crazy-max / docker-fail2ban

Fail2ban Docker image
MIT License

Expose action.d volume #4

Closed onedr0p closed 5 years ago

onedr0p commented 5 years ago

I would love to use a custom action and edit those configuration files but I cannot bind mount action.d to my host and see the files.

crazy-max commented 5 years ago

@onedr0p Can you post your compose file please ?

onedr0p commented 5 years ago
version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    environment:
      F2B_LOG_LEVEL: DEBUG
      TZ: America/New_York
    volumes:
    - /apps/docker/fail2ban/db:/var/lib/fail2ban
    - /apps/docker/fail2ban/jail.d:/etc/fail2ban/jail.d
    - /var/log:/var/log:ro
    - /apps/docker/fail2ban/filter.d:/etc/fail2ban/filter.d
    - /apps/docker/fail2ban/action.d:/etc/fail2/ban/action.d
crazy-max commented 5 years ago

/etc/fail2/ban/action.d > /etc/fail2ban/action.d

onedr0p commented 5 years ago

Good catch, I made the changes and the files in there are still not being seen on my host. Should those files be mounted there?

crazy-max commented 5 years ago

network_mode must be set to host and privileged enabled.

onedr0p commented 5 years ago
2018-10-04 16:57:03,806 fail2ban.configreader   [1]: ERROR   Found no accessible config files for 'action.d/iptables-multiport' under /etc/fail2ban
2018-10-04 16:57:03,806 fail2ban.jailreader     [1]: ERROR   Unable to read action 'iptables-multiport'

Seems as though mounting the volumes nulls out that directory within the container.

crazy-max commented 5 years ago

Can you apply my docker-compose example instead with your binds ?

onedr0p commented 5 years ago

I think the problem is not to do with network --host or --privileged for Docker.

Are you able to mount ./action.d:/etc/fail2ban/action.d and see the action.d directory and files on the host?

crazy-max commented 5 years ago

iptables-multiport.conf already exists in the container:

root@sandbox:/data/fail2ban# docker-compose exec fail2ban ls -al /etc/fail2ban/action.d/
total 292
drwxr-xr-x    2 root     root          4096 Oct  4 15:23 .
drwxr-xr-x    1 root     root          4096 Oct  4 22:52 ..
-rw-r--r--    1 root     root          3976 Oct  4 15:23 abuseipdb.conf
-rw-r--r--    1 root     root           587 Oct  4 15:23 apf.conf
-rw-r--r--    1 root     root           629 Oct  4 15:23 badips.conf
-rw-r--r--    1 root     root         11476 Oct  4 15:23 badips.py
-rw-r--r--    1 root     root          2715 Oct  4 15:23 blocklist_de.conf
-rw-r--r--    1 root     root          3271 Oct  4 15:23 bsd-ipfw.conf
-rw-r--r--    1 root     root          2807 Oct  4 15:23 cloudflare.conf
-rw-r--r--    1 root     root          4757 Oct  4 15:23 complain.conf
-rw-r--r--    1 root     root          7668 Oct  4 15:23 dshield.conf
-rw-r--r--    1 root     root          1717 Oct  4 15:23 dummy.conf
-rw-r--r--    1 root     root          1501 Oct  4 15:23 firewallcmd-allports.conf
-rw-r--r--    1 root     root          2649 Oct  4 15:23 firewallcmd-common.conf
-rw-r--r--    1 root     root          2235 Oct  4 15:23 firewallcmd-ipset.conf
-rw-r--r--    1 root     root          1270 Oct  4 15:23 firewallcmd-multiport.conf
-rw-r--r--    1 root     root          1898 Oct  4 15:23 firewallcmd-new.conf
-rw-r--r--    1 root     root          2314 Oct  4 15:23 firewallcmd-rich-logging.conf
-rw-r--r--    1 root     root          1765 Oct  4 15:23 firewallcmd-rich-rules.conf
-rw-r--r--    1 root     root           573 Oct  4 15:23 helpers-common.conf
-rw-r--r--    1 root     root          1657 Oct  4 15:23 hostsdeny.conf
-rw-r--r--    1 root     root          1573 Oct  4 15:23 ipfilter.conf
-rw-r--r--    1 root     root          1505 Oct  4 15:23 ipfw.conf
-rw-r--r--    1 root     root          1514 Oct  4 15:23 iptables-allports.conf
-rw-r--r--    1 root     root          2738 Oct  4 15:23 iptables-common.conf
-rw-r--r--    1 root     root          2088 Oct  4 15:23 iptables-ipset-proto4.conf
-rw-r--r--    1 root     root          2285 Oct  4 15:23 iptables-ipset-proto6-allports.conf
-rw-r--r--    1 root     root          2328 Oct  4 15:23 iptables-ipset-proto6.conf
-rw-r--r--    1 root     root          2170 Oct  4 15:23 iptables-multiport-log.conf
-rw-r--r--    1 root     root          1508 Oct  4 15:23 iptables-multiport.conf
-rw-r--r--    1 root     root          1585 Oct  4 15:23 iptables-new.conf
-rw-r--r--    1 root     root          2672 Oct  4 15:23 iptables-xt_recent-echo.conf
-rw-r--r--    1 root     root          1427 Oct  4 15:23 iptables.conf
-rw-r--r--    1 root     root          2431 Oct  4 15:23 mail-buffered.conf
-rw-r--r--    1 root     root          1049 Oct  4 15:23 mail-whois-common.conf
-rw-r--r--    1 root     root          2443 Oct  4 15:23 mail-whois-lines.conf
-rw-r--r--    1 root     root          1842 Oct  4 15:23 mail-whois.conf
-rw-r--r--    1 root     root          1709 Oct  4 15:23 mail.conf
-rw-r--r--    1 root     root          5321 Oct  4 15:23 mynetwatchman.conf
-rw-r--r--    1 root     root          1493 Oct  4 15:23 netscaler.conf
-rw-r--r--    1 root     root           490 Oct  4 15:23 nftables-allports.conf
-rw-r--r--    1 root     root          4126 Oct  4 15:23 nftables-common.conf
-rw-r--r--    1 root     root           496 Oct  4 15:23 nftables-multiport.conf
-rw-r--r--    1 root     root          3697 Oct  4 15:23 nginx-block-map.conf
-rw-r--r--    1 root     root          1524 Oct  4 15:23 npf.conf
-rw-r--r--    1 root     root          3234 Oct  4 15:23 nsupdate.conf
-rw-r--r--    1 root     root           469 Oct  4 15:23 osx-afctl.conf
-rw-r--r--    1 root     root          2302 Oct  4 15:23 osx-ipfw.conf
-rw-r--r--    1 root     root          3750 Oct  4 15:23 pf.conf
-rw-r--r--    1 root     root          1023 Oct  4 15:23 route.conf
-rw-r--r--    1 root     root          2918 Oct  4 15:23 sendmail-buffered.conf
-rw-r--r--    1 root     root          1912 Oct  4 15:23 sendmail-common.conf
-rw-r--r--    1 root     root          1773 Oct  4 15:23 sendmail-geoip-lines.conf
-rw-r--r--    1 root     root          1052 Oct  4 15:23 sendmail-whois-ipjailmatches.conf
-rw-r--r--    1 root     root          1033 Oct  4 15:23 sendmail-whois-ipmatches.conf
-rw-r--r--    1 root     root          1300 Oct  4 15:23 sendmail-whois-lines.conf
-rw-r--r--    1 root     root           997 Oct  4 15:23 sendmail-whois-matches.conf
-rw-r--r--    1 root     root           977 Oct  4 15:23 sendmail-whois.conf
-rw-r--r--    1 root     root           857 Oct  4 15:23 sendmail.conf
-rw-r--r--    1 root     root          3069 Oct  4 15:23 shorewall-ipset-proto6.conf
-rw-r--r--    1 root     root          2156 Oct  4 15:23 shorewall.conf
-rw-r--r--    1 root     root          6134 Oct  4 15:23 smtp.py
-rw-r--r--    1 root     root          1418 Oct  4 15:23 symbiosis-blacklist-allports.conf
-rw-r--r--    1 root     root          1045 Oct  4 15:23 ufw.conf
-rw-r--r--    1 root     root          6082 Oct  4 15:23 xarf-login-attack.conf

You want to add a custom action ? I think this is the issue.

onedr0p commented 5 years ago

Yes, I want to add a custom one, and change the text in another.

crazy-max commented 5 years ago

Okay, I'll look at what we could do to add custom actions. For the moment you can mount the file with a different name instead of the folder:

/apps/docker/fail2ban/action.d/iptables-multiport.conf:/etc/fail2ban/action.d/iptables-multiport2.conf

onedr0p commented 5 years ago

Wouldn't it be as simple as adding a VOLUME in the Dockerfile set to /etc/fail2ban/action.d/ and likewise /etc/fail2ban/filter.d/ thus tell the host there is persistent data there?

onedr0p commented 5 years ago

Mounting in a single .conf file stops the other .conf files in action.d from existing.

crazy-max commented 5 years ago

Check my mount point again, I have renamed the file in the container: /action.d/iptables-multiport2.conf

onedr0p commented 5 years ago

huh? I don't see any code changes in your repo or docker image updates.

crazy-max commented 5 years ago

Nope, my comment is a quick workaround.

onedr0p commented 5 years ago

Ah, I see. Looks to be working now. Can't wait to see all the config files in these directories on my host so I can easily configure with 1 volume mapping.

onedr0p commented 5 years ago

One thing to note, you don't need to set net to host and privileged if you want to add iptables rules. Since I just want to ban IPs on Cloudflare it is not needed.

See here for more info.

crazy-max commented 5 years ago

One thing to note, you don't need to set net to host and privileged if you want to add iptables rules.

@onedr0p Thanks for the tip :)

onedr0p commented 5 years ago

No problem, with your image I was successful in my project: I use Traefik as my reverse proxy on my VMs and Cloudflare to proxy to that from WAN. I needed to check the Traefik access logs for 401 Unauthorized messages and ban IPs in Cloudflare where there were failures logging in with basic auth. My homelab just got a little more hardened ;)

Ideally I would ban the IPs in my pfSense router too but that's another project.
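The filter stage of the setup described above (Traefik access log, 401 on basic auth, ban after repeated failures), written out as an added Python example that is not from this thread or the docker-fail2ban project. It assumes Traefik's Common Log Format, that Traefik records the real client address rather than Cloudflare's edge IP (forwarded headers trusted from Cloudflare), and a simplified IPv4-only expansion of fail2ban's `<HOST>` placeholder; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban-style failregex for a Traefik CLF access-log line that ended in a 401.
# <HOST> is fail2ban's placeholder for the client address; compile_failregex()
# expands it below (IPv4 only, a simplification of fail2ban's own pattern).
FAILREGEX = (r'^<HOST> - \S+ \[(?P<ts>[^\]]+)\] '
             r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) [^"]*" 401 ')
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

def compile_failregex(failregex=FAILREGEX):
    return re.compile(failregex.replace('<HOST>', HOST_RE))

def find_failures(lines, failregex=FAILREGEX):
    """Return {host: [timestamps of matching lines]}, like fail2ban's filter stage."""
    pat = compile_failregex(failregex)
    failures = defaultdict(list)
    for line in lines:
        m = pat.match(line)
        if m:
            failures[m.group('host')].append(datetime.strptime(m.group('ts'), TS_FMT))
    return failures

def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Hosts with >= maxretry failures inside some findtime-second window (jail logic)."""
    banned = []
    for host, stamps in failures.items():
        stamps = sorted(stamps)
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)

# Constructed sample: one host hammering basic auth, one legitimate user with a
# single typo, one host whose three failures are hours apart (outside findtime).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Oct/2018:16:57:03 -0400] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.61.0" 1 "frontend-admin" "http://10.0.0.5:8080" 1ms
203.0.113.10 - - [04/Oct/2018:16:57:04 -0400] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.61.0" 2 "frontend-admin" "http://10.0.0.5:8080" 1ms
203.0.113.10 - - [04/Oct/2018:16:57:05 -0400] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.61.0" 3 "frontend-admin" "http://10.0.0.5:8080" 1ms
198.51.100.7 - admin [04/Oct/2018:16:58:00 -0400] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 4 "frontend-admin" "http://10.0.0.5:8080" 9ms
198.51.100.7 - - [04/Oct/2018:16:58:30 -0400] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 5 "frontend-admin" "http://10.0.0.5:8080" 1ms
192.0.2.44 - - [04/Oct/2018:10:00:00 -0400] "POST /admin HTTP/1.1" 401 17 "-" "python-requests/2.19" 6 "frontend-admin" "http://10.0.0.5:8080" 1ms
192.0.2.44 - - [04/Oct/2018:12:00:00 -0400] "POST /admin HTTP/1.1" 401 17 "-" "python-requests/2.19" 7 "frontend-admin" "http://10.0.0.5:8080" 1ms
192.0.2.44 - - [04/Oct/2018:14:00:00 -0400] "POST /admin HTTP/1.1" 401 17 "-" "python-requests/2.19" 8 "frontend-admin" "http://10.0.0.5:8080" 1ms
"""

if __name__ == '__main__':
    print(hosts_to_ban(find_failures(SAMPLE_LOG.splitlines())))
```

A real jail would hand the returned hosts to the Cloudflare action in action.d; with the default findtime only the burst host is banned, while the slow host only appears once findtime is widened.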

crazy-max commented 5 years ago

Ideally I would ban the IPs in my pfSense router too but that's another project.

Check abuseipdb.conf in the action.d folder in the container as an example to call pfsense web services ;)

onedr0p commented 5 years ago

I am not sure if that would work for me. I own a netgate router with pfSense on it. I would somehow need a way to add the table rules through ssh or something.

The way I was thinking earlier was to serve a text file on my internal network that has the banned IPs written to it by fail2ban. Then pfSense could read it and ban them. But I have not seen such a project so it would require some dev time.

crazy-max commented 5 years ago

Ok I have made some changes to allow custom actions and filters. There are breaking changes. Check the README.

onedr0p commented 5 years ago

I updated and it looks better. However, the existing files in the *.d directories are still not being populated on the host volume mount. I am a little confused as to why because it looks like it should be now...

crazy-max commented 5 years ago

@onedr0p I don't copy existing files into the container on the bind-mounted path to avoid overwriting user-mounted files. We could do it if the folder does not exist, but it is not a good practice. Instead you can copy back the original files from the container using this command, for example:

docker exec -it fail2ban cp -R /etc/fail2ban/action.d /data/action.orig.d