✨ Update fail2ban to fail2ban/fail2ban#3467 for geoIP support

Honeybrain · Jan 3, 2024 · e727843 · e727843
1 parent d28d56a
commit e727843
Show file tree

Hide file tree

Showing 4 changed files with 201 additions and 2 deletions.
diff --git a/docker/dockerfile/fail2ban/Dockerfile b/docker/dockerfile/fail2ban/Dockerfile
@@ -1,5 +1,57 @@
-FROM crazymax/fail2ban:latest
+# syntax=docker/dockerfile:1
+
+ARG FAIL2BAN_VERSION=HEAD
+ARG ALPINE_VERSION=3.18
+
+FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS fail2ban-src
+RUN apk add --no-cache git
+WORKDIR /src/fail2ban
+RUN git init . && git remote add origin "https://github.com/Honeybrain/fail2ban.git"
+ARG FAIL2BAN_VERSION
+RUN git fetch origin "${FAIL2BAN_VERSION}" && git checkout -q FETCH_HEAD
+
+FROM alpine:${ALPINE_VERSION}
+RUN --mount=from=fail2ban-src,source=/src/fail2ban,target=/tmp/fail2ban,rw \
+  apk --update --no-cache add \
+    bash \
+    curl \
+    docker-cli \
+    geoip \
+    grep \
+    ipset \
+    iptables \
+    ip6tables \
+    kmod \
+    nftables \
+    openssh-client-default \
+    python3 \
+    ssmtp \
+    tzdata \
+    wget \
+    whois \
+  && apk --update --no-cache add -t build-dependencies \
+    build-base \
+    py3-pip \
+    py3-setuptools \
+    python3-dev \
+  && pip3 install --no-cache-dir --upgrade pip \
+  && pip3 install --no-cache-dir dnspython3 pyinotify \
+  && cd /tmp/fail2ban \
+  && 2to3 -w --no-diffs bin/* fail2ban \
+  && python3 setup.py install --without-tests \
+  && apk del build-dependencies \
+  && rm -rf /etc/fail2ban/jail.d /root/.cache
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENV TZ="UTC"
+
+VOLUME [ "/data" ]
 
