Merge pull request #10 from linuxserver-labs/dev-conf

.github/workflows/call-baseimage-update.yml

@@ -0,0 +1,16 @@
+name: Check for base image updates
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "52 0 * * 0"
+
+jobs:
+  call-workflow:
+    uses: linuxserver-labs/docker-actions/.github/workflows/check-baseimage-update.yml@v5
+    with:
+      repo_owner: ${{ github.repository_owner }}
+      baseimage: "alpine"
+      basebranch: "master"
+      app_name: "fail2Ban"
+    secrets:
+      repo_release_token: ${{ secrets.repo_release_token }}

.github/workflows/call-build-image.yml

@@ -3,10 +3,15 @@ name: Build Image On Release
 on:
   release:
     types: [published]
+  pull_request:
 
 jobs:
   call-workflow:
-    uses: linuxserver-labs/docker-actions/.github/workflows/build-image.yml@v2
+    uses: linuxserver-labs/docker-actions/.github/workflows/build-image.yml@v5
     with:
       repo_owner: ${{ github.repository_owner }}
-      app_name: "fail2ban"
+      app_name: fail2ban
+      release_type: alpine
+      release_name: fail2Ban
+    secrets:
+      scarf_token: ${{ secrets.SCARF_TOKEN }}

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+    "files.associations": {
+        "**/fail2ban/**/**.conf": "ini",
+        "**/fail2ban/**/**.local": "ini"
+    }
+}

Dockerfile

@@ -10,19 +10,12 @@ LABEL maintainer="nomandera"
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
 
 RUN \
- echo "**** install runtime packages ****" && \
- apk add --no-cache --upgrade \
+  echo "**** install runtime packages ****" && \
+  apk add --no-cache --upgrade \
     curl \
     fail2ban \
-    fail2ban-doc && \
- echo "**** remove unnecessary fail2ban filters ****" && \
-    rm \
-    	/etc/fail2ban/jail.d/alpine-ssh.conf && \
-echo "**** copy fail2ban default action and filter to /default ****" && \
-mkdir -p /defaults/fail2ban && \
-mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
-mv /etc/fail2ban/filter.d /defaults/fail2ban/
-
+    fail2ban-doc
+
 
 # add local files
 COPY root/ /

readme-vars.yml

@@ -1,20 +1,18 @@
 ---
-
 # project information
 project_name: fail2ban
 project_url: "https://github.com/fail2ban/fail2ban"
 project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban-banner.png"
 project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) Fail2Ban can do many things but at its core it scans log files and bans IP addresses with too many failed login attempts by adding firewall rules to reject new connections from those IP addresses, for a configurable amount of time."
 
-
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
 project_blurb_optional_extras_enabled: false
 
 # supported architectures
 available_architectures:
-  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
-  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
-  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
+  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest" }
+  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest" }
+  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest" }
 
