From af8834f4f4137b31268398692308ff0e7ef2dc44 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Thu, 7 Jul 2022 17:11:23 +0000
Subject: [PATCH 01/29] Lots of config changes

---
 Dockerfile                                    |   2 +-
 .../fail2ban/action.d/apprise-api.conf        |  49 ++
 root/defaults/fail2ban/action.d/apprise.conf  |  40 +-
 .../fail2ban/action.d/discord-webhook.conf    |  42 +
 .../fail2ban/action.d/iptables-common.conf    |   7 -
 .../fail2ban/filter.d/airsonic-http-auth.conf |   3 +-
 .../fail2ban/filter.d/emby-http-auth.conf     |   9 +-
 .../fail2ban/filter.d/filebrowser.conf        |   4 +
 root/defaults/fail2ban/filter.d/gitea.conf    |   7 +-
 .../fail2ban/filter.d/homeassistant.conf      |   3 +-
 .../fail2ban/filter.d/nginx-http-418.conf     |   3 +
 .../fail2ban/filter.d/nginx-http-auth.conf    |  17 -
 .../fail2ban/filter.d/nginx-http-badbots.conf |  21 -
 .../filter.d/nginx-http-botsearch.conf        |  23 -
 .../fail2ban/filter.d/nginx-http-deny.conf    |   2 +
 root/defaults/fail2ban/filter.d/nzbget.conf   |   4 +
 .../defaults/fail2ban/filter.d/overseerr.conf |   4 +
 root/defaults/fail2ban/filter.d/servarr.conf  |   4 +
 .../fail2ban/filter.d/unifi-controller.conf   |   7 +
 .../fail2ban/filter.d/unraid-webgui.conf      |   7 +
 .../fail2ban/filter.d/vaultwarden.conf        |   4 +
 root/defaults/fail2ban/jail.conf              | 738 +++++++++++++++++-
 .../fail2ban/jail.d/airsonic-http-auth.conf   |   2 +
 .../fail2ban/jail.d/emby-http-auth.conf       |   3 +-
 .../defaults/fail2ban/jail.d/filebrowser.conf |   2 +
 root/defaults/fail2ban/jail.d/gitea.conf      |   1 +
 .../fail2ban/jail.d/homeassistant.conf        |   4 +-
 .../fail2ban/jail.d/nginx-http-418.conf       |   2 +
 .../fail2ban/jail.d/nginx-http-auth.conf      |   5 -
 .../fail2ban/jail.d/nginx-http-badbots.conf   |   6 +-
 .../fail2ban/jail.d/nginx-http-botsearch.conf |   5 -
 .../fail2ban/jail.d/nginx-http-deny.conf      |   2 +
 root/defaults/fail2ban/jail.d/nzbget.conf     |   4 +-
 root/defaults/fail2ban/jail.d/overseerr.conf  |   2 +
 root/defaults/fail2ban/jail.d/prowlarr.conf   |   2 +
 root/defaults/fail2ban/jail.d/radarr.conf     |   4 +-
 root/defaults/fail2ban/jail.d/sonarr.conf     |   4 +-
 .../fail2ban/jail.d/unifi-controller.conf     |   9 +
 .../defaults/fail2ban/jail.d/unraid-sshd.conf |   9 +
 .../fail2ban/jail.d/unraid-webgui.conf        |   9 +
 .../defaults/fail2ban/jail.d/vaultwarden.conf |   6 +-
 root/defaults/fail2ban/jail.local             |  26 -
 .../{paths-common.local => paths-lsio.conf}   |   6 +-
 root/etc/logrotate.d/fail2ban                 |   7 +-
 44 files changed, 960 insertions(+), 160 deletions(-)
 create mode 100644 root/defaults/fail2ban/action.d/apprise-api.conf
 create mode 100644 root/defaults/fail2ban/action.d/discord-webhook.conf
 delete mode 100644 root/defaults/fail2ban/action.d/iptables-common.conf
 delete mode 100644 root/defaults/fail2ban/filter.d/nginx-http-auth.conf
 delete mode 100644 root/defaults/fail2ban/filter.d/nginx-http-badbots.conf
 delete mode 100644 root/defaults/fail2ban/filter.d/nginx-http-botsearch.conf
 create mode 100644 root/defaults/fail2ban/filter.d/unifi-controller.conf
 create mode 100644 root/defaults/fail2ban/filter.d/unraid-webgui.conf
 delete mode 100644 root/defaults/fail2ban/jail.d/nginx-http-auth.conf
 delete mode 100644 root/defaults/fail2ban/jail.d/nginx-http-botsearch.conf
 create mode 100644 root/defaults/fail2ban/jail.d/unifi-controller.conf
 create mode 100644 root/defaults/fail2ban/jail.d/unraid-sshd.conf
 create mode 100644 root/defaults/fail2ban/jail.d/unraid-webgui.conf
 delete mode 100644 root/defaults/fail2ban/jail.local
 rename root/defaults/fail2ban/{paths-common.local => paths-lsio.conf} (83%)

diff --git a/Dockerfile b/Dockerfile
index a5232c5..586e7ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.14
+FROM ghcr.io/linuxserver/baseimage-alpine:3.16
 
