+O and Enter and Ctrl+X.

Now, in theory, that's all we should have to do at this point. So what we want to do next: let's come back over here to Portainer and take a look in here. Nothing here has really changed, so we're going to go ahead and restart this container now that we've got all of this done, and I will go ahead and take a look at the logs. Here we can see that I've got a bunch of my IP address in there, and it's going back and re-banning all of these people. It's actually communicating with Cloudflare and pulling all of the previously banned IP addresses that I had set up, and it's kind of going through here re-importing all of this stuff in real time. So if we scroll up, we can see all of these, or this one is already banned. Of course, that's my IP address; I have to be real careful about marking that out later. But here you can see all of this stuff that it has done to recommunicate with Nginx Proxy Manager to make sure that things are banned appropriately. And then again, if I come back over to here, we can see that actually since then we've added... we were at 182 before, now we're at 183. So in the meantime somebody else has done something stupid on my server and deserved to get banned.

So it's a bit of a process to get Fail2Ban up and running to work with Nginx Proxy Manager and Cloudflare. The original write-up that I saw was for Nginx Proxy Manager and Fail2Ban. I was able to then kind of go back and do some reverse engineering to add Cloudflare back into the mix, so that we can get Cloudflare to work with our setup here and be even more effective in doing what it already does very, very well. This has been one of those videos I've been wanting to make for a really, really long time, but unfortunately my brain wasn't wrapping around how this works and how to get everything to work together, so I'm actually pretty happy that this is working. Obviously, we can see here that it is actually working; it is banning people appropriately. Of course, you can change some of those settings for how long do you want somebody to be banned, how many tries do you want to give them before they're banned, how many tries in a given amount of time should they get before they're banned. There's a lot of different things that you can look up and modify there if you want to do that. Again, all of this will be documented in a web link in the description down below, with additional resources to go out and find more information if you're curious about how to modify things, update things, what different things mean. All of that will be available, like I said, in a link in the description down below.

So hopefully you guys found this video helpful. It really would mean a lot to me if you give this video a thumbs up. It's one of those things that's been asked for for a long time, and I finally got it; here we are. So hopefully you found the video helpful, if nothing else. I will have more videos coming up. I've got some more CasaOS videos coming up, all kinds of good stuff coming, so don't forget to get subscribed if you're interested in more content like this. Also, if you want to support the channel and get early access to some of my content, that is available over on Patreon. There's a link, of course, for that in the description down below as well, if you want to support the channel that way. But I think with all of that being said, I'm gonna go ahead and wrap this up. So as always, thanks for your time, I always appreciate your support, and I'll talk to you in the next video.

Info
Channel: DB Tech
Views: 44,919
Keywords: DB Tech, DBTech, Docker tutorial, fail2ban, docker fail2ban, nginx proxy manager fail2ban, nginx proxy manager and fail2ban, nginx proxy manager cloudflare fail2ban, cloudflare fail2ban, npm fail2ban, self hosting fail2ban, how to set up fail2ban, set up fail2ban in docker
Id: Ha8NIAOsNvo
Length: 23min 36sec (1416 seconds)
Published: Thu Jan 20 2022