 # development version
 development_versions: true
@@ -28,12 +26,28 @@ param_container_name: "{{ project_name }}"
 param_usage_include_net: false
 param_usage_include_env: true
 param_env_vars:
-  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
+  - {
+      env_var: "TZ",
+      env_value: "Europe/London",
+      desc: "Specify a timezone to use EG Europe/London.",
+    }
 param_usage_include_vols: true
 param_volumes:
-  - { vol_path: "/config", vol_host_path: "<path to data>", desc: "Where Fail2ban should store its config file." }
-  - { vol_path: "/remotelog/applicationX/applicationX.log", vol_host_path: "<path to applicationX.log>", desc: "Path to a specific named log file." }
-  - { vol_path: "/remotelog/applicationY/", vol_host_path: "<path to applicationY log directory>", desc: "Path to an application log directory with multiple logs." } 
+  - {
+      vol_path: "/config",
+      vol_host_path: "<path to data>",
+      desc: "Where Fail2ban should store its config file.",
+    }
+  - {
+      vol_path: "/remotelog/applicationX/applicationX.log",
+      vol_host_path: "<path to applicationX.log>",
+      desc: "Path to a specific named log file.",
+    }
+  - {
+      vol_path: "/remotelog/applicationY/",
+      vol_host_path: "<path to applicationY log directory>",
+      desc: "Path to an application log directory with multiple logs.",
+    }
 param_usage_include_ports: false
 param_ports:
 param_device_map: false
@@ -51,80 +65,78 @@ optional_block_1: false
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  This docker specific implementation of fail2ban can read an arbitrary number of log files from other containers, monitor them for abuse as a single large entity
-  and apply IP bans that will protect ALL docker containers on the host but not the host itself.
- 
+  This docker specific implementation of fail2ban can read an arbitrary number of log files from other containers, monitor them for abuse as a single large entity and apply IP bans that will protect ALL docker containers on the host but not the host itself.
+
   To do this it takes advantage of the DOCKER-USER iptables chain that exists in all modern docker installs.
- 
+
   Note: Internal Docker iptables rules are added to the DOCKER chain which is separate to the DOCKER-USER chain and should never be manipulated directly by the user.
- 
+
   Since DOCKER-USER rules are applied before any rules Docker itself creates fail2ban blocks automatically apply to all local native and custom docker bridge networks without risking breaking docker itself.
- 
-  IMPORTANT: Both the DOCKER and DOCKER-USER chains are evaluated BEFORE the FORWARD chain. This is often overlooked by users who expected existing firewall restrictions to
-  apply to docker services which they do not resulting in the false assumption that services are protected and private when they are not.
- 
+
+  > IMPORTANT: Both the DOCKER and DOCKER-USER chains are evaluated BEFORE the FORWARD chain. This is often overlooked by users who expected existing firewall restrictions to apply to docker services which they do not resulting in the false assumption that services are protected and private when they are not.
+
   If none of this make sense to you don't worry you do not need to understand firewalling to make use of this container.
- 
+
   Fail2ban configuration can seem daunting at first but most of the complexity can be ignored for most users.
- 
+
   In simple terms Fail2ban has three steps with associated configuration files:
- 
-  filters. Think of these as a list of patterns used to match abuse in your log files.
-  jails. These are used to tell Fail2ban which log files match which filters and other basics such as how how many failed logins are allowed etc
-  actions. As the name suggests these define what actions Fail2ban takes when a jail is triggered. Typical users will never alter these.
- 
+
+  `filters` - Think of these as a list of patterns used to match abuse in your log files.
+  `jails` - These are used to tell Fail2ban which log files match which filters and other basics such as how how many failed logins are allowed etc
+  `actions` - As the name suggests these define what actions Fail2ban takes when a jail is triggered. Typical users will never alter these.
+
   Fail2ban continues this one step further with a system that can merge multiple configuration files into one. This is a fairly unusual methodology which can seem confusing at first but is a critical and powerful skill to learn.
- 
+
   This is best explained using an example:
- 
+
   If we ignore actions since almost all users will be happy with the "block IP action" we can concentrate on filters and jails.
- 
+
   Each jail is defined in a .conf file located in /config/fail2ban/jail.d/ so for example nginx-http-auth.conf with contents like:
- 
+
+  ```ini
   [nginx-http-auth]
 
   enabled  = false
   filter   = nginx-http-auth
   port     = http,https
   logpath  = /remotelog/nginx/error.log
- 
+  ```
+
   This file is relatively simple to understand but it is important you do not edit it directly. If you wish to alter this file you have two options:
- 
+
   1. Create a file called nginx-http-auth.local with just the changes you wish to make and the [] header. So for example if you wanted to enable this jail we
   could create a file called nginx-http-auth.local beside the existing nginx-http-auth.conf with contents of
- 
+
+  ```ini
   [nginx-http-auth]
 
   enabled  = true
- 
+  ```
+
   At load tile Fail2ban will read every .conf and .local and merge them internally resulting in this example of turning nginx-http-auth on.
- 
+
   2. Fail2ban also has a jail.conf file that contains global settings but it can also accept jail specific changes.
   As previously you should not edit a conf file so in this case we would create jail.local and enter the same two lines we changed in the previous nginx-http-auth.local example/
- 
+
   Which method is preferable? The choice is yours and both have merits but jail.local is probably easier at first. Should you wish to change later the effort to do so it relatively minimal.
- 
-  At this point you may be asking yourself why all this complication? Once you get used to the setup it soon becomes second nature and it allows lsio and the fail2ban project to push new
-  config files and changes such as security fixes without the risk of altering existing user changes.
- 
+
+  At this point you may be asking yourself why all this complication? Once you get used to the setup it soon becomes second nature and it allows lsio and the fail2ban project to push new config files and changes such as security fixes without the risk of altering existing user changes.
+
   So how do you actually turn on a jail? It is actually relatively simple.
- 
+
   Step 1: In docker volume mount the log file or folder of log files from the container to be protected into this one.
   Step 2: Find the filter that matches the application log type. Most are included by default and more are being added all the time.
   Step 3: Activate the jail using either the global jail.local or jail-specific.local as described above. Normally you only need to change two variables `enabled  = true` and the `logpath  = /match/your/volume/mount/from/step/1.log`
- 
+
   For neatness we would recommend logs are mount read only using the convention of `/remotelog/containername/nativefilename.log`. So for example our Airsonic container would be:
- 
-  -v <path to containers>/airsonic/airsonic.log:/remotelog/airsonic/airsonic.log:ro
 
-  Once these three simple steps are taken restart fail2ban and protection should be in place. You can repeat this process to protect any number of containers and given how noisy the internet is in no time you will see
-  bad actors being banned.
- 
+  `-v <path to containers>/airsonic/airsonic.log:/remotelog/airsonic/airsonic.log:ro`
+
+  Once these three simple steps are taken restart fail2ban and protection should be in place. You can repeat this process to protect any number of containers and given how noisy the internet is in no time you will see bad actors being banned.
+
   Note: As a safety measure we ship this container with a default ignore list of all IANA private addresses to ensure you do not ban yourself or your LAN users by default. You can alter this using jail.local if you wish.
- 
 
 # changelog
 
 changelogs:
   - { date: "xx.xx.20:", desc: "Initial Release." }
-

root/defaults/fail2ban/action.d/apprise.conf

@@ -0,0 +1,51 @@
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The guard in <name> is waking up."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+
+actionban = curl -X POST -d '{"tag": "f2b", "type": "warning", "body": "#I smell blood in <name>.\n<ip> has been banned."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+
+actionunban = curl -X POST -d '{"tag": "f2b", "type": "success", "body": "#Someone have seen the light in <name>.\n<ip> has been unbanned."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+[Init]
+
+url = http://apprise:8000/notify/default

root/defaults/fail2ban/fail2ban.conf

@@ -0,0 +1,86 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [DEFAULT]
+# loglevel = DEBUG
+#
+
+[DEFAULT]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: INFO
+#
+loglevel = INFO
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
+#
+logtarget = /config/log/fail2ban/fail2ban.log
+
+# Option: syslogsocket
+# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
+#        auto uses platform.system() to determine predefined paths
+# Values: [ auto | FILE ]  Default: auto
+syslogsocket = auto
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
+#
+socket = /var/run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
+#
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /config/fail2ban/fail2ban.sqlite3
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = 1d
+
+# Options: dbmaxmatches
+# Notes.: Number of matches stored in database per ticket (resolvable via
+#         tags <ipmatches>/<ipjailmatches> in actions)
+# Values: [ INT ] Default: 10
+dbmaxmatches = 10
+
+[Definition]
+
+
+[Thread]
+
+# Options: stacksize
+# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
+#         and must be 0 or a positive integer value of at least 32.
+# Values: [ SIZE ] Default: 0 (use platform or configured default)
+#stacksize = 0

root/defaults/fail2ban/filter.d/filebrowser.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^.*/api/login: 403 <HOST> \<nil\>.*$
+ignoreregex =

root/defaults/fail2ban/filter.d/gitea.conf

@@ -0,0 +1,4 @@
+[Definition]
+
+failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+ignoreregex =