 USER root
 
-RUN apk add --no-cache docker-cli
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "fail2ban-server", "-f", "-x", "-v", "start" ]
+
+HEALTHCHECK --interval=10s --timeout=5s \
+  CMD fail2ban-client ping || exit 1
diff --git a/docker/dockerfile/fail2ban/docker-bake.hcl b/docker/dockerfile/fail2ban/docker-bake.hcl
@@ -0,0 +1,35 @@
+variable "DEFAULT_TAG" {
+  default = "fail2ban:local"
+}
+
+// Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = ["${DEFAULT_TAG}"]
+}
+
+// Default target if none specified
+group "default" {
+  targets = ["image-local"]
+}
+
+target "image" {
+  inherits = ["docker-metadata-action"]
+}
+
+target "image-local" {
+  inherits = ["image"]
+  output = ["type=docker"]
+}
+
+target "image-all" {
+  inherits = ["image"]
+  platforms = [
+    "linux/386",
+    "linux/amd64",
+    "linux/arm/v6",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/s390x"
+  ]
+}
diff --git a/docker/dockerfile/fail2ban/entrypoint.sh b/docker/dockerfile/fail2ban/entrypoint.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+TZ=${TZ:-UTC}
+
+F2B_LOG_TARGET=${F2B_LOG_TARGET:-STDOUT}
+F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
+F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
+
+SSMTP_PORT=${SSMTP_PORT:-25}
+SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
+SSMTP_TLS=${SSMTP_TLS:-NO}
+SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO}
+
+# From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+  local var="$1"
+  local fileVar="${var}_FILE"
+  local def="${2:-}"
+  if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+    echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+    exit 1
+  fi
+  local val="$def"
+  if [ "${!var:-}" ]; then
+    val="${!var}"
+  elif [ "${!fileVar:-}" ]; then
+    val="$(< "${!fileVar}")"
+  fi
+  export "$var"="$val"
+  unset "$fileVar"
+}
+
+# Timezone
+echo "Setting timezone to ${TZ}..."
+ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime
+echo ${TZ} > /etc/timezone
+
+# SSMTP
+file_env 'SSMTP_PASSWORD'
+echo "Setting SSMTP configuration..."
+if [ -z "$SSMTP_HOST" ] ; then
+  echo "WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails"
+else
+  cat > /etc/ssmtp/ssmtp.conf <<EOL
+mailhub=${SSMTP_HOST}:${SSMTP_PORT}
+hostname=${SSMTP_HOSTNAME}
+FromLineOverride=YES
+UseTLS=${SSMTP_TLS}
+UseSTARTTLS=${SSMTP_STARTTLS}
+EOL
+  # Authentication to SMTP server is optional.
+  if [ -n "$SSMTP_USER" ] ; then
+    cat >> /etc/ssmtp/ssmtp.conf <<EOL
+AuthUser=${SSMTP_USER}
+AuthPass=${SSMTP_PASSWORD}
+EOL
+  fi
+fi
+unset SSMTP_HOST
+unset SSMTP_USER
+unset SSMTP_PASSWORD
+
+# Init
+echo "Initializing files and folders..."
+mkdir -p /data/db /data/action.d /data/filter.d /data/jail.d
+ln -sf /data/jail.d /etc/fail2ban/
+
+# Fail2ban conf
+echo "Setting Fail2ban configuration..."
+sed -i "s|logtarget =.*|logtarget = $F2B_LOG_TARGET|g" /etc/fail2ban/fail2ban.conf
+sed -i "s/loglevel =.*/loglevel = $F2B_LOG_LEVEL/g" /etc/fail2ban/fail2ban.conf
+sed -i "s/dbfile =.*/dbfile = \/data\/db\/fail2ban\.sqlite3/g" /etc/fail2ban/fail2ban.conf
+sed -i "s/dbpurgeage =.*/dbpurgeage = $F2B_DB_PURGE_AGE/g" /etc/fail2ban/fail2ban.conf
+sed -i "s/#allowipv6 =.*/allowipv6 = auto/g" /etc/fail2ban/fail2ban.conf
+
+# Check custom actions
+echo "Checking for custom actions in /data/action.d..."
+actions=$(ls -l /data/action.d | grep -E '^-' | awk '{print $9}')
+for action in ${actions}; do
+  if [ -f "/etc/fail2ban/action.d/${action}" ]; then
+    echo "  WARNING: ${action} already exists and will be overriden"
+    rm -f "/etc/fail2ban/action.d/${action}"
+  fi
+  echo "  Add custom action ${action}..."
+  ln -sf "/data/action.d/${action}" "/etc/fail2ban/action.d/"
+done
+
+# Check custom filters
+echo "Checking for custom filters in /data/filter.d..."
+filters=$(ls -l /data/filter.d | grep -E '^-' | awk '{print $9}')
+for filter in ${filters}; do
+  if [ -f "/etc/fail2ban/filter.d/${filter}" ]; then
+    echo "  WARNING: ${filter} already exists and will be overriden"
+    rm -f "/etc/fail2ban/filter.d/${filter}"
+  fi
+  echo "  Add custom filter ${filter}..."
+  ln -sf "/data/filter.d/${filter}" "/etc/fail2ban/filter.d/"
+done
+
+exec "$@"
diff --git a/protos/blacklist.proto b/protos/blacklist.proto
@@ -4,6 +4,7 @@ package blacklist;
 
 service Blacklist {
   rpc PutBlackList (PutBlackListRequest) returns (PutBlackListReply) {}
+  rpc BlockCountry (BlockCountryRequest) returns (BlockCountryReply) {}
   rpc GetBlackList (GetBlackListRequest) returns (stream GetBlackListReply) {}
   rpc PutWhiteList (PutWhiteListRequest) returns (PutWhiteListReply) {}
 }
@@ -15,6 +16,13 @@ message PutBlackListRequest {
 message PutBlackListReply {
 }
 
+message BlockCountryRequest {
+  string countryCode = 1;
+}
+
+message BlockCountryReply {
+}
+
 message GetBlackListRequest {}
 
 message GetBlackListReply {