Fail2ban filter for sabnzbd?
Just wondering if anyone has written a fail2ban filter for sabnzbd they could share?
Re: Fail2ban filter for sabnzbd?
OK, so I've written a simple fail2ban script as a starting point for others to follow.
My config: I have sabnzbd listening on a public address, fronted by an Nginx reverse proxy, with a Letsencrypt cert.
Sabnzbd is set up to require forms auth in Sabnzbd. I want to protect against password enumeration, and enumeration of API keys. Yes, my password choice is already strong, and API keys are complex, but if you're not learning, you're standing still so....
Because it's using a reverse proxy, I have to get nginx set up to pass on the client IP (otherwise sabnzbd will only see the local address), so here's my nginx sites config:
Code:
server {
    # SABNZBD config for reverse proxy
    listen 443 ssl; # managed by Certbot
    server_name sitename.domain.tld;
    ssl_certificate /etc/letsencrypt/live/sitename.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sitename.domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www;
    location / {
        proxy_pass http://127.0.0.1:5211/; # Local sabnzbdplus ip and non SSL port
    }
}
# These sit outside both server blocks; when this file is included from the
# http block, the proxied location above inherits them.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
server {
    if ($host = sitename.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name sitename.domain.tld;
    return 404; # managed by Certbot
}
Obv sub your URL for the sitename.domain.tld above. Note also that I have sabnzbd configured on a different listening port, 5211, rather than the standard. You'd need to change that for your situation.
Then on to fail2ban.
I have this added to my jail.local:
Code:
[sabnzbd]
enabled = true
port = http,https
filter = sabnzbd
logpath = /home/sabnzbduser/.sabnzbd/logs/sabnzbd.log
maxretry = 4
findtime = 3600
bantime = 172800
Replace the sabnzbduser with the username running your sabnzbd daemon.
Now, on to the filter.d for sabnzbd:
Code:
#
# Fail2Ban for SABNZBD via NGINX Reverse Proxy
#
[Definition]
# Continuation lines of failregex must stay indented.
failregex = ^.*Unsuccessful login attempt from 127.0.0.1 \(X-Forwarded-For: <HOST>.*$
            ^.*API key incorrect, Use the API key from Config-\>General in your 3rd party program: 127.0.0.1 \(X-Forwarded-For: <HOST>.*$
That's it, pretty simple. So now if an IP address tries to log in and fails 4 times within an hour, it's banned via iptables for 48 hours.
Obv some limitations to this approach you need to be aware of:
Multiple filters are supported in fail2ban after 0.8ish. I am running this on 22.04 server without issue; modern distros will be fine.
The log lines are correct as the current package in the repo that I've added. They could change, and the test may fail. Test after upgrades!
Hope someone finds this useful.
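Added example (not part of the original post, and not fail2ban's own code): a small Python emulation of the jail above, applying the two failregex patterns with maxretry = 4 and findtime = 3600 to constructed log lines. The IPv4-only stand-in for <HOST>, the timestamp/level prefix, and the assumption that SABnzbd logs the X-Forwarded-For value verbatim are assumptions; the last group of lines shows which address is counted when the header already held an entry before nginx appended the peer address via $proxy_add_x_forwarded_for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption; the
# real tag also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two failregex lines from the filter above, with <HOST> substituted.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^.*Unsuccessful login attempt from 127.0.0.1 \(X-Forwarded-For: <HOST>.*$",
    r"^.*API key incorrect, Use the API key from Config-\>General in your "
    r"3rd party program: 127.0.0.1 \(X-Forwarded-For: <HOST>.*$",
)]

def find_bans(lines, maxretry=4, findtime=3600):
    """Return {address: time of the failure that reached maxretry}."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = next(filter(None, (rx.match(line) for rx in FAILREGEX)), None)
        if m is None:
            continue
        when = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()  # forget failures older than findtime
        if len(hits) >= maxretry:
            bans.setdefault(m["host"], when)
    return bans

LOGIN = "Unsuccessful login attempt from"
API = "API key incorrect, Use the API key from Config->General in your 3rd party program:"
# Constructed events: (time, message, X-Forwarded-For value as logged).
EVENTS = [
    ("10:00:00", LOGIN, "203.0.113.7"), ("10:01:00", LOGIN, "198.51.100.9"),
    ("10:05:00", LOGIN, "203.0.113.7"), ("10:10:00", API, "203.0.113.7"),
    ("10:20:00", LOGIN, "203.0.113.7"),   # 4th failure inside one hour
    ("10:40:00", LOGIN, "198.51.100.9"), ("11:10:00", LOGIN, "198.51.100.9"),
    ("11:30:00", LOGIN, "198.51.100.9"),  # 4 failures, never 4 in one hour
    # Header that already held an entry before nginx appended the peer address:
] + [(f"12:0{i}:00", LOGIN, "192.0.2.50, 198.51.100.23") for i in range(4)]
# Timestamp and level prefix are an assumed log layout, not taken from the post.
SAMPLE_LOG = [f"2024-01-01 {t},000::WARNING::[interface:1] {m} 127.0.0.1 "
              f"(X-Forwarded-For: {x})" for t, m, x in EVENTS]

if __name__ == "__main__":
    for addr, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {addr} at {when}")
```

Run fail2ban-regex with the real sabnzbd.log and the filter file to confirm the patterns against your installed version. If the first address in the header is not one your own proxy wrote, setting X-Forwarded-For to $remote_addr in nginx makes the logged value the peer nginx actually saw.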