Setting up fail2ban with passbolt (Newbie question)

Well, I guess a newbie question once again… I had a lot of unsuccessful login attempts, so I installed fail2ban on my server to handle this situation. Now I am not able to connect to Passbolt anymore when the firewall is running. Could somebody please help me on how to set fail2ban up in a way so I can access Passbolt from e.g. the smartphone, laptop, etc.? I want to stress that this is completely new terrain for me… :frowning: A wink in the direction of how to set it up would be nice, or how I should understand the information given here: Passbolt Help | Firewall rules. Just adding in the jail file something like

[http]
enabled = true
port = http,https
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

doesn't seem to do the trick :frowning:

Sorry for the noob question…

Hi @SgtFuturess

Fail2ban by default has an SSH listener:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

What you need in order to not get blocked is to set your static ip:
ignoreip = <your ip address(es) here> separated by spaces

I think the default setting is to not block anything local:
ignoreip = 127.0.0.1/8 ::1

If you are trying to access SSH from anywhere, the default settings won't block you unless you have a failed attempt. At that point, whatever your bantime is set to in seconds will be how long you are blocked. So, if you are coming from a changing IP, either allow for a retry in the [sshd] block, or don't fail the login.


Hey @garrett

Thanks for your response :slight_smile: I think I can't quite get my head around this… Passbolt is running on a server hosted by a provider. This server has an IP address… Is this the IP I should give to fail2ban? If so, it doesn't work. Also adding my DNS address or my current IP doesn't work. In my naive view it should go something like this: when I try to open Passbolt through the browser, a connection is established to the server where Passbolt is running? This IP should a) be the same as the server is running on, so local or the static IP of the server, or b) my current IP from this PC? In both cases it doesn't work. It seems I am missing something or have it completely wrong?

@SgtFuturess fail2ban is not part of the Passbolt app, but I can try to help. :slightly_smiling_face:

Fail2ban watches logs and views the IP addresses while considering the rules it is running with. So, the answer to your question is "it depends".

For something like SSH logs, the IP addresses shown in the logs are the remote machines attempting access. The public IP address of the server is not going to show up in these logs because it's not trying to access itself via SSH.

Also, fail2ban is a service that runs on the server. After any changes to the configuration it must be restarted for those changes to take effect.

Here’s a pretty good guide

Thanks @garrett also for answering a not-so-specific Passbolt question :smiley: The guide sent me in the right direction, and it seemed to me a lot of firewall knowledge was missing… I set up my rules according to the tutorial and now I am able to access Passbolt again :slight_smile:
