# Fail2Ban

Fail2Ban is installed automatically and, by default, bans IP addresses for 3 hours after 3 failed attempts in 10 minutes.

## Configuration files

If you want to change this, you can easily edit our GitHub example file: `config-examples/fail2ban-jail.cf`.

You can do the same with the values from `fail2ban.conf`, e.g. `dbpurgeage`. In that case you need to edit `config-examples/fail2ban-fail2ban.cf`.

The configuration files need to be located at the root of the `/tmp/docker-mailserver/` volume bind (usually `./docker-data/dms/config/:/tmp/docker-mailserver/`).

The following configuration files from `/tmp/docker-mailserver/` will be copied during container startup:

- `fail2ban-jail.cf` -> `/etc/fail2ban/jail.d/user-jail.local`
- `fail2ban-fail2ban.cf` -> `/etc/fail2ban/fail2ban.local`
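As an added example that is not part of the docker-mailserver documentation or project, the shell script below writes a constructed `fail2ban-jail.cf` whose values match the defaults described above (3 failed attempts within 10 minutes, 3-hour ban) and provides a small `jail_setting` helper that reads one key out of one section of such a file. This lets you confirm what your override actually sets before it is copied to `user-jail.local`. The function names, the `[postfix-sasl]` section in the sample and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example (not docker-mailserver's own code). Constructed fail2ban-jail.cf
# whose values match the documented defaults: bantime 3h, findtime 10m, maxretry 3.
SAMPLE_JAIL_CF='[DEFAULT]
# how long an address stays banned
bantime = 3h
# window in which failed attempts are counted
findtime = 10m
# failed attempts within findtime before a ban
maxretry = 3

[postfix-sasl]
enabled = true
'

# write_sample_jail FILE: write the constructed override to FILE
write_sample_jail() {
  printf '%s' "$SAMPLE_JAIL_CF" > "$1"
}

# jail_setting FILE SECTION KEY: print the value of KEY inside [SECTION]
# (comment lines are skipped; "key = value" and "key=value" both match;
# prints nothing when the key is absent from that section)
jail_setting() {
  awk -v section="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^\[/ { in_section = ($0 == ("[" section "]")); next }
    in_section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, "")
      print
      exit
    }
  ' "$1"
}

# Stand-alone usage: ./jail-check.sh --demo shows the effective sample values
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_jail "$tmp"
  for key in bantime findtime maxretry; do
    printf '%s = %s\n' "$key" "$(jail_setting "$tmp" DEFAULT "$key")"
  done
  rm -f "$tmp"
fi
```

Point `jail_setting` at your real `docker-data/dms/config/fail2ban-jail.cf` to check a value (for example `jail_setting ./docker-data/dms/config/fail2ban-jail.cf DEFAULT bantime`); an empty result means the key is not overridden in that section and fail2ban's own default applies.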
## Docker-compose config

Example configuration volume bind:

```yaml
volumes:
  - ./docker-data/dms/config/:/tmp/docker-mailserver/
```

**Attention:** `docker-mailserver` must be launched with the `NET_ADMIN` capability in order to be able to install the iptables rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in `docker-compose.yml`:

```yaml
cap_add:
  - NET_ADMIN
```

If you don't, you will see errors of the form:

```
iptables -w -X f2b-postfix -- stderr: "getsockopt failed strangely: Operation not permitted\niptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"
2016-06-01 00:53:51,284 fail2ban.action [678]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
```
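An added check, not part of docker-mailserver, to confirm from inside the container that `CAP_NET_ADMIN` is really in the effective capability set before fail2ban tries to install iptables rules and fails with the error above. It decodes the `CapEff` hex mask from `/proc/self/status`; capability number 12 is the kernel's `CAP_NET_ADMIN` (from `linux/capability.h`). The function names are assumptions, and the masks used in the test are constructed (Docker's default set without the capability, and the same set with it added).

```shell
#!/bin/sh
# Added example (not docker-mailserver's own code): verify that CAP_NET_ADMIN is
# present in this process's effective capability set.
# Kernel capability number of CAP_NET_ADMIN (linux/capability.h).
CAP_NET_ADMIN=12

# cap_in_mask CAPNUM HEXMASK: succeed if bit CAPNUM is set in the hex mask
# (same format as the CapEff/CapBnd lines of /proc/<pid>/status).
cap_in_mask() {
  cap=$1
  mask=$2
  # left-pad to 16 hex digits so digit positions are stable
  while [ ${#mask} -lt 16 ]; do mask=0$mask; done
  # hex digit (counted from the right) holding this capability, and the bit in it
  digit_from_right=$((cap / 4))
  bit=$((cap % 4))
  pos=$((16 - digit_from_right))
  digit=$(printf '%s' "$mask" | cut -c "$pos")
  val=$((0x$digit))
  [ $(( (val >> bit) & 1 )) -eq 1 ]
}

# effective_cap_mask: read the CapEff mask of the current process
effective_cap_mask() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# has_net_admin: succeed when this process may manage netfilter rules
has_net_admin() {
  cap_in_mask "$CAP_NET_ADMIN" "$(effective_cap_mask)"
}

# Stand-alone usage inside the container: ./capcheck.sh --check
if [ "${1:-}" = "--check" ]; then
  if has_net_admin; then
    echo "CAP_NET_ADMIN present: fail2ban can install iptables rules"
  else
    echo "CAP_NET_ADMIN missing: start the container with --cap-add=NET_ADMIN" >&2
    exit 1
  fi
fi
```

Run it with `docker exec <container> sh capcheck.sh --check` after copying the script in; a non-zero exit tells you the capability is missing before fail2ban logs the permission errors shown above.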
## Running fail2ban in a rootless container

RootlessKit is the fakeroot implementation for supporting rootless mode in Docker and Podman. By default RootlessKit uses the `builtin` port forwarding driver, which does not propagate source IP addresses.

It is necessary for fail2ban to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to `slirp4netns`, which is slower than `builtin` but does preserve the real source IPs.

### Docker with `slirp4netns` port driver

For rootless mode in Docker, create `~/.config/systemd/user/docker.service.d/override.conf` with the following content:

```ini
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
```

And then restart the daemon:

```bash
$ systemctl --user daemon-reload
$ systemctl --user restart docker
```

**Note:** This changes the port driver for all rootless containers managed by Docker. Per-container configuration is not supported; if you need that, consider Podman instead.

### Podman with `slirp4netns` port driver

Rootless Podman requires adding the value `slirp4netns:port_handler=slirp4netns` to the `--network` CLI option, or the `network_mode` setting in your `docker-compose.yml`.

You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a hard-coded interface name for `slirp4netns`.

Example:

```yaml
services:
  mailserver:
    network_mode: "slirp4netns:port_handler=slirp4netns"
    environment:
      - ENABLE_FAIL2BAN=1
      - NETWORK_INTERFACE=tap0
    ...
```

**Note:** `slirp4netns` is not compatible with user-defined networks.

## Manage bans

You can also manage and list the banned IPs with the `setup.sh` script.

### List bans

```bash
./setup.sh debug fail2ban
```

### Un-ban

Here `192.168.1.15` is our banned IP.

```bash
./setup.sh debug fail2ban unban 192.168.1.15
```