Fail2ban filter #3721

New Issue

OVERLORD · 2026-02-05T07:14:02+03:00

OVERLORD commented

2026-02-05 07:14:02 +03:00

Originally created by @jerome6994 on GitHub (Mar 30, 2023).

Attempted Debugging

I have read the debugging page

Searched GitHub Issues

I have searched GitHub for the issue.

Describe the Scenario

Good evening
I come looking for some help
I have swag with fail2ban
I can't find the right filter for fail2ban and send IPs to jail properly

Do you have the model of the filter?
Does bookstack embed a fail2ban solution that I haven't seen the settings?

Thank you in advance for your help

jerome

Exact BookStack Version

BookStack v23.02.2

Log Content

No response

PHP Version

No response

Hosting Environment

VM proxmox with Docker portainer

Originally created by @jerome6994 on GitHub (Mar 30, 2023). ### Attempted Debugging - [X] I have read the debugging page ### Searched GitHub Issues - [X] I have searched GitHub for the issue. ### Describe the Scenario Good evening I come looking for some help I have swag with fail2ban I can't find the right filter for fail2ban and send IPs to jail properly Do you have the model of the filter? Does bookstack embed a fail2ban solution that I haven't seen the settings? Thank you in advance for your help jerome ### Exact BookStack Version BookStack v23.02.2 ### Log Content _No response_ ### PHP Version _No response_ ### Hosting Environment VM proxmox with Docker portainer

OVERLORD added the 🐕 Support label 2026-02-05 07:14:02 +03:00

OVERLORD closed this issue

2026-02-05 07:14:09 +03:00

OVERLORD commented

2026-02-05 07:14:13 +03:00

@ssddanbrown commented on GitHub (Mar 30, 2023):

Hi @jerome6994,
Just to confirm, since you'll have a lot of layers at play, where exactly does your swag/fail2ban setup exist in relation to BookStack? And what container are you using for BookStack?
Also, what events are you trying to trigger upon for fail2ban?

BookStack does not have any fail2ban embedded at all, the only related thing we have is the failed access log message which would typically log to webserver logs, which may be within a different container to your fail2ban setup unless there's a lot of log file juggling going on.

@ssddanbrown commented on GitHub (Mar 30, 2023): Hi @jerome6994, Just to confirm, since you'll have a lot of layers at play, where exactly does your swag/fail2ban setup exist in relation to BookStack? And what container are you using for BookStack? Also, what events are you trying to trigger upon for fail2ban? BookStack does not have any fail2ban embedded at all, the only related thing we have is the [failed access log message](https://www.bookstackapp.com/docs/admin/security/#failed-access-logging) which would typically log to webserver logs, which may be within a different container to your fail2ban setup unless there's a lot of log file juggling going on.

OVERLORD commented

2026-02-05 07:14:19 +03:00

@jerome6994 commented on GitHub (Mar 30, 2023):

Hi @ssddanbrown

My swag/fail2ban is in docker A and boockstack in docker B
Both docker are on the same proxmox server

I want to trigger fail2ban on a login attempt with password error more than twice in a row
It's not a big security but it's already a start

@jerome6994 commented on GitHub (Mar 30, 2023): Hi @ssddanbrown My swag/fail2ban is in docker A and boockstack in docker B Both docker are on the same proxmox server I want to trigger fail2ban on a login attempt with password error more than twice in a row It's not a big security but it's already a start

OVERLORD commented

2026-02-05 07:14:22 +03:00

@ssddanbrown commented on GitHub (Mar 30, 2023):

My swag/fail2ban is in docker A and boockstack in docker B

In that case, you'd probably need to edit the nginx config for the bookstack container (The linuxserver bookstack iamge does pass this through for editing), to log errors to a custom location, which is volume mounted across both systems, so that you can scan for that log in fail2ban. Never tried that myself though and seems complex/sketchy.

You might be better off, if possible, just watching for POST requests to the /login path at the swag/fail2ban layer, and ban on what looks like unreasonable frequency for normal login attempts. Not as accurate but will be a lot less complex.

@ssddanbrown commented on GitHub (Mar 30, 2023): > My swag/fail2ban is in docker A and boockstack in docker B In that case, you'd probably need to edit the nginx config for the bookstack container (The linuxserver bookstack iamge does pass this through for editing), to log errors to a custom location, which is volume mounted across both systems, so that you can scan for that log in fail2ban. Never tried that myself though and seems complex/sketchy. You might be better off, if possible, just watching for `POST` requests to the `/login` path at the swag/fail2ban layer, and ban on what looks like unreasonable frequency for normal login attempts. Not as accurate but will be a lot less complex.

OVERLORD commented

2026-02-05 07:14:24 +03:00

@ssddanbrown commented on GitHub (Apr 6, 2023):

Since there's been no follow-up I'm going to close this off.

@ssddanbrown commented on GitHub (Apr 6, 2023): Since there's been no follow-up I'm going to close this off.

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#3721