2024-06-19, 03:30 PM
Hi all,
I have Jellyfin deployed successfully and now am exposing my server on the internet for family and friends. I want to harden it with Fail2Ban. My configuration is as follows.
Ngnix Proxy Mgr.
Docker container
192.168.1.108
Configuration is exactly like the JF guide
Takes connections in on port 80, forwards them to 8096 on the next machine (192.168.1.106)
Sets headers in Custom Locations
Jellyfin Server
Docker container (official)
192.168.1.106:8096
Network settings configured for Known Proxy
Fail2Ban
Docker container (crazy max)
192.168.1.106
Jail matches JF guide, chain is DOCKER-USER (and I have tried FORWARD as well)
Behavior
F2B detects IPs attempting to brute force the server and bans them. Makes expected updates to IPTables on the host (*.106). Does this by creating its own chain and adding IPs. However, the IP is never blocked and it appears that all packets are flowing to 0.0.0.0. For the life of me, I cannot figure out why. Does anyone have any insight?
Thanks!
IP TABLES OUTPUT (Note the packets next to 0.0.0.0; the IPs listed are via VPN, so no private info in this post):
Chain f2b-jellyfin (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT 0 -- * * 84.247.59.144 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.127 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 85.203.15.105 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 85.203.15.103 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.9 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.50 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.49 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.45 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.39 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.38 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.29 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.217 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.21 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.18 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.17 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.143 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.124 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.123 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.118 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.112 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.111 0.0.0.0/0 reject-with icmp-port-unreachable
345 563268 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
I have Jellyfin deployed successfully and now am exposing my server on the internet for family and friends. I want to harden it with Fail2Ban. My configuration is as follows.
Ngnix Proxy Mgr.
Docker container
192.168.1.108
Configuration is exactly like the JF guide
Takes connections in on port 80, forwards them to 8096 on the next machine (192.168.1.106)
Sets headers in Custom Locations
Jellyfin Server
Docker container (official)
192.168.1.106:8096
Network settings configured for Known Proxy
Fail2Ban
Docker container (crazy max)
192.168.1.106
Jail matches JF guide, chain is DOCKER-USER (and I have tried FORWARD as well)
Behavior
F2B detects IPs attempting to brute force the server and bans them. Makes expected updates to IPTables on the host (*.106). Does this by creating its own chain and adding IPs. However, the IP is never blocked and it appears that all packets are flowing to 0.0.0.0. For the life of me, I cannot figure out why. Does anyone have any insight?
Thanks!
IP TABLES OUTPUT (Note the packets next to 0.0.0.0; the IPs listed are via VPN, so no private info in this post):
Chain f2b-jellyfin (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT 0 -- * * 84.247.59.144 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.127 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 85.203.15.105 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 85.203.15.103 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.9 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.50 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.49 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.45 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.39 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.38 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.29 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.217 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.21 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.20 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.18 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.17 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.143 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.124 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.123 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.118 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.112 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 0 -- * * 84.247.59.111 0.0.0.0/0 reject-with icmp-port-unreachable
345 563268 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0