 # set version label
 ARG BUILD_DATE
diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf
new file mode 100644
index 0000000..ef0e683
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/apprise-api.conf
@@ -0,0 +1,49 @@
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The jail <name> as been started successfully."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The jail <name> has been stopped."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+
+actionban = curl -X POST -d '{"tag": "f2b", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+
+actionunban = curl -X POST -d '{"tag": "f2b", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
+          -H "Content-Type: application/json" \
+          <url>
+
+[Init]
+
+url = http://apprise:8000/notify/default
diff --git a/root/defaults/fail2ban/action.d/apprise.conf b/root/defaults/fail2ban/action.d/apprise.conf
index c4c6c1c..e3cee2b 100644
--- a/root/defaults/fail2ban/action.d/apprise.conf
+++ b/root/defaults/fail2ban/action.d/apprise.conf
@@ -1,18 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Chris Caron <lead2gold@gmail.com>
+#
+#
+
 [Definition]
 
 # Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The guard in <name> is waking up."}' \
-          -H "Content-Type: application/json" \
-          <url>
+actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
 
 # Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop =
+actionstop = printf %%b "The jail <name> has been stopped." | <apprise> -t "[Fail2Ban] <name>: stopped on `uname -n`"
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
@@ -23,29 +27,23 @@ actioncheck =
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
+# Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-
-actionban = curl -X POST -d '{"tag": "f2b", "type": "warning", "body": "#I smell blood in <name>.\n<ip> has been banned."}' \
-          -H "Content-Type: application/json" \
-          <url>
+actionban = printf %%b "The IP <ip> has just been banned from <name> after <failures> attempts." | <apprise> -n "warning" -t "[Fail2Ban] <name>: banned <ip> from `uname -n`"
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
+# Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-
-actionunban = curl -X POST -d '{"tag": "f2b", "type": "success", "body": "#Someone have seen the light in <name>.\n<ip> has been unbanned."}' \
-          -H "Content-Type: application/json" \
-          <url>
+actionunban = printf %%b "The IP <ip> has just been unbanned from <name>." | <apprise> -t "[Fail2Ban] <name>: unbanned <ip> from `uname -n`"
 
 [Init]
 
-url = http://apprise:8000/notify/default
\ No newline at end of file
+# Define location of the default apprise configuration file to use
+#
+config = /etc/fail2ban/apprise.conf
+#
+apprise = apprise -c "<config>"
diff --git a/root/defaults/fail2ban/action.d/discord-webhook.conf b/root/defaults/fail2ban/action.d/discord-webhook.conf
new file mode 100644
index 0000000..0854610
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/discord-webhook.conf
@@ -0,0 +1,42 @@
+# Author: Gilbn from https://technicalramblings.com
+# Adapted Source: https://gist.github.com/sander1/075736a42db2c66bc6ce0fab159ca683
+# Create the Discord Webhook in: Server settings -> Webhooks -> Create Webhooks
+
+[Definition]
+
+# Notify on Startup
+actionstart = curl -X POST "<webhook>" \
+            -H "Content-Type: application/json" \
+            -d '{"username": "Fail2Ban", "content":":white_check_mark: The **[<name>]** jail has started"}'
+
+# Notify on Shutdown
+actionstop = curl -X POST "<webhook>" \
+            -H "Content-Type: application/json" \
+            -d '{"username": "Fail2Ban", "content":":no_entry: The **[<name>]** jail has been stopped"}'
+
+#
+actioncheck =
+
+# Notify on Banned 
+actionban = curl -X POST "<webhook>" \
+            -H "Content-Type: application/json" \
+            -d '{"username":"Fail2Ban", "content":":bell: Hey <discord_userid>! **[<name>]** :hammer:**BANNED**:hammer: IP: `<ip>` for <bantime> seconds after **<failures>** failure(s). Here is some info about the IP: <url_check_ip><ip>"}' 
+            curl -X POST "<webhook>" \
+            -H "Content-Type: application/json" \
+            -d '{"username":"Fail2Ban", "content":"If you want to unban the IP run: `fail2ban-client unban <ip>`"}'
+
+# Notify on Unbanned
+actionunban = curl -X POST "<webhook>" \
+            -H "Content-Type: application/json" \
+            -d '{"username":"Fail2Ban", "content":":bell: **[<name>]** **UNBANNED** IP: [<ip>](<url_check_ip><ip>)"}'
+[Init]
+
+# Name of the jail in your jail.local file. default = [your-jail-name]
+name = default
+
+# URL prefix for an IP checking website
+# abuseipdb is used by default since there is also an action to report an IP to their API
+url_check_ip = https://www.abuseipdb.com/check/
+
+# Discord Webhook URL
+webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/root/defaults/fail2ban/action.d/iptables-common.conf b/root/defaults/fail2ban/action.d/iptables-common.conf
deleted file mode 100644
index f6332ff..0000000
--- a/root/defaults/fail2ban/action.d/iptables-common.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Init]
-
-# Option:  chain
-# Notes    specifies the iptables chain to which the Fail2Ban rules should be
-#          added
-# Values:  STRING  Default: INPUT
-chain = DOCKER-USER
diff --git a/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf b/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
index 7627e00..8e6da20 100644
--- a/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
+++ b/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
@@ -1,9 +1,10 @@
 # fail2ban filter configuration for airsonic
 
