crazy-max / docker-fail2ban

Fail2ban Docker image
MIT License

Can I use systemd log? #97

Closed pexcn closed 3 years ago

pexcn commented 3 years ago

Hi: in my system sshd does not provide /var/log/auth.log; I can only use systemd to view the log with journalctl -u sshd. Is there a way to make it work with this project?

crazy-max commented 3 years ago

Not possible with this image.

helmut72 commented 2 years ago

If you build a version with Debian or Ubuntu, based on this Dockerfile, journald works.

kingfisher77 commented 2 years ago

If you build a version with Debian or Ubuntu, based on this Dockerfile, journald works.

Would you mind sharing your solution? The adjusted Dockerfile and possible special configuration?

helmut72 commented 2 years ago

Dockerfile

FROM ubuntu:jammy

LABEL maintainer="Me <me@example.com>"

# Use the KEY=value form: with the legacy "ENV key value" form, the backslash
# continuation would fold all three settings into a single LANG value.
ENV LANG=C.UTF-8 \
    LANGUAGE=en_US:en \
    LC_ALL=C.UTF-8

RUN apt update && apt dist-upgrade --no-install-recommends -y && apt install --no-install-recommends -y tzdata ca-certificates && apt install --no-install-recommends -y procps fail2ban msmtp msmtp-mta iptables python3-systemd whois && \
    apt autoremove && apt clean && rm -rf /var/lib/apt/lists/*

COPY files/entrypoint.sh /entrypoint.sh
COPY files/msmtprc /etc/msmtprc

RUN mkdir -p /var/run/fail2ban && \
    mv /etc/fail2ban/jail.d /etc/fail2ban/jail.d.orig && \
    sed -i s_/var/log/fail2ban.log_STDOUT_ /etc/fail2ban/fail2ban.conf && \
    chmod 755 /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
CMD ["-xf", "start"]

entrypoint.sh

#!/bin/bash

## Timezone
#echo "Setting timezone to ${TZ}..."
#ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime
#echo ${TZ} > /etc/timezone

TZ=${TZ:-UTC}

F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT}
F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}

#SSMTP_PORT=${SSMTP_PORT:-25}
#SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
#SSMTP_TLS=${SSMTP_TLS:-NO}
#SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO}

# Init
echo "Initializing files and folders..."
mkdir -p /data/action.d /data/filter.d /data/jail.d
ln -sf /data/jail.d /etc/fail2ban

# Fail2ban conf
echo "Setting Fail2ban configuration..."
sed -i "s/loglevel =.*/loglevel = $F2B_LOG_LEVEL/g" /etc/fail2ban/fail2ban.conf
sed -i "s/dbpurgeage =.*/dbpurgeage = $F2B_DB_PURGE_AGE/g" /etc/fail2ban/fail2ban.conf

# Check custom actions
echo "Checking for custom actions in /data/action.d..."
actions=$(ls -l /data/action.d | grep -E '^-' | awk '{print $9}')
for action in ${actions}; do
  if [ -f "/etc/fail2ban/action.d/${action}" ]; then
    echo "  WARNING: ${action} already exists and will be overridden"
    rm -f "/etc/fail2ban/action.d/${action}"
  fi
  echo "  Add custom action ${action}..."
  ln -sf "/data/action.d/${action}" "/etc/fail2ban/action.d/"
done

# Check custom filters
echo "Checking for custom filters in /data/filter.d..."
filters=$(ls -l /data/filter.d | grep -E '^-' | awk '{print $9}')
for filter in ${filters}; do
  if [ -f "/etc/fail2ban/filter.d/${filter}" ]; then
    echo "  WARNING: ${filter} already exists and will be overridden"
    rm -f "/etc/fail2ban/filter.d/${filter}"
  fi
  echo "  Add custom filter ${filter}..."
  ln -sf "/data/filter.d/${filter}" "/etc/fail2ban/filter.d/"
done

exec fail2ban-server "$@"

msmtprc

# Set default values for all following accounts.
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# Services
account        services
host           smtp.example.com
port           587
from           Fail2ban <fail2ban@example.com>
user           fail2banuser
password       password

# Set a default account
account default : services

It looks like I have disabled the SSMTP variables in entrypoint.sh and am using my preferred package msmtp. I don't know the changes; just compare the files yourself.

On an Ubuntu 22.04 host you need an action with iptables only. Rename iptables-legacy to iptables in the file iptables-common.conf, which I have added to my own action.d folder.

Because this is my specific configuration, I can't support this. Maybe you need some more adjustments on your installation. It works on Ubuntu 20.04 and 22.04 hosts. I haven't tested the ubuntu:jammy base on 20.04; maybe you need ubuntu:focal.

kingfisher77 commented 2 years ago

Thank you!

Found "my" solution now, with a relatively simple setup:

FROM debian:bullseye-slim
ARG FAIL2BAN_VERSION="0.11.2"

ENV DEBIAN_FRONTEND noninteractive
RUN apt-get --yes update && apt-get --yes install --no-install-recommends \
        2to3 \
        ca-certificates \
        curl \
        ipset \
        iptables \
        procps \
        python3-setuptools \
        python3-systemd \
        sendmail \
        tzdata \
        unzip \
        wget \
        whois \
        && cd /tmp \
        && curl --show-error --silent --remote-name --location https://github.com/fail2ban/fail2ban/archive/${FAIL2BAN_VERSION}.zip \
        && unzip ${FAIL2BAN_VERSION}.zip \
        && cd fail2ban-${FAIL2BAN_VERSION} \
        && 2to3 --write --no-diffs bin/* fail2ban \
        && python3 setup.py install \
        && apt-get clean \
        && rm --recursive --force /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache

ENV TZ="Europe/Berlin"

ENTRYPOINT [ "fail2ban-server", "-f", "-x", "-v", "start" ]

HEALTHCHECK --interval=10s --timeout=5s CMD fail2ban-client ping || exit 1

docker run \
  --rm \
  --name fail2ban \
  --privileged \
  --net=host \
  --volume "$PWD/data/jail.d:/etc/fail2ban/jail.d" \
  --volume "$PWD/data/filter.d:/etc/fail2ban/filter.d" \
  fail2ban:latest

[postfix-sasl]
enabled = true
# read journald instead of a log file (needs python3-systemd in the image)
backend = systemd
mta = sendmail
action = iptables-multiport[name="postfix-sasl", port="smtp,465,submission"]
# only consider journal entries stamped with this container name
journalmatch = CONTAINER_NAME=postfix
chain = DOCKER-USER
filter = postfix-sasl
maxretry = 2
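To make clear what the jail above is actually doing with journald data, here is an added example (not code from the docker-fail2ban project or from anyone in this thread) that models a fail2ban `backend = systemd` jail in plain Python. Real fail2ban pulls entries through python3-systemd's `systemd.journal.Reader`; this script instead uses constructed dicts shaped like the ones that Reader yields (`MESSAGE`, `_SYSTEMD_UNIT`, `CONTAINER_NAME`, `__REALTIME_TIMESTAMP`), the `failregex` patterns are simplified stand-ins for fail2ban's real sshd and postfix-sasl filters, and the `<HOST>` expansion is a simplified assumption, so everything runs offline.

```python
# Added example: a toy model of fail2ban's "backend = systemd" jail logic.
# Not the project's code; journal entries below are constructed, and the
# <HOST> expansion and failregex patterns are simplified assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# fail2ban filters write <HOST> where the source address appears. Real fail2ban
# expands it to an IPv4/IPv6/hostname alternation; this stand-in is simplified.
HOST_TAG = r"(?P<host>\S+)"


@dataclass
class Jail:
    name: str
    failregex: list[str]   # patterns in fail2ban's <HOST> notation (simplified)
    journalmatch: dict     # FIELD=value pairs an entry must carry to be considered
    maxretry: int
    findtime: timedelta

    def compiled(self) -> list[re.Pattern]:
        return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in self.failregex]


def matches_journal(entry: dict, journalmatch: dict) -> bool:
    """journalmatch semantics: every listed field must equal the given value."""
    return all(entry.get(field) == value for field, value in journalmatch.items())


def count_failures(entries: list[dict], jail: Jail, now: datetime) -> dict[str, int]:
    """Failures per source host inside the jail's findtime window ending at now."""
    window_start = now - jail.findtime
    regexes = jail.compiled()
    failures: dict[str, int] = defaultdict(int)
    for entry in entries:
        if not matches_journal(entry, jail.journalmatch):
            continue  # other units/containers are never even regex-tested
        ts = entry["__REALTIME_TIMESTAMP"]
        if not (window_start <= ts <= now):
            continue  # old failures age out, which is what findtime is for
        for rx in regexes:
            m = rx.search(entry["MESSAGE"])
            if m:
                failures[m.group("host")] += 1
                break
    return dict(failures)


def hosts_to_ban(entries: list[dict], jail: Jail, now: datetime) -> set[str]:
    """Hosts that reached maxretry failures within findtime."""
    return {h for h, n in count_failures(entries, jail, now).items() if n >= jail.maxretry}


# Two jails in the shape discussed in the thread: sshd selected by its unit,
# postfix selected by the container name that Docker's journald log driver adds.
SSHD_JAIL = Jail(
    name="sshd",
    failregex=[r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2"],
    journalmatch={"_SYSTEMD_UNIT": "sshd.service"},
    maxretry=3,
    findtime=timedelta(minutes=10),
)
POSTFIX_SASL_JAIL = Jail(
    name="postfix-sasl",
    failregex=[r"warning: [-._\w]+\[<HOST>\]: SASL \w+ authentication failed"],
    journalmatch={"CONTAINER_NAME": "postfix"},
    maxretry=2,
    findtime=timedelta(minutes=10),
)

NOW = datetime(2024, 1, 1, 12, 0, 0)


def _entry(minutes_ago: int, message: str, **fields) -> dict:
    return {"__REALTIME_TIMESTAMP": NOW - timedelta(minutes=minutes_ago),
            "MESSAGE": message, **fields}


# Constructed journal; addresses come from documentation ranges, not real hosts.
JOURNAL = [
    _entry(1, "Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(2, "Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(3, "Failed password for root from 203.0.113.10 port 51240 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(4, "Failed password for root from 198.51.100.7 port 2222 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(1, "Accepted publickey for deploy from 198.51.100.7 port 2223 ssh2", _SYSTEMD_UNIT="sshd.service"),
    # three failures, but 30 minutes old: outside findtime, so never counted
    _entry(30, "Failed password for root from 203.0.113.44 port 4000 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(31, "Failed password for root from 203.0.113.44 port 4001 ssh2", _SYSTEMD_UNIT="sshd.service"),
    _entry(32, "Failed password for root from 203.0.113.44 port 4002 ssh2", _SYSTEMD_UNIT="sshd.service"),
    # container lines carry CONTAINER_NAME rather than _SYSTEMD_UNIT
    _entry(5, "warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6", CONTAINER_NAME="postfix"),
    _entry(6, "warning: unknown[192.0.2.9]: SASL PLAIN authentication failed: authentication failure", CONTAINER_NAME="postfix"),
]

if __name__ == "__main__":
    for jail in (SSHD_JAIL, POSTFIX_SASL_JAIL):
        print(jail.name, count_failures(JOURNAL, jail, NOW), "-> ban", hosts_to_ban(JOURNAL, jail, NOW))
```

Two things this makes visible that the jail file alone does not: `journalmatch` is applied before any regex runs, so a wrong field name (or an entry that lacks `CONTAINER_NAME` because the container does not log via journald) silently yields zero matches rather than an error, and `findtime` is a sliding window, so old failures never add up to a ban. In a container the same reading step only works if python3-systemd can open the host's journal files, which it looks for under /var/log/journal and /run/log/journal; if the container cannot see those paths, a `backend = systemd` jail starts cleanly but never sees an entry.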
helmut72 commented 2 years ago

Great that you found your solution 👍

Byh0ki commented 1 week ago

Hello @crazy-max, would you consider moving the base image to debian or adding a second image based on debian in this repo to fix this issue? From my point of view, it's very important to have the most complete version of fail2ban possible (i.e. with python3-systemd & co. available if needed), as this docker image is made to be deployed on any kind of distro, systemd or not.

Byh0ki commented 1 week ago

For those interested, I've forked and switched the base image to debian here. I'm available to help on merging those changes to upstream if needed.

Available tags for now: