Closed onedr0p closed 5 years ago
@onedr0p Can you post your compose file please ?
version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    environment:
      F2B_LOG_LEVEL: DEBUG
      TZ: America/New_York
    volumes:
      - /apps/docker/fail2ban/db:/var/lib/fail2ban
      - /apps/docker/fail2ban/jail.d:/etc/fail2ban/jail.d
      - /var/log:/var/log:ro
      - /apps/docker/fail2ban/filter.d:/etc/fail2ban/filter.d
      - /apps/docker/fail2ban/action.d:/etc/fail2/ban/action.d
/etc/fail2/ban/action.d
> /etc/fail2ban/action.d
Good catch, I made the changes and the files in there are still not being seen on my host. Should those files be mounted there?
2018-10-04 16:57:03,806 fail2ban.configreader [1]: ERROR Found no accessible config files for 'action.d/iptables-multiport' under /etc/fail2ban
2018-10-04 16:57:03,806 fail2ban.jailreader [1]: ERROR Unable to read action 'iptables-multiport'
Seems as though mounting the volumes nulls out that directory within the container.
Can you apply my docker-compose example instead with your binds?
I think the problem is not to do with network --host or --privileged for Docker.
Are you able to mount ./action.d:/etc/fail2ban/action.d and see the action.d directory and files on the host?
iptables-multiport.conf already exists in the container:
root@sandbox:/data/fail2ban# docker-compose exec fail2ban ls -al /etc/fail2ban/action.d/
total 292
drwxr-xr-x 2 root root 4096 Oct 4 15:23 .
drwxr-xr-x 1 root root 4096 Oct 4 22:52 ..
-rw-r--r-- 1 root root 3976 Oct 4 15:23 abuseipdb.conf
-rw-r--r-- 1 root root 587 Oct 4 15:23 apf.conf
-rw-r--r-- 1 root root 629 Oct 4 15:23 badips.conf
-rw-r--r-- 1 root root 11476 Oct 4 15:23 badips.py
-rw-r--r-- 1 root root 2715 Oct 4 15:23 blocklist_de.conf
-rw-r--r-- 1 root root 3271 Oct 4 15:23 bsd-ipfw.conf
-rw-r--r-- 1 root root 2807 Oct 4 15:23 cloudflare.conf
-rw-r--r-- 1 root root 4757 Oct 4 15:23 complain.conf
-rw-r--r-- 1 root root 7668 Oct 4 15:23 dshield.conf
-rw-r--r-- 1 root root 1717 Oct 4 15:23 dummy.conf
-rw-r--r-- 1 root root 1501 Oct 4 15:23 firewallcmd-allports.conf
-rw-r--r-- 1 root root 2649 Oct 4 15:23 firewallcmd-common.conf
-rw-r--r-- 1 root root 2235 Oct 4 15:23 firewallcmd-ipset.conf
-rw-r--r-- 1 root root 1270 Oct 4 15:23 firewallcmd-multiport.conf
-rw-r--r-- 1 root root 1898 Oct 4 15:23 firewallcmd-new.conf
-rw-r--r-- 1 root root 2314 Oct 4 15:23 firewallcmd-rich-logging.conf
-rw-r--r-- 1 root root 1765 Oct 4 15:23 firewallcmd-rich-rules.conf
-rw-r--r-- 1 root root 573 Oct 4 15:23 helpers-common.conf
-rw-r--r-- 1 root root 1657 Oct 4 15:23 hostsdeny.conf
-rw-r--r-- 1 root root 1573 Oct 4 15:23 ipfilter.conf
-rw-r--r-- 1 root root 1505 Oct 4 15:23 ipfw.conf
-rw-r--r-- 1 root root 1514 Oct 4 15:23 iptables-allports.conf
-rw-r--r-- 1 root root 2738 Oct 4 15:23 iptables-common.conf
-rw-r--r-- 1 root root 2088 Oct 4 15:23 iptables-ipset-proto4.conf
-rw-r--r-- 1 root root 2285 Oct 4 15:23 iptables-ipset-proto6-allports.conf
-rw-r--r-- 1 root root 2328 Oct 4 15:23 iptables-ipset-proto6.conf
-rw-r--r-- 1 root root 2170 Oct 4 15:23 iptables-multiport-log.conf
-rw-r--r-- 1 root root 1508 Oct 4 15:23 iptables-multiport.conf
-rw-r--r-- 1 root root 1585 Oct 4 15:23 iptables-new.conf
-rw-r--r-- 1 root root 2672 Oct 4 15:23 iptables-xt_recent-echo.conf
-rw-r--r-- 1 root root 1427 Oct 4 15:23 iptables.conf
-rw-r--r-- 1 root root 2431 Oct 4 15:23 mail-buffered.conf
-rw-r--r-- 1 root root 1049 Oct 4 15:23 mail-whois-common.conf
-rw-r--r-- 1 root root 2443 Oct 4 15:23 mail-whois-lines.conf
-rw-r--r-- 1 root root 1842 Oct 4 15:23 mail-whois.conf
-rw-r--r-- 1 root root 1709 Oct 4 15:23 mail.conf
-rw-r--r-- 1 root root 5321 Oct 4 15:23 mynetwatchman.conf
-rw-r--r-- 1 root root 1493 Oct 4 15:23 netscaler.conf
-rw-r--r-- 1 root root 490 Oct 4 15:23 nftables-allports.conf
-rw-r--r-- 1 root root 4126 Oct 4 15:23 nftables-common.conf
-rw-r--r-- 1 root root 496 Oct 4 15:23 nftables-multiport.conf
-rw-r--r-- 1 root root 3697 Oct 4 15:23 nginx-block-map.conf
-rw-r--r-- 1 root root 1524 Oct 4 15:23 npf.conf
-rw-r--r-- 1 root root 3234 Oct 4 15:23 nsupdate.conf
-rw-r--r-- 1 root root 469 Oct 4 15:23 osx-afctl.conf
-rw-r--r-- 1 root root 2302 Oct 4 15:23 osx-ipfw.conf
-rw-r--r-- 1 root root 3750 Oct 4 15:23 pf.conf
-rw-r--r-- 1 root root 1023 Oct 4 15:23 route.conf
-rw-r--r-- 1 root root 2918 Oct 4 15:23 sendmail-buffered.conf
-rw-r--r-- 1 root root 1912 Oct 4 15:23 sendmail-common.conf
-rw-r--r-- 1 root root 1773 Oct 4 15:23 sendmail-geoip-lines.conf
-rw-r--r-- 1 root root 1052 Oct 4 15:23 sendmail-whois-ipjailmatches.conf
-rw-r--r-- 1 root root 1033 Oct 4 15:23 sendmail-whois-ipmatches.conf
-rw-r--r-- 1 root root 1300 Oct 4 15:23 sendmail-whois-lines.conf
-rw-r--r-- 1 root root 997 Oct 4 15:23 sendmail-whois-matches.conf
-rw-r--r-- 1 root root 977 Oct 4 15:23 sendmail-whois.conf
-rw-r--r-- 1 root root 857 Oct 4 15:23 sendmail.conf
-rw-r--r-- 1 root root 3069 Oct 4 15:23 shorewall-ipset-proto6.conf
-rw-r--r-- 1 root root 2156 Oct 4 15:23 shorewall.conf
-rw-r--r-- 1 root root 6134 Oct 4 15:23 smtp.py
-rw-r--r-- 1 root root 1418 Oct 4 15:23 symbiosis-blacklist-allports.conf
-rw-r--r-- 1 root root 1045 Oct 4 15:23 ufw.conf
-rw-r--r-- 1 root root 6082 Oct 4 15:23 xarf-login-attack.conf
You want to add a custom action? I think this is the issue.
Yes, I want to add a custom one, and change the text in another.
Okay, I'll look at what we could do to add custom actions. For the moment you can mount the file with a different name instead of the folder:
/apps/docker/fail2ban/action.d/iptables-multiport.conf:/etc/fail2ban/action.d/iptables-multiport2.conf
Wouldn't it be as simple as adding a VOLUME in the Dockerfile set to /etc/fail2ban/action.d/ and likewise /etc/fail2ban/filter.d/, thus telling the host there is persistent data there?
Mounting a single .conf file in kills the other .conf files in action.d from existing.
Check my mount point again I have renamed the file in the container : /action.d/iptables-multiport2.conf
huh? I don't see any code changes in your repo or docker image updates.
Nope my comment as a quick workaround
Ah, I see. Looks to be working now. Can't wait to see all the config files in these directories on my host so I can easily configure with 1 volume mapping.
One thing to note, you don't need to set net to host and privileged if you want to add iptables rules. Since I just want to ban IPs on Cloudflare it is not needed.
See here for more info.
> One thing to note, you don't need to set net to host and privileged if you want to add iptables rules.
@onedr0p Thanks for the tip :)
No problem, with your image I was successful in my project: I use Traefik as my reverse proxy on my VMs and Cloudflare to proxy to that from WAN. I needed to check the Traefik access logs for 401 un-authorized messages and ban IPs in Cloudflare where there were failures logging in with basic auth. My homelab just got a little more hardened ;)
Ideally I would ban the IPs in my pfSense router too but that's another project.
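The project described in the comment above (watch Traefik access logs for 401 responses and ban the source IP) comes down to a failregex plus the jail's maxretry/findtime window. The script below is an added illustration, not code from this repository or from fail2ban: it carries a Traefik CLF rule in fail2ban's `<HOST>` notation, expands the tag with a simplified stand-in for fail2ban's own expansion, runs it over a constructed access log, and applies the maxretry/findtime semantics to decide who gets banned. The log lines, the IPs and the `traefik-auth` filter name are all made up for the example; fail2ban handles the timestamp field through its own date templates, which this script does not implement, so it captures the bracketed timestamp itself.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag: an IPv4/IPv6 literal or a hostname.
# fail2ban's real expansion differs by version, so check the real filter with fail2ban-regex.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+|[\w\-.]+)"

# Traefik CLF line: client IP, "-", user (or "-"), [timestamp], "request", status, size, ...
# Only 401 responses count as an authentication failure. This copy of the rule captures the
# bracketed timestamp explicitly; in filter.d fail2ban's date handling covers that field.
FAILREGEX = (
    r'^<HOST> - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD|PUT|DELETE|PATCH|OPTIONS) [^"]*" 401 \d+'
)

# Constructed sample log (not a real capture): one client fails basic auth three times in
# seconds, one succeeds then fails three times spread over 23 minutes, one IPv6 client fails once.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2018:16:57:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.58.0" 1 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 3ms
203.0.113.7 - - [04/Oct/2018:16:57:02 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.58.0" 2 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
198.51.100.9 - alice [04/Oct/2018:16:57:03 +0000] "GET /admin HTTP/1.1" 200 512 "-" "Mozilla/5.0" 3 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 9ms
203.0.113.7 - - [04/Oct/2018:16:57:05 +0000] "POST /admin/login HTTP/1.1" 401 17 "-" "curl/7.58.0" 4 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
198.51.100.9 - - [04/Oct/2018:16:57:06 +0000] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 5 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
2001:db8::1 - - [04/Oct/2018:16:57:07 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.58.0" 6 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
198.51.100.9 - - [04/Oct/2018:17:20:00 +0000] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 7 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
198.51.100.9 - - [04/Oct/2018:17:20:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "Mozilla/5.0" 8 "frontend-Host-app-example-com" "http://10.0.0.5:8080" 2ms
"""


def compile_failregex(pattern=FAILREGEX):
    """Expand <HOST> (simplified) and compile the rule, as fail2ban does when loading a filter."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_ts(ts):
    """Parse the CLF timestamp, e.g. 04/Oct/2018:16:57:01 +0000."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def count_failures(lines):
    """Failures per host with no time window (roughly what fail2ban-regex reports as matches)."""
    rx = compile_failregex()
    return Counter(m.group("host") for m in map(rx.match, lines) if m)


def find_bans(lines, maxretry=3, findtime=600):
    """Apply the jail semantics: a host is banned at the time of its maxretry-th failure
    within any findtime-second window. Returns {host: ban_time}."""
    rx = compile_failregex()
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = rx.match(line)
        if not m or m.group("host") in banned:
            continue
        host, now = m.group("host"), parse_ts(m.group("ts"))
        window = recent[host]
        window.append(now)
        # Forget failures that fell out of the findtime window.
        window[:] = [t for t in window if (now - t).total_seconds() <= findtime]
        if len(window) >= maxretry:
            banned[host] = now
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_failures(lines))
    for host, when in find_bans(lines).items():
        print(f"ban {host} at {when.isoformat()}")
```

With the defaults, only 203.0.113.7 is banned: 198.51.100.9 also fails three times, but its first failure is outside the 600-second window when the third one arrives. In fail2ban itself the same rule goes into a filter.d file with `<HOST>` in place of the host pattern, a jail in jail.d points `logpath` at the Traefik access log mounted into the container and sets `action = cloudflare` (the cloudflare.conf action is in the listing above), and `fail2ban-regex <logfile> <filter>` should be run against the real log before the jail is enabled.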
> Ideally I would ban the IPs in my pfSense router too but that's another project.
Check abuseipdb.conf in the action.d folder in the container as an example to call pfsense web services ;)
I am not sure if that would work for me. I own a netgate router with pfSense on it. I would somehow need a way to add the table rules thru ssh or something.
The way I was thinking earlier was to serve a text file on my internal network that has the banned IPs written to it by fail2ban. Then pfSense could read it and ban them. But I have not seen such a project so it would require some dev time.
Ok I have made some changes to allow custom actions and filters. There are breaking changes. Check the README.
I updated and it looks better. However, the existing files in the *.d directories are still not being populated on the host volume mount. I am a little confused as to why because it looks like it should be now...
@onedr0p I don't copy existing files into the container on the bind-mounted path to avoid overwriting user-mounted files. We could do it if the folder does not exist, but it is not a good practice. Instead you can copy back the original files from the container using this command for example:
docker exec -it fail2ban cp -R /etc/fail2ban/action.d /data/action.orig.d
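Once the shipped files have been copied out as suggested above, the practical question after every image update is which of the files in the bind-mounted action.d (or filter.d) are your own additions, which are edited copies of shipped files, and which are unchanged copies you could drop. The script below is an added example, not part of this project or of fail2ban: it compares a custom directory against the copied-out originals and prints a unified diff for each edited file. The directory contents in `demo()` are constructed stand-ins (including a hypothetical pfsense.conf action), not the real fail2ban files.

```python
import difflib
import tempfile
from pathlib import Path


def classify_overrides(custom_dir, orig_dir):
    """Compare a bind-mounted action.d/filter.d against the copy of the image's originals.
    Returns relative paths grouped as added (no shipped counterpart), modified or unchanged."""
    custom_dir, orig_dir = Path(custom_dir), Path(orig_dir)
    result = {"added": [], "modified": [], "unchanged": []}
    for path in sorted(p for p in custom_dir.rglob("*") if p.is_file()):
        rel = str(path.relative_to(custom_dir))
        shipped = orig_dir / rel
        if not shipped.is_file():
            result["added"].append(rel)
        elif shipped.read_bytes() == path.read_bytes():
            result["unchanged"].append(rel)
        else:
            result["modified"].append(rel)
    return result


def override_diff(custom_dir, orig_dir, rel):
    """Unified diff of one edited file, shipped version first, so the local change is visible."""
    shipped = (Path(orig_dir) / rel).read_text().splitlines(keepends=True)
    custom = (Path(custom_dir) / rel).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(shipped, custom,
                                        fromfile=f"orig/{rel}", tofile=f"custom/{rel}"))


def demo():
    """Build two small constructed directories and compare them (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = Path(tmp) / "action.orig.d"   # what `docker exec ... cp -R` copied out
        custom = Path(tmp) / "action.d"      # the host directory bind-mounted into the container
        orig.mkdir()
        custom.mkdir()
        shipped_mp = "[Definition]\nactionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>\n"
        (orig / "iptables-multiport.conf").write_text(shipped_mp)
        (orig / "cloudflare.conf").write_text("[Definition]\nactionban = curl ...\n")
        # Edited copy: the user tagged the rule with an iptables comment.
        (custom / "iptables-multiport.conf").write_text(
            shipped_mp.replace("-j <blocktype>", "-m comment --comment fail2ban -j <blocktype>"))
        # Unchanged copy of a shipped action.
        (custom / "cloudflare.conf").write_text("[Definition]\nactionban = curl ...\n")
        # Hypothetical custom action with no shipped counterpart.
        (custom / "pfsense.conf").write_text("[Definition]\nactionban = /usr/local/bin/pfsense-ban <ip>\n")
        report = classify_overrides(custom, orig)
        diffs = {rel: override_diff(custom, orig, rel) for rel in report["modified"]}
        return report, diffs


if __name__ == "__main__":
    report, diffs = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
    for rel, text in diffs.items():
        print(text)
```

Run against real directories, `classify_overrides("/apps/docker/fail2ban/action.d", "/apps/docker/fail2ban/action.orig.d")` (paths from the compose file above and the copy-out command) tells you which files to re-check after an image update: the "modified" ones need their edits re-applied to the new shipped version, the "unchanged" ones are safe to delete so the container's own copy is used.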
I would love to use a custom action and edit those configuration files but I cannot bind mount action.d to my host and see the files.