+[INCLUDES]
+before = common.conf
 
 [Definition]
 
-
 failregex = ^.*: Login failed from \[<HOST>\]$
 ignoreregex =
 
diff --git a/root/defaults/fail2ban/filter.d/emby-http-auth.conf b/root/defaults/fail2ban/filter.d/emby-http-auth.conf
index d9ef5a4..8c50518 100644
--- a/root/defaults/fail2ban/filter.d/emby-http-auth.conf
+++ b/root/defaults/fail2ban/filter.d/emby-http-auth.conf
@@ -1,19 +1,14 @@
 # Fail2Ban filter for emby
-#
 
 [INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
 before = common.conf
 
-
 [Definition]
 
 _daemon = emby-server
 
-failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
-            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None
+failregex = ^.*Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname.*$
+            ^.*Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None.*$
 
 ignoreregex =
 
diff --git a/root/defaults/fail2ban/filter.d/filebrowser.conf b/root/defaults/fail2ban/filter.d/filebrowser.conf
index e86055b..a8b530b 100644
--- a/root/defaults/fail2ban/filter.d/filebrowser.conf
+++ b/root/defaults/fail2ban/filter.d/filebrowser.conf
@@ -1,3 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
+
 failregex = ^.*/api/login: 403 <HOST> \<nil\>.*$
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/gitea.conf b/root/defaults/fail2ban/filter.d/gitea.conf
index 3da10ac..e66e17d 100644
--- a/root/defaults/fail2ban/filter.d/gitea.conf
+++ b/root/defaults/fail2ban/filter.d/gitea.conf
@@ -1,4 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
 
-failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-ignoreregex =
\ No newline at end of file
+failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>.*$
+ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/homeassistant.conf b/root/defaults/fail2ban/filter.d/homeassistant.conf
index fd699d1..8044b56 100644
--- a/root/defaults/fail2ban/filter.d/homeassistant.conf
+++ b/root/defaults/fail2ban/filter.d/homeassistant.conf
@@ -2,7 +2,8 @@
 before = common.conf
 
 [Definition]
+
 failregex = ^%(__prefix_line)s.*\[homeassistant.components.http.ban\] Login attempt or request with invalid authentication from <HOST>.*$
 
 [Init]
-datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
\ No newline at end of file
+datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-418.conf b/root/defaults/fail2ban/filter.d/nginx-http-418.conf
index c78c495..0e29867 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-http-418.conf
@@ -3,6 +3,9 @@
 # 418 I'm a teapot
 # Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
 
+[INCLUDES]
+before = common.conf
+
 [Definition]
 
 failregex = ^<HOST>.*"(GET|POST).*" (418) .*$
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-auth.conf b/root/defaults/fail2ban/filter.d/nginx-http-auth.conf
deleted file mode 100644
index 93341cd..0000000
--- a/root/defaults/fail2ban/filter.d/nginx-http-auth.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# fail2ban filter configuration for nginx
-
-
-[Definition]
-
-
-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# DEV NOTES:
-# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
-# Extensive search of all nginx auth failures not done yet.
-# 
-# Author: Daniel Black
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-badbots.conf b/root/defaults/fail2ban/filter.d/nginx-http-badbots.conf
deleted file mode 100644
index 48b3066..0000000
--- a/root/defaults/fail2ban/filter.d/nginx-http-badbots.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Fail2Ban configuration file
-#
-# Regexp to catch known spambots and software alike. Please verify
-# that it is your intent to block IPs which were driven by
-# above mentioned bots.
-
-
-[Definition]
-
-badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
-badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
-
-failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
-
-ignoreregex =
-
-# DEV Notes:
-# List of bad bots fetched from http://www.user-agents.org
-# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
-#
-# Author: Yaroslav Halchenko
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-botsearch.conf b/root/defaults/fail2ban/filter.d/nginx-http-botsearch.conf
deleted file mode