• Stars
    star
    542
  • Rank 81,982 (Top 2 %)
  • Language
    Dockerfile
  • License
    MIT License
  • Created over 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fail2ban Docker image

Latest Version Build Status Docker Stars Docker Pulls
Become a sponsor Donate Paypal

About

Fail2ban Docker image to ban hosts that cause multiple authentication errors.

Note

Want to be notified of new releases? Check out 🔔 Diun (Docker Image Update Notifier) project!


Build locally

git clone https://github.com/crazy-max/docker-fail2ban.git
cd docker-fail2ban

# Build image and output to docker (default)
docker buildx bake

# Build multi-platform image
docker buildx bake image-all

Image

Registry Image
Docker Hub crazymax/fail2ban
GitHub Container Registry ghcr.io/crazy-max/fail2ban

Following platforms for this image are available:

$ docker run --rm mplatform/mquery crazymax/fail2ban:latest
Image: crazymax/fail2ban:latest
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64
   - linux/386
   - linux/ppc64le
   - linux/s390x

Environment variables

  • TZ: The timezone assigned to the container (default UTC)
  • F2B_LOG_TARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default STDOUT)
  • F2B_LOG_LEVEL: Log level output (default INFO)
  • F2B_DB_PURGE_AGE: Age at which bans should be purged from the database (default 1d)
  • SSMTP_HOST: SMTP server host
  • SSMTP_PORT: SMTP server port (default 25)
  • SSMTP_HOSTNAME: Full hostname (default $(hostname -f))
  • SSMTP_USER: SMTP username
  • SSMTP_PASSWORD: SMTP password
  • SSMTP_TLS: Use TLS to talk to the SMTP server (default NO)
  • SSMTP_STARTTLS: Specifies whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (default NO)

Note

SSMTP_PASSWORD_FILE can be used to fill in the value from a file, especially for Docker's secrets feature.

Volumes

  • /data: Contains customs jails, actions and filters and Fail2ban persistent database

Usage

Docker Compose

Docker compose is the recommended way to run this image. Copy the content of folder examples/compose in /var/fail2ban/ on your host for example. Edit the Compose and env files with your preferences and run the following commands:

$ docker-compose up -d
$ docker-compose logs -f

Command line

You can also use the following minimal command :

$ docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest

Upgrade

Recreate the container whenever I push an update:

$ docker-compose pull
$ docker-compose up -d

Notes

DOCKER-USER chain

In Docker 17.06 and higher through docker/libnetwork#1675, you can add rules to a new table called DOCKER-USER, and these rules will be loaded before any rules Docker creates automatically. This is useful to make iptables rules created by Fail2Ban persistent.

If you have an older version of Docker, you may just change the chain definition for your jail to chain = FORWARD. This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.

More info : https://docs.docker.com/network/iptables/

DOCKER-USER and INPUT chains

If your Fail2Ban container is attached to DOCKER-USER chain instead of INPUT, the rules will be applied only to containers. This means that any packets coming into the INPUT chain will bypass these rules that now reside under the FORWARD chain.

This is why the sshd jail contains a chain = INPUT in its definition and traefik jail contains chain = DOCKER-USER.

Jails examples

Here are some examples using the DOCKER-USER chain:

And others using the INPUT chain:

Use iptables tooling without nftables backend

As you may know, nftables is available as a modern replacement for the kernel's iptables subsystem on Linux.

This image still uses iptables to preserve backwards compatibility but an issue is opened about its implementation.

If your system's iptables tooling uses the nftables backend, this will throw the error stderr: 'iptables: No chain/target/match by that name.'. You need to switch the iptables tooling to 'legacy' mode to avoid these problems. This is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer releases of these distributions by default. RHEL 8 does not support switching to legacy mode, and is therefore currently incompatible with this image.

On Ubuntu or Debian:

$ update-alternatives --set iptables /usr/sbin/iptables-legacy
$ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
$ update-alternatives --set arptables /usr/sbin/arptables-legacy
$ update-alternatives --set ebtables /usr/sbin/ebtables-legacy

On Fedora:

$ update-alternatives --set iptables /usr/sbin/iptables-legacy

Then reboot to apply changes.

Use fail2ban-client

Fail2ban commands can be used through the container. Here is an example if you want to ban an IP manually:

$ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>

Global jail configuration

You can provide customizations in /data/jail.d/*.local files.

For example to change the default bantime for all jails, send an e-mail with whois report and relevant log lines to the destemail:

[DEFAULT]
bantime = 1h
destemail = root@localhost
sender = root@$(hostname -f)
action = %(action_mwl)s

Warning

If you want email to be sent after a ban, you have to configure SSMTP env vars

FYI, here is the order jail configuration would be loaded:

jail.conf
jail.d/*.conf (in alphabetical order)
jail.local
jail.d/*.local (in alphabetical order)

A sample configuration file is available on the official repository.

Custom jails, actions and filters

Custom jails, actions and filters can be added respectively in /data/jail.d, /data/action.d and /data/filter.d. If you add an action/filter that already exists, it will be overriden.

