Selfhosted

57963 readers

659 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Where to install fail2ban? (lemmy.world)

submitted 14 hours ago by anticonnor@lemmy.world to c/selfhosted@lemmy.world

16 comments fedilink hide all child comments

I've been doing some selfhosting and want to setup fail2ban for my exposed apps, but am unsure if that should be setup on my router (OpenWRT), on each server that may be exposed, or just in the Caddy container?

My setup right now is: TP-Link router with OpenWRT Lenovo M910q with Proxmox, which hosts the following:

Caddy in a container for reverse proxies to hosted apps
Home Assistant OS in VM#1
Other apps in docker containers on VM#2

you are viewing a single comment's thread
view the rest of the comments

[–] cecilkorik@piefed.ca 16 points 13 hours ago

The simple, maybe unhelpful answer is that fail2ban needs to have two things at once: the logs, and a way to block the network traffic.

Where exactly you want those things to coincide is really up to you, there might only be one point that simultaneously has access to both those things, or there might be multiple points depending on how your systems and services and network is configured, or if you're in a bad situation you might find you don't really have any single point where both those things are simultaneously possible, in which case you'll need to reconfigure something until you do have at least one point where both those things are again coincident.

As far as best practices, I can't really say for sure, but I know that one of the more convenient ways to run it is usually on the same system, I usually run it outside of docker, on the host, which can pretty easily get access to the container's logs if necessary, and let fail2ban block traffic on the whole system. For me, any system running any publicly accessible network services that allow password login gets a fail2ban instance.

A whole-network approach where you block the traffic on the firewall is fine too, if that's what you prefer and what you want to work towards, but it's probably going to be significantly more complex to set up because now you need to either figure out how to get fail2ban to be able to access your firewall or a way for your firewall to get the logs it needs.