How to implement fail2ban with Traefik
I'm interested in setting up fail2ban with my Traefik deployment. I found a gist that has some snippets in it, but I'm not clear on how to use them. Can anyone fill in the blanks please? Or, is there a better way to implement fail2ban style security with Traefik?

Groundsheet answered 31/8, 2018 at 22:44 Comment(3)
It would seem you create the files at the location specified by the first comment in the file. Ignore the botsearch one, it will just make network operation hard. The traefik_access_log needs to be replaced/set to where Traefik creates its log file. The docker tag on your question implies maybe Traefik is in docker? If so how? Is another cloud solution also in play? How does fail2ban reach the access file and the network interfaces required to block? I'd create an upstream issue at github.com/fail2ban/fail2ban/issues with an example from log files so it can become mainstream. – Tortuosity
Hi Dan! Thanks for reading my question. My apologies, due to a very common use case for Traefik being the automated proxying of Docker containers, I'd carried that as an assumption, and indeed as you say it bears consideration and is fundamentally one of my quandaries: are those files from the gist created on the Docker host, or inside the Traefik container? Is there a better approach to doing this the 'Docker way', perhaps with a containerized version of fail2ban as well? – Groundsheet
Agree. Suggest taking it up with the fail2ban developers to come up with a good architecture for how to work with docker containers. Be nice to them, they take a lot of flak from uptime security wannabes, enough to drive some developers away. – Tortuosity
I was able to accomplish this starting with the gist you posted. This is under the assumption that you have Traefik already working, want to block IPs that have HTTP Basic Auth failures, and ban them with iptables. There are a couple of pieces, so let me start with the container configurations:

Traefik docker-compose.yaml

version: '2'
services:
  traefik:
    image: traefik:alpine
    volumes:
    - /apps/docker/traefik/traefik.toml:/traefik.toml:ro
    - /apps/docker/traefik/acme:/etc/traefik/acme
    - /var/log/traefik:/var/log
    ports:
    - 8080:8080/tcp
    - 80:80/tcp
    - 443:443/tcp
    command:
    - --web
    - --accessLog.filePath=/var/log/access.log
    - --accessLog.filters.statusCodes=400-499

You can see here I am writing the log file to /var/log/access.log and only getting access codes to 400-499. I am then mounting that file to my host /var/log/traefik:/var/log

Now for the fail2ban part, I am using a fail2ban docker container rather than installing on my host, but you could technically do it there too.

Fail2ban docker-compose.yaml

version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    network_mode: "host"
    cap_add:
    - NET_ADMIN
    - NET_RAW
    volumes:
    - /var/log:/var/log:ro
    - /apps/docker/fail2ban/data:/data

You can see I mount the /var/log directory into the fail2ban container as read only.

Fail2ban configuration

The /apps/docker/fail2ban/data/jail.d/traefik.conf file contains:

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

The /apps/docker/fail2ban/data/filter.d/traefik-auth.conf file contains:

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =

Extra

The default ban action is to ban via iptables. If you want to change that you can change the default banaction in the traefik.conf, for example:

[DEFAULT]
banaction = cloudflare

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

Actions are here: https://github.com/fail2ban/fail2ban/tree/0.11/config/action.d

If you need to modify one, copy the file to the /apps/docker/fail2ban/data/action.d directory and restart the container.

Kunzite answered 12/10, 2018 at 17:57 Comment(6)
Thanks Devin, that's a really great writeup. My only question here would be around the blocking metric being based on basic auth failures - I see there's a bunch of literature around providing log sources for tracking metrics. – Groundsheet
What log format are you using for traefik? json or common, or does it not matter? – Credent
I am using whatever the default is, which looks like common. – Kunzite
Could you please explain what the --web flag does? Is it related to the logs and fail2ban, or to another Traefik configuration? Many thanks! – Oaf
--web (Deprecated) Enable Web backend with default settings (default "false") traefik.mattclemente.com – Kunzite
I modified two things to make it work as of Nov 2020: 1. Changed the failregex to failregex = ^<HOST> \- \S+ [.*] \"(GET|POST|HEAD).+\" 401 .+$ 2. Added chain = DOCKER-USER in traefik.conf – Vedanta
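An added check, not part of the answer above: this Python script replays the answer's failregex over constructed Traefik common-format access log lines, approximating how fail2ban removes the matched timestamp before applying the filter (which is why the pattern contains an empty `\[\]`), then counts 401 responses per client address against a maxretry threshold. The IPv4-only expansion of `<HOST>`, the sample log lines and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# failregex exactly as in the answer's filter.d/traefik-auth.conf
FAILREGEX = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$'
# Assumption: expand fail2ban's <HOST> tag to a plain IPv4 group (real fail2ban
# also accepts IPv6 addresses and hostnames here).
HOST_TAG = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_TAG))
# Traefik's common-log-format timestamp, e.g. [26/Oct/2018:14:23:05 +0000]
DATE_RE = re.compile(r'\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')

# Constructed sample access log (not captured from a real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2018:14:23:05 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.58.0" 1 "frontend" "http://10.0.0.6:80" 3ms',
    '203.0.113.7 - - [26/Oct/2018:14:23:06 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.58.0" 2 "frontend" "http://10.0.0.6:80" 2ms',
    '198.51.100.2 - - [26/Oct/2018:14:23:07 +0000] "POST /login HTTP/1.1" 401 17 "-" "Mozilla/5.0" 3 "frontend" "http://10.0.0.6:80" 4ms',
    '203.0.113.7 - alice [26/Oct/2018:14:23:08 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.58.0" 4 "frontend" "http://10.0.0.6:80" 5ms',
    '198.51.100.2 - - [26/Oct/2018:14:23:09 +0000] "GET /missing HTTP/1.1" 404 19 "-" "Mozilla/5.0" 5 "frontend" "http://10.0.0.6:80" 1ms',
    '203.0.113.7 - - [26/Oct/2018:14:23:10 +0000] "HEAD /admin HTTP/1.1" 401 0 "-" "curl/7.58.0" 6 "frontend" "http://10.0.0.6:80" 2ms',
]

def strip_date(line):
    """fail2ban cuts the recognised timestamp out of the line before matching
    failregex, leaving the surrounding brackets, hence the literal [] in the filter."""
    return DATE_RE.sub('[]', line, count=1)

def failed_host(line):
    """Return the client address if the line is a 401 per the filter, else None."""
    m = FAIL_RE.match(strip_date(line))
    return m.group('host') if m else None

def hosts_to_ban(lines, maxretry=5):
    """Addresses with at least maxretry matching lines (findtime window ignored here)."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return {ip for ip, n in counts.items() if n >= maxretry}

if __name__ == '__main__':
    print(sorted(hosts_to_ban(SAMPLE_LOG, maxretry=3)))  # ['203.0.113.7']
```

On a real host the same pattern check is done with `fail2ban-regex /var/log/traefik/access.log /etc/fail2ban/filter.d/traefik-auth.conf`, which also reports how many lines matched.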
There is a nicely written blog post on how to configure Fail2ban for Traefik.

https://blog.lrvt.de/configuring-fail2ban-with-traefik/

Fail2ban will monitor Traefik's access logs and ban threat actors that trigger multiple HTTP errors like 401, 403, 404 and so on.

PS: It seems to be recommended to use Traefik's JSON log format and not CLF, as it contains more detailed information and is easier to parse. It is also better if you'd like to pass the logs into additional software like an ELK stack, Grafana with Loki, etc.

Hamilton answered 2/4, 2023 at 0:22 Comment(0)
Here is an addition to the answer of @Devin B. With his information I've got it working. With fail2ban-client status traefik-auth the banned IPs are listed, but it was still possible to access the service from that IP. Note: I do not use the fail2ban docker version, it is installed directly on the server.

To get the traffic to docker blocked, DOCKER-USER needs an extra entry in iptables. You can see the iptables rules with the command iptables -L, and the entry is made by fail2ban automatically with the following setting inside traefik.conf (or jail.local):

[traefik-auth]
enabled = true
chain = DOCKER-USER
logpath = /var/log/traefik/access.log
port = http,https
Seabolt answered 23/2, 2023 at 10:41 Comment(0)
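A check for the symptom this answer describes, added here and not part of the post: given a rule dump in `iptables -S` form (a constructed sample below, not captured from a real host), it reports whether a fail2ban ban for an address can actually stop traffic to Docker-published ports, i.e. whether the jail chain is reached from DOCKER-USER rather than only from INPUT. The `f2b-<jail>` chain name is an assumption about the fail2ban release in use; the function names are mine.

```python
import re

# Constructed `iptables -S` output: fail2ban has created its jail chain and
# banned one address, but the jump into that chain sits in INPUT. Traffic to
# Docker-published ports is forwarded, not delivered locally, so it never
# traverses INPUT and the ban has no effect on the proxied service.
# Assumption: the jail chain is named f2b-<jail>, as recent fail2ban releases do.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER-USER
-N f2b-traefik-auth
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-traefik-auth
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A f2b-traefik-auth -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-traefik-auth -j RETURN
"""
# The same dump after restarting fail2ban with chain = DOCKER-USER in the jail.
FIXED_RULES = SAMPLE_RULES.replace('-A INPUT -p tcp', '-A DOCKER-USER -p tcp')

def jumps_to(rules, target):
    """Chains that contain a jump (-j) to `target`."""
    pat = re.compile(r'^-A (\S+) .*-j ' + re.escape(target) + r'(?:\s|$)')
    return {m.group(1) for m in map(pat.match, rules.splitlines()) if m}

def banned_ips(rules, chain):
    """Source addresses rejected or dropped inside `chain`."""
    pat = re.compile(r'^-A ' + re.escape(chain) + r' -s (\S+?)(?:/32)? -j (?:REJECT|DROP)\b')
    return {m.group(1) for m in map(pat.match, rules.splitlines()) if m}

def check_ban_effective(rules, jail, ip):
    """Explain whether a fail2ban ban for `ip` can reach Docker-routed traffic."""
    chain = 'f2b-' + jail
    if ip not in banned_ips(rules, chain):
        return 'not banned'
    hooks = jumps_to(rules, chain)
    if 'DOCKER-USER' in hooks:
        return 'effective'
    if not hooks:
        return 'listed but chain %s is not referenced by any chain' % chain
    return 'listed but bypassed: chain hooked into %s only' % ','.join(sorted(hooks))

if __name__ == '__main__':
    for rules in (SAMPLE_RULES, FIXED_RULES):
        print(check_ban_effective(rules, 'traefik-auth', '203.0.113.7'))
```

On a live host, feed `iptables -S` output to check_ban_effective instead of the constructed sample; `fail2ban-client status traefik-auth` only proves the IP is in the jail, not that the chain is in the packet path.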