Fail2ban Docker image
About
Fail2ban Docker image to ban hosts that cause multiple authentication errors.
[!TIP]
Want to be notified of new releases? Check out 🔔 Diun (Docker Image Update Notifier)
project!
* Docker Compose * Command line *
DOCKER-USER chain
* DOCKER-USER and INPUT chains
* Jails examples
* Use fail2ban-client
* Global jail configuration
* Custom jails, actions and filters
* Sending email using a sidecar container
Build locally
git clone https://github.com/crazy-max/docker-fail2ban.git
cd docker-fail2ban
Build image and output to docker (default)
docker buildx bake
Build multi-platform image
docker buildx bake image-all
Image
| Registry | Image | |-----------------------------------------------------------------------------------------------------|------------------------------| | Docker Hub | crazymax/fail2ban | | GitHub Container Registry | ghcr.io/crazy-max/fail2ban |
Following platforms for this image are available:
$ docker buildx imagetools inspect crazymax/fail2ban --format "{{json .Manifest}}" | \
jq -r '.manifests[] | select(.platform.os != null and .platform.os != "unknown") | .platform | "\(.os)/\(.architecture)\(if .variant then "/" + .variant else "" end)"'
linux/386 linux/amd64 linux/arm/v6 linux/arm/v7 linux/arm64 linux/ppc64le linux/riscv64 linux/s390x
Environment variables
TZ: The timezone assigned to the container (defaultUTC)F2BLOGTARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (defaultSTDOUT)F2BLOGLEVEL: Log level output (defaultINFO)F2BDBPURGE_AGE: Age at which bans should be purged from the database (default1d)IPTABLES_MODE: Choose between iptablesnftorlegacymode. (defaultauto)
Volumes
/data: Contains customs jails, actions and filters and Fail2ban persistent database
Usage
Docker Compose
Docker compose is the recommended way to run this image. Copy the content of folder examples/compose in /var/fail2ban/ on your host for example. Edit the Compose and env files with your preferences and run the following commands:
$ docker compose up -d
$ docker compose logs -f
Command line
You can also use the following minimal command :
$ docker run -d --name fail2ban --restart always \
--network host \
--cap-add NET_ADMIN \
--cap-add NET_RAW \
-v $(pwd)/data:/data \
-v /var/log:/var/log:ro \
crazymax/fail2ban:latest
Upgrade
Recreate the container whenever I push an update:
$ docker compose pull
$ docker compose up -d
Notes
DOCKER-USER chain
In Docker 17.06 and higher through docker/libnetwork#1675, you can add rules to a new table called DOCKER-USER, and these rules will be loaded before any rules Docker creates automatically. This is useful to make iptables rules created by Fail2Ban persistent.
If you have an older version of Docker, you may just change the chain definition for your jail to chain = FORWARD. This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.
More info : https://docs.docker.com/network/iptables/
DOCKER-USER and INPUT chains
If your Fail2Ban container is attached to DOCKER-USER chain instead of INPUT, the rules will be applied only to containers. This means that any packets coming into the INPUT chain will bypass these rules that now reside under the FORWARD chain.
This is why the sshd jail contains a chain = INPUT in its definition and traefik jail contains chain = DOCKER-USER.
Jails examples
Here are some examples using the DOCKER-USER chain:
INPUT chain:
Use fail2ban-client
Fail2ban commands can be used through the container. Here is an example if you want to ban an IP manually:
$ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
Global jail configuration
You can provide customizations in /data/jail.d/*.local files.
For example, to change the default bantime for all jails:
[DEFAULT]
bantime = 1h
[!NOTE]
Loading order for jail configuration:
> jail.d/*.conf (in alphabetical order) > jail.local > jail.d/*.local (in alphabetical order) >> jail.conf
A sample configuration file is available on the official repository.
Custom jails, actions and filters
Custom jails, actions and filters can be added respectively in /data/jail.d, /data/action.d and /data/filter.d. If you add an action/filter that already exists, it will be overriden.
[!WARNING]
Container has to be restarted to propagate changes
Sending email using a sidecar container
If you want to send emails using a sidecar container, see the example in examples/smtp. It uses the smtp.py action and msmtpd SMTP relay image.
Contributing
Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!
Thanks again for your support, it is much appreciated! :pray:
License
MIT. See LICENSE for more details.