Warning

Container has to be restarted to propagate changes

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a Paypal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.

More Repositories

1

WindowsSpyBlocker

Block spying and tracking on Windows
Go
4,186
star
2

diun

Receive notifications when an image is updated on a Docker registry
Go
2,073
star
3

docker-jetbrains-license-server

JetBrains License Server Docker image
Dockerfile
1,241
star
4

swarm-cronjob

Create jobs on a time-based schedule on Docker Swarm
Go
641
star
5

csgo-server-launcher

Counter-Strike Global Offensive Dedicated Server Launcher
Shell
580
star
6

docker-samba

Samba Docker image
Dockerfile
451
star
7

ftpgrab

Grab your files periodically from a remote FTP or SFTP server easily
Go
438
star
8

ghaction-github-pages

:octocat: GitHub Action to deploy to GitHub Pages
TypeScript
408
star
9

nodejs-portable

Node.js portable on Windows
Go
385
star
10

docker-rtorrent-rutorrent

rTorrent and ruTorrent Docker image
Dockerfile
356
star
11

ghaction-import-gpg

GitHub Action to import a GPG key
TypeScript
291
star
12

docker-cloudflared

Cloudflared proxy-dns Docker image
Dockerfile
266
star
13

ghaction-docker-buildx

:octocat: GitHub Action to set up Docker Buildx
TypeScript
233
star
14

docker-nextcloud

Nextcloud Docker image
Dockerfile
213
star
15

ddns-route53

Dynamic DNS for Amazon Route 53 on a time-based schedule
Go
203
star
16

docker-firefox-syncserver

Firefox Sync Server Docker image
Dockerfile
188
star
17

undock

Extract contents of a container image in a local folder
Go
170
star
18

docker-matomo

Matomo (formerly Piwik) Docker image
Dockerfile
161
star
19

docker-flarum

Flarum Docker image
Dockerfile
157
star
20

ghaction-virustotal

GitHub Action to upload and scan files with VirusTotal
TypeScript
149
star
21

xgo

Go CGO cross compiler
Shell
145
star
22

ghaction-github-labeler

:octocat: GitHub Action to manage labels on GitHub
TypeScript
123
star
23

firefox-history-merger

Merge Firefox history and repair missing favicons with ease
Go
87
star
24

docker-msmtpd

Lightweight SMTP relay Docker image using msmtpd
Dockerfile
72
star
25

docker-osxcross

MacOSX cross toolchain as Docker image
Dockerfile
71
star
26

ghaction-chocolatey

:octocat: GitHub Action for Chocolatey, the package manager for Windows
Dockerfile
67
star
27

docker-qbittorrent

qBittorrent Docker image
Dockerfile
65
star
28

ghaction-container-scan

GitHub Action to check for vulnerabilities in your container image
TypeScript
58
star
29

ghaction-github-runtime

GitHub Action to expose GitHub runtime to the workflow
Dockerfile
56
star
30

geoip-updater

Download and update MaxMind's GeoIP2 databases on a time-based schedule
Go
55
star
31

dokuwiki-plugin-syntaxhighlighter4

SyntaxHighlighter4 plugin for DokuWiki
PHP
53
star
32

ghaction-xgo

:octocat: GitHub Action for xgo, a Golang CGO cross compiler
TypeScript
52
star
33

docker-unbound

Unbound Docker image
Dockerfile
50
star
34

git-rewrite-author

Rewrite authors / commiters history of a git repository with ease
Go
48
star
35

ghaction-upx

GitHub Action for UPX, the Ultimate Packer for eXecutables
TypeScript
48
star
36

docker-docker

Docker in Docker (DinD) image
Dockerfile
47
star
37

docker-pure-ftpd

Pure-FTPd Docker image based on Alpine Linux with MySQL, PostgreSQL and LDAP support
Dockerfile
47
star
38

goxx

Go CGO cross-compiler Docker image
Shell
43
star
39

CwsMailBounceHandler

📬 PHP class to help webmasters handle bounce-back, feedback loop and ARF mails in standard DSN
PHP
41
star
40

