Home

I’ve been doing some selfhosting and want to setup fail2ban for my exposed apps, but am unsure if that should be setup on my router (OpenWRT), on each server that may be exposed, or just in the Caddy container?

My setup right now is: TP-Link router with OpenWRT Lenovo M910q with Proxmox, which hosts the following: - Caddy in a container for reverse proxies to hosted apps - Home Assistant OS in VM#1 - Other apps in docker containers on VM#2

Don’t modify containers. Send their logs to fail2ban and block things at the edge.

I’m still not sure what this means. Run fail2ban on the router or on each VM? Caddy does have a fail2ban module if it makes more sense to run there?

If the router is the single point if entry at your edge then I’d run fail2ban on it assuming it can see the traffic

Honest question: Why fail2ban? Have you considered crowdsec ?

I used to use the former; I’ve found the latter to be easier to maintain and I like that it shares threats real-time

Run it in some place where it can easily read the logs of your apps.

I’ll give it a look. No real reason for fail2ban specifically, it’s just often mentioned as an easy process for beginners.

Honest question: Why fail2ban? Have you considered crowdsec ?

Why not both?

Thank you! I’ll start there and check that I can easily access the logs.

Thank you both, I’m starting to get it.

The simple, maybe unhelpful answer is that fail2ban needs to have two things at once: the logs, and a way to block the network traffic.

Where exactly you want those things to coincide is really up to you, there might only be one point that simultaneously has access to both those things, or there might be multiple points depending on how your systems and services and network is configured, or if you’re in a bad situation you might find you don’t really have any single point where both those things are simultaneously possible, in which case you’ll need to reconfigure something until you do have at least one point where both those things are again coincident.

As far as best practices, I can’t really say for sure, but I know that one of the more convenient ways to run it is usually on the same system, I usually run it outside of docker, on the host, which can pretty easily get access to the container’s logs if necessary, and let fail2ban block traffic on the whole system. For me, any system running any publicly accessible network services that allow password login gets a fail2ban instance.

A whole-network approach where you block the traffic on the firewall is fine too, if that’s what you prefer and what you want to work towards, but it’s probably going to be significantly more complex to set up because now you need to either figure out how to get fail2ban to be able to access your firewall or a way for your firewall to get the logs it needs.

I didn’t like crowdsec because of the limits on the free account. For example, I got way more than the 500 max monthly alerts just with one application being protected. So it was difficult to analyze threats. It was easier to set up though. And both serve slightly different use cases.

You can analyze with either the CLI or log files piped into something like OpenObserve which is what I do. You don’t technically need their dashboard.

Crowdsec does everything fail2ban does so not much point.

On the computer

In my thinking, redundancy, defense in depth…..maybe? May be overkill. I run them both with no issues.

Linuxserver SWAG container has fail2ban and Nginx built into the same container. It can read your nginx logs and modify the servers firewall rules to ban them.