Closed pexcn closed 3 years ago
Not possible with this image.
If you build a version with Debian or Ubuntu, based on this Dockerfile, journald works.
> If you build a version with Debian or Ubuntu, based on this Dockerfile, journald works.
Would you mind sharing your solution? The adjusted Dockerfile and possible special configuration?
`Dockerfile`:

```dockerfile
FROM ubuntu:jammy
LABEL maintainer="Me <me@example.com>"
# The key=value form is required when one ENV instruction sets several variables;
# "ENV LANG C.UTF-8 LANGUAGE ..." would put the whole remainder into LANG.
ENV LANG=C.UTF-8 \
    LANGUAGE=en_US:en \
    LC_ALL=C.UTF-8
RUN apt update && apt dist-upgrade --no-install-recommends -y && \
    apt install --no-install-recommends -y tzdata ca-certificates && \
    apt install --no-install-recommends -y procps fail2ban msmtp msmtp-mta iptables python3-systemd whois && \
    apt autoremove -y && apt clean && rm -rf /var/lib/apt/lists/*
COPY files/entrypoint.sh /entrypoint.sh
COPY files/msmtprc /etc/msmtprc
# Keep the packaged jail.d aside; the entrypoint links /data/jail.d in its place
# and switches the fail2ban log target to STDOUT so docker logs shows it.
RUN mkdir -p /var/run/fail2ban && \
    mv /etc/fail2ban/jail.d /etc/fail2ban/jail.d.orig && \
    sed -i s_/var/log/fail2ban.log_STDOUT_ /etc/fail2ban/fail2ban.conf && \
    chmod 755 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["-xf", "start"]
```
`entrypoint.sh`:

```bash
#!/bin/bash
set -e

## Timezone
#echo "Setting timezone to ${TZ}..."
#ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime
#echo ${TZ} > /etc/timezone
TZ=${TZ:-UTC}
F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT}
F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
#SSMTP_PORT=${SSMTP_PORT:-25}
#SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
#SSMTP_TLS=${SSMTP_TLS:-NO}
#SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO}

# Init
echo "Initializing files and folders..."
mkdir -p /data/action.d /data/filter.d /data/jail.d
# -n: do not dereference an existing jail.d symlink on container restart
# (without it a second run would create /data/jail.d/jail.d instead)
ln -sfn /data/jail.d /etc/fail2ban/jail.d

# Fail2ban conf
echo "Setting Fail2ban configuration..."
sed -i "s/logtarget =.*/logtarget = $F2B_LOG_TARGET/g" /etc/fail2ban/fail2ban.conf
sed -i "s/loglevel =.*/loglevel = $F2B_LOG_LEVEL/g" /etc/fail2ban/fail2ban.conf
sed -i "s/dbpurgeage =.*/dbpurgeage = $F2B_DB_PURGE_AGE/g" /etc/fail2ban/fail2ban.conf

# Check custom actions (regular files only; a glob loop instead of parsing `ls` output)
echo "Checking for custom actions in /data/action.d..."
for path in /data/action.d/*; do
  [ -f "$path" ] || continue
  action=$(basename "$path")
  if [ -f "/etc/fail2ban/action.d/${action}" ]; then
    echo "  WARNING: ${action} already exists and will be overridden"
    rm -f "/etc/fail2ban/action.d/${action}"
  fi
  echo "  Add custom action ${action}..."
  ln -sf "${path}" "/etc/fail2ban/action.d/${action}"
done

# Check custom filters
echo "Checking for custom filters in /data/filter.d..."
for path in /data/filter.d/*; do
  [ -f "$path" ] || continue
  filter=$(basename "$path")
  if [ -f "/etc/fail2ban/filter.d/${filter}" ]; then
    echo "  WARNING: ${filter} already exists and will be overridden"
    rm -f "/etc/fail2ban/filter.d/${filter}"
  fi
  echo "  Add custom filter ${filter}..."
  ln -sf "${path}" "/etc/fail2ban/filter.d/${filter}"
done

# Hand over to fail2ban-server as PID 1 so it receives container signals
exec fail2ban-server "$@"
```
`msmtprc`:

```ini
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# Services
account services
host smtp.example.com
port 587
from Fail2ban <fail2ban@example.com>
user fail2banuser
password password

# Set a default account
account default : services
```
It looks like I have disabled the SSMTP variables in `entrypoint.sh` and am using my preferred package `msmtp`. I don't know the exact changes. Just compare the files yourself.
On an Ubuntu 22.04 host you need an action with `iptables` only. Rename `iptables-legacy` to `iptables` in the file `iptables-common.conf`, which I have added into my own `action.d` folder.

Because this is my specific configuration, I can't support this. Maybe you need some more adjustments on your installation. It works on Ubuntu 20.04 and 22.04 hosts. I haven't tested the `ubuntu:jammy` base on 20.04. Maybe you need `ubuntu:focal`.
Thank you!
Found now "my" solution with a relatively simple setup:

```dockerfile
FROM debian:bullseye-slim
ARG FAIL2BAN_VERSION="0.11.2"
ENV DEBIAN_FRONTEND=noninteractive
# python3-systemd gives fail2ban the systemd backend; 2to3 converts the 0.11.x
# sources for the python3 install below
RUN apt-get --yes update && apt-get --yes install --no-install-recommends \
        2to3 \
        ca-certificates \
        curl \
        ipset \
        iptables \
        procps \
        python3-setuptools \
        python3-systemd \
        sendmail \
        tzdata \
        unzip \
        wget \
        whois \
    && cd /tmp \
    && curl --show-error --silent --remote-name --location https://github.com/fail2ban/fail2ban/archive/${FAIL2BAN_VERSION}.zip \
    && unzip ${FAIL2BAN_VERSION}.zip \
    && cd fail2ban-${FAIL2BAN_VERSION} \
    && 2to3 --write --no-diffs bin/* fail2ban \
    && python3 setup.py install \
    && apt-get clean \
    && rm --recursive --force /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache
ENV TZ="Europe/Berlin"
ENTRYPOINT [ "fail2ban-server", "-f", "-x", "-v", "start" ]
HEALTHCHECK --interval=10s --timeout=5s CMD fail2ban-client ping || exit 1
```
```shell
docker run \
    --rm \
    --name fail2ban \
    --privileged \
    --net=host \
    --volume "$PWD/data/jail.d:/etc/fail2ban/jail.d" \
    --volume "$PWD/data/filter.d:/etc/fail2ban/filter.d" \
    fail2ban:latest
```
```ini
[postfix-sasl]
enabled = true
backend = systemd
mta = sendmail
action = iptables-multiport[name="postfix-sasl", port="smtp,465,submission"]
journalmatch = CONTAINER_NAME=postfix
chain = DOCKER-USER
filter = postfix-sasl
maxretry = 2
```
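The jail above selects journal entries with `journalmatch = CONTAINER_NAME=postfix`, runs the postfix-sasl filter over their `MESSAGE` field and bans a host once `maxretry` failures have been seen. The following is an added Python model of that path over constructed journal entries; it is not code from the original post and not fail2ban's own implementation. Two assumptions are built in: the failregex is a hand-written approximation of fail2ban's postfix-sasl filter, and the `journalmatch` parser handles only ANDed `FIELD=value` pairs (fail2ban additionally accepts `+` to OR groups, and applies a `findtime` window that is omitted here). The match logic is generic, so the same function works for `_SYSTEMD_UNIT=sshd.service` when the log source is sshd via journald rather than a container.

```python
"""Model of fail2ban's systemd backend: journalmatch -> failregex -> maxretry.

Added illustration, not fail2ban code. Assumptions:
  * journalmatch is a space-separated list of FIELD=VALUE pairs, all required;
  * no findtime window, every failure in the input counts;
  * FAILREGEX approximates filter.d/postfix-sasl.conf; it is not that file.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Hand-written approximation of the postfix-sasl failregex (assumption).
FAILREGEX = re.compile(
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed journal entries (not real captures). Each dict mimics what
# systemd.journal.Reader yields: one mapping of journal fields per entry.
SAMPLE_JOURNAL = [
    {"CONTAINER_NAME": "postfix",
     "MESSAGE": "postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"},
    {"CONTAINER_NAME": "postfix",
     "MESSAGE": "postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure"},
    {"CONTAINER_NAME": "postfix",
     "MESSAGE": "postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"},
    # Same text from another container: journalmatch must drop it before the regex runs.
    {"CONTAINER_NAME": "nginx",
     "MESSAGE": "warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: x"},
    {"CONTAINER_NAME": "postfix",
     "MESSAGE": "postfix/smtpd[1234]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: x"},
    # A successful connect line: matches journalmatch but not the failregex.
    {"CONTAINER_NAME": "postfix",
     "MESSAGE": "postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]"},
]


def parse_journalmatch(spec: str) -> Dict[str, str]:
    """Turn 'FIELD=value FIELD2=value2' into the dict of required fields."""
    required: Dict[str, str] = {}
    for token in spec.split():
        if "=" not in token:
            raise ValueError(f"journalmatch token without '=': {token!r}")
        field, value = token.split("=", 1)
        required[field] = value
    return required


def entry_matches(entry: Dict[str, str], required: Dict[str, str]) -> bool:
    """An entry is selected only if every required field carries the required value."""
    return all(entry.get(field) == value for field, value in required.items())


def count_failures(entries: Iterable[Dict[str, str]], journalmatch: str) -> Dict[str, int]:
    """Apply journalmatch, then the failregex, and count failures per host."""
    required = parse_journalmatch(journalmatch)
    failures: Counter = Counter()
    for entry in entries:
        if not entry_matches(entry, required):
            continue  # filtered out by journalmatch, regex never sees it
        m = FAILREGEX.search(entry.get("MESSAGE", ""))
        if m:
            failures[m.group("host")] += 1
    return dict(failures)


def banned_hosts(entries: Iterable[Dict[str, str]], journalmatch: str, maxretry: int = 2) -> List[str]:
    """Hosts that reached maxretry failures, i.e. what the jail would hand to its action."""
    counts = count_failures(entries, journalmatch)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_JOURNAL, "CONTAINER_NAME=postfix").items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", banned_hosts(SAMPLE_JOURNAL, "CONTAINER_NAME=postfix", maxretry=2))
```

To read the real journal from inside the container, replace `SAMPLE_JOURNAL` with entries from `systemd.journal.Reader()` (the `python3-systemd` package installed above) after calling `add_match(CONTAINER_NAME="postfix")` on the reader; that match is exactly what `journalmatch` expresses in the jail.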
Great that you found your solution 👍
Hello @crazy-max, would you consider moving the base image to debian or adding a second image based on debian in this repo to fix this issue? From my point of view, it's very important to have the most complete version of fail2ban possible (i.e. with `python3-systemd` & co available if needed) as this docker image is made to be deployed on any kind of distro, systemd or not.

For those interested, I've forked and switched the base image to debian here. I'm available to help on merging those changes to upstream if needed.

Available tags for now:
registry.gitlab.com/byh0ki-org/containers/fail2ban:1.1.0
registry.gitlab.com/byh0ki-org/containers/fail2ban:1.1.0-deb
registry.gitlab.com/byh0ki-org/containers/fail2ban:1.1.0-deb12.7-r1
Hi: On my system sshd does not provide `/var/log/auth.log`; I can only use systemd to view the log (`journalctl -u sshd`). Is there a way to make it work with this project?