✨ Update fail2ban to fail2ban/fail2ban#3467 for geoIP support
1 parent
d28d56a
commit e727843
Showing
4 changed files
with
201 additions
and
2 deletions.
@@ -1,5 +1,57 @@ | ||
FROM crazymax/fail2ban:latest | ||
# syntax=docker/dockerfile:1 | ||
|
||
ARG FAIL2BAN_VERSION=HEAD | ||
ARG ALPINE_VERSION=3.18 | ||
|
||
FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS fail2ban-src | ||
RUN apk add --no-cache git | ||
WORKDIR /src/fail2ban | ||
RUN git init . && git remote add origin "https://github.com/Honeybrain/fail2ban.git" | ||
ARG FAIL2BAN_VERSION | ||
RUN git fetch origin "${FAIL2BAN_VERSION}" && git checkout -q FETCH_HEAD | ||
|
||
FROM alpine:${ALPINE_VERSION} | ||
RUN --mount=from=fail2ban-src,source=/src/fail2ban,target=/tmp/fail2ban,rw \ | ||
apk --update --no-cache add \ | ||
bash \ | ||
curl \ | ||
docker-cli \ | ||
geoip \ | ||
grep \ | ||
ipset \ | ||
iptables \ | ||
ip6tables \ | ||
kmod \ | ||
nftables \ | ||
openssh-client-default \ | ||
python3 \ | ||
ssmtp \ | ||
tzdata \ | ||
wget \ | ||
whois \ | ||
&& apk --update --no-cache add -t build-dependencies \ | ||
build-base \ | ||
py3-pip \ | ||
py3-setuptools \ | ||
python3-dev \ | ||
&& pip3 install --no-cache-dir --upgrade pip \ | ||
&& pip3 install --no-cache-dir dnspython3 pyinotify \ | ||
&& cd /tmp/fail2ban \ | ||
&& 2to3 -w --no-diffs bin/* fail2ban \ | ||
&& python3 setup.py install --without-tests \ | ||
&& apk del build-dependencies \ | ||
&& rm -rf /etc/fail2ban/jail.d /root/.cache | ||
|
||
COPY entrypoint.sh /entrypoint.sh | ||
|
||
ENV TZ="UTC" | ||
|
||
VOLUME [ "/data" ] | ||
|
||
USER root | ||
|
||
RUN apk add --no-cache docker-cli | ||
ENTRYPOINT [ "/entrypoint.sh" ] | ||
CMD [ "fail2ban-server", "-f", "-x", "-v", "start" ] | ||
|
||
HEALTHCHECK --interval=10s --timeout=5s \ | ||
CMD fail2ban-client ping || exit 1 |
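Review bot: `ARG FAIL2BAN_VERSION=HEAD` combined with `git fetch origin "${FAIL2BAN_VERSION}"` from `https://github.com/Honeybrain/fail2ban.git` pins nothing: every build pulls whatever that fork's default branch currently points at and then runs it through `2to3` and `python3 setup.py install` as root, so anyone who can push to that fork controls this image. Pin the default to the full 40-character commit SHA of the geoIP change (GitHub serves reachable SHAs to `git fetch`) and keep `HEAD` only as an explicit `--build-arg` override, e.g. `ARG FAIL2BAN_VERSION=<full commit sha of the geoIP change>`. The commit title cites `fail2ban/fail2ban#3467`, but the remote here is the `Honeybrain` fork, so a comment above the `git remote add` naming the upstream PR and the pinned fork commit would let the next reader verify the two match. The trailing `RUN apk add --no-cache docker-cli` after `USER root` is now redundant since `docker-cli` is already in the main `apk add` list and only adds a layer; if it stays, a comment that `docker-cli` is only useful with a mounted Docker socket, which is host-root-equivalent, would be worth a line.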
@@ -0,0 +1,35 @@ | ||
variable "DEFAULT_TAG" { | ||
default = "fail2ban:local" | ||
} | ||
|
||
// Special target: https://github.com/docker/metadata-action#bake-definition | ||
target "docker-metadata-action" { | ||
tags = ["${DEFAULT_TAG}"] | ||
} | ||
|
||
// Default target if none specified | ||
group "default" { | ||
targets = ["image-local"] | ||
} | ||
|
||
target "image" { | ||
inherits = ["docker-metadata-action"] | ||
} | ||
|
||
target "image-local" { | ||
inherits = ["image"] | ||
output = ["type=docker"] | ||
} | ||
|
||
target "image-all" { | ||
inherits = ["image"] | ||
platforms = [ | ||
"linux/386", | ||
"linux/amd64", | ||
"linux/arm/v6", | ||
"linux/arm/v7", | ||
"linux/arm64", | ||
"linux/ppc64le", | ||
"linux/s390x" | ||
] | ||
} |
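Review bot: The `image` target (inherited by `image-local` and `image-all`) sets no `attest`, so images pushed from `image-all` carry no provenance or SBOM even though the Dockerfile builds from a git checkout of a third-party fork; adding `attest = ["type=provenance,mode=max", "type=sbom"]` to the `image` target fixes that in one line, though whether bake accepts `attest` depends on the buildx version in use, so confirm it locally. A short comment on `DEFAULT_TAG` such as `// Fallback tag for local builds; CI tags come from docker/metadata-action` would also make the relationship between `docker-metadata-action` and `image` clear to a reader who has not followed the linked page.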
@@ -0,0 +1,104 @@ | ||
#!/bin/bash | ||
|
||
TZ=${TZ:-UTC} | ||
|
||
F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT} | ||
F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO} | ||
F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d} | ||
|
||
SSMTP_PORT=${SSMTP_PORT:-25} | ||
SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)} | ||
SSMTP_TLS=${SSMTP_TLS:-NO} | ||
SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO} | ||
|
||
# From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41 | ||
# usage: file_env VAR [DEFAULT] | ||
# ie: file_env 'XYZ_DB_PASSWORD' 'example' | ||
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of | ||
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) | ||
file_env() { | ||
local var="$1" | ||
local fileVar="${var}_FILE" | ||
local def="${2:-}" | ||
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then | ||
echo >&2 "error: both $var and $fileVar are set (but are exclusive)" | ||
exit 1 | ||
fi | ||
local val="$def" | ||
if [ "${!var:-}" ]; then | ||
val="${!var}" | ||
elif [ "${!fileVar:-}" ]; then | ||
val="$(< "${!fileVar}")" | ||
fi | ||
export "$var"="$val" | ||
unset "$fileVar" | ||
} | ||
|
||
# Timezone | ||
echo "Setting timezone to ${TZ}..." | ||
ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime | ||
echo ${TZ} > /etc/timezone | ||
|
||
# SSMTP | ||
file_env 'SSMTP_PASSWORD' | ||
echo "Setting SSMTP configuration..." | ||
if [ -z "$SSMTP_HOST" ] ; then | ||
echo "WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails" | ||
else | ||
cat > /etc/ssmtp/ssmtp.conf <<EOL | ||
mailhub=${SSMTP_HOST}:${SSMTP_PORT} | ||
hostname=${SSMTP_HOSTNAME} | ||
FromLineOverride=YES | ||
UseTLS=${SSMTP_TLS} | ||
UseSTARTTLS=${SSMTP_STARTTLS} | ||
EOL | ||
# Authentication to SMTP server is optional. | ||
if [ -n "$SSMTP_USER" ] ; then | ||
cat >> /etc/ssmtp/ssmtp.conf <<EOL | ||
AuthUser=${SSMTP_USER} | ||
AuthPass=${SSMTP_PASSWORD} | ||
EOL | ||
fi | ||
fi | ||
unset SSMTP_HOST | ||
unset SSMTP_USER | ||
unset SSMTP_PASSWORD | ||
|
||
# Init | ||
echo "Initializing files and folders..." | ||
mkdir -p /data/db /data/action.d /data/filter.d /data/jail.d | ||
ln -sf /data/jail.d /etc/fail2ban/ | ||
|
||
# Fail2ban conf | ||
echo "Setting Fail2ban configuration..." | ||
sed -i "s|logtarget =.*|logtarget = $F2B_LOG_TARGET|g" /etc/fail2ban/fail2ban.conf | ||
sed -i "s/loglevel =.*/loglevel = $F2B_LOG_LEVEL/g" /etc/fail2ban/fail2ban.conf | ||
sed -i "s/dbfile =.*/dbfile = \/data\/db\/fail2ban\.sqlite3/g" /etc/fail2ban/fail2ban.conf | ||
sed -i "s/dbpurgeage =.*/dbpurgeage = $F2B_DB_PURGE_AGE/g" /etc/fail2ban/fail2ban.conf | ||
sed -i "s/#allowipv6 =.*/allowipv6 = auto/g" /etc/fail2ban/fail2ban.conf | ||
|
||
# Check custom actions | ||
echo "Checking for custom actions in /data/action.d..." | ||
actions=$(ls -l /data/action.d | grep -E '^-' | awk '{print $9}') | ||
for action in ${actions}; do | ||
if [ -f "/etc/fail2ban/action.d/${action}" ]; then | ||
echo " WARNING: ${action} already exists and will be overriden" | ||
rm -f "/etc/fail2ban/action.d/${action}" | ||
fi | ||
echo " Add custom action ${action}..." | ||
ln -sf "/data/action.d/${action}" "/etc/fail2ban/action.d/" | ||
done | ||
|
||
# Check custom filters | ||
echo "Checking for custom filters in /data/filter.d..." | ||
filters=$(ls -l /data/filter.d | grep -E '^-' | awk '{print $9}') | ||
for filter in ${filters}; do | ||
if [ -f "/etc/fail2ban/filter.d/${filter}" ]; then | ||
echo " WARNING: ${filter} already exists and will be overriden" | ||
rm -f "/etc/fail2ban/filter.d/${filter}" | ||
fi | ||
echo " Add custom filter ${filter}..." | ||
ln -sf "/data/filter.d/${filter}" "/etc/fail2ban/filter.d/" | ||
done | ||
|
||
exec "$@" |
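Review bot: The `cat > /etc/ssmtp/ssmtp.conf` heredoc writes `AuthPass=${SSMTP_PASSWORD}` into a file created under the default umask, so the SMTP credential ends up world-readable inside the container even though the script carefully sources it via `file_env` and `unset`s the variable afterwards; add `chmod 600 /etc/ssmtp/ssmtp.conf` right after the second heredoc. Note also that `SSMTP_TLS` and `SSMTP_STARTTLS` both default to `NO`, so with `SSMTP_USER` set the credential goes over the wire in cleartext unless the operator opts in; a comment next to those defaults, or an extra `WARNING:` echo when `SSMTP_USER` is set without either TLS option, would make that explicit. Separately, `actions=$(ls -l /data/action.d | grep -E '^-' | awk '{print $9}')` (and the identical line for filters) parses `ls -l` output and breaks on any filename containing whitespace; a glob loop such as `for action in /data/action.d/*; do [ -f "$action" ] || continue; action=${action##*/}` avoids that without changing which files are linked.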