I wan to write an Articlle about this Topic because I havent found one what is including all I want and have to Figure it Out by myself.
At first wen need a Folder and get our Docker Compose File running
mkdir fail2ban cd fail2ban vi docker-compose.ymlPaste the following text into the editor:
version: "3" services: fail2ban: container_name: fail2ban hostname: fail2ban cap_add: - NET_ADMIN - NET_RAW environment: - TZ=Europe/Berlin - F2B_DB_PURGE_AGE=14d - SSMTP_HOST=<your-mail-server> - SSMTP_PORT=25 - SSMTP_HOSTNAME=<hostname-of-your-container> image: crazymax/fail2ban:latest network_mode: host restart: unless-stopped volumes: - /root/fail2ban/data:/data - /root/ngix-proxy-manager/data/logs:/var/log/npm - /var/log:/var/log/varlogSave the file and start the Container with
docker-compose up -dThe Fail2ban Container will be loaded and is starting. There should be a data dir now with 4 folders
action.d db filter.d jail.dThe db Folder can be ignored, now we need to create a jail.local in jail.d
vi jail.d/jail.localPaste the following in there.:
[DEFAULT] # "bantime.increment" allows to use database for searching of previously banned ip's to increase a # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... bantime.increment = true # "bantime.rndtime" is the max number of seconds using for mixing with random time # to prevent "clever" botnets calculate exact time IP can be unbanned again: bantime.rndtime = 2048 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day bantime.multipliers = 1 5 30 60 300 720 1440 2880 #Ban without sending E-Mail #action = %(action_)s #Ban and send E-Mail action = %(action_mw)s destemail = <dest email> sender = <from email> mta = sendmail [npm] # bots that trigger too many 403 or 404 # logs are comming from reverse proxy "nginx proxy manager" enabled = true ignoreip = 127.0.0.0/8 10.0.0.0/8 172.0.0.0/8 192.168.0.0/16 filter = npm-filter chain = DOCKER-USER logpath = /var/log/npm/proxy-host-*_access.log maxretry = 5 findtime = 60 bantime = 600 [sshd] enabled = true port = ssh filter = sshd ignoreip = 127.0.0.0/8 10.0.0.0/8 172.27.0.0/16 192.168.0.0/16 chain = INPUT logpath = /var/log/varlog/auth.log findtime = 10m maxretry = 5 bantime = -1we Monitor the NPM and the Systems sshd here, thats why we mapped the Volume from local logs into the fail2ban container.
Next Step is to add filter Rules in filter.d for our NPM
vi filter.d/npm-filter.conf [INCLUDES] [Definition] failregex = ^.+ (405|404|403|401|\-) (405|404|403|401) - .+ [Client <HOST>] [Length .+] .+ [Sent-to <F-CONTAINER>.+</F-CONTAINER>] <F-USERAGENT>".+"</F-USERAGENT> .+$ ignoreregex = ^.+ (404|\-) (404) - .+".+(\.png|\.txt|\.jpg|\.ico|\.js|\.css)[/]" [Client <HOST>] [Length .+] ".+" .+$Now we have everything set up and we can restart the container with
docker-compose restartNow we want to see what fail2ban is doing. We can check the logs by doing docker ps to show the running containers and docker logs <container-id> --follow
Thats it, feel Free to ask if you have problems with this Setup