
docker-fail2ban's Introduction


About

Fail2ban Docker image to ban hosts that cause multiple authentication errors.

Tip

Want to be notified of new releases? Check out the 🔔 Diun (Docker Image Update Notifier) project!


Build locally

git clone https://github.com/crazy-max/docker-fail2ban.git
cd docker-fail2ban

# Build image and output to docker (default)
docker buildx bake

# Build multi-platform image
docker buildx bake image-all

Image

Registry Image
Docker Hub crazymax/fail2ban
GitHub Container Registry ghcr.io/crazy-max/fail2ban

Following platforms for this image are available:

$ docker run --rm mplatform/mquery crazymax/fail2ban:latest
Image: crazymax/fail2ban:latest
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64
   - linux/386
   - linux/ppc64le
   - linux/s390x

Environment variables

  • TZ: The timezone assigned to the container (default UTC)
  • F2B_LOG_TARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default STDOUT)
  • F2B_LOG_LEVEL: Log level output (default INFO)
  • F2B_DB_PURGE_AGE: Age at which bans should be purged from the database (default 1d)
  • SSMTP_HOST: SMTP server host
  • SSMTP_PORT: SMTP server port (default 25)
  • SSMTP_HOSTNAME: Full hostname (default $(hostname -f))
  • SSMTP_USER: SMTP username
  • SSMTP_PASSWORD: SMTP password
  • SSMTP_TLS: Use TLS to talk to the SMTP server (default NO)
  • SSMTP_STARTTLS: Specifies whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (default NO)

Note

SSMTP_PASSWORD_FILE can be used to fill in the value from a file, especially for Docker's secrets feature.

Volumes

  • /data: Contains customs jails, actions and filters and Fail2ban persistent database

Usage

Docker Compose

Docker Compose is the recommended way to run this image. Copy the content of the examples/compose folder to a directory on your host, for example /var/fail2ban/. Edit the Compose and env files with your preferences and run the following commands:

$ docker compose up -d
$ docker compose logs -f

Command line

You can also use the following minimal command:

$ docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest

Upgrade

Recreate the container whenever I push an update:

$ docker compose pull
$ docker compose up -d

Notes

DOCKER-USER chain

In Docker 17.06 and higher through docker/libnetwork#1675, you can add rules to a new table called DOCKER-USER, and these rules will be loaded before any rules Docker creates automatically. This is useful to make iptables rules created by Fail2Ban persistent.

If you have an older version of Docker, you may just change the chain definition for your jail to chain = FORWARD. This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.

More info: https://docs.docker.com/network/iptables/

DOCKER-USER and INPUT chains

If your Fail2Ban container inserts its rules into the DOCKER-USER chain instead of INPUT, they apply only to traffic forwarded to containers. DOCKER-USER hangs off the FORWARD chain, so packets addressed to the host itself, which traverse INPUT, never reach these rules.

This is why the sshd jail contains chain = INPUT in its definition and the traefik jail contains chain = DOCKER-USER.

Jails examples

Here are some examples using the DOCKER-USER chain:

And others using the INPUT chain:

Use iptables tooling without nftables backend

As you may know, nftables is available as a modern replacement for the kernel's iptables subsystem on Linux.

This image still uses iptables to preserve backwards compatibility but an issue is opened about its implementation.

If your system's iptables tooling uses the nftables backend, this will throw the error stderr: 'iptables: No chain/target/match by that name.'. You need to switch the iptables tooling to 'legacy' mode to avoid these problems. This is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer releases of these distributions by default. RHEL 8 does not support switching to legacy mode, and is therefore currently incompatible with this image.

On Ubuntu or Debian:

$ update-alternatives --set iptables /usr/sbin/iptables-legacy
$ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
$ update-alternatives --set arptables /usr/sbin/arptables-legacy
$ update-alternatives --set ebtables /usr/sbin/ebtables-legacy

On Fedora:

$ update-alternatives --set iptables /usr/sbin/iptables-legacy

Then reboot to apply changes.

Use fail2ban-client

Fail2ban commands can be run inside the container. Here is an example if you want to ban an IP manually:

$ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>

Global jail configuration

You can provide customizations in /data/jail.d/*.local files.

For example, to change the default bantime for all jails and to send an e-mail with a whois report and the relevant log lines to destemail after each ban:

[DEFAULT]
bantime = 1h
destemail = root@localhost
sender = root@$(hostname -f)
action = %(action_mwl)s

Warning

If you want an e-mail to be sent after a ban, you have to configure the SSMTP environment variables.

FYI, here is the order in which jail configuration is loaded (later files override earlier ones):

jail.conf
jail.d/*.conf (in alphabetical order)
jail.local
jail.d/*.local (in alphabetical order)

A sample configuration file is available on the official repository.
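As an added example (not part of the docker-fail2ban project), the loading order above and the per-jail chain choice from the DOCKER-USER and INPUT chains note, worked through with Python's configparser on a constructed set of jail files: later files override earlier ones key by key, and a jail inherits chain from [DEFAULT] unless it sets its own.

```python
import configparser
import fnmatch

# Constructed stand-in for the jail files Fail2ban reads; keys are paths
# relative to the configuration directory. Not the image's real files.
SAMPLE_FILES = {
    "jail.conf": (
        "[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\nchain = INPUT\n"
        "\n[sshd]\nenabled = false\nport = ssh\n"
    ),
    "jail.d/00-defaults.conf": "[DEFAULT]\nbantime = 30m\n",
    "jail.d/10-sshd.conf": "[sshd]\nenabled = true\n",
    "jail.local": "[DEFAULT]\nbantime = 1h\ndestemail = root@localhost\naction = %(action_mwl)s\n",
    "jail.d/traefik.local": "[traefik]\nenabled = true\nchain = DOCKER-USER\nport = http,https\n",
    "jail.d/zz-override.local": "[DEFAULT]\nbantime = 2h\n",
}


def load_order(names):
    """Return the file names in the order Fail2ban applies them:
    jail.conf, jail.d/*.conf (alphabetical), jail.local, jail.d/*.local."""
    names = list(names)

    def matching(pattern):
        return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))

    order = [n for n in ("jail.conf",) if n in names]
    order += matching("jail.d/*.conf")
    order += [n for n in ("jail.local",) if n in names]
    order += matching("jail.d/*.local")
    return order


def effective_config(files):
    """Merge the files in load order; for every key the last file wins.
    Interpolation is off so values such as %(action_mwl)s stay verbatim:
    Fail2ban expands those itself."""
    cp = configparser.ConfigParser(interpolation=None)
    for name in load_order(files):
        cp.read_string(files[name], source=name)
    return cp


def enabled_jails(cp):
    """Jails whose effective `enabled` is true, mapped to the chain each
    one inserts its rules into (its own value or the [DEFAULT] one)."""
    return {
        jail: cp.get(jail, "chain")
        for jail in cp.sections()
        if cp.getboolean(jail, "enabled", fallback=False)
    }


if __name__ == "__main__":
    cfg = effective_config(SAMPLE_FILES)
    print("load order:", load_order(SAMPLE_FILES))
    print("effective default bantime:", cfg.get("DEFAULT", "bantime"))
    print("enabled jails and chains:", enabled_jails(cfg))
```

With the sample files the default bantime ends up as 2h, because jail.d/zz-override.local is read last even though jail.local also sets it.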

Custom jails, actions and filters

Custom jails, actions and filters can be added respectively in /data/jail.d, /data/action.d and /data/filter.d. If you add an action/filter that already exists, it will be overridden.

Warning

The container has to be restarted to propagate changes.

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.


docker-fail2ban's Issues

Expose action.d volume

I would love to use a custom action and edit those configuration files but I cannot bind mount action.d to my host and see the files.

custom jails and filter not loaded

Hey,
maybe I am too dumb, but I am trying to run this fail2ban image with nextcloud using docker-compose. I use the following folder structure:

nextcloud/app            (nextcloud folder with the log)
nextcloud/fail2ban
  filter.d/
    nextcloud.conf
  jail.d/
    jail.conf

The part of my docker-compose file:

fail2ban:
  image: crazymax/fail2ban:latest
  container_name: nextcloud-fail2ban
  networks:
    - nextcloud_network
  cap_add:
    - NET_ADMIN
    - NET_RAW
  volumes:
    - nextcloud/fail2ban:/data
    - nextcloud/app/data:/var/log:ro
  env_file:
    - ./fail2ban.env
  restart: unless-stopped

When running the compose file I see the following log:

Setting timezone to Europe/Berlin...
Setting SSMTP configuration...
WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
2020-07-22 15:28:15,557 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2020-07-22 15:28:15,558 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-07-22 15:28:15,559 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-07-22 15:28:15,560 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2020-07-22 15:28:15,560 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to STDOUT
2020-07-22 15:28:15,563 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2020-07-22 15:28:15,564 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2020-07-22 15:28:15,579 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2020-07-22 15:28:15,580 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2020-07-22 15:28:15,582 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2020-07-22 15:28:15,583 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf']
2020-07-22 15:28:15,628 fail2ban.server [1]: INFO --------------------------------------------------
2020-07-22 15:28:15,629 fail2ban.server [1]: INFO Starting Fail2ban v0.11.1
2020-07-22 15:28:15,630 fail2ban.observer [1]: INFO Observer start...
2020-07-22 15:28:15,637 fail2ban.database [1]: INFO Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
Server ready

Executing docker exec -t nextcloud-fail2ban fail2ban-client status results in

Status
|- Number of jail: 0
`- Jail list:

Is my path configuration wrong? Or where is my mistake?

with best regards

Dockerized fail2ban unable to block banned ip from sending request to nginx port 80 and port 443.

I have made exact issue on fail2ban/fail2ban repository.

fail2ban/fail2ban#2700 (comment)

sudo docker exec -ti fail2ban fail2ban-client -d | grep odoo output

['add', 'odoo', 'auto']
['set', 'odoo', 'usedns', 'warn']
['set', 'odoo', 'addfailregex', '^ \\d+ INFO \\S+ \\S+ Login failed for db:\\S+ login:\\S+ from <HOST>']
['set', 'odoo', 'maxretry', 5]
['set', 'odoo', 'maxmatches', 5]
['set', 'odoo', 'findtime', '10m']
['set', 'odoo', 'bantime', '1m']
['set', 'odoo', 'bantime.increment', True]
['set', 'odoo', 'bantime.rndtime', '59']
['set', 'odoo', 'bantime.overalljails', True]
['set', 'odoo', 'ignorecommand', '']
['set', 'odoo', 'logencoding', 'auto']
['set', 'odoo', 'addlogpath', '/var/log/odoo/odoo.access.log', 'head']
['set', 'odoo', 'addaction', 'iptables-multiport']
['multi-set', 'odoo', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-odoo\n<iptables> -A f2b-odoo -j RETURN\n<iptables> -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo'], ['actionstop', '<iptables> -D DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo\n<iptables> -F f2b-odoo\n<iptables> -X f2b-odoo'], ['actionflush', '<iptables> -F f2b-odoo'], ['actioncheck', "<iptables> -n -L DOCKER-USER | grep -q 'f2b-odoo[ \\t]'"], ['actionban', '<iptables> -I f2b-odoo 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-odoo -s <ip> -j <blocktype>'], ['name', 'odoo'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', 'DOCKER-USER'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'odoo']

Environment:

  • Fail2Ban version (including any possible distribution suffixes): 0.11.1
  • OS, including release name/version: Centos 8.1911
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

The banned IP address can't access SSH but still can access the web behind the reverse proxy. For more detail, I have pushed to the fail2ban-experiment branch.

Summary here

Steps to reproduce

  1. git clone https://github.com/tempatkerja/docker-odoo-https/tree/fail2ban-experiment
  2. add privkey.pem and fullchain.pem to ./volumes/nginx/certs
  3. sudo docker-compose up
  4. sudo docker exec -ti fail2ban fail2ban-client set odoo banip

Expected behavior

The banned ip address can't access port HTTP and HTTPS.

Observed behavior

  1. If you use chain = INPUT and banaction = iptables-allports to banip, the banned IP address can't access port SSH but still can access port HTTP and HTTPS.
  2. If you use chain = DOCKER-USER and banaction = iptables-multiport to banip, the banned IP address still can access port HTTP and HTTPS. The log is in section Relevant parts of sudo docker-compose logs.

Configuration, dump and another helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

cat volumes/fail2ban/config/jail.d/jail.local

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = 59

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (default), only current jail of the ban IP will be searched
bantime.overalljails = true

# --------------------

# "bantime" is the number of seconds that a host is banned.
bantime = 1m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

#
# HTTP servers
#

[odoo]

enabled = true

chain = DOCKER-USER

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

port = http,https

logpath = /var/log/odoo/odoo.access.log

Relevant parts of sudo docker-compose logs

fail2ban    | 2020-04-25 07:48:16,198 fail2ban.actions        [1]: NOTICE  [odoo] Ban 158.140.187.220
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- exec: iptables -w -N f2b-odoo
fail2ban    | iptables -w -A f2b-odoo -j RETURN
fail2ban    | iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-odoo
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- stderr: 'iptables: No chain/target/match by that name.'
fail2ban    | 2020-04-25 07:48:16,212 fail2ban.utils          [1]: ERROR   7f4b445da0f0 -- returned 1
fail2ban    | 2020-04-25 07:48:16,213 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'odoo' action 'iptables-multiport' info 'ActionInfo({'ip': '158.140.187.220', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f4b44c3dca0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f4b44c3e3a0>})': Error starting action Jail('odoo')/iptables-multiport: 'Script error'
fail2ban    | 2020-04-25 07:49:17,665 fail2ban.actions        [1]: NOTICE  [odoo] Unban 158.140.187.220

Make it possible to run the container as non root

It would be nice to run this container with another user.
With your firefox-sync image, you can run it with a PUID/PGID var.
Is it possible to do this with fail2ban also?

edit: tested with PUID/PGID vars with docker compose. The container is still running as root. The user command doesn't work.

RancherOS support?

Hi! This is not really a bug report so I hope it's OK if I ask a question here. I am looking to use RancherOS both for the Rancher management platform and for my Kubernetes hosts. Since everything in RancherOS runs as a container - including system services - I was looking for how to use fail2ban as a container, and found this repo. Has anyone tried docker-fail2ban with RancherOS? Does it work?

Thanks a lot in advance for your help!

Unable to ban an ip on a container being connected to a custom bridge network

Behaviour

I want to ban an IP after multiple failed logins on the owncloud container.

Steps to reproduce this issue

  1. Log in multiple times with bad credentials on owncloud

Expected behaviour

The IP that made several errors on the owncloud login must be banned

Actual behaviour

Configuration

  • Docker version (type docker --version) :

Docker version 19.03.5, build 633a0ea

  • Docker compose version if applicable (type docker-compose --version) :

docker-compose version 1.25.1, build a82fef0

  • Platform (Debian 9, Ubuntu 18.04, ...) :

Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster

  • System info (type uname -a) :

Linux stark 4.19.75-v7l+ #1270 SMP Tue Sep 24 18:51:41 BST 2019 armv7l GNU/Linux

  • Include all necessary configuration files : docker-compose.yml, .env, ...

filter.d -> owncloud.conf

failregex={.*Login failed: \'.*\' \(Remote IP: \'<HOST>\'\)"}
ignoreregex =

jail.d -> owncloud.conf

[owncloud]
enabled = true
port = http, https
protocol = tcp
filter = owncloud
maxretry = 3
bantime = 4w
logpath = /var/log/owncloud.log

docker-compose-owncloud.yml

  sync_cloud:
    image: owncloud/server:${SYNC_TAG}
    container_name: sync_cloud
    environment:
      - OWNCLOUD_DOMAIN=${SYNC_SERVER_HOSTNAME}
      # DATABASE
      - OWNCLOUD_DB_HOST=sync_db
      - OWNCLOUD_DB_TYPE=mysql
      - OWNCLOUD_DB_NAME=${SYNC_DB_NAME}
      - OWNCLOUD_DB_USERNAME=${SYNC_DB_USER}
      - OWNCLOUD_DB_PASSWORD=${SYNC_DB_PASS}
      # OWNCLOUD Administration
      - OWNCLOUD_ADMIN_USERNAME=${SYNC_ADMIN_USER}
      - OWNCLOUD_ADMIN_PASSWORD=${SYNC_ADMIN_PASS}
      # OWNCLOUD Cache
      - OWNCLOUD_REDIS_HOST=sync_cache
      - OWNCLOUD_REDIS_ENABLED=true
      # OWNCLOUD Log
      - OWNCLOUD_LOG_LEVEL=2
    volumes:
      - ${SYNC_SYNC_FOLDER}:/mnt/data
      - ${SYNC_LOG}:/mnt/data/files/owncloud.log
    labels:
      # SYNC HTTP
      - "traefik.enable=true"
      - "traefik.http.routers.sync.rule=Host(`${SYNC_SERVER_HOSTNAME}`)"
      - "traefik.http.routers.sync.entrypoints=http"
      - "traefik.http.services.sync.loadbalancer.server.port=8080"
      - "traefik.http.routers.sync.middlewares=redirect-to-https"
      # SYNC HTTPS
      - "traefik.http.routers.sync-https.rule=Host(`${SYNC_SERVER_HOSTNAME}`)"
      - "traefik.http.routers.sync-https.entrypoints=https"
      - "traefik.http.routers.sync-https.tls=true"
      - "traefik.http.routers.sync-https.tls.certresolver=eastwatch"
    networks:
      - web

docker-network web

docker_network:
        name: web
        driver: bridge
        ipam_config:
          - subnet: 172.19.0.0/16
            gateway: 172.19.0.1
        driver_options:
          com.docker.network.bridge.default_bridge: false
          com.docker.network.bridge.enable_icc: true
          com.docker.network.bridge.enable_ip_masquerade: true
          com.docker.network.bridge.host_binding_ipv4: 0.0.0.0
          com.docker.network.bridge.name: docker1
          com.docker.network.bridge.mtu: 1500

docker-compose-traefik.yml

reverse-proxy:
    image: traefik:${REVERSE_PROXY_TAG}
    container_name: reverse-proxy
    ports:
      - 443:443
      - 80:80
      - 8080:8080
    environment:
      - TZ=${TIMEZONE}
    volumes:
      - ${REVERSE_PROXY_STATIC_CONFIG}:/etc/traefik/traefik.toml
      - ${REVERSE_PROXY_DYNAMIC_CONFIG}:/etc/traefik/services.toml
      - ${REVERSE_PROXY_LETSENCRYPT_FOLDER}:/letsencrypt
      - ${DOCKER_VOLUME_SOCK}:/var/run/docker.sock:ro
      - ${REVERSE_PROXY_LOG}:/var/log
    labels:
      # DASHBOARD
      - "traefik.http.routers.api.rule=Host(`${API_TRAEFIK_HOSTNAME}`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=http"
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=${REVERSE_PROXY_DASHBOARD_USER}:${REVERSE_PROXY_DASHBOARD_PASS}"
      # MIDDLEWARES
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # KINGSLANDING HTTP
      - "traefik.http.routers.kingslanding.rule=Host(`${KINGSLANDING_HOSTNAME}`)"
      - "traefik.http.routers.kingslanding.service=kingslanding@file"
      - "traefik.http.routers.kingslanding.entrypoints=http"
      # NETGEAR HTTP
      - "traefik.http.routers.netgear.rule=Host(`${NETGEAR_ROUTEUR_HOSTNAME}`)"
      - "traefik.http.routers.netgear.service=netgear@file"
      - "traefik.http.routers.netgear.entrypoints=http"
      # LIVEBOX HTTP
      - "traefik.http.routers.livebox.rule=Host(`${LIVEBOX_ROUTEUR_HOSTNAME}`)"
      - "traefik.http.routers.livebox.service=livebox@file"
      - "traefik.http.routers.livebox.entrypoints=http"
      # BITTORENT HTTP
      - "traefik.http.routers.bittorent.rule=Host(`${BITTORENT_HOSTNAME}`)"
      - "traefik.http.routers.bittorent.service=bittorent@file"
      - "traefik.http.routers.bittorent.entrypoints=http"
      # MEDIA LIBRARY HTTP
      - "traefik.http.routers.media-library.rule=Host(`${MEDIA_LIBRARY_HOSTNAME}`)"
      - "traefik.http.routers.media-library.service=media-library@file"
      - "traefik.http.routers.media-library.entrypoints=http"
      # DNS-SERVER HTTP
      - "traefik.http.routers.dns-server.rule=Host(`${DNS_SERVER_HOSTNAME}`)"
      - "traefik.http.routers.dns-server.service=dns-server@file"
      - "traefik.http.routers.dns-server.entrypoints=http"
    networks:
        - web

docker-compose-fail2ban.yml

fail2ban-docker:
        image: crazymax/fail2ban:${FAIL2BAN_TAG}
        container_name: fail2ban-docker
        environment:
            - F2B_LOG_TARGET=STDOUT
            - F2B_LOG_LEVEL=DEBUG
            - F2B_DB_PURGE_AGE=1d
            - TZ=${TIMEZONE}
            - F2B_IPTABLES_CHAIN=DOCKER-USER
        volumes:
            - ${FAIL2BAN_DOCKER_FOLDER_DATA_FILTER}:/data/filter.d
            - ${FAIL2BAN_DOCKER_FOLDER_DATA_JAIL}:/data/jail.d
            # - ${FAIL2BAN_DATA_DB}:/data/db
            - ${FAIL2BAN_FOLDER_SCRAP_LOG}:/var/log:ro
        cap_add:
            - NET_ADMIN
            - NET_RAW
        network_mode: host
        restart: always

Docker info

Client:
 Debug Mode: false

Server:
 Containers: 8
  Running: 8
  Paused: 0
  Stopped: 0
 Images: 7
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.75-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 3.863GiB
 Name: stark
 ID: HJOH:HX4T:DJYE:GDHO:NWXL:SFQN:57ST:KI56:ICFU:ZTWL:3UUH:RBEE
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support

Logs

2020-06-20 15:13:01,586 fail2ban.observer       [1]: DEBUG   [owncloud] Observer: ban found 80.214.214.116, 2419200
2020-06-20 15:13:01,618 fail2ban.utils          [1]: ERROR   b6597bd0 -- exec: iptables -w -N f2b-owncloud iptables -w -A f2b-owncloud -j RETURN iptables -w -I DOCKER-USER -p tcp -m multiport --dports http, https -j f2b-owncloud
2020-06-20 15:13:01,618 fail2ban.utils          [1]: ERROR   b6597bd0 -- stderr: 'iptables: Chain already exists.'
2020-06-20 15:13:01,619 fail2ban.utils          [1]: ERROR   b6597bd0 -- stderr: "iptables v1.8.3 (legacy): invalid port/service `' specified"
2020-06-20 15:13:01,619 fail2ban.utils          [1]: ERROR   b6597bd0 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2020-06-20 15:13:01,619 fail2ban.utils          [1]: ERROR   b6597bd0 -- returned 2
2020-06-20 15:13:01,620 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'owncloud' action 'iptables-multiport' info 'ActionInfo({'ip': '80.214.214.116', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xb65bb220>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xb65bb580>})': Error starting action Jail('owncloud')/iptables-multiport: 'Script error'


Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/fail2ban/server/actions.py", line 482, in __checkBan action.ban(aInfo)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 548, in ban
    self._start(family, forceStart=True)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 529, in _start
    ret = self._executeOperation('<actionstart>', 'starting', family=family, afterExec=_started)
  File "/usr/lib/python3.8/site-packages/fail2ban/server/action.py", line 462, in _executeOperation
    raise RuntimeError("Error %s action %s/%s: %r" % (operation, self._jail, self._name, err))

RuntimeError: Error starting action Jail('owncloud')/iptables-multiport: 'Script error'
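A check for the root cause visible in the log above, as an added example that is not code from docker-fail2ban or Fail2ban: `port = http, https` is substituted unquoted into the actionstart line, so the shell splits it at the space and multiport receives `http,`, which is the "invalid port/service `' specified" error. The functions validate a jail's port value the way iptables-multiport would and render the three actionstart commands from the fail2ban-client -d dump in the odoo issue; the service-name table is a constructed subset of /etc/services and nothing here executes iptables.

```python
import re
import shlex

# Constructed subset of /etc/services; iptables resolves names from the
# real file, so anything not listed here is reported as unknown.
KNOWN_SERVICES = {"ssh", "smtp", "http", "https", "imaps", "submission"}
MAX_MULTIPORT = 15  # xt_multiport limit; a range such as 8000:8010 counts as two


def port_problems(value):
    """Return the reasons iptables-multiport would reject `value` as its
    --dports argument; an empty list means the value is safe to use."""
    problems = []
    if re.search(r"\s", value):
        # The owncloud case: "http, https" goes into the actionstart line
        # unquoted, so the shell splits the iptables command at the space.
        problems.append("value contains whitespace; the shell splits the iptables command at it")
    tokens = [t.strip() for t in value.split(",")]
    if sum(2 if ":" in t else 1 for t in tokens) > MAX_MULTIPORT:
        problems.append("multiport accepts at most %d ports" % MAX_MULTIPORT)
    for pos, tok in enumerate(tokens, 1):
        if tok == "":
            problems.append("empty port at position %d (stray comma)" % pos)
            continue
        m = re.fullmatch(r"([A-Za-z0-9_-]+)(?::([A-Za-z0-9_-]+))?", tok)
        if not m:
            problems.append("malformed port %r" % tok)
            continue
        for part in (p for p in m.groups() if p):
            if part.isdigit():
                if not 1 <= int(part) <= 65535:
                    problems.append("port out of range: %s" % part)
            elif part not in KNOWN_SERVICES:
                problems.append("unknown service name: %s" % part)
    return problems


def actionstart(jail, ports, chain="DOCKER-USER", proto="tcp"):
    """Render the three actionstart commands of iptables-multiport as in
    the fail2ban-client -d dump, refusing a port list that would make the
    third command fail after the first already created the f2b- chain
    (the "Chain already exists" error seen on the next ban attempt)."""
    problems = port_problems(ports)
    if problems:
        raise ValueError("; ".join(problems))
    name = "f2b-" + jail
    return [
        "iptables -w -N %s" % name,
        "iptables -w -A %s -j RETURN" % name,
        "iptables -w -I %s -p %s -m multiport --dports %s -j %s" % (chain, proto, ports, name),
    ]


def shell_argv(jail, ports, chain="DOCKER-USER", proto="tcp"):
    """How the shell tokenises the insert rule when `ports` is substituted
    verbatim; with "http, https" multiport only ever sees "http,"."""
    cmd = "iptables -w -I %s -p %s -m multiport --dports %s -j f2b-%s" % (chain, proto, ports, jail)
    return shlex.split(cmd)


if __name__ == "__main__":
    print(port_problems("http, https"))
    print(shell_argv("owncloud", "http, https"))
    print("\n".join(actionstart("odoo", "http,https")))
```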

Dockerhub images - latest and edge

Hello, thank you for your great work. This is not an issue - I apologize using this way for question.
What is the difference between "latest" and "edge" image tag on dockerhub?
Thank You!

Chains INPUT vs DOCKER-USER - a way to cohabit

Behaviour

This is more a feedback than a bug report, but, if I'm right, maybe the doc should be updated (if I'm right only :) )

In the doc, you explain that the chains INPUT & DOCKER-USER cannot cohabit together in the same instance, and that we should use 2 different instances.

In my case, since it was breaking my b*** to have 2 instances, I dug a bit and did the following.

  • Deploy the container using default input chain
  • for each jail dealing with containers (in my case they are traefik jails), I set it like the following:

[traefik-auth]
enabled = true
logpath = %(traefik_access_log)s
port = http,https
action = %(action_)s[chain="DOCKER-USER"]
findtime = 600
maxretry = 3
bantime=1w

[traefik-botsearch]
enabled = true
logpath = %(traefik_access_log)s
maxretry = 1
bantime=4w
port = http,https
action = %(action_)s[chain="DOCKER-USER"]
...

So basically, I'm using the default action (in this case iptables-multiport) but asking it to use the chain DOCKER-USER for those jails.
You could of course swap the 2 chains, setting DOCKER-USER as default and using INPUT when needed (which would actually make more sense in my case as I have more docker jails than input jails.. but well, it's working)

So far, it's working ok.

Again, thank you for your great images!

Steps to reproduce this issue

Expected behaviour

Tell me what should happen

Actual behaviour

Tell me what happens instead

Configuration

  • Docker version (type docker --version) :
  • Docker compose version if applicable (type docker-compose --version) :
  • Platform (Debian 9, Ubuntu 18.04, ...) :
  • System info (type uname -a) :
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

> Output of command `docker info`

Logs

> Container logs (set LOG_LEVEL to debug if applicable)

f2b adding to iptables but not banning

Behaviour

Steps to reproduce this issue

Bitwarden + f2b

Docker compose file:

# Fail2Ban - Intrusion prevention vs brute force attacks
  fail2ban:
    image: crazymax/fail2ban
    container_name: Fail2ban
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    privileged: true
    volumes:
      - $USERDIR/Fail2ban:/data
      - /var/log:/var/log:ro
      - /etc/localtime:/etc/localtime:ro
      - $USERDIR/Traefik/traefik.log:/traefik.log:ro
      - $USERDIR/Bitwarden/Data/bitwarden.log:/bitwarden.log:ro
      - $USERDIR/Authelia/authelia.log:/authelia.log:ro
    restart: always
    environment:
      - TZ=$TZ
      - SSMTP_HOST=$BW_SMTP_HOST
      - SSMTP_PORT=$BW_SMTP_PORT
      - SSMTP_USER=$BW_SMTP_USERNAME
      - SSMTP_PASSWORD=$BW_SMTP_PASSWORD
      - SSMTP_TLS=YES
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_LOG_LEVEL=INFO

Bitwarden log:

today at 10:30 PM [2020-09-05 22:30:14.258][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: [email protected].
today at 10:30 PM [2020-09-05 22:30:22.462][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: [email protected].
today at 10:30 PM [2020-09-05 22:30:24.183][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: [email protected].
today at 10:30 PM [2020-09-05 22:30:25.533][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: [email protected].
today at 10:30 PM [2020-09-05 22:30:26.683][error][ERROR] Username or password is incorrect. Try again. IP: 148.252.132.248. Username: [email protected].

F2B Log:

    today at 10:26 PM Setting timezone to Europe/London...
    today at 10:26 PM ln: /etc/localtime: File exists
    today at 10:26 PM Setting SSMTP configuration...
    today at 10:26 PM Initializing files and folders...
    today at 10:26 PM Setting Fail2ban configuration...
    today at 10:26 PM Checking for custom actions in /data/action.d...
    today at 10:26 PM Checking for custom filters in /data/filter.d...
    today at 10:26 PM Add custom filter authelia.conf...
    today at 10:26 PM Add custom filter bitwarden-admin.conf...
    today at 10:26 PM WARNING: bitwarden.conf already exists and will be overriden
    today at 10:26 PM Add custom filter bitwarden.conf...
    today at 10:26 PM WARNING: traefik-auth.conf already exists and will be overriden
    today at 10:26 PM Add custom filter traefik-auth.conf...
    today at 10:26 PM Add custom filter traefik-botsearch.conf...
    today at 10:26 PM 2020-09-05 22:26:38,592 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,593 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
    today at 10:26 PM 2020-09-05 22:26:38,594 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to /data/fail2ban.log
    today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,597 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
    today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf']
    today at 10:26 PM 2020-09-05 22:26:38,607 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,608 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
    today at 10:26 PM 2020-09-05 22:26:38,609 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,611 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/traefik.conf']
    today at 10:26 PM 2020-09-05 22:26:38,612 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/authelia.conf', '/etc/fail2ban/jail.d/bitwarden.conf', '/etc/fail2ban/jail.d/traefik.conf']
    today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/bitwarden under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,620 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,621 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
    today at 10:26 PM 2020-09-05 22:26:38,622 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/bitwarden.conf']
    today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configreader   [1]: INFO    Loading configs for action.d/iptables-allports under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,624 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
    today at 10:26 PM 2020-09-05 22:26:38,625 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
    today at 10:26 PM 2020-09-05 22:26:38,626 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
    today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/traefik-auth under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,628 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
    today at 10:26 PM 2020-09-05 22:26:38,629 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-auth.conf']
    today at 10:26 PM 2020-09-05 22:26:38,631 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/authelia under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,632 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,633 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/authelia.conf']
    today at 10:26 PM 2020-09-05 22:26:38,635 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/traefik-botsearch under /etc/fail2ban
    today at 10:26 PM 2020-09-05 22:26:38,636 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/traefik-botsearch.conf']
    today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf']
    today at 10:26 PM 2020-09-05 22:26:38,637 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf', '/etc/fail2ban/filter.d/traefik-botsearch.conf']
    today at 10:26 PM Server ready

jail.d/bitwarden.conf

[DEFAULT]

ignoreip = 127.0.0.1/8 192.168.0.0/22
bantime = 3600
findtime = 3600
maxretry = 3
action = iptables-allports[name=bitwarden, chain=DOCKER]

[bitwarden]
enabled = true
port = 80,443,8089,3012
filter = bitwarden
#action = iptables-allports[name=bitwarden, DOCKER-USER]
action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600

[bitwarden-admin]
enabled = false
port = 80,443,8081
filter = bitwarden-admin
##action = iptables-allports[name=bitwarden, chain=forward]
action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
#action = iptables-allports[name=bitwarden]
#chain = DOCKER-USER
logpath = /bitwarden.log
#maxretry = 3
#bantime = 3600
#findtime = 3600

filter.d/bitwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

IPTables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.22.0.108         tcp dpt:ttat3lb
ACCEPT     tcp  --  anywhere             172.22.0.101         tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.22.0.109         tcp dpt:8089
ACCEPT     tcp  --  anywhere             172.22.0.109         tcp dpt:twsdss
ACCEPT     tcp  --  anywhere             172.22.0.107         tcp dpt:intermapper
ACCEPT     tcp  --  anywhere             172.22.0.103         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.102         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.111         tcp dpt:31337
ACCEPT     tcp  --  anywhere             172.33.0.4           tcp dpt:hbci
ACCEPT     tcp  --  anywhere             172.22.0.105         tcp dpt:sunwebadmins
ACCEPT     tcp  --  anywhere             172.22.0.106         tcp dpt:owms
ACCEPT     tcp  --  anywhere             172.22.0.104         tcp dpt:5076
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:https
ACCEPT     tcp  --  anywhere             172.22.0.114         tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-bitwarden  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain f2b-bitwarden (1 references)
target     prot opt source               destination
REJECT     all  --  148.252.132.248      anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Expected behaviour

IP should be banned

Actual behaviour

IP is added to IPtables, but still has access

Configuration

  • Docker version (type docker --version) : Docker version 19.03.5, build 633a0ea838
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.24.1, build 4667896
  • Platform (Debian 9, Ubuntu 18.04, ...) : Fedora
  • System info (type uname -a) :
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

Client:
 Debug Mode: false

Server:
 Containers: 29
  Running: 28
  Paused: 0
  Stopped: 1
 Images: 30
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.19-100.fc27.x86_64
 Operating System: Fedora 27 (Twenty Seven)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.37GiB
 Name: HDA
 ID: Q4JX:I4DV:JYBQ:V35U:7SZG:FIQG:RPJR:5VGZ:TTSC:P5W3:EFBG:IYAJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: modem7
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

block 0.0.0.3 on access from xxx.40.3.197?

Hi,

Why does (crazy-max-docker-)fail2ban block 0.0.0.3, if it sees access from xxx.40.3.173?

with best regards,
I.


===================================================================================================================
conf-file from jail.d:
===================================================================================================================
[DEFAULT]
bantime = 1h
destemail = [email protected]
sender = root@$(hostname -f)
action = %(action_mwl)s

[calweb-auth]
enabled = true
chain = DOCKER-USER
port = http,https
filter = calweb-auth
logpath = /var/log/calibre-web.log

===================================================================================================================
conf-file from filter.d:
===================================================================================================================
[Definition]
failregex = .*Login failed.*<HOST>
ignoreregex =

===================================================================================================================
john01@instance-2:~/yml$ docker logs fail2ban_c 2>&1|tail
2020-09-16 09:27:13,946 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:13,947 fail2ban.filter         [1]: INFO    [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:13
2020-09-16 09:27:18,997 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:18,998 fail2ban.filter         [1]: INFO    [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:18
2020-09-16 09:27:19,128 fail2ban.actions        [1]: NOTICE  [calweb-auth] Ban 0.0.0.3
2020-09-16 09:27:19,242 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:19,243 fail2ban.filter         [1]: INFO    [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:19
2020-09-16 09:27:23,461 fail2ban.ipdns          [1]: WARNING Determined IP using DNS Lookup: 3 = {'0.0.0.3'}
2020-09-16 09:27:23,462 fail2ban.filter         [1]: INFO    [calweb-auth] Found 0.0.0.3 - 2020-09-16 09:27:23
2020-09-16 10:27:18,517 fail2ban.actions        [1]: NOTICE  [calweb-auth] Unban 0.0.0.3
john01@instance-2:~/yml$

===================================================================================================================
john01@instance-2:/var/log$ tail calibre-web.log
[2020-09-16 09:03:32,490]  INFO {cps.server:184} Performing shutdown of Calibre-Web
[2020-09-16 09:04:05,286]  INFO {cps:97} Starting Calibre Web...
[2020-09-16 09:04:05,903]  INFO {cps.server:156} Starting Tornado server on :8083
[2020-09-16 09:26:59,410]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:05,108]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:09,138]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:13,570]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:18,996]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:19,241]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
[2020-09-16 09:27:23,460]  INFO {cps.web:1437} Login failed for user "X" IP-adress: xxx.40.3.173
john01@instance-2:/var/log$

===================================================================================================================
part from docker-compose.yml:
===================================================================================================================
  fail2ban_s:
    restart: always
    image: crazymax/fail2ban:latest
    container_name: fail2ban_c
    network_mode: "host"
    depends_on:
      - calweb_s
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - "./data:/data"
      - "/var/log:/var/log:ro"
    env_file:
      - "./fail2ban.env"

===================================================================================================================
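
An added Python example (not from the issue or this image) that reproduces the behaviour asked about above. In `.*Login failed.*<HOST>` the `.*` before `<HOST>` is greedy, so `<HOST>` is left with the shortest tail of the line that still satisfies it, the single character `3`; fail2ban treats that as a hostname and, with the default `usedns = warn`, resolves it (the `Determined IP using DNS Lookup: 3 = {'0.0.0.3'}` warning in the log). The `<HOST>` stand-in used here is a simplified approximation of fail2ban's placeholder (an assumption; the real expansion is longer but shares the property that it accepts bare hostnames), and the log line is constructed after the Calibre-Web line in the report with a documentation address in place of the redacted one.

```python
import ipaddress
import re

# Constructed sample line, modelled on the Calibre-Web entry quoted in the issue
# (documentation address 203.0.113.173 stands in for the redacted xxx.40.3.173).
LOG_LINE = ('[2020-09-16 09:26:59,410]  INFO {cps.web:1437} '
            'Login failed for user "X" IP-adress: 203.0.113.173')

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: the real
# expansion is more elaborate, but it shares the property that matters here:
# it accepts bare hostnames, so a lone digit such as "3" is a valid match).
HOST = r'(?P<host>[\w\-.^_]*\w)'

# The regex from the report: the greedy ".*" before <HOST> swallows the address
# and leaves <HOST> the shortest tail that still satisfies it, one character.
BUGGY = r'.*Login failed.*' + HOST
# Anchored on the literal text that precedes the address, with "$" so the
# whole address must be consumed. Note the log's own spelling "IP-adress".
FIXED = r'^.*Login failed for user ".*" IP-adress: ' + HOST + r'$'


def extract_host(pattern, line):
    """Return what <HOST> captured for this line, or None if there is no match."""
    m = re.search(pattern, line)
    return m.group('host') if m else None


def is_ip_literal(value):
    """True if the capture is an address, i.e. no DNS lookup would be needed.
    This is the check fail2ban's usedns = no applies: captures that are not
    addresses are dropped instead of being resolved and banned."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for name, pattern in (('buggy', BUGGY), ('fixed', FIXED)):
        host = extract_host(pattern, LOG_LINE)
        print(f'{name:5s} -> {host!r} (ip literal: {is_ip_literal(host)})')
```

Two independent defences follow from this: anchor the failregex on the text that actually precedes the address so `<HOST>` cannot drift, and set `usedns = no` in the jail so a regex slip produces a logged non-address instead of a ban on whatever the resolver returns.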

ARMv7 Image

Hi Max,
Thanks for your hard work on this project!

Can you add an ARMv7 image to make it run on a Raspberry Pi?
I can confirm it works fine if the Dockerfile is built on a pi, so the only change would be to use the Alpine ARMv7 as base image.

Thanks.

Guacamole log filter issue

Don't know what I am doing wrong but can't seem to get the guacamole jail working.
Using the Apache Guacamole container behind a Traefik proxy. Tried manually banning some IPs and the rules are being added in Cloudflare.

fail2ban log output:

2020-02-22 20:52:36,527 fail2ban.CommandAction  [1]: DEBUG     Set name = 'guacamole-auth'
2020-02-22 20:52:36,527 fail2ban.CommandAction  [1]: DEBUG     Set port = 'http,https'
2020-02-22 20:52:36,527 fail2ban.CommandAction  [1]: DEBUG     Set protocol = 'tcp'
2020-02-22 20:52:36,527 fail2ban.CommandAction  [1]: DEBUG     Set chain = '<known/chain>'
2020-02-22 20:52:36,527 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'cloudflare'
2020-02-22 20:52:36,528 fail2ban.CommandAction  [1]: DEBUG     Set cfuser = 'xxxx'
2020-02-22 20:52:36,528 fail2ban.CommandAction  [1]: DEBUG     Set cftoken = 'xxx'
2020-02-22 20:52:36,528 fail2ban.jail           [1]: DEBUG   Starting jail 'guacamole-auth'
2020-02-22 20:52:36,528 fail2ban.filterpyinotif [1]: DEBUG   [guacamole-auth] filter started (pyinotifier)
2020-02-22 20:52:36,528 fail2ban.jail           [1]: INFO    Jail 'guacamole-auth' started
2020-02-22 20:52:36,529 fail2ban.transmitter    [1]: DEBUG   Status: ready
Server ready
2020-02-22 20:53:01,954 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-02-22 20:53:01,954 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-02-22 20:53:01,979 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-02-22 20:53:01,979 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-02-22 20:53:07,132 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-02-22 20:53:07,132 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-02-22 20:53:07,133 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-02-22 20:53:07,133 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-02-22 20:53:07,134 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16

jail.d/guacamole.conf

[DEFAULT]
banaction = cloudflare

[guacamole-auth]
enabled = true
logpath = /var/log/guacamole/guacd.log
port = http,https

bantime = -1
maxretry = 5

filter.d/guacamole-auth.conf

[Definition]
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
ignoreregex =

config/guacamole/logback.xml

<configuration>
        <!-- Appender for debugging -->
        <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Appender for debugging in a file-->
        <appender name="GUAC-DEBUG_FILE" class="ch.qos.logback.core.FileAppender">
                <file>/usr/local/tomcat/logs/guacd.log</file>
                <encoder>
                        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
                </encoder>
        </appender>
        <!-- Log at DEBUG level -->
        <root level="debug">
                <appender-ref ref="GUAC-DEBUG"/>
                <appender-ref ref="GUAC-DEBUG_FILE"/>
        </root>
</configuration>

docker-compose.yaml

fail2ban:
    container_name: fail2ban
    image: crazymax/fail2ban:latest
    restart: always
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /var/log:/var/log
      - ${USERDIR}/docker/fail2ban:/data
      - ${USERDIR}/docker/fail2ban/fail2ban.d:/etc/fail2ban/fail2ban.d
    environment:
      - TZ=${TZ}
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=1d
      - F2B_IPTABLES_CHAIN=DOCKER-USER
      - SSMTP_HOST=smtp.gmail.com
      - SSMTP_PORT=587
      - SSMTP_USER=${SMTP_EMAIL}
      - SSMTP_PASSWORD=${SMTP_PASSWORD} # Create an "app password" if you use 2FA
      - SSMTP_TLS=TLS

jail status

/ # fail2ban-client status guacamole-auth
Status for the jail: guacamole-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/guacamole/guacd.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

regex test

Results
=======

Failregex: 15 total
|-  #) [# of hits] regular expression
|   1) [15] \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [376] {^LN-BEG}24hour:Minute:Second
`-

Lines: 376 lines, 0 ignored, 15 matched, 361 missed
[processed in 0.04 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 361 lines

Overlay network

This looks great. Do you have any idea how I would be able to get this to work on an overlay network? perhaps I'm thinking of this wrong. If I have a swarm and just ran one container per node in host mode does that also block the overlay network?

iptables: No chain/target/match by that name

Sorry I know there are other issues on this and I have read them but still cannot figure out a solution to my problem :/

Behaviour

I have two instances of f2b running: input (ssh) and docker (the postfix service I am having issues with). I followed the examples for ssh and it works great, but I am getting an error for my postfix service.

Configuration

  • Docker version (type docker --version) : Docker version 18.09.1, build 4c52b90
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.21.0, build unknown
  • Postfix is running in another container that I built (with dovecot, spamassassin, etc). Ports 25, 465, and 993 are exposed in this container.
  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian 10
  • System info (type uname -a) : 4.19.118 kernel
  • docker-compose.yml
  f2b-input:
    image: crazymax/fail2ban
    container_name: f2b-input
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    env_file:
      - env/f2b.${ENV}.env
    environment: 
      - "F2B_IPTABLES_CHAIN=INPUT"
    volumes:
      - /opt/f2b-input:/data
      - /var/log:/var/log:ro
    restart: always

  f2b-docker:
    image: crazymax/fail2ban
    container_name: f2b-docker
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    env_file:
      - env/f2b.${ENV}.env
    environment: 
      - "F2B_IPTABLES_CHAIN=DOCKER-USER"
    volumes:
      - /opt/f2b-docker:/data
      - /var/log:/var/log:ro
    restart: always
  • f2b.prd.env
TZ=America/Denver

F2B_LOG_TARGET=STDOUT
F2B_LOG_LEVEL=INFO
F2B_DB_PURGE_AGE=1d
  • Postfix jail
[postfix]
enabled = true
# To use another modes set filter parameter "mode" in jail.local:
filter  = postfix[mode=aggressive]
port    = smtp,465,submission
chain = DOCKER-USER
logpath = %(postfix_log)s
backend = %(postfix_backend)s
  • Default conf
[DEFAULT]
bantime.increment = true
bantime.rndtime = 60
bantime.maxtime = 2592000
bantime.factor = 2
bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = false
ignoreself = true
ignorecommand =
bantime  = 60m
findtime  = 10m
maxretry = 5
maxmatches = %(maxretry)s

Logs

For f2b-docker container:

2020-07-23 21:08:29,136 fail2ban.filter         [1]: INFO    [postfix] Found 185.222.58.118 - 2020-07-23 21:08:29
2020-07-23 21:08:29,280 fail2ban.actions        [1]: NOTICE  [postfix] Ban 185.222.58.118
2020-07-23 21:08:29,288 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: Chain already exists.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- returned 1
2020-07-23 21:08:29,290 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'postfix' action 'iptables-multiport' info 'ActionInfo({'ip': '185.222.58.118', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f504a851dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f504a84c4c0>})': Error starting action Jail('postfix')/iptables-multiport: 'Script error'
2020-07-23 21:08:35,738 fail2ban.filter         [1]: INFO    [postfix] Found 212.70.149.67 - 2020-07-23 21:08:35

fail2ban logs

I moved to your image from a previous docker implementation and before that from fail2ban installed on the host. Much prefer running it in docker.

However I had a couple of scripts running which parsed the fail2ban logs and performed actions when certain events occurred (e.g. triggered Slack and Pushbullet notifications to supplement the emails). Typically the logs get written to /var/log/fail2ban.log.

Is there any way to write the fail2ban logs to a file with this image?
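
The request above, and the failed ban action in the postfix report earlier on this page, both come down to watching fail2ban's own log. This image's F2B_LOG_TARGET accepts a file path, so the log can be written under the /data volume (the first report on this page shows `logging to /data/fail2ban.log`) and read by a notifier from the host. The following Python is an added example, not part of this image or of any issue here: it reduces fail2ban log text to Ban/Unban events, per-jail match counts and failed ban actions (the `Script error` case quoted earlier), and turns them into messages a Slack, Pushbullet or mail hook can forward. The sample log is constructed after the lines quoted on this page with documentation addresses substituted.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Prefix fail2ban puts on every line it logs:
# "<date> <time>,<ms> <logger> [<pid>]: <LEVEL> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+"
    r"(?P<logger>fail2ban\.\S+)\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
# Jail events: "[jail] Found <ip> - <date>", "[jail] Ban <ip>", "[jail] Unban <ip>"
EVENT_RE = re.compile(r"^\[(?P<jail>[^\]]+)\]\s+(?P<verb>Found|Ban|Unban)\s+(?P<ip>\S+)")
# Action failure reported by fail2ban.actions
ACTION_FAIL_RE = re.compile(
    r"^Failed to execute (?P<phase>\w+) jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
)
# Captured stderr of the action script, logged by fail2ban.utils
STDERR_RE = re.compile(r"-- stderr: '(?P<err>.*)'$")


@dataclass
class Summary:
    bans: list = field(default_factory=list)             # (ts, jail, ip)
    unbans: list = field(default_factory=list)           # (ts, jail, ip)
    found: Counter = field(default_factory=Counter)      # jail -> matched log lines
    action_failures: list = field(default_factory=list)  # (ts, jail, action)
    script_errors: list = field(default_factory=list)    # raw stderr text from actions
    unparsed: int = 0                                    # lines without the fail2ban prefix


def parse_fail2ban_log(text):
    """Reduce raw fail2ban log text to the events a notifier cares about."""
    s = Summary()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # Multi-line "exec:" dumps continue without a prefix; count, don't fail.
            s.unparsed += 1
            continue
        ts, msg = m["ts"], m["msg"]
        ev = EVENT_RE.match(msg)
        if ev:
            if ev["verb"] == "Ban":
                s.bans.append((ts, ev["jail"], ev["ip"]))
            elif ev["verb"] == "Unban":
                s.unbans.append((ts, ev["jail"], ev["ip"]))
            else:
                s.found[ev["jail"]] += 1
            continue
        af = ACTION_FAIL_RE.match(msg)
        if af:
            s.action_failures.append((ts, af["jail"], af["action"]))
            continue
        se = STDERR_RE.search(msg)
        if se:
            s.script_errors.append(se["err"])
    return s


def alerts(summary):
    """Human-readable messages to hand to Slack, Pushbullet, mail, etc."""
    out = [f"{jail}: banned {ip} at {ts}" for ts, jail, ip in summary.bans]
    for ts, jail, action in summary.action_failures:
        detail = "; ".join(summary.script_errors) or "no stderr captured"
        out.append(f"{jail}/{action}: ban action FAILED at {ts} ({detail})")
    return out


# Constructed sample, shaped like the log lines quoted on this page.
SAMPLE_LOG = """\
2020-07-23 21:08:29,136 fail2ban.filter         [1]: INFO    [postfix] Found 203.0.113.118 - 2020-07-23 21:08:29
2020-07-23 21:08:29,280 fail2ban.actions        [1]: NOTICE  [postfix] Ban 203.0.113.118
2020-07-23 21:08:29,288 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: Chain already exists.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- returned 1
2020-07-23 21:08:29,290 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'postfix' action 'iptables-multiport' info 'ActionInfo(...)': Error starting action Jail('postfix')/iptables-multiport: 'Script error'
2020-07-23 22:08:29,300 fail2ban.actions        [1]: NOTICE  [postfix] Unban 203.0.113.118
2020-07-23 22:09:00,001 fail2ban.actions        [1]: NOTICE  [sshd] Ban 198.51.100.7
"""

if __name__ == "__main__":
    for message in alerts(parse_fail2ban_log(SAMPLE_LOG)):
        print(message)
```

A failed ban action is the event most worth alerting on: the jail has decided to ban, nothing is blocking, and only the log says so. Feeding `parse_fail2ban_log` the file named in F2B_LOG_TARGET (or `docker logs` output, which has the same line format) is enough for the notifier scripts described above.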

fail2ban using iptables-legacy instead of iptables

Behaviour

In this comment, it is mentioned that you can use iptables -S | grep f2b to see the banned IPs in iptables; when I try to do that I get this:

~$ sudo iptables -S | grep f2b
# Warning: iptables-legacy tables present, use iptables-legacy to see them
~$ sudo iptables-legacy -S | grep f2b
-A f2b-sshd -s 1.11.201.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 1.10.133.55/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 1.1.186.208/32 -j REJECT --reject-with icmp-port-unreachable
etc.

Steps to reproduce this issue

  1. Follow the docs at the sshd example

Configuration

  • Docker version (type docker --version) : Docker version 19.03.12, build 48a66213fe
  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian GNU/Linux 10 (buster)
  • System info (type uname -a) : Linux apollo 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64 GNU/Linux

Docker info

Client:
 Debug Mode: false

Server:
 Containers: 6
  Running: 6
  Paused: 0
  Stopped: 0
 Images: 77
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.19.0-8-amd64
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.902GiB
 Name: apollo
 ID: CQKT:FWY5:L44P:4CX5:CEER:W6SM:YKZT:FPD7:VNHL:3D4V:BARG:MKYB
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Logs

gist
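
An added example (not from this image or any issue on this page) for the check the report above amounts to: comparing what fail2ban believes it has banned with what the iptables backend actually holds. It parses `iptables -S` style output like the lines quoted above and classifies each expected ban as present, lacking its `f2b-<jail>` chain altogether (what the nft-backed `iptables -S` showed here while the rules lived in iptables-legacy), chain present but not hooked from a parent chain such as INPUT or DOCKER-USER (a state consistent with the `Chain already exists` / `No chain/target/match by that name` errors reported earlier on this page), or chain hooked but missing the address. The dumps are constructed with documentation addresses; `expected_bans` would normally come from the fail2ban log or `fail2ban-client status <jail>`.

```python
import ipaddress
import re

# Rule lines as printed by "iptables -S", "iptables-legacy -S" or "iptables-save".
NEW_RE = re.compile(r"^-N (?P<chain>f2b-\S+)$")
BAN_RE = re.compile(r"^-A (?P<chain>f2b-\S+) -s (?P<src>\S+) -j (?:REJECT|DROP)\b")
HOOK_RE = re.compile(r"^-A (?P<parent>\S+) .*-j (?P<chain>f2b-\S+)$")


def parse_iptables_dump(text):
    """Return (f2b chains, chain -> parent it is hooked from, chain -> banned networks)."""
    chains, hooks, bans = set(), {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # e.g. the iptables-legacy warning line
            continue
        m = NEW_RE.match(line)
        if m:
            chains.add(m["chain"])
            continue
        m = BAN_RE.match(line)
        if m:
            bans.setdefault(m["chain"], set()).add(
                ipaddress.ip_network(m["src"], strict=False))
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks[m["chain"]] = m["parent"]
    return chains, hooks, bans


def reconcile(expected_bans, dump_text):
    """Classify each (jail, ip) that fail2ban reports as banned against the dump."""
    chains, hooks, bans = parse_iptables_dump(dump_text)
    report = {"ok": [], "missing_chain": [], "unhooked_chain": [], "missing_rule": []}
    for jail, ip in expected_bans:
        chain = f"f2b-{jail}"
        addr = ipaddress.ip_address(ip)
        if chain not in chains:
            report["missing_chain"].append((jail, ip))
        elif chain not in hooks:
            report["unhooked_chain"].append((jail, ip))
        elif not any(addr in net for net in bans.get(chain, ())):
            report["missing_rule"].append((jail, ip))
        else:
            report["ok"].append((jail, ip))
    return report


# Constructed dumps (documentation addresses), shaped like the output quoted above.
LEGACY_DUMP = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 203.0.113.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.55/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""
# What the nft-backed "iptables -S" showed in the report: no f2b chain at all.
NFT_DUMP = """\
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
"""
# Chain created, but the "-I DOCKER-USER ... -j f2b-postfix" hook never landed.
UNHOOKED_DUMP = """\
-N DOCKER-USER
-N f2b-postfix
-A f2b-postfix -s 203.0.113.118/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -j RETURN
"""
EXPECTED = [("sshd", "203.0.113.18"), ("sshd", "198.51.100.55"), ("sshd", "192.0.2.9")]

if __name__ == "__main__":
    for name, dump in (("legacy", LEGACY_DUMP), ("nft", NFT_DUMP)):
        print(name, reconcile(EXPECTED, dump))
    print("unhooked", reconcile([("postfix", "203.0.113.118")], UNHOOKED_DUMP))
```

Run it against the dump from whichever `iptables` binary the host's packet path actually uses; an `ok` under `iptables-legacy -S` but `missing_chain` under `iptables -S` is exactly the backend mismatch described above, and `unhooked_chain` means the ban rule exists but no traffic is ever routed through it.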

Fail2Ban Banning but not Blocking

Hello people,

I set up Fail2Ban with bitwarden_rs and while it seems to ban the IP in the logs, I can still successfully log in with the correct password. I am using Traefik 1.7 Maroilles as a reverse proxy to access BitwardenRS. What I have tried till now to fix the issue:

  • I have added the server port and the reverse proxy port in addition to the BitwardenRS container's ports.
  • I have added /action.d/iptables-allports.local to try to kill any existing connections
  • I have added chain=FORWARD to the /jail.d/bitwarden.local file even if I don't need it, I think, as I'm using a reverse proxy
  • Timezones are correct everywhere
  • I tried also with cellular data just to be sure.

Logs:
The IP, I suppose, as it's through the Docker network, is different from the "real" one; not sure how to configure it to show it properly (tried with a LAN device as well as mobile data)

2020-07-05 18:32:22,123 fail2ban.filter [1]: INFO [bitwarden] Found myip- 2020-07-05 18:32:22
2020-07-05 18:32:23,456 fail2ban.actions [1]: NOTICE [bitwarden] myip already banned

I'm putting it as an image and not as text, as every time I paste it all the formatting goes to hell and it's not easily writable.

image

docker compose file

image

Any idea what's wrong? Any tip or suggestion would be really helpful as I cannot figure out what's wrong.

update:
After some attempts I see that the loading button is just looping, giving me hope that the IP is banned, but then refreshing the page and entering my normal credentials gives me access once again. Also I'm making the test with a phone on cellular data and I see that the IP doesn't match the ones in the log, probably because of Docker networking, but I'm still not sure if that's OK. What I tried:

  1. action = iptables-allports[name=bitwarden]
  2. action = iptables-allports[name=bitwarden, chain=DOCKER-USER]
  3. action = iptables-allports[name=bitwarden, chain=FORWARD]

I always restarted the container but none of these seems to work. I also tried to change in the docker compose file the

network_mode: "host" to network_mode: "bridge"

and tried once again all 3 of the above action configurations but still nothing. Traefik, the reverse proxy, is configured with Cloudflare, if that helps somehow.

traefik 2.1 not working (can't set timezone in traefik accesslogs [always UTC])

There are multiple closed issues about traefik, and I read most of them...I still can't figure out what I'm doing wrong...I use traefik with basic auth on docker containers...I followed exactly your steps...ssh is working, traefik not...it simply shows no action in the logs...except that it is adding the traefik access log...please help!

Log attachment automation

Hi Max,
Thanks for all your hard work on this project!

I was wondering about the log system implementation with compose though. Since the startup requires logs -f, I'm wondering how I might bake this into restart policies? If the system goes down, or the docker gets detached from the console log output for some reason...would you have any recommendations for tying them together?

Thanks

iptables: Chain already exists + No chain/target/match by that name

Behaviour

Fail2Ban container running on a Raspberry Pi 4, failing to properly ban IPs.

Steps to reproduce this issue

  1. Implement Basic Auth with Traefik
  2. Set up the logs properly
  3. Turn on [traefik-auth] jail

Expected behaviour

The ban phase works and the iptables action works.

Actual behaviour

The ban phase works, but the action fails for some reason.
It's the same issue as #55, but it was never resolved.

Configuration

  • Docker version (type docker --version) : Docker version 19.03.13, build 4484c46
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.27.3, build unknown
  • Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Pi OS (previously called Raspbian), Raspbian GNU/Linux 10 (buster), I think based on Debian 10
  • System info (type uname -a) : Linux raspberrypi 5.4.51-v7l+ #1333 SMP Mon Aug 10 16:51:40 BST 2020 armv7l GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...
docker-compose.yml
fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    security_opt:
      - no-new-privileges:true
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ./fail2ban:/data
      - /var/log:/var/log:ro
      - ./traefik/traefik.log:/logextra/traefik.log:ro
    environment:
      - TZ=${TZ}
      - F2B_LOG_TARGET=${FAIL2BAN_F2B_LOG_TARGET}
      - F2B_LOG_LEVEL=${FAIL2BAN_F2B_LOG_LEVEL}
      - F2B_DB_PURGE_AGE=${FAIL2BAN_F2B_DB_PURGE_AGE}
      - SSMTP_HOST=${FAIL2BAN_SSMTP_HOST}
      - SSMTP_PORT=${FAIL2BAN_SSMTP_PORT}
      - SSMTP_HOSTNAME=${FAIL2BAN_SSMTP_HOSTNAME}
      - SSMTP_USER=${FAIL2BAN_SSMTP_USER}
      - SSMTP_PASSWORD=${FAIL2BAN_SSMTP_PASSWORD}
      - SSMTP_TLS=${FAIL2BAN_SSMTP_TLS}
    restart: unless-stopped
.env (relevant info only ^^)
FAIL2BAN_F2B_LOG_TARGET=STDOUT
FAIL2BAN_F2B_LOG_LEVEL=INFO
FAIL2BAN_F2B_DB_PURGE_AGE=1d
jail.local
[DEFAULT]
bantime = 1h
maxretry = 3
findtime = 1h
ignoreip = 127.0.0.1/8 ::1
enabled = false
mode = normal
destemail = root@localhost
sender = root@$(hostname -f)
action = %(action_mwl)s
port = 0:65535
banaction = iptables-multiport
jail.d/traefik.local
[traefik-auth]
enabled  = true
chain    = DOCKER-USER
port     = http,https
filter   = traefik-auth
logpath  = /logextra/traefik.log

Docker info

Client:
 Debug Mode: false

Server:
 Containers: 9
  Running: 9
  Paused: 0
  Stopped: 0
 Images: 10
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.4.51-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 7.691GiB
 Name: raspberrypi
 ID: HNQJ:2QLW:NIJP:OCJQ:6RLW:B7TX:EGNG:VBNS:MLKF:76S3:DMWF:CWNU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Logs

2020-10-22 02:32:30,216 fail2ban.server         [1]: INFO    Starting Fail2ban v0.11.1
2020-10-22 02:32:30,220 fail2ban.observer       [1]: INFO    Observer start...
2020-10-22 02:32:30,225 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2020-10-22 02:32:30,228 fail2ban.jail           [1]: INFO    Creating new jail 'traefik-auth'
2020-10-22 02:32:30,251 fail2ban.jail           [1]: INFO    Jail 'traefik-auth' uses pyinotify {}
2020-10-22 02:32:30,253 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2020-10-22 02:32:30,259 fail2ban.filter         [1]: INFO      maxRetry: 5
2020-10-22 02:32:30,260 fail2ban.filter         [1]: INFO      findtime: 600
2020-10-22 02:32:30,260 fail2ban.actions        [1]: INFO      banTime: 600
2020-10-22 02:32:30,261 fail2ban.filter         [1]: INFO      encoding: UTF-8
2020-10-22 02:32:30,262 fail2ban.filter         [1]: INFO    Added logfile: '/logextra/traefik.log' (pos = 0, hash = 550e4202c7074eb9b0faf38a81af86cde593562a)
2020-10-22 02:32:30,732 fail2ban.jail           [1]: INFO    Jail 'traefik-auth' started
Server ready
2020-10-22 05:01:04,088 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:03
2020-10-22 05:01:05,832 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:05
2020-10-22 05:01:07,787 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:07
2020-10-22 05:01:09,397 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:09
2020-10-22 05:01:16,077 fail2ban.filter         [1]: INFO    [traefik-auth] Found 10.2.0.5 - 2020-10-22 05:01:16
2020-10-22 05:01:16,161 fail2ban.actions        [1]: NOTICE  [traefik-auth] Ban 10.2.0.5
2020-10-22 05:01:16,197 fail2ban.utils          [1]: ERROR   b63d76e0 -- exec: iptables -w -N f2b-traefik-auth
iptables -w -A f2b-traefik-auth -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-traefik-auth
2020-10-22 05:01:16,198 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: Chain already exists.'
2020-10-22 05:01:16,199 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-10-22 05:01:16,200 fail2ban.utils          [1]: ERROR   b63d76e0 -- returned 1
2020-10-22 05:01:16,201 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'traefik-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '10.2.0.5', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0xb65ef658>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0xb65ef9b8>})': Error starting action Jail('traefik-auth')/iptables-multiport: 'Script error'

Ipv6 support with Ubuntu

Behaviour

Tried to ssh in from an IPv6 host, which showed in the logs when the attempts failed. After the third try, fail2ban attempted to ban the IP address, which it managed to do in its database, but ip6tables failed. On a subsequent attempt, the same log lines appeared, and it seemed like I could try to log in again. After three attempts, a message appeared in the log stating that the IP is already banned.

Steps to reproduce this issue

  1. Start up multi-container example with sshd jail on INPUT chain
  2. Attempt three failed login attempts from ipv6 address
  3. Observe error message below in the logs

Expected behaviour

IP should be banned

Actual behaviour

IP is not banned, and the below is observed in the logs;

Suggested fix

Install insmod via the kmod package. I did this in the running container, and on a subsequent attempt the IP was successfully banned.

Configuration

  • Docker version (type docker --version) : 18.06.1-ce, build e68fc7a
  • Docker compose version if applicable (type docker-compose --version) : 1.19.0, build 9e633ef
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 18.04.2
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

Containers: 9
 Running: 7
 Paused: 0
 Stopped: 2
Images: 33
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-36-generic
Operating System: Ubuntu 18.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.9GiB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Logs

2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- returned 3
2019-05-05 23:55:19,447 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '2a02:2121:343:a0d4:*something more*', 'fid': <function <lambda> at 0x7fe1bd8bb320>, 'family': 'inet6', 'raw-ticket': <function <lambda> at 0x7fe1bd8bb7d0>})': Error starting action Jail('sshd')/iptables-multiport
2019-05-05 23:56:47,178 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:46
2019-05-05 23:56:52,592 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:52
2019-05-05 23:56:54,614 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:54
2019-05-05 23:56:54,642 fail2ban.actions        [1]: WARNING [sshd] 2a02:2121:343:a0d4:*something more* already banned

"fail2ban does not resolve" message filling the logs

Behaviour

Hi, sorry if I missed something, but there are a lot of these lines being spat out in the logs:

fail2ban.ipdns [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve

Sadly I was unable to find the reason behind it. Is it a misconfiguration? Nothing to worry about? Can I turn it off?

Thanks in advance!

Steps to reproduce this issue

The following configuration may give a hint?

docker-compose:

    fail2ban:
        container_name: fail2ban
        hostname: fail2ban
        image: crazymax/fail2ban:latest
        network_mode: "host"
        restart: always
        cap_add:
            - NET_ADMIN
            - NET_RAW
        volumes:
            - /var/log:/var/log:ro
            - ./fail2ban:/data

also, taken from your traefik tutorial:

  • ./fail2ban/action.d/traefik-auth.conf
  • ./fail2ban/action.d/traefik-botsearch.conf

jails:

  • ./fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = 2424
filter = sshd
logpath = /var/log/auth.log
findtime = 3600
maxretry = 3
bantime  = 604800
ignoreip = 127.0.0.1/8 x.x.x.x
banaction = iptables-allports[name=sshBan, chain=INPUT, protocol=all]
			cloudflare
  • ./fail2ban/jail.d/traefik.local
[traefik-auth]
enabled = true
port = http,https
filter = traefik-auth
logpath = /var/log/traefik/access.log
findtime = 3600
maxretry = 5
bantime  = 604800
ignoreip = 127.0.0.1/8 x.x.x.x
banaction = iptables-allports[name=traefikAuth, chain=DOCKER-USER, protocol=all]
			cloudflare

[traefik-botsearch]
enabled = true
port = http,https
filter = traefik-botsearch
logpath = /var/log/traefik/access.log
findtime = 3600
maxretry = 5
bantime  = 604800
ignoreip = 127.0.0.1/8 x.x.x.x
banaction = iptables-allports[name=traefikBot, chain=DOCKER-USER, protocol=all]
			cloudflare
			

and additional action "cloudflare.local" for banning..

Expected behaviour

Don't print INFO/Errors?

Actual behaviour

Everything seems to work properly, but the INFO message keeps appearing.

Configuration

  • Docker version (type docker --version) : Docker version 19.03.12, build 48a66213fe
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.18.0, build 8dd22a9
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 18.04
  • System info (type uname -a) : Linux hexx.one 4.15.0-115-generic #116-Ubuntu SMP Wed Aug 26 14:04:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ... done (see "reproduce")

Docker info

> Output of command `docker info`

Client:
 Debug Mode: false

Server:
 Containers: 12
  Running: 12
  Paused: 0
  Stopped: 0
 Images: 27
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-115-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: XXXXXXXXX
 Name: hexx.one
 ID: XXXXXXXXXXXXXXXXXXXXXX
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Logs


2020-09-07 14:53:31,516 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve
2020-09-07 14:53:31,516 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve
2020-09-07 15:16:01,899 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve
2020-09-07 15:56:46,696 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve
2020-09-07 16:02:28,319 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for fail2ban: [Errno -2] Name does not resolve

etc...

"iptables: No chain/target/match by that name"

Behaviour

Fail2ban tries to ban an IP, but the ban does not take effect on the host machine and a "Script error" is seen in the container log: "iptables: No chain/target/match by that name".

Steps to reproduce this issue

I deploy the container using the exact command listed in the readme:

sudo docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest

I then set up a jail.local file in data/jail.d/, and restart the fail2ban container.

This is the jail:

[DEFAULT]

ignoreip = 127.0.0.0/8
bantime  = 1d
findtime  = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5

I then attempt to SSH into the host machine and use the wrong password 5+ times, causing fail2ban to ban my address.

If I connect to the container and run the command `fail2ban-client status sshd`, it shows this output:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     16
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.0.225

Expected behaviour

When I try to SSH into my host machine with the correct password, I should get immediately rejected.

Actual behaviour

I SSH into the machine as normal and nothing stops my connection.

Configuration

Running on Debian 10

Docker info

Docker version 19.03.5, build 633a0ea838

Logs

2020-02-08 02:58:48,411 fail2ban.actions        [1]: NOTICE  [sshd] Ban 192.168.0.225
2020-02-08 02:58:48,429 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- exec: iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports ssh -j f2b-sshd
2020-02-08 02:58:48,430 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-02-08 02:58:48,430 fail2ban.utils          [1]: ERROR   7f2f45a329f0 -- returned 1
2020-02-08 02:58:48,430 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '192.168.0.225', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f2f45a19dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f2f45a184c0>})': Error starting action Jail('sshd')/iptables-multiport: 'Script error'

(further down in the log, after the above message)

2020-02-08 02:58:51,574 fail2ban.filter         [1]: INFO    [sshd] Found 192.168.0.225 - 2020-02-08 02:58:51
2020-02-08 02:58:52,230 fail2ban.actions        [1]: NOTICE  [sshd] 192.168.0.225 already banned

Note

I am running the default version of Docker with no edited settings.

Here is my sudo iptables -L output: https://pastebin.com/uw7mVyPr.

Multiple containers for banning multiple chains?

One question please:
Why is it advised to use a second container when banning with iptables on the chains DOCKER-USER and INPUT at the same time, as shown here:
https://github.com/crazy-max/docker-fail2ban/blob/master/examples/compose-multi/docker-compose.yml

Wouldn't it be enough to use just one container and extend the used action to just add the second chain to iptables?

Something like this:

actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I INPUT -p <protocol> -j f2b-<name>
              <iptables> -I DOCKER-USER -p <protocol> -j f2b-<name>

sshd: can't find failed attempts

Hi, I successfully set up fail2ban to block Traefik error 401, but it seems like the regex can't pick up my sshd failed attempts.

I have this log when I enable debug and an attempt is made:
[1]: DEBUG /var/log/auth.log has been modified

On auth.log I have this log:

sshd[27292]: input_userauth_request: invalid user xxxx [preauth]
sshd[27292]: pam_unix(sshd:auth): check pass; user unknown
sshd[27292]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x
sshd[27292]: Failed password for invalid user xxxx from x.x.x.x port 54768 ssh2
sshd[27292]: Received disconnect from x.x.x.x port 54768:11: Bye Bye [preauth]
sshd[27292]: Disconnected from x.x.x.x port 54768 [preauth]

I used your example; do you know why it would fail this way?
Thanks for this Docker image by the way; there is more documentation and all options seem easier to use than in other images.

SMTP example?

Is there a good example config for the SMTP setup?
I've set up the ENV but can't get it to fire on a ban....

sendmail [email protected] works fine though, so the wiring is correct, but my jail/f2b config is clearly "not right"

Pointers appreciated :)

doesn't work on Fedora

2019-12-06 10:42:27,108 fail2ban.jailreader     [1]: NOTICE  No file(s) found for glob /var/log/auth.log
2019-12-06 10:42:27,108 fail2ban                [1]: ERROR   Failed during configuration: Have not found any log file for sshd jail
2019-12-06 10:42:27,108 fail2ban                [1]: ERROR   Async configuration of server failed
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/fail2ban/client/fail2banserver.py", line 189, in start
    raise ServerExecutionException('Async configuration of server failed')
fail2ban.client.fail2bancmdline.ServerExecutionException: Async configuration of server failed

It may be caused by this setting in jail.conf:

before = path-debian.conf

How to override this option to path-fedora.conf? Thanks.

Default chain does not block ssh traffic

Hi, I'm using Debian 9.6 and Docker version 18.06.1-ce. sshd is on the default port 22 and I'm using the example sshd.conf.
I found many "already banned" messages in the logs. I tried to ban myself and realised I could still connect to ssh while being banned.

iptables line inserted by fail2ban:
REJECT all -- xx.xx.xx.xx anywhere reject-with icmp-port-unreachable

It appears the DOCKER-USER chain does not block ssh traffic at all for me.
I had to set environment to : - F2B_IPTABLES_CHAIN=INPUT

I'm using a traefik rule that works fine.
Here's my thought: the DOCKER-USER chain works fine for blocking a container, but blocking sshd on the host does not work. If that is the case, it would be nice to add a warning to the documentation.
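
From an operator's point of view this report and the earlier "Chain already exists", IPv6 and "No chain/target/match by that name" reports describe one failure mode: fail2ban records the ban in its database, nothing is actually blocked, and the only visible symptom is a repeating "already banned" line. The script below is an added example, not code from the image, from fail2ban or from any reporter, that audits a fail2ban log for exactly that. It pairs each `Ban` with a following `Failed to execute ban` error, maps the iptables stderr texts quoted on this page to their causes, and flags `already banned` messages as evidence that a banned address is still getting through. The sample log is constructed for the example and modelled on the excerpts above; the regexes and the cause explanations are this example's own. The chain remark in the `audit` docstring relies on one fact about Docker: DOCKER-USER is jumped to from FORWARD, so it only sees traffic forwarded to containers, never packets addressed to host services such as sshd.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed fail2ban log, modelled on the excerpts quoted in the reports
# above (addresses are documentation ranges, not real hosts).
FAIL2BAN_LOG = """\
2020-10-22 05:01:16,161 fail2ban.actions        [1]: NOTICE  [traefik-auth] Ban 10.2.0.5
2020-10-22 05:01:16,197 fail2ban.utils          [1]: ERROR   b63d76e0 -- exec: iptables -w -N f2b-traefik-auth
iptables -w -A f2b-traefik-auth -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports http,https -j f2b-traefik-auth
2020-10-22 05:01:16,198 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: Chain already exists.'
2020-10-22 05:01:16,199 fail2ban.utils          [1]: ERROR   b63d76e0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-10-22 05:01:16,200 fail2ban.utils          [1]: ERROR   b63d76e0 -- returned 1
2020-10-22 05:01:16,201 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'traefik-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '10.2.0.5', 'family': 'inet4'})': Error starting action Jail('traefik-auth')/iptables-multiport: 'Script error'
2020-10-22 05:03:00,000 fail2ban.actions        [1]: NOTICE  [traefik-auth] 10.2.0.5 already banned
2020-10-22 05:10:00,000 fail2ban.actions        [1]: NOTICE  [sshd] Ban 192.0.2.9
2020-10-22 05:12:00,000 fail2ban.actions        [1]: NOTICE  [sshd] 192.0.2.9 already banned
2020-10-22 05:20:00,000 fail2ban.actions        [1]: NOTICE  [sshd] Ban 2001:db8::1
2020-10-22 05:20:00,010 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2020-10-22 05:20:00,020 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '2001:db8::1', 'family': 'inet6'})': Error starting action Jail('sshd')/iptables-multiport
"""

# One fail2ban log line: timestamp, logger, [pid], level, message.
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} (?P<logger>\S+)\s+\[\d+\]: "
                  r"(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
BAN = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
ALREADY = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned$")
FAILED = re.compile(r"^Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)' "
                    r"info 'ActionInfo\(\{'ip': '(?P<ip>[^']+)'")
STDERR = re.compile(r"^\S+ -- stderr: ['\"](?P<text>.*)['\"]$")

# iptables/ip6tables error texts seen in this image's logs and what each one
# means when the container shares the host's network namespace.
CAUSES: Dict[str, str] = {
    "Chain already exists":
        "a f2b-<jail> chain from an earlier run is still present on the host, so "
        "actionstart's 'iptables -N' fails; delete the stale chain or stop the "
        "container cleanly so actionstop can remove it",
    "No chain/target/match by that name":
        "the chain named in the rule (for example DOCKER-USER) is not visible to the "
        "container's iptables; check it exists on the host and that host and "
        "container use the same iptables backend (legacy vs nft)",
    "Table does not exist (do you need to insmod?)":
        "the kernel module for that table (for ip6tables, ip6table_filter) is not "
        "loaded and the container cannot modprobe it; load it on the host",
}


@dataclass
class Finding:
    jail: str
    ip: str
    problem: str
    causes: List[str] = field(default_factory=list)


def audit(log_text: str) -> List[Finding]:
    """Single pass over the log. Flags (1) bans whose firewall action failed,
    with the stderr texts that explain why, and (2) 'already banned' messages,
    which mean the address kept producing failures after its ban: either the
    ban never reached the firewall, or the rule sits in a chain this traffic
    does not traverse (DOCKER-USER only sees forwarded container traffic,
    not packets addressed to host services such as sshd)."""
    applied: Dict[Tuple[str, str], bool] = {}
    stderr_texts: List[str] = []
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines of a multi-line 'exec:' dump
        msg = m["msg"]
        if b := BAN.match(msg):
            applied[(b["jail"], b["ip"])] = True
            stderr_texts = []
        elif s := STDERR.match(msg):
            stderr_texts.append(s["text"])
        elif f := FAILED.match(msg):
            applied[(f["jail"], f["ip"])] = False
            causes = [needle for needle in CAUSES if any(needle in t for t in stderr_texts)]
            findings.append(Finding(f["jail"], f["ip"], f"ban action '{f['action']}' failed", causes))
            stderr_texts = []
        elif a := ALREADY.match(msg):
            if applied.get((a["jail"], a["ip"]), True):
                problem = "still failing after ban: rule applied but not blocking this traffic (wrong chain?)"
            else:
                problem = "still failing after ban: ban was never applied to the firewall"
            findings.append(Finding(a["jail"], a["ip"], problem))
    return findings


def report(findings: List[Finding]) -> str:
    """Human-readable summary, one line per finding plus an indented cause line each."""
    lines = []
    for f in findings:
        lines.append(f"[{f.jail}] {f.ip}: {f.problem}")
        for needle in f.causes:
            lines.append(f"    {needle}: {CAUSES[needle]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(FAIL2BAN_LOG)))
```

Run it against a real log with `docker logs fail2ban 2>&1 | python3 audit.py` after swapping the constant for `sys.stdin.read()`; any finding means the ban shown by `fail2ban-client status <jail>` is not what the firewall is enforcing.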

ignoreips

Thanks for the great image.

While I can manually map my own jail.local and include the ignoreip config setting I'd rather not do that since you've got everything else working through env vars.

Can we add another env var for ignoreip?

Traefik auth filter

Behaviour

It's more feedback than a bug report. But as I'm not a GitHub expert... I open an issue.. bear with me :)
Using Traefik 2.x, I was not able to use the example traefik-auth filter.
I don't know why honestly.

So just to say that I adapted the regex to something like:
failregex = ^<HOST> \- \- \[\] \"(POST|HEAD|GET) [^"]+" 401\b and it worked.

And seeing all the s***t issuing requests, based on the model of badbots and botsearch, I made some other filters that I could share.

Well, this is not a bug, more a share, and again thank you for all your images!
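
Both this report and the earlier "sshd: can't find failed attempts" one come down to the same question: does the failregex actually match the lines in the log once fail2ban has removed the timestamp and expanded `<HOST>`? The script below is an added example (not code from the image, from fail2ban, or from either reporter) that emulates that matching step in Python for the two log shapes on this page: an sshd auth.log line and a Traefik access-log line in Common Log Format. The sample lines are constructed; the `<HOST>` expansion and the timestamp stripping are simplified stand-ins for fail2ban's own, and the two failregex patterns are written for this example rather than copied from any shipped filter. The real tool for this check is `fail2ban-regex <logfile> <filter>` inside the container; the script shows what that tool is doing.

```python
import re
from collections import defaultdict

# Constructed sample input (not from a real host). The sshd lines follow the
# shape of the auth.log excerpt quoted above; the Traefik lines use the Common
# Log Format that Traefik's access log writes by default.
AUTH_LOG = """\
Oct 22 05:01:03 host sshd[27292]: input_userauth_request: invalid user xxxx [preauth]
Oct 22 05:01:03 host sshd[27292]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Oct 22 05:01:03 host sshd[27292]: Failed password for invalid user xxxx from 203.0.113.7 port 54768 ssh2
Oct 22 05:01:05 host sshd[27292]: Failed password for invalid user xxxx from 203.0.113.7 port 54768 ssh2
Oct 22 05:01:09 host sshd[27300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Oct 22 05:01:12 host sshd[27301]: Failed password for root from 2001:db8::1 port 51000 ssh2
"""

TRAEFIK_LOG = """\
203.0.113.7 - - [22/Oct/2020:05:01:03 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.64.0" 12 "admin@docker" "http://172.18.0.5:8080" 1ms
203.0.113.7 - - [22/Oct/2020:05:01:05 +0000] "POST /admin/login HTTP/1.1" 401 17 "-" "curl/7.64.0" 13 "admin@docker" "http://172.18.0.5:8080" 1ms
198.51.100.4 - alice [22/Oct/2020:05:01:09 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Mozilla/5.0" 14 "admin@docker" "http://172.18.0.5:8080" 3ms
"""

# fail2ban replaces the <HOST> placeholder in a failregex with a named group
# matching an IP address or hostname. This stand-in is a simplification of
# fail2ban's own expansion (an assumption of this example).
HOST = r"(?P<host>[0-9A-Fa-f:.]+|[\w.-]+)"

# fail2ban strips the timestamp it recognised from each line before applying
# failregex. The two helpers below emulate that for syslog and for CLF lines;
# for CLF the surrounding brackets stay behind, which is why filters for
# access logs contain the literal "\[\]".
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
CLF_DATE = re.compile(r"\[\d\d/[A-Z][a-z]{2}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4}\]")


def strip_syslog_date(line: str) -> str:
    return SYSLOG_DATE.sub("", line, count=1)


def strip_clf_date(line: str) -> str:
    return CLF_DATE.sub("[]", line, count=1)


# Two failregex patterns in fail2ban's style, simplified for this example;
# they are not the filters shipped with fail2ban or with the image's examples.
SSHD_FAILREGEX = r"^\S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$"
TRAEFIK_FAILREGEX = r'^<HOST> \- \S+ \[\] "(?:GET|POST|HEAD) [^"]+" 401\b'


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    return re.compile(failregex.replace("<HOST>", HOST))


def find_failures(log_text, failregex, strip_date):
    """Map each offending host to the original lines the failregex matched,
    after the timestamp has been stripped the way fail2ban would."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = rx.search(strip_date(line))
        if m:
            hits[m.group("host")].append(line)
    return dict(hits)


def hosts_to_ban(hits, maxretry):
    """Hosts that reached maxretry. findtime is not modelled: fail2ban only
    counts failures inside that window, this example counts all of them."""
    return sorted(h for h, lines in hits.items() if len(lines) >= maxretry)


if __name__ == "__main__":
    for name, log, rx, strip in (("sshd", AUTH_LOG, SSHD_FAILREGEX, strip_syslog_date),
                                 ("traefik-auth", TRAEFIK_LOG, TRAEFIK_FAILREGEX, strip_clf_date)):
        hits = find_failures(log, rx, strip)
        print(name, {h: len(l) for h, l in hits.items()}, "ban:", hosts_to_ban(hits, maxretry=2))
```

When a filter silently matches nothing, the first things to compare against the real log line are the part before the first space (the hostname in syslog, the client address in CLF), whether the timestamp actually gets removed, and the exact spacing around the status code.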

Add curl

Hi there, good work on this f2b image, it's way better than the ones I've tried.

If you don't mind, I've got a request, could you please add curl to this as well? I use cloudflare and the cloudflare action requires curl.

Thanks

sendmail hangs

I followed the instructions to set up two containers (one for INPUT one for DOCKER-USER).

.env file is as follows:

TZ=UTC
F2B_LOG_TARGET=STDOUT
F2B_LOG_LEVEL=DEBUG
F2B_DB_PURGE_AGE=1d
F2B_MAX_RETRY=3
[email protected]
[email protected]
F2B_ACTION=%(action_mw)s
F2B_IPTABLES_CHAIN=DOCKER-USER
SSMTP_HOST=smtp
SSMTP_PORT=587
SSMTP_HOSTNAME=xxx.com
[email protected]
SSMTP_PASSWORD=xxxxxx
SSMTP_TLS=YES

When someone gets banned it should be sending me an email but it does not appear to do anything.

I tried entering the container and executing sendmail and it simply hangs and I have to do a kill <pid> on it to end.

Any ideas how to fix this ?

Thanks

Included whois can't lookup ip

Embedded whois can't look up by IP; it outputs

[Querying whois.iana.org:43 '5.188.10.76']
[Querying whois.iana.org:43 'domain 5.188.10.76']
[whois.iana.org]
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
%
% Error: Invalid query domain 5.188.10.76

Was able to circumvent the bug by manually apk adding whois in a Dockerfile, but you might as well do it here; happy to file a PR if needed.

Near-100% CPU utilization

I am seeing a near-100% CPU utilization on my docker ps listing. The fail2ban log shows nothing abnormal (attached). I have restarted the host, and recreated the container, to no avail.

Log:

2019-02-27 06:07:43,940 fail2ban.jail           [1]: INFO    Jail 'mariadb' stopped,
2019-02-27 06:07:43,973 fail2ban.database       [1]: INFO    Connection to database closed.,
2019-02-27 06:07:43,982 fail2ban.server         [1]: INFO    Exiting Fail2ban,
Setting timezone to America/Chicago...,
WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails,
Setting SSMTP configuration...,
Setting Fail2ban configuration...,
Initializing files and folders...,
Checking for custom actions in /data/action.d...,
Checking for custom filters in /data/filter.d...,
2019-02-27 08:03:50,667 fail2ban.filter         [1]: ERROR   Unable to open /var/lib/docker/containers/9cb32f37eac495ccdfd4351473c3fda27d3cad66305566984d080d0dd136618e/9cb32f37eac495ccdfd4351473c3fda27d3cad66305566984d080d0dd136618e-json.log,
2019-02-27 06:12:25,877 fail2ban.actions        [1]: NOTICE  [mariadb] Restore Ban 88.214.26.40,
2019-02-27 06:12:25,849 fail2ban.actions        [1]: NOTICE  [mariadb] Restore Ban 88.214.26.20,
2019-02-27 06:12:25,836 fail2ban.actions        [1]: NOTICE  [mariadb] Restore Ban 88.214.26.19,
2019-02-27 06:11:54,406 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.local'],
  WARNING: mariadb.conf already exists and will be overriden,
2019-02-27 06:11:53,671 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban ,
  Add custom filter mariadb.conf...,
2019-02-27 06:11:53,782 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf'],
2019-02-27 06:11:53,783 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf'],
2019-02-27 06:11:53,784 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to STDOUT,
2019-02-27 06:11:53,783 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock,
2019-02-27 06:11:54,084 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban ,
2019-02-27 06:11:54,198 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf'],
2019-02-27 06:11:54,094 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.conf'],
2019-02-27 06:11:54,395 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf'],
2019-02-27 06:11:54,397 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local'],
2019-02-27 06:11:54,398 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/mariadb.conf'],
2019-02-27 06:11:54,406 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/mariadb.conf', '/etc/fail2ban/jail.local'],
2019-02-27 06:11:54,427 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/mariadb under /etc/fail2ban ,
2019-02-27 06:11:54,428 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/mariadb.conf'],
2019-02-27 06:11:54,438 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/mariadb.conf'],
2019-02-27 06:11:54,440 fail2ban.configreader   [1]: INFO    Loading configs for action.d/iptables-multiport under /etc/fail2ban ,
2019-02-27 06:11:54,441 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf'],
2019-02-27 06:11:54,652 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf'],
2019-02-27 06:11:54,654 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local'],
2019-02-27 06:11:54,654 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.local'],
2019-02-27 06:11:54,654 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-multiport.conf'],
2019-02-27 06:11:57,792 fail2ban.server         [1]: INFO    Starting Fail2ban v0.10.4,
2019-02-27 06:11:57,812 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3',
2019-02-27 06:12:04,952 fail2ban.jail           [1]: INFO    Creating new jail 'mariadb',
2019-02-27 06:11:57,792 fail2ban.server         [1]: INFO    --------------------------------------------------,
2019-02-27 06:12:05,710 fail2ban.jail           [1]: INFO    Jail 'mariadb' uses poller {},
2019-02-27 06:12:05,710 fail2ban.jail           [1]: INFO    Initiated 'polling' backend,
2019-02-27 06:12:06,075 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/962a11dbc906c02e967eb8ae83897f60f8e9b75af4b20a76da8dbbec08d84482/962a11dbc906c02e967eb8ae83897f60f8e9b75af4b20a76da8dbbec08d84482-json.log' (pos = 345617, hash = be385f4980536ce06284c64cb3dc422a),
2019-02-27 06:12:06,409 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/7149edd8a50bcb8d1eaf3c09a74eb5e774c58292c658bec14f73e4c58d2e1903/7149edd8a50bcb8d1eaf3c09a74eb5e774c58292c658bec14f73e4c58d2e1903-json.log' (pos = 0, hash = 7a663743b240e7366c380b1c4fcc24fc),
2019-02-27 06:12:06,826 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/56092a0e5f1555749c602bd11163de3690674bbe9209e9a485ac807e7e94a8f0/56092a0e5f1555749c602bd11163de3690674bbe9209e9a485ac807e7e94a8f0-json.log' (pos = 57081, hash = e56da09f4431bb618ea7b44d0d4b2c68),
2019-02-27 06:12:07,193 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/10acbe69d26b81ab9907995fa5f59ce41c0c9452e3fae23bda3f285852cc9f80/10acbe69d26b81ab9907995fa5f59ce41c0c9452e3fae23bda3f285852cc9f80-json.log' (pos = 2522803, hash = fd546c9220c59bf5ec6bbd68653de18c),
2019-02-27 06:12:07,575 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/0fe62649afa8598f0e3c4f5db25cdfa420f171503857890578db1359a59be88f/0fe62649afa8598f0e3c4f5db25cdfa420f171503857890578db1359a59be88f-json.log' (pos = 0, hash = 5c7f6af8ea4ff44b6043289174bd2c0d),
2019-02-27 06:12:07,918 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/b1c9f263f7e9e16c5e8b78c53bf9efb4dd77b295861d4bbd95a92eddf5ad427c/b1c9f263f7e9e16c5e8b78c53bf9efb4dd77b295861d4bbd95a92eddf5ad427c-json.log' (pos = 0, hash = 5b45292fde933657561c500cefff6b11),
2019-02-27 06:12:08,587 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/ccbb1762211b608f38bef1eba382299aa4332d66688409fb273198dc868b5fb3/ccbb1762211b608f38bef1eba382299aa4332d66688409fb273198dc868b5fb3-json.log' (pos = 0, hash = 62413be95e2653fb32d9a9417e1ae4a5),
2019-02-27 06:12:09,529 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/ad5df8b326021cea797eb6a1413f95664f1b154fbed4ca7736e18b50c634d175/ad5df8b326021cea797eb6a1413f95664f1b154fbed4ca7736e18b50c634d175-json.log' (pos = 0, hash = 5c8dd0b9f11f0a363f4034dac636aa71),
2019-02-27 06:12:09,884 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/366a426557563f9f0ef4a58029f759a49a90a86629959b93bf4b63a85cb8bc2c/366a426557563f9f0ef4a58029f759a49a90a86629959b93bf4b63a85cb8bc2c-json.log' (pos = 0, hash = d43ed1489fd13b97f6978c76523b6516),
2019-02-27 06:12:12,002 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/7c727df2af5a377a0a24efbd4917b1210d7a54b1da10981be2354f218646fada/7c727df2af5a377a0a24efbd4917b1210d7a54b1da10981be2354f218646fada-json.log' (pos = 213085, hash = bea28ec2e9e6e051d89bc55a8d3e6620),
2019-02-27 06:12:12,343 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/875fcd076d8ae570f35e7f7e2dc5fe529640ec395103f3e0247b66b78a3f25ec/875fcd076d8ae570f35e7f7e2dc5fe529640ec395103f3e0247b66b78a3f25ec-json.log' (pos = 146308, hash = 9539bc7fc59289554104b00c9142083f),
2019-02-27 06:12:12,869 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/aed5bd9bd9c43c65133418df1f65d0280973a576e2fab35e9a30e194fc068656/aed5bd9bd9c43c65133418df1f65d0280973a576e2fab35e9a30e194fc068656-json.log' (pos = 168167692, hash = 56b6da46f8a21bff11dbd3ba1125721f),
2019-02-27 06:12:14,454 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/4c75011557ddbaa7ff673cbb9bb1d1f048c13dd5fb684c2f13945c422dfa68b7/4c75011557ddbaa7ff673cbb9bb1d1f048c13dd5fb684c2f13945c422dfa68b7-json.log' (pos = 0, hash = d4f2853bc56593d743646b2735539db6),
2019-02-27 06:12:17,748 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/7cea5149a96a0881ec1088074568257f8081d443bc697f9ab81641de08b0264b/7cea5149a96a0881ec1088074568257f8081d443bc697f9ab81641de08b0264b-json.log' (pos = 1952209, hash = 5734813bf6ec323008c2dead6791809b),
2019-02-27 06:12:23,339 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/05052f373e400da18b4f46a4c3f9854895bb498cd14cdebbb3d6bd2e5ba0500c/05052f373e400da18b4f46a4c3f9854895bb498cd14cdebbb3d6bd2e5ba0500c-json.log' (pos = 273703238, hash = 701d36455644350fc31d5f11f704e61d),
2019-02-27 06:12:21,427 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/3b5a2f6fa6679232a951ba76ef38bd4a6e2bf985921100ceba2afbeb113de244/3b5a2f6fa6679232a951ba76ef38bd4a6e2bf985921100ceba2afbeb113de244-json.log' (pos = 0, hash = 32fe3df226af5c76962fe1caf9ac13cc),
2019-02-27 06:12:20,419 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/e690eb6aad3afb91a093933e7c8cdffb463588cf4f2043edd9b91cb4fbd4098a/e690eb6aad3afb91a093933e7c8cdffb463588cf4f2043edd9b91cb4fbd4098a-json.log' (pos = 288808, hash = 904fc8081cda09c0f5feb9012f63c0ec),
2019-02-27 06:12:19,202 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/b2a7a88390e1b377ed88756264cf717677e6b4cb8b85872b312b25e799921e0b/b2a7a88390e1b377ed88756264cf717677e6b4cb8b85872b312b25e799921e0b-json.log' (pos = 3370012, hash = 3266bd02edc1500252709c4d2fdf803a),
2019-02-27 06:12:18,639 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/ed027346190868e23566ef6b1afc62d0c373b9160940377fced4f14c25f6eae7/ed027346190868e23566ef6b1afc62d0c373b9160940377fced4f14c25f6eae7-json.log' (pos = 0, hash = 3dde2d7d3adc40393ff6ae5d83794fd1),
2019-02-27 06:12:18,072 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/4bafc2b9d87c61f136980d1f580f4c33857f7c8775f6c2c7d451cef96eaaa629/4bafc2b9d87c61f136980d1f580f4c33857f7c8775f6c2c7d451cef96eaaa629-json.log' (pos = 2682, hash = 33453e2957eb6d5f944944b773d19242),
2019-02-27 06:12:17,142 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/fa00d7bdb90e7ad0f306291b497b4a859c8c5dccd3c7ff3f1ddea585556428b5/fa00d7bdb90e7ad0f306291b497b4a859c8c5dccd3c7ff3f1ddea585556428b5-json.log' (pos = 70336340, hash = c50f4a2f549e5587e3fe1a8917896c91),
2019-02-27 06:12:16,344 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/ed27fcbdde611b2dbec1fe67cceca7e4d3f2266498fdc1cf9895b2cb52b579c6/ed27fcbdde611b2dbec1fe67cceca7e4d3f2266498fdc1cf9895b2cb52b579c6-json.log' (pos = 0, hash = a786de92ec5fe25a81daf3edf94c25fa),
2019-02-27 06:12:15,991 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/9189056bf836fe012b2c9f090abbc7e55339b1a0479df7cd982b13678004e3fd/9189056bf836fe012b2c9f090abbc7e55339b1a0479df7cd982b13678004e3fd-json.log' (pos = 0, hash = a0c86593206c96e5ed25f37f6aabb9e8),
2019-02-27 06:12:15,468 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/9cb32f37eac495ccdfd4351473c3fda27d3cad66305566984d080d0dd136618e/9cb32f37eac495ccdfd4351473c3fda27d3cad66305566984d080d0dd136618e-json.log' (pos = 37718498, hash = 2746faa949f2adc5d10cc9c7d000a18d),
2019-02-27 06:12:14,818 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/8e2b81022d2ca0e350f5dd05811ab5d052c9bef975773d00dfb3010d35eff02d/8e2b81022d2ca0e350f5dd05811ab5d052c9bef975773d00dfb3010d35eff02d-json.log' (pos = 6770817, hash = 77486b66ae50cb03580705cee905a410),
2019-02-27 06:12:13,693 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/b9452268796c47135e90b8e960ce7c856cb5f987a8a9ef588f85879979a3b1b9/b9452268796c47135e90b8e960ce7c856cb5f987a8a9ef588f85879979a3b1b9-json.log' (pos = 434465221, hash = 8efeb60eb94fe5b5013ee102edbfee8f),
2019-02-27 06:12:13,391 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/1c3944ca26e6403912ab9c6dcb18b8a0439ce2c17cab2ba383a592dd27cd9672/1c3944ca26e6403912ab9c6dcb18b8a0439ce2c17cab2ba383a592dd27cd9672-json.log' (pos = 0, hash = 36acdcbd4558c586c0639165428a8dde),
2019-02-27 06:12:10,731 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/5751aabc5cc402381be40acbf358c6b8e85f96dca0aafd8767751c96ce4e2756/5751aabc5cc402381be40acbf358c6b8e85f96dca0aafd8767751c96ce4e2756-json.log' (pos = 0, hash = ef78180c5d6309c070bdeeb701168771),
2019-02-27 06:12:11,107 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/b4f1d9267cc063d04aa91f0f069e21fd17fec06f053bc7bf8e2affd0b0f11db4/b4f1d9267cc063d04aa91f0f069e21fd17fec06f053bc7bf8e2affd0b0f11db4-json.log' (pos = 388650, hash = cf12883f0c8dcebb4d06e3ec47ecbb59),
2019-02-27 06:12:09,862 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/f1a6ead7a0641f080129d48759e2ef68843011d0c53ea63c6f32b340302fd70f/f1a6ead7a0641f080129d48759e2ef68843011d0c53ea63c6f32b340302fd70f-json.log' (pos = 6751, hash = 5c1612b42ecdcb30735deee03e1cdc54),
2019-02-27 06:12:09,060 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/8c17dff7ac4f0cf35235155113397f35f6fc723e699738e5a3ab209ba36c2aeb/8c17dff7ac4f0cf35235155113397f35f6fc723e699738e5a3ab209ba36c2aeb-json.log' (pos = 0, hash = 518c1c466d37434ce9317774105b7e43),
2019-02-27 06:12:08,236 fail2ban.filter         [1]: INFO    Added logfile: '/var/lib/docker/containers/31e2940271e10c84241d218ba7a707527b20b580d1da3c973c45f763d4cf9054/31e2940271e10c84241d218ba7a707527b20b580d1da3c973c45f763d4cf9054-json.log' (pos = 0, hash = b4e71e670359ecb1a7b3c241fe2cb05e),
2019-02-27 06:12:23,340 fail2ban.filter         [1]: INFO      maxRetry: 15,
2019-02-27 06:12:23,341 fail2ban.filter         [1]: INFO      encoding: UTF-8,
2019-02-27 06:12:23,342 fail2ban.filter         [1]: INFO      findtime: 600,
2019-02-27 06:12:23,342 fail2ban.actions        [1]: INFO      banTime: 2592000,
2019-02-27 06:12:23,726 fail2ban.jail           [1]: INFO    Jail 'mariadb' started,

docker ps:

portainer_portainer_1         e690eb6aad3a        0.00%               14.25MiB / 7.79GiB
redis                         366a42655756        0.09%               14.88MiB / 7.79GiB
fail2ban                      05052f373e40        99.20%              19.25MiB / 7.79GiB
nginx-proxy                   b9452268796c        0.32%               27.48MiB / 7.79GiB
billingbelmankraulcom_web_1   b4f1d9267cc0        0.15%               32.48MiB / 7.79GiB
blogbelmankraulcom_web_1      ccbb1762211b        0.10%               33.2MiB / 7.79GiB

Best way to unban

I have banned myself (for testing purposes) at the office. Everything is working as it should... but now, what is the best way to unban an IP?

Traefik

Trying to install fail2ban on my Ubuntu Server that runs almost everything in Docker.
Do you know how I should monitor Traefik logs with fail2ban?
I would like to secure SSH on the host, and set up some common jails (by the way, which ones would you recommend?).

Thanks

script error sendmail: Cannot open mail:25

F2B tries to send email, but fail2ban.utils reports an ERROR because it tries to open port 25.
The docker-compose variables are set to use an SMTP mail server on port 587.

fail2ban.log :

2020-06-17 18:09:40,668 fail2ban.utils [1]: ERROR 7fb382728ab0 -- stderr: 'sendmail: Cannot open mail:25'
2020-06-17 18:09:40,668 fail2ban.utils [1]: ERROR 7fb382728ab0 -- returned 1
2020-06-17 18:09:40,668 fail2ban.actions [1]: ERROR Failed to start jail 'bitwarden' action 'sendmail-whois-lines': Error starting action Jail('bitwarden')/sendmail-whois-lines: 'Script error'

version info

Docker version 18.09.8, build bfed4f5
docker-compose version 1.24.0, build 0aa59064
Linux Zeus 3.10.105 #25426 SMP Tue May 12 04:53:17 CST 2020 x86_64 GNU/Linux synology_broadwell_rs3617rpxs

#### Docker-compose
fail2ban:
  image: crazymax/fail2ban:latest
  container_name: fail2ban
  restart: always
  environment:
    - TZ=Europe/Paris
    - F2B_DB_PURGE_AGE=30d
    - F2B_LOG_TARGET=/data/fail2ban.log
    - F2B_LOG_LEVEL=INFO
    - F2B_IPTABLES_CHAIN=INPUT
    - [email protected]
    - F2B_SENDER=[email protected]
    - SSMTP_PORT:587
    - SSMTP_HOST:xxxx
    - SSMTP_HOSTNAME=xxxx
    - SSMTP_USER:xxxx
    - SSMTP_PASSWORD:xxxx
    - SSMTP_TLS=YES
    - SSMTP_STARTTLS:YES

### jail.d

[DEFAULT]
ignoreip = 127.0.0.1/8
# Ban for 30 days
bantime = 2592000
findtime = 86400
maxretry = 3
backend = auto
action = iptables-allports[name=bitwarden]
         sendmail-whois[name=bitwarden, [email protected]]

Why does fail2ban still try to open port 25?
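As an added example (not from the issue or the image's maintainers): a small check for the list form of `environment:` in a Compose file. Compose only treats `KEY=VALUE` (or a bare `KEY` passed through from the host) as an assignment, so an entry written as `KEY:VALUE` never sets the variable and the image falls back to its default, which for `SSMTP_PORT` is 25 per the README. The sample Compose text below is constructed.

```python
import re

# Compose's list-form `environment:` entries must be KEY=VALUE, or a bare KEY
# that is passed through from the host environment. `SSMTP_PORT:587` is neither:
# it is read as a variable *named* "SSMTP_PORT:587", so SSMTP_PORT stays unset
# and the image uses its documented default (25).
ENV_ENTRY = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*)(?:=(?P<value>.*))?$")

# Constructed sample, modelled on the compose snippet in the issue above.
SAMPLE_COMPOSE = """\
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    environment:
      - TZ=Europe/Paris
      - F2B_LOG_LEVEL=INFO
      - SSMTP_PORT:587
      - SSMTP_HOST:xxxx
      - SSMTP_HOSTNAME=xxxx
      - SSMTP_TLS=YES
      - SSMTP_STARTTLS:YES
    restart: always
"""


def environment_entries(compose_text):
    """Return the list items found under `environment:` blocks.

    Line-based scan: enough for files of this shape, so no YAML library is needed.
    """
    entries = []
    in_env = False
    env_indent = 0
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env:
            if indent > env_indent and stripped.startswith("- "):
                entries.append(stripped[2:].strip())
                continue
            in_env = False  # dedented: the environment block is over
    return entries


def check_env_entries(compose_text):
    """Split entries into (well-formed {key: value}, list of malformed entries).

    A value of None in the dict means a bare KEY passed through from the host.
    """
    ok, bad = {}, []
    for entry in environment_entries(compose_text):
        m = ENV_ENTRY.match(entry)
        if m is None:
            bad.append(entry)
        else:
            ok[m.group("key")] = m.group("value")
    return ok, bad


def suggest_fix(entry):
    """Rewrite KEY:VALUE into KEY=VALUE when the left side is a valid name."""
    key, sep, value = entry.partition(":")
    if sep and ENV_ENTRY.match(key):
        return f"{key}={value.strip()}"
    return None


if __name__ == "__main__":
    ok, bad = check_env_entries(SAMPLE_COMPOSE)
    print("set:", sorted(ok))
    for entry in bad:
        print(f"malformed: {entry!r} -> {suggest_fix(entry)}")
    if "SSMTP_PORT" not in ok:
        print("SSMTP_PORT is not set; the image will use its default (25)")
```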

sendmail returns segfault (return code: 139) when mail password contains special letters (#, §, $, ...)

Behaviour

When fail2ban is configured to send email notifications with env vars in Docker, sending an email crashes with a segfault.


Steps to reproduce this issue

  1. Configure mail client with a password containing one or more special letters

Expected behaviour

Sendmail works like a charm and sends out mail.

Configuration

I'm running Docker within ContainerStation on a QNAP NAS
QTS: 4.4.3.1439
ContainerStation: 2.1.3.1360

IPv6 Support

When Fail2Ban tries to ban a user with an IPv6 address, I get the following error:

stderr: '/bin/sh: ip6tables: not found'

It doesn't seem like you have the ip6tables program installed in this container. Can this be added?

Unable to find a corresponding IP address for authenticating: Name does not resolve

Behaviour

I had a remote PC try to SSH with a password to my Raspberry Pi server, which has password authentication turned off (public key only), and it doesn't recognize the IP address.

Steps to reproduce this issue

  1. jail.local
jail.d/jail.local
[DEFAULT]
bantime			= 1h
maxretry		= 3
findtime		= 1h
ignoreip		= 127.0.0.1/8 ::1 10.0.0.1/24
logencoding		= auto
usedns			= warn
enabled			= false
mode			= aggressive
destemail		= [email protected]
sendername		= Fail2Ban Schklom
fq-hostname		= Schklom
port			= 0:65535
#banaction		= iptables-multiport
banaction		= iptables-allports
protocol		= tcp
bantime.increment	= true
bantime.factor		= 1
bantime.maxtime		= 4w
bantime.rndtime		= 38

# Email with sendername activated (copied from jail.conf and arranged according to git issue below)
# Email with fq-hostname activated (copied from jail.conf and arranged according to git issue below)
# https://github.com/fail2ban/fail2ban/issues/2071
action_mwl			= %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
				  %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", sendername="%(sendername)s", fq-hostname="%(fq-hostname)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action				= %(action_mwl)s

sshd_log			= /var/log/auth.log
  2. Jail sshd
jail.d/sshd.local
[sshd]
enabled		= true
chain		= INPUT
port		= 1234
filter		= sshd[mode=aggressive]
logpath		= %(sshd_log)s
maxretry	= 3
# When I turn off usedns, the log's line "Unable to ..." disappears, but still no ban
#usedns		= no
  3. Filter added to sshd
     I tried to make the line recognized manually, but this doesn't work either.
filter.d/sshd.local
[Definition]
failregex =	%(known/failregex)s
		%(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ [preauth]$

Expected behaviour

The IP should be banned when /var/log/auth.log has these lines:

Oct 29 17:58:34 raspberrypi sshd[25644]: Connection reset by authenticating user pi 123.456.78.910 port 53945 [preauth]
Oct 29 17:59:24 raspberrypi sshd[25960]: Connection reset by authenticating user pi 123.456.78.910 port 53977 [preauth]
Oct 29 18:38:10 raspberrypi sshd[32493]: Connection reset by authenticating user pi 123.456.78.910 port 61479 [preauth]

Actual behaviour

It doesn't read the IP, and doesn't ban it.

Configuration

  • Docker version (type docker --version) : Docker version 19.03.13, build 4484c46
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.27.3, build unknown
  • Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Pi OS (based on Debian 10)
  • System info (type uname -a) : Linux raspberrypi 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...
docker-compose.yml
version: "3.8"
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    security_opt:
      - no-new-privileges:true
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ${DOCKERCONFIG}/fail2ban:/data
      - /var/log:/var/log:ro
    environment:
      - TZ=${TZ}
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=DEBUG
      - F2B_DB_PURGE_AGE=1d
      - SSMTP_HOST=smtp.gmail.com
      - SSMTP_PORT=465
      - SSMTP_HOSTNAME=gmail.com
      - SSMTP_USER=${FAIL2BAN_SSMTP_USER}
      - SSMTP_PASSWORD=${FAIL2BAN_SSMTP_PASSWORD}
      - SSMTP_TLS=YES
    restart: always

Docker info

> Output of command `docker info`
Client:
 Debug Mode: false

Server:
 Containers: 10
  Running: 9
  Paused: 0
  Stopped: 1
 Images: 12
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.4.72-v7l+
 Operating System: Raspbian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 7.691GiB
 Name: raspberrypi
 ID: HNQJ:2QLW:NIJP:OCJQ:6RLW:B7TX:EGNG:VBNS:MLKF:76S3:DMWF:CWNU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
### Logs

docker logs fail2ban

Setting timezone to Europe/Oslo...
Setting SSMTP configuration...
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
  Add custom filter sshd.local...
2020-10-29 18:53:44,378 fail2ban.configreader   [1]: INFO    Loading configs for fail2ban under /etc/fail2ban
2020-10-29 18:53:44,385 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,388 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,395 fail2ban                [1]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
2020-10-29 18:53:44,396 fail2ban                [1]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to STDOUT
2020-10-29 18:53:44,407 fail2ban.configreader   [1]: INFO    Loading configs for jail under /etc/fail2ban
2020-10-29 18:53:44,409 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
2020-10-29 18:53:44,460 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-debian.conf']
2020-10-29 18:53:44,469 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
2020-10-29 18:53:44,473 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
2020-10-29 18:53:44,490 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,500 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.local',  '/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,504 fail2ban.configreader   [1]: INFO    Loading configs for filter.d/sshd under /etc/fail2ban
2020-10-29 18:53:44,512 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
2020-10-29 18:53:44,518 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
2020-10-29 18:53:44,523 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
2020-10-29 18:53:44,524 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,525 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf', '/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,558 fail2ban.configreader   [1]: INFO    Loading configs for action.d/iptables-allports under /etc/fail2ban
2020-10-29 18:53:44,560 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,565 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
2020-10-29 18:53:44,569 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
2020-10-29 18:53:44,570 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
2020-10-29 18:53:44,571 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,576 fail2ban.configreader   [1]: INFO    Loading configs for action.d/sendmail-whois-lines under /etc/fail2ban
2020-10-29 18:53:44,578 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,582 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf']
2020-10-29 18:53:44,585 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.local']
2020-10-29 18:53:44,587 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
2020-10-29 18:53:44,589 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
2020-10-29 18:53:44,595 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/helpers-common.conf']
2020-10-29 18:53:44,597 fail2ban.configparserin [1]: INFO      Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf', '/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/helpers-common.conf', '/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,758 fail2ban.server         [1]: INFO    --------------------------------------------------
2020-10-29 18:53:44,759 fail2ban.server         [1]: INFO    Starting Fail2ban v0.11.1
2020-10-29 18:53:44,760 fail2ban.server         [1]: DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
2020-10-29 18:53:44,763 fail2ban.observer       [1]: INFO    Observer start...
2020-10-29 18:53:44,767 fail2ban.server         [1]: DEBUG   Starting communication
2020-10-29 18:53:44,783 fail2ban.database       [1]: INFO    Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2020-10-29 18:53:44,786 fail2ban.jail           [1]: INFO    Creating new jail 'sshd'
2020-10-29 18:53:44,818 fail2ban.jail           [1]: INFO    Jail 'sshd' uses pyinotify {}
2020-10-29 18:53:44,819 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,819 fail2ban.filter         [1]: DEBUG   Created FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,822 fail2ban.filterpyinotif [1]: DEBUG   Created FilterPyinotify
2020-10-29 18:53:44,822 fail2ban.jail           [1]: INFO    Initiated 'pyinotify' backend
2020-10-29 18:53:44,824 fail2ban.filter         [1]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,824 fail2ban.server         [1]: DEBUG     prefregex: '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'
2020-10-29 18:53:44,831 fail2ban.filter         [1]: INFO      maxLines: 1
2020-10-29 18:53:44,832 fail2ban.server         [1]: DEBUG     failregex: '^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,838 fail2ban.server         [1]: DEBUG     failregex: '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,843 fail2ban.server         [1]: DEBUG     failregex: '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,849 fail2ban.server         [1]: DEBUG     failregex: '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,857 fail2ban.server         [1]: DEBUG     failregex: '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>'
2020-10-29 18:53:44,861 fail2ban.server         [1]: DEBUG     failregex: '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,867 fail2ban.server         [1]: DEBUG     failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,872 fail2ban.server         [1]: DEBUG     failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,878 fail2ban.server         [1]: DEBUG     failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,884 fail2ban.server         [1]: DEBUG     failregex: '^refused connect from \\S+ \\(<HOST>\\)'
2020-10-29 18:53:44,888 fail2ban.server         [1]: DEBUG     failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,894 fail2ban.server         [1]: DEBUG     failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,900 fail2ban.server         [1]: DEBUG     failregex: "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$"
2020-10-29 18:53:44,907 fail2ban.server         [1]: DEBUG     failregex: '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,915 fail2ban.server         [1]: DEBUG     failregex: '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,923 fail2ban.server         [1]: DEBUG     failregex: '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*'
2020-10-29 18:53:44,926 fail2ban.server         [1]: DEBUG     failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$'
2020-10-29 18:53:44,933 fail2ban.server         [1]: DEBUG     failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,937 fail2ban.server         [1]: DEBUG     failregex: '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:'
2020-10-29 18:53:44,942 fail2ban.server         [1]: DEBUG     failregex: '^<F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?: (?:port \\d+|on \\S+)){0,2}\\s+\\[preauth\\]\\s*$'
2020-10-29 18:53:44,949 fail2ban.server         [1]: DEBUG     failregex: '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)'
2020-10-29 18:53:44,955 fail2ban.server         [1]: DEBUG     failregex: '^Did not receive identification string from <HOST>'
2020-10-29 18:53:44,971 fail2ban.server         [1]: DEBUG     failregex: "^Bad protocol version identification '.*' from <HOST>"
2020-10-29 18:53:44,976 fail2ban.server         [1]: DEBUG     failregex: '^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>'
2020-10-29 18:53:44,980 fail2ban.server         [1]: DEBUG     failregex: '^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\\d+;[A-Z]\\w+:'
2020-10-29 18:53:44,991 fail2ban.server         [1]: DEBUG     failregex: '^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer'
2020-10-29 18:53:44,992 fail2ban.server         [1]: DEBUG     failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*14: No supported authentication methods available'
2020-10-29 18:53:45,003 fail2ban.server         [1]: DEBUG     failregex: '^Unable to negotiate with <HOST>(?: (?:port \\d+|on \\S+)){0,2}: no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found.'
2020-10-29 18:53:45,008 fail2ban.server         [1]: DEBUG     failregex: '^Unable to negotiate a (?:(?:\\w+ (?!found\\b)){0,2}\\w+)'
2020-10-29 18:53:45,010 fail2ban.server         [1]: DEBUG     failregex: '^no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found:'
2020-10-29 18:53:45,012 fail2ban.server         [1]: DEBUG     failregex: '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>'
2020-10-29 18:53:45,016 fail2ban.server         [1]: DEBUG     failregex: '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Connection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \\d+ [preauth]$'
2020-10-29 18:53:45,049 fail2ban.filter         [1]: INFO      maxRetry: 3
2020-10-29 18:53:45,050 fail2ban.filter         [1]: INFO      findtime: 3600
2020-10-29 18:53:45,051 fail2ban.actions        [1]: INFO      banTime: 3600
2020-10-29 18:53:45,051 fail2ban.jail           [1]: INFO    Set banTime.increment = True
2020-10-29 18:53:45,052 fail2ban.jail           [1]: INFO    Set banTime.factor = 1
2020-10-29 18:53:45,052 fail2ban.jail           [1]: INFO    Set banTime.maxtime = 4w
2020-10-29 18:53:45,053 fail2ban.jail           [1]: INFO    Set banTime.rndtime = 38
2020-10-29 18:53:45,055 fail2ban.filter         [1]: DEBUG     Add '127.0.0.0/8' to ignore list ('127.0.0.1/8')
2020-10-29 18:53:45,055 fail2ban.filter         [1]: DEBUG     Add '::1' to ignore list ('::1')
2020-10-29 18:53:45,056 fail2ban.filter         [1]: DEBUG     Add '10.2.0.0/24' to ignore list ('10.2.0.1/24')
2020-10-29 18:53:45,056 fail2ban.filter         [1]: DEBUG     Add '10.0.0.0/24' to ignore list ('10.0.0.1/24')
2020-10-29 18:53:45,057 fail2ban.filter         [1]: INFO      encoding: UTF-8
2020-10-29 18:53:45,058 fail2ban.filter         [1]: INFO    Added logfile: '/var/log/auth.log' (pos = 303192, hash = ccd6530adb8309f16718f1b271d3c1c104b3da5e)
2020-10-29 18:53:45,059 fail2ban.filterpyinotif [1]: DEBUG   New <Watch wd=1 path=/var/log mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=True >
2020-10-29 18:53:45,060 fail2ban.filterpyinotif [1]: DEBUG   Added monitor for the parent directory /var/log
2020-10-29 18:53:45,061 fail2ban.filterpyinotif [1]: DEBUG   New <Watch wd=2 path=/var/log/auth.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=False >
2020-10-29 18:53:45,062 fail2ban.filterpyinotif [1]: DEBUG   Added file watcher for /var/log/auth.log
2020-10-29 18:53:45,062 fail2ban.filter         [1]: DEBUG   Seek to find time 1603990425.062525 (2020-10-29 17:53:45), file size 303516
2020-10-29 18:53:45,076 fail2ban.filter         [1]: DEBUG   Position 303192 from 303516, found time 1603994017.0 (2020-10-29 18:53:37) within 1 seeks
2020-10-29 18:53:45,077 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,077 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-sshd\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction  [1]: DEBUG     Set actionflush = '<iptables> -F f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-sshd[ \\t]'"
2020-10-29 18:53:45,078 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction  [1]: DEBUG     Set name = 'sshd'
2020-10-29 18:53:45,079 fail2ban.CommandAction  [1]: DEBUG     Set port = '55821'
2020-10-29 18:53:45,079 fail2ban.CommandAction  [1]: DEBUG     Set protocol = 'tcp'
2020-10-29 18:53:45,080 fail2ban.CommandAction  [1]: DEBUG     Set chain = 'INPUT'
2020-10-29 18:53:45,080 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'iptables-allports'
2020-10-29 18:53:45,080 fail2ban.CommandAction  [1]: DEBUG     Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2020-10-29 18:53:45,081 fail2ban.CommandAction  [1]: DEBUG     Set returntype = 'RETURN'
2020-10-29 18:53:45,081 fail2ban.CommandAction  [1]: DEBUG     Set lockingopt = '-w'
2020-10-29 18:53:45,082 fail2ban.CommandAction  [1]: DEBUG     Set iptables = 'iptables <lockingopt>'
2020-10-29 18:53:45,082 fail2ban.CommandAction  [1]: DEBUG     Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2020-10-29 18:53:45,082 fail2ban.CommandAction  [1]: DEBUG     Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-10-29 18:53:45,085 fail2ban.CommandAction  [1]: DEBUG   Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,085 fail2ban.CommandAction  [1]: DEBUG     Set actionstart = 'printf %b "Subject: [Fail2Ban] sshd: started on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: [email protected]\\n\nHi,\\n\nThe jail sshd has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "[email protected]"'
2020-10-29 18:53:45,085 fail2ban.CommandAction  [1]: DEBUG     Set actionstop = 'printf %b "Subject: [Fail2Ban] sshd: stopped on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: [email protected]\\n\nHi,\\n\nThe jail sshd has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "[email protected]"'
2020-10-29 18:53:45,085 fail2ban.CommandAction  [1]: DEBUG     Set actioncheck = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction  [1]: DEBUG     Set actionban = '( printf %b "Subject: [Fail2Ban] sshd: banned <ip> from Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: [email protected]\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against sshd.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/var/log/auth.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@Schklom" "[email protected]"'
2020-10-29 18:53:45,086 fail2ban.CommandAction  [1]: DEBUG     Set actionunban = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction  [1]: DEBUG     Set norestored = True
2020-10-29 18:53:45,087 fail2ban.CommandAction  [1]: DEBUG     Set name = 'sshd'
2020-10-29 18:53:45,087 fail2ban.CommandAction  [1]: DEBUG     Set sender = 'root@<fq-hostname>'
2020-10-29 18:53:45,087 fail2ban.CommandAction  [1]: DEBUG     Set sendername = 'Fail2Ban Schklom'
2020-10-29 18:53:45,087 fail2ban.CommandAction  [1]: DEBUG     Set fq-hostname = 'Schklom'
2020-10-29 18:53:45,088 fail2ban.CommandAction  [1]: DEBUG     Set dest = '[email protected]'
2020-10-29 18:53:45,088 fail2ban.CommandAction  [1]: DEBUG     Set logpath = '/var/log/auth.log'
2020-10-29 18:53:45,088 fail2ban.CommandAction  [1]: DEBUG     Set chain = 'INPUT'
2020-10-29 18:53:45,088 fail2ban.CommandAction  [1]: DEBUG     Set actname = 'sendmail-whois-lines'
2020-10-29 18:53:45,089 fail2ban.CommandAction  [1]: DEBUG     Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2020-10-29 18:53:45,089 fail2ban.CommandAction  [1]: DEBUG     Set greplimit = 'tail -n <grepmax>'
2020-10-29 18:53:45,089 fail2ban.CommandAction  [1]: DEBUG     Set grepmax = '1000'
2020-10-29 18:53:45,089 fail2ban.CommandAction  [1]: DEBUG     Set grepopts = '-m <grepmax>'
2020-10-29 18:53:45,090 fail2ban.jail           [1]: DEBUG   Starting jail 'sshd'
2020-10-29 18:53:45,099 fail2ban.filterpyinotif [1]: DEBUG   [sshd] filter started (pyinotifier)
2020-10-29 18:53:45,135 fail2ban.jail           [1]: INFO    Jail 'sshd' started
2020-10-29 18:53:45,148 fail2ban.transmitter    [1]: DEBUG   Status: ready
Server ready
2020-10-29 18:53:46,655 fail2ban.utils          [1]: DEBUG   b6034160 -- returned successfully 0
2020-10-29 18:53:52,278 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-10-29 18:53:52,279 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,284 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-10-29 18:53:52,285 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,319 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-10-29 19:01:01,320 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,366 fail2ban.ipdns          [1]: WARNING Unable to find a corresponding IP address for authenticating: [Errno -2] Name does not resolve
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >

PS: I am using this container instead of Fail2Ban on the host because, while I don't have the problem I just described there, I can't manage to set up email notifications.

If someone could help, I would be very grateful :)

Many thanks

jail.local overwritten on start

Firstly - thanks very much for this image. It's working wonderfully!

Behaviour

CURRENT BEHAVIOUR: upon execution, entrypoint.sh writes default values into /etc/fail2ban/jail.local, effectively creating jail.local from scratch. It does this every time the container is run, as designed.

However, I'd recommend that FAIL2BAN's philosophy for jail.local is that it be used to define custom behaviour (i.e. if I wanted to add a new action & jail I would do so by amending jail.local).

Following best practices (I hope!) for Docker Swarm, I map a volume to jail.local and amend my jail.local file:

fail2ban.yaml (my file!)

volumes:
  - /media/nas/common/fail2ban/jail.local:/etc/fail2ban/jail.local

... but of course when entrypoint.sh runs it erases my amendments to jail.local (entrypoint.sh: cat >) by creating jail.local from scratch.

If you agree with my position, I would recommend making a slight amendment to entrypoint.sh as follows:

Patch - only initialise jail.local if it doesn't exist

if [ ! -f /etc/fail2ban/jail.local ] ; then
  cat > /etc/fail2ban/jail.local <<EOL
[DEFAULT]
maxretry = ${F2B_MAX_RETRY}
backend = ${F2B_BACKEND}
destemail = ${F2B_DEST_EMAIL}
sender = ${F2B_SENDER}
action = ${F2B_ACTION}
EOL
fi

Steps to reproduce this issue

  1. Mount /etc/fail2ban/jail.local to a file on the host system
  2. Amend the host system's jail.local
  3. Bring up docker-fail2ban container
  4. Both the host's and the container's /etc/fail2ban/jail.local lose all amendments.

Expected behaviour

Tell me what should happen

The current entrypoint.sh does exactly what it's designed to do: creating /etc/fail2ban/jail.local from scratch each time the container is run.

My suggestion is to amend entrypoint.sh so that it only creates jail.local if the file doesn't already exist. In that way developers can amend the execution of fail2ban using amendments to jail.local.

Failed to access socket path

Running the container on a Synology NAS.
Other containers sharing the same docker-compose file include Traefik and other typical media server services.

Getting this error when running the following command on the container:

docker-compose run -T fail2ban fail2ban-client status

which results in the following error:

[1]: ERROR   Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?

The following is an excerpt from the docker-compose.yml file:

  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: "no"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - F2B_LOG_LEVEL=DEBUG
      - F2B_DB_PURGE_AGE=1d
      - F2B_MAX_RETRY=3
      - [email protected]
      - [email protected]
      - F2B_ACTION=%(action_)s
      - F2B_IPTABLES_CHAIN=FORWARD # For Docker version 17.06 and higher, use "DOCKER-USER"; otherwise use "FORWARD"
      - SSMTP_HOST=smtp.example.com
      - SSMTP_PORT=587
      - SSMTP_HOSTNAME=example.com
      - [email protected]
      - SSMTP_PASSWORD=
      - SSMTP_TLS=YES
    network_mode: host
    privileged: true
    volumes:
      - "${MOUNT_POINT}/docker/fail2ban:/data"
      - "${MOUNT_POINT}/docker/fail2ban/log:/var/log"
      - "${MOUNT_POINT}/docker/shared:/shared"
      - "${MOUNT_POINT}/docker/organizr/www/db:/var/log/organizr:ro" # Organizr login log path

I've also tried running fail2ban on the Traefik docker bridge network rather than host, but no luck there either. Not sure what's going wrong.

Will you support nftables?

Hi,

Starting with Debian 10, nftables is the current firewall solution. I'm managing my firewall rules manually (not Docker integrated) and noticed that your fail2ban container uses iptables rules. Is it possible to add nftables support?

[Help] No way to ban IPs

Hi there,

Just trying to properly set up Bitwarden_rs + Fail2ban on a Synology NAS using Docker containers. I run a DS718+ with the latest DSM and use the built-in reverse proxy.
At this point I have worked around most issues except one: the ban does not work despite the logs. What did I miss?

Docker version 18.09.8, build 2c0a67b

Here is the setup:

  • dani-garcia/bitwarden_rs
    • Mount point: docker/bw-data:/data/
    • Extended logging: true
    • Log file: /data/bitwarden.log
    • Log level: error
  • crazy-max/docker-fail2ban
    • Run as root
    • Mount points:
      • docker/fail2ban:/data/
      • docker/bw-data:/bitwarden/ (read-only)
    • F2B_IPTABLE_CHAIN: Input, as per issue 36, as I had the exact same error before that change.

The jail:

[DEFAULT]

ignoreip = 127.0.0.1/8 192.168.0.0/22
#Ban for 30 days
#bantime = 2592000
bantime = 6400
findtime = 86400
maxretry = 4
backend = auto
action = iptables-allports[name=bitwarden]

[bitwarden]

enabled = true
port = 80,81,443
filter = bitwarden
logpath = /bitwarden/bitwarden.log

The filter:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

Bitwarden log :

[2020-03-05 21:53:26][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:53:35][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:53:38][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:53:40][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:53:51][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:56:22][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:56:27][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:56:33][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].
[2020-03-05 21:56:49][error][ERROR] Username or password is incorrect. Try again. IP: 80.XX.XX.XX. Username: [email protected].

F2B Log:

2020-03-05 22:46:16,047 fail2ban.server         [1]: INFO    Reload all jails
2020-03-05 22:46:16,048 fail2ban.server         [1]: INFO    Reload jail 'bitwarden'
2020-03-05 22:46:16,049 fail2ban.filter         [1]: INFO      maxRetry: 4
2020-03-05 22:46:16,049 fail2ban.filter         [1]: INFO      findtime: 86400
2020-03-05 22:46:16,050 fail2ban.actions        [1]: INFO      banTime: 6400
2020-03-05 22:46:16,050 fail2ban.filter         [1]: INFO      encoding: UTF-8
2020-03-05 22:46:16,051 fail2ban.server         [1]: INFO    Jail 'bitwarden' reloaded
2020-03-05 22:46:16,051 fail2ban.actions        [1]: NOTICE  [bitwarden] Flush ticket(s) with iptables-allports
2020-03-05 22:46:16,052 fail2ban.server         [1]: INFO    Reload finished.
2020-03-05 22:53:04,043 fail2ban.filter         [1]: INFO    [bitwarden] Found 192.168.XX.XX - 2020-03-05 21:53:03
2020-03-05 22:53:26,758 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:26
2020-03-05 22:53:35,072 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:35
2020-03-05 22:53:38,592 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:38
2020-03-05 22:53:41,297 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:40
2020-03-05 22:53:41,896 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-05 22:53:51,006 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:53:51
2020-03-05 22:55:48,931 fail2ban.actions        [1]: NOTICE  [bitwarden] Unban 80.XX.XX.XX - Done manually after tested access still ok
2020-03-05 22:56:22,282 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:22
2020-03-05 22:56:27,154 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:27
2020-03-05 22:56:33,709 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:33
2020-03-05 22:56:34,098 fail2ban.actions        [1]: NOTICE  [bitwarden] Ban 80.XX.XX.XX
2020-03-05 22:56:49,381 fail2ban.filter         [1]: INFO    [bitwarden] Found 80.XX.XX.XX - 2020-03-05 21:56:49
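To check which half of the ban pipeline is at fault, here is an added Python replay (not code from the issue or from the project) that runs the issue's failregex, ignoreip, findtime and maxretry over a constructed copy of the Bitwarden log. It assumes a simplified IPv4 pattern in place of fail2ban's <ADDR> tag, the documentation address 203.0.113.5 in place of the redacted 80.XX.XX.XX, and 192.168.1.10 as the LAN host inside ignoreip.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Issue's failregex with a timestamp capture in front; fail2ban's <ADDR> tag is
# replaced by a plain IPv4 pattern (assumption: the real tag also matches IPv6).
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Username or password is incorrect\. Try again\. "
    r"IP: (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\. Username:.*$"
)
JAIL = {  # values copied from the [DEFAULT] section of the jail in the issue
    "ignoreip": [ip_network("127.0.0.1/8", strict=False), ip_network("192.168.0.0/22")],
    "findtime": timedelta(seconds=86400),
    "maxretry": 4,
}

def parse_line(line):
    """Return (timestamp, ip) when the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), ip_address(m.group("addr"))

def simulate(lines, jail=JAIL):
    """Replay log lines through ignoreip/findtime/maxretry; return (ts, ip) ban events."""
    failures, bans = {}, []        # ip -> failure timestamps still inside findtime
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ip in net for net in jail["ignoreip"]):
            continue               # found by the filter, but excluded by ignoreip
        window = [t for t in failures.get(ip, []) if ts - t <= jail["findtime"]]
        window.append(ts)
        if len(window) >= jail["maxretry"]:
            bans.append((ts, str(ip)))
            window = []            # a ban consumes the accumulated failures
        failures[ip] = window
    return bans

# Constructed replay of the issue's Bitwarden log: 203.0.113.5 stands in for the
# redacted 80.XX.XX.XX and 192.168.1.10 for the LAN host covered by ignoreip.
_LINE = "[{}][error][ERROR] Username or password is incorrect. Try again. IP: {}. Username: user@example.com."
SAMPLE_LOG = [_LINE.format(ts, ip) for ts, ip in [
    ("2020-03-05 21:53:03", "192.168.1.10"), ("2020-03-05 21:53:26", "203.0.113.5"),
    ("2020-03-05 21:53:35", "203.0.113.5"), ("2020-03-05 21:53:38", "203.0.113.5"),
    ("2020-03-05 21:53:40", "203.0.113.5"), ("2020-03-05 21:53:51", "203.0.113.5"),
    ("2020-03-05 21:56:22", "203.0.113.5"), ("2020-03-05 21:56:27", "203.0.113.5"),
    ("2020-03-05 21:56:33", "203.0.113.5"), ("2020-03-05 21:56:49", "203.0.113.5"),
]]
```

The replay yields the same two ban decisions the F2B log shows (at the fourth failure and again four failures later), so the filter and counters behave as logged and the missing ban must come from the iptables-allports action inside the container, i.e. the chain and network mode the issue already mentions.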