docker-dokuwiki

DokuWiki Docker image
Dockerfile
38
star
41

docker-healthchecks

Healthchecks Docker image
Dockerfile
38
star
42

ghaction-dump-context

GitHub Action composite to dump context
37
star
43

rocketchat-uptimerobot

Uptime Robot integration for Rocket.Chat
JavaScript
34
star
44

goreleaser-xx

Cross compilation helper for GoReleaser
Go
33
star
45

ghaction-github-status

GitHub Action to check GitHub Status in your workflow
TypeScript
33
star
46

aetraymenu

Aestan Tray Menu
Pascal
33
star
47

docker-alpine-s6

Alpine Linux with s6 overlay
Dockerfile
33
star
48

ghaction-dockerhub-mirror

GitHub Action to mirror a DockerHub repo to another registry
30
star
49

docker-linguist

GitHub Linguist Docker image
HCL
27
star
50

artifactory-cleanup

Cleanup artifacts on Jfrog Artifactory with advanced settings
Go
27
star
51

docker-7zip

7-Zip Docker image
Dockerfile
26
star
52

IconsRefresh

Refresh icons on Desktop, Start Menu and Taskbar
Go
26
star
53

ghaction-setup-docker

GitHub Action to set up (download and install) Docker CE
TypeScript
19
star
54

docker-ejtserver

EJT License Server Docker image
Dockerfile
19
star
55

yasu

Yet Another Switch User
Dockerfile
17
star
56

docker-rrdcached

RRDcached Docker image
Dockerfile
17
star
57

travis-wait-enhanced

Prevent Travis CI from thinking a long-running process has stalled
Go
17
star
58

ghaction-setup-containerd

GitHub Action to set up containerd
TypeScript
16
star
59

login-servers-enhanced

Fork of the official login-servers Adminer plugin with enhancements
PHP
16
star
60

docker-n8n

n8n Docker image
Dockerfile
15
star
61

ghaction-hugo

:octocat: GitHub Action for Hugo, the world's fastest framework for building websites
TypeScript
13
star
62

docker-svn2git-mirror

🐳 Docker image to mirror SVN repositories to Git periodically
Dockerfile
13
star
63

CwsShareCount

PHP class to get social share count for Delicious, Facebook, Google+, Linkedin, Pinterest, Reddit, StumbleUpon and Twitter.
PHP
13
star
64

docker-allhands2-buildx-bake

buildx bake demo @ Docker Community All-Hands #2
HCL
13
star
65

crazy-max

12
star
66

gonfig

Lightweight config handling for Go
Go
11
star
67

ghaction-docker-status

GitHub Action to check Docker system status in your workflow
TypeScript
10
star
68

docker-spliit

Spliit Docker image
Dockerfile
10
star
69

docker-artifactory

JFrog Artifactory Docker images
10
star
70

docker-shodan

Shodan Docker image
HCL
10
star
71

echo-ipfilter

Middleware that provides ipfilter support for echo framework
Go
10
star
72

expect-nt

Fork of Expect for Windows NT by Gordon Chaffee
C
8
star
73

gotestlist

List tests in the given Go packages
Go
8
star
74

dockerfile

Official Dockerfile frontend that enables building Dockerfiles with BuildKit
Go
8
star
75

ghaction-github-release

GitHub Action for creating GitHub Releases
TypeScript
7
star
76

CwsCaptcha

PHP class to generate a captcha to avoid spam.
PHP
6
star
77

crazy-max.github.io

Homepage
HTML
6
star
78

CwsDump

PHP class to replace var_dump(), print_r() based on the Xdebug style.
PHP
6
star
79

CwsCrypto

PHP class for password hashing with multi encryption methods
PHP
6
star
80

CwsSession

PHP class to manipulate sessions. Data are securely encrypted and sessions are stored in database.
PHP
5
star
81

buildkit-nofrontend

Go
5
star
82

Killer

Kill a program by process name and clean-up notify and tray icons
C#
5
star
83

rtorrent-launcher

🚀 A simple bash script to launch rtorrent as a daemon
Shell
4
star
84

docker-snmpd

🐳 SNMP daemon Docker image based on Alpine Linux
Dockerfile
4
star
85

dokuwiki-plugin-syntaxhighlighter3

📝 Fork of SyntaxHighlighter3 plugin for DokuWiki
CSS
4
star
86

docker-loop

Simple loop for dummy services
Dockerfile
4
star
87

docker-syntaxhighlighter

🐳 Docker image to build SyntaxHighlighter javascript plugin
Dockerfile
4
star
88

rocketchat-xray

JFrog Xray integration for Rocket.Chat
JavaScript
4
star
89

rocketchat-appveyor

AppVeyor integration for Rocket.Chat
JavaScript
4
star
90

CwsDebug

PHP class to output additional messages for debug
PHP
4
star
91

docker-syspass

🐳 sysPass Docker image based on Alpine Linux
Dockerfile
4
star
92

shares-erasor

A DOS Batch script to remove all shares and disable auto shares on Windows systems.
Shell
4
star
93

IOPriority

Fork of IO Priority
C#
3
star
94

docker-inboxen

🐳 Inboxen Docker image based on Alpine Linux
Dockerfile
3
star
95

rocketchat-microbadger

MicroBadger integration for Rocket.Chat
JavaScript
3
star
96

CwsCurl

A flexible wrapper PHP class for the cURL extension.
PHP
3
star
97

geass

A multi-user front-end client for rTorrent with many features
3
star
98

CwsOvhLogsDownloader

PHP class to download the Apache access and error, FTP, CGI, Out and SSH logs available on http://logs.ovh.net from a shared hosting.
PHP
3
star
99

ama

Ask me Anything!
2
star
100

crossfit-reader

💳 Card reader application for ACR122U device affiliate to the Crossfit Nancy booking application
Java
2
star