naseweis
(naseweis)
August 12, 2024, 4:16pm
1
1. The problem I’m having:
I'm running caddy inside a docker container. But there is no log folder inside of /data. I want to set up fail2ban to protect my reverse proxy from DDOS attacks.
2. Error messages and/or full log output:
No Error Message
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
How I installed and ran Caddy:
I installed it with docker-compose:
version: "3.8"
services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    volumes:
      - /opt/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /opt/caddy/certs:/certs
      - /opt/caddy/config:/config
      - /opt/caddy/data:/data
      - /opt/caddy/sites:/srv
    network_mode: "host"
a. System environment:
Alma Linux 9 VM, Docker Container
b. Command:
No Command
c. Service/unit/compose file:
d. My complete Caddy config:
https://nextcloud.naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
}
https://naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8000
}
https://www.naseweis.io:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8000
}
5. Links to relevant resources:
Howdy @naseweis, welcome to the Caddy community.
You can find basic application logs with docker compose logs <service>. I note your service is just called caddy.
That said, if you’re trying to get fail2ban working, you’re in for a bit of a ride. Firstly you’d want access logs, specifically, which you’d need to configure with the log directive (or global option). The default output of Caddy won’t be useful for this purpose, though.
Fail2ban needs unstructured logs. Generally, it needs unstructured access logs in Common Log Format, or something close enough that you can use regex. Fail2ban doesn’t support structured logs.
Caddy emits access logs in structured JSON format. Caddy no longer supports unstructured logs (by default).
That means, in order to get unstructured, common log formatted, access logs out of Caddy - you’ll need to use a non-standard plugin: GitHub - caddyserver/transform-encoder: Log encoder module for custom log formats
Once you’ve got that plugin, you can configure your logs and make the decision yourself as to exactly where you want to place them for fail2ban to find.
2 Likes
Forza
(Forza)
August 13, 2024, 9:19am
3
I also think that the Transform plugin is the best option, though Fail2Ban could probably use regex to parse the json lines as well.
Another option might be to use jq to parse the json log and output the fields required by fail2ban in a separate log file.
I wrote a script using jq that reads the Caddy json logs and outputs them as plain text. Perhaps this can be adapted for use with Fail2Ban?
If you want to filter the json log on http status codes you could do something like this:
# logparse -s "status _ datetime _ client_ip _ uri" wiki.tnonline.net.log | grep ^404
404 2024-08-13 02:09:15 172.71.94.69 /w/Wp-content/plugins/fix/up.php
404 2024-08-13 02:09:15 172.71.98.137 /tdwtmehm.php?Fox=d3wL7
404 2024-08-13 02:09:16 172.71.98.11 /wp-content/themes/seotheme/db.php?u
I haven’t added an option to continuously parse a log or support pipes, but I’d be happy to take suggestions or merge requests.
There is a GitHub issue for native json support in Fail2Ban: [RFE]: JSON parsing support in filter configuration for structured log output? · Issue #3526 · fail2ban/fail2ban · GitHub
3 Likes
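The conversion suggested above (Caddy's JSON access log turned into plain-text lines in a separate file for fail2ban), as an added Python example that is not from the thread and is not the logparse script. The sample lines are constructed; the field names (ts, status, size, request.client_ip, request.remote_ip, request.method, request.uri, request.proto) are assumed to be those of Caddy's default JSON access log.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of Caddy's JSON access log (not real traffic).
SAMPLE_LOG = [
    '{"level":"info","ts":1723514955.0,"logger":"http.log.access.log0",'
    '"msg":"handled request","request":{"remote_ip":"203.0.113.7",'
    '"client_ip":"203.0.113.7","proto":"HTTP/2.0","method":"GET",'
    '"host":"example.test","uri":"/wp-login.php"},"size":0,"status":404}',
    '{"level":"info","ts":1723514956.5,"logger":"tls","msg":"no request here"}',
    'not json at all',
    '{"ts":1723514957.0,"request":{"remote_ip":"198.51.100.9","proto":"HTTP/1.1",'
    '"method":"GET","uri":"/a\\" 200 0\\n203.0.113.7 - - x"},"size":12,"status":401}',
]

_UNSAFE = re.compile(r'[\x00-\x1f\x7f"\\]')

def _clean(value):
    """Hex-escape quotes, backslashes and control bytes so client-supplied
    text stays inside its quoted field and on a single output line."""
    return _UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))

def to_clf(line):
    """Return one Common Log Format line, or None if `line` is not an access entry."""
    try:
        entry = json.loads(line)
        req = entry["request"]
        ip = req.get("client_ip") or req["remote_ip"]
        when = datetime.fromtimestamp(float(entry["ts"]), tz=timezone.utc)
        status, size = int(entry["status"]), int(entry.get("size", 0))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # runtime log line, truncated write, or unexpected shape
    request = "%s %s %s" % tuple(
        _clean(req.get(k, "-")) for k in ("method", "uri", "proto"))
    return '%s - - [%s] "%s" %d %d' % (
        _clean(ip), when.strftime("%d/%b/%Y:%H:%M:%S %z"), request, status, size)

def convert(lines):
    """Convert an iterable of JSON lines, skipping everything that is not a request."""
    return [out for out in map(to_clf, lines) if out is not None]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_LOG)))
```

Each output line starts with the client address and contains exactly one quoted request field, so a regex-based filter can anchor on the start of the line and on the status code that follows the closing quote.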
naseweis
(naseweis)
August 15, 2024, 2:47pm
4
Hey,
thx for your answers. They were rly helpful!
I made a tutorial on how to make an xCaddy container and protect it with fail2ban
In uncertain times, where cyber attacks have become the norm, it is even more important to protect your systems against brute force attacks. In this article I will show you how you can protect your docker container from cyber attacks with the...
1 Like
system
(system)
Closed
September 14, 2024, 2:48pm
5
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.