docker-mailserver/docs/content/config/security/fail2ban.md
Georg Lauterbach a9305a073f
firewall: replace iptables with nftables (#2505)
* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently, so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
2022-04-05 15:13:59 +02:00


---
title: 'Security | Fail2Ban'
hide:
  - toc
---

Fail2Ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes by default.

## Configuration files

If you want to change this, you can easily edit our GitHub example file: `config-examples/fail2ban-jail.cf`.

You can do the same with the values from `fail2ban.conf`, e.g. `dbpurgeage`. In that case you need to edit `config-examples/fail2ban-fail2ban.cf`.

The configuration files need to be located at the root of the `/tmp/docker-mailserver/` volume bind (usually `./docker-data/dms/config/:/tmp/docker-mailserver/`).

The following configuration files from `/tmp/docker-mailserver/` will be copied during container startup:

- `fail2ban-jail.cf` -> `/etc/fail2ban/jail.d/user-jail.local`
- `fail2ban-fail2ban.cf` -> `/etc/fail2ban/fail2ban.local`

### Docker-compose config

Example configuration volume bind:

```yaml
volumes:
  - ./docker-data/dms/config/:/tmp/docker-mailserver/
```

!!! attention

    `docker-mailserver` must be launched with the `NET_ADMIN` capability in order to be able to install the nftables rules that actually ban IP addresses.

    Thus either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in `docker-compose.yml`:

    ```yaml
    cap_add:
      - NET_ADMIN
    ```
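The two override files above are plain Fail2Ban ini files that you drop into the bind-mounted config directory. The following shell script is an added example, not part of docker-mailserver's own code, that writes both files with the settings most people tune (`bantime`, `findtime`, `maxretry` in `fail2ban-jail.cf`, `dbpurgeage` in `fail2ban-fail2ban.cf`) and reads them back so you can check what will be copied at container start. The ban values used in the usage line are constructed samples, not the project's defaults, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not docker-mailserver's own code): generate the two Fail2Ban
# override files that DMS copies at startup, inside the directory that is
# bind-mounted to /tmp/docker-mailserver/ in the container.
set -eu

# Write fail2ban-jail.cf (copied to /etc/fail2ban/jail.d/user-jail.local).
# $1 = config dir, $2 = bantime, $3 = findtime, $4 = maxretry
write_jail_override() {
  mkdir -p "$1"
  cat > "$1/fail2ban-jail.cf" <<EOF
[DEFAULT]
# how long an address stays banned
bantime  = $2
# window in which the failures must occur
findtime = $3
# failures within findtime before a ban is issued
maxretry = $4
EOF
}

# Write fail2ban-fail2ban.cf (copied to /etc/fail2ban/fail2ban.local).
# $1 = config dir, $2 = dbpurgeage
write_fail2ban_override() {
  mkdir -p "$1"
  cat > "$1/fail2ban-fail2ban.cf" <<EOF
[Definition]
# how long ban history is kept in Fail2Ban's database
dbpurgeage = $2
EOF
}

# Read one "key = value" setting back from an override file.
# $1 = file, $2 = key
read_setting() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Usage (constructed sample values: ban for 1 day after 5 failures in 15 minutes,
# purge ban history after 1 day). Run from the compose project directory so the
# path matches the volume bind shown above.
# write_jail_override ./docker-data/dms/config 1d 15m 5
# write_fail2ban_override ./docker-data/dms/config 1d
```

After writing the files, restart the container so they are copied into place, then confirm the effective values with `./setup.sh debug fail2ban` as described further down.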

## Running fail2ban in a rootless container

[RootlessKit](https://github.com/rootless-containers/rootlesskit) is the fakeroot implementation for supporting rootless mode in Docker and Podman. By default RootlessKit uses the `builtin` port forwarding driver, which does not propagate source IP addresses.

It is necessary for fail2ban to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to `slirp4netns`, which is slower than `builtin` but does preserve the real source IPs.

### Docker with slirp4netns port driver

For rootless mode in Docker, create `~/.config/systemd/user/docker.service.d/override.conf` with the following content:

```ini
[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
```

And then restart the daemon:

```bash
systemctl --user daemon-reload
systemctl --user restart docker
```

!!! note

    This changes the port driver for all rootless containers managed by Docker.

    Per-container configuration is not supported; if you need that, consider Podman instead.

### Podman with slirp4netns port driver

Rootless Podman requires adding the value `slirp4netns:port_handler=slirp4netns` to the `--network` CLI option, or the `network_mode` setting in your `docker-compose.yml`.

You must also add the ENV `NETWORK_INTERFACE=tap0`, because Podman uses a hard-coded interface name for `slirp4netns`.

!!! example

    ```yaml
    services:
      mailserver:
        network_mode: "slirp4netns:port_handler=slirp4netns"
        environment:
          - ENABLE_FAIL2BAN=1
          - NETWORK_INTERFACE=tap0
          ...
    ```

!!! note

    `slirp4netns` is not compatible with user-defined networks.

## Manage bans

You can also manage and list the banned IPs with the `setup.sh` script.

### List bans

```bash
./setup.sh debug fail2ban
```

### Un-ban

Here `192.168.1.15` is our banned IP.

```bash
./setup.sh debug fail2ban unban 192.168.1.15
```
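When you review bans in bulk it helps to extract the addresses from Fail2Ban's own status report and to validate each one before handing it to the `unban` subcommand. The script below is an added example, not part of `setup.sh` or docker-mailserver: it parses a constructed sample of `fail2ban-client status <jail>` output (the real report has the same "Banned IP list:" line; the jail name and addresses here are made up), checks that each entry is a well-formed IPv4 address, and prints the corresponding `./setup.sh debug fail2ban unban` command for review rather than running it. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not docker-mailserver's own code): list banned addresses from
# a fail2ban-client status report and build review-able unban commands.
set -eu

# Constructed sample of `fail2ban-client status postfix` output.
SAMPLE_STATUS='Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   192.168.1.15 203.0.113.7'

# Print the banned addresses, one per line.  $1 = status text
banned_ips() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
    | tr ' ' '\n' \
    | sed '/^$/d'
}

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print one unban command per validated address; anything that is not a
# plain IPv4 address is reported on stderr and skipped, so a malformed entry
# never reaches the shell command line.  $1 = status text
unban_commands() {
  banned_ips "$1" | while read -r ip; do
    if is_ipv4 "$ip"; then
      printf './setup.sh debug fail2ban unban %s\n' "$ip"
    else
      printf 'skipped (not an IPv4 address): %s\n' "$ip" >&2
    fi
  done
}

# Usage: unban_commands "$SAMPLE_STATUS"
```

Pipe the printed commands into `sh` only after you have checked the list; keeping the validation step separate from execution is what makes the report safe to review first.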