# Security | Fail2Ban
Fail2Ban is installed automatically and bans IP addresses for 1 week after 2 failed attempts in a time frame of 1 week by default.
## Configuration files

If you want to change this, you can easily edit our GitHub example file `config-examples/fail2ban-jail.cf`.

You can do the same with the values from `fail2ban.conf`, e.g. `dbpurgeage`. In that case you need to edit `config-examples/fail2ban-fail2ban.cf`.
The configuration files need to be located at the root of the `/tmp/docker-mailserver/` volume bind (usually `./docker-data/dms/config/:/tmp/docker-mailserver/`).

The following configuration files from `/tmp/docker-mailserver/` will be copied during container startup:

- `fail2ban-jail.cf` -> `/etc/fail2ban/jail.d/user-jail.local`
- `fail2ban-fail2ban.cf` -> `/etc/fail2ban/fail2ban.local`
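A constructed `fail2ban-jail.cf` (an added example, not the project's own file) that spells out the defaults described above and then tightens a single jail; the `ignoreip` range and the assumption that a jail named `dovecot` is enabled in the image are mine.

```ini
# Constructed example of fail2ban-jail.cf (not the project's own file).
# Copied to /etc/fail2ban/jail.d/user-jail.local at container start.
# Settings under [DEFAULT] apply to every jail unless a jail overrides them.
[DEFAULT]
# The DMS defaults described above, written out so they can be tuned:
# ban for 1 week once 2 failures are seen within a 1 week window.
bantime  = 1w
findtime = 1w
maxretry = 2
# Addresses that must never be banned, e.g. loopback and the management
# network (192.0.2.0/24 is an assumed, documentation-only range).
ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

# Per-jail override (assumes the image enables a jail named "dovecot"):
# tolerate a third failure, but only within one hour, and ban for a day.
[dovecot]
maxretry = 3
findtime = 1h
bantime  = 1d
```

Bans are restored from fail2ban's database after a restart only while they are younger than `dbpurgeage` (set in `fail2ban-fail2ban.cf`), so keep it at least as long as the longest `bantime` you configure.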
## Docker-compose config

Example configuration volume bind:

```yaml
volumes:
  - ./docker-data/dms/config/:/tmp/docker-mailserver/
```

!!! attention

    DMS must be launched with the `NET_ADMIN` capability in order to be able to install the nftables rules that actually ban IP addresses.

    Thus either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in `docker-compose.yml`:

    ```yaml
    cap_add:
      - NET_ADMIN
    ```
## Running fail2ban in a rootless container

RootlessKit is the fakeroot implementation for supporting rootless mode in Docker and Podman. By default RootlessKit uses the `builtin` port forwarding driver, which does not propagate source IP addresses. It is necessary for fail2ban to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to `slirp4netns`, which is slower than `builtin` but does preserve the real source IPs.

### Docker with `slirp4netns` port driver

For rootless mode in Docker, create `~/.config/systemd/user/docker.service.d/override.conf` with the following content:

```ini
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
```

And then restart the daemon:

```sh
$ systemctl --user daemon-reload
$ systemctl --user restart docker
```

!!! note

    This changes the port driver for all rootless containers managed by Docker.
    Per-container configuration is not supported; if you need that, consider Podman instead.
### Podman with `slirp4netns` port driver

Rootless Podman requires adding the value `slirp4netns:port_handler=slirp4netns` to the `--network` CLI option, or the `network_mode` setting in your `docker-compose.yml`.

You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a hard-coded interface name for `slirp4netns`.

!!! example

    ```yaml
    services:
      mailserver:
        network_mode: "slirp4netns:port_handler=slirp4netns"
        environment:
          - ENABLE_FAIL2BAN=1
          - NETWORK_INTERFACE=tap0
        ...
    ```

!!! note

    `slirp4netns` is not compatible with user-defined networks.
## Manage bans

You can also manage and list the banned IPs with the `setup.sh` script.

### List bans

```sh
./setup.sh fail2ban
```

### Un-ban

Here `192.168.1.15` is our banned IP.

```sh
./setup.sh fail2ban unban 192.168.1.15
```