0

docker-fail2ban

? Fail2ban Docker image based on Alpine Linux

Github 資源庫
主要指標

Github星跟蹤圖

About

? Fail2ban Docker image based on Alpine Linux.
If you are interested, check out my other ? Docker images!

? Want to be notified of new releases? Check out ? Diun (Docker Image Update Notifier) project!

Docker

Multi-platform image

Following platforms for this image are available:

$ docker run --rm mplatform/mquery crazymax/fail2ban:latest
Image: crazymax/fail2ban:latest
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64
   - linux/386
   - linux/ppc64le
   - linux/s390x

Environment variables

  • TZ: The timezone assigned to the container (default UTC)
  • F2B_LOG_TARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default STDOUT)
  • F2B_LOG_LEVEL: Log level output (default INFO)
  • F2B_DB_PURGE_AGE: Age at which bans should be purged from the database (default 1d)
  • F2B_IPTABLES_CHAIN: Specifies the iptables chain to which the Fail2Ban rules should be added (default DOCKER-USER)
  • SSMTP_HOST: SMTP server host
  • SSMTP_PORT: SMTP server port (default 25)
  • SSMTP_HOSTNAME: Full hostname (default $(hostname -f))
  • SSMTP_USER: SMTP username
  • SSMTP_PASSWORD: SMTP password
  • SSMTP_TLS: SSL/TLS (default NO)

Volumes

  • /data: Contains customs jails, actions and filters and Fail2ban persistent database

Use this image

Docker Compose

Docker compose is the recommended way to run this image. Copy the content of folder examples/compose in /var/fail2ban/ on your host for example. Edit the compose and env files with your preferences and run the following commands :

docker-compose up -d
docker-compose logs -f

Command line

You can also use the following minimal command :

docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest

Notes

DOCKER-USER chain

In Docker 17.06 and higher through docker/libnetwork#1675, you can add rules to a new table called DOCKER-USER, and these rules will be loaded before any rules Docker creates automatically. This is useful to make iptables rules created by Fail2Ban persistent.

If you have an older version of Docker, you may just change F2B_IPTABLES_CHAIN to FORWARD. This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.

More info : https://docs.docker.com/network/iptables/

DOCKER-USER and INPUT chains

If your Fail2Ban container is attached to DOCKER-USER chain instead of INPUT, the rules will be applied only to containers. This means that any packets coming into the INPUT chain will bypass these rules that now reside under the FORWARD chain.

This implies that sshd jail for example will not work as intended. You can create another Fail2Ban container. Take a look at this example.

Use fail2ban-client

Fail2ban commands can be used through the container. Here is an example if you want to ban an IP manually :

docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>

Global jail configuration

You can provide customizations in /data/jail.d/*.local files.

For example to change the default bantime for all jails, send an e-mail with whois report and relevant log lines to the destemail:

[DEFAULT]
bantime = 1h
destemail = root@localhost
sender = root@$(hostname -f)
action = %(action_mwl)s

:warning: If you want email to be sent after a ban, you have to configure SSMTP env vars

FYI, here is the order jail configuration would be loaded:

jail.conf
jail.d/*.conf (in alphabetical order)
jail.local
jail.d/*.local (in alphabetical order)

A sample configuration file is available on the official repository.

Custom jails, actions and filters

Custom jails, actions and filters can be added respectively in /data/jail.d, /data/action.d and /data/filter.d. If you add an action/filter that already exists, it will be overriden.

:warning: Container has to be restarted to propagate changes

Jail examples

Jail examples can be found in examples/jails to work with this image.

How can I help ?

All kinds of contributions are welcome :raised_hands:! The most basic way to show your support is to star :star2: the project, or to raise issues :speech_balloon: You can also support this project by becoming a sponsor on GitHub :clap: or by making a Paypal donation to ensure this journey continues indefinitely! :rocket:

Thanks again for your support, it is much appreciated! :pray:

License

MIT. See LICENSE for more details.

主要指標

概覽
名稱與所有者crazy-max/docker-fail2ban
主編程語言Dockerfile
編程語言Dockerfile (語言數: 2)
平台
許可證MIT License
所有者活动
創建於2018-04-24 19:14:31
推送於2025-02-16 17:56:06
最后一次提交2025-02-16 18:56:01
發布數34
最新版本名稱1.1.0-r3 (發布於 )
第一版名稱0.10.3.1-RC1 (發布於 )
用户参与
星數697
關注者數13
派生數84
提交數250
已啟用問題?
問題數101
打開的問題數7
拉請求數56
打開的拉請求數0
關閉的拉請求數22
项目设置
已啟用Wiki?
已存檔?
是復刻?
已鎖定?
是鏡像?
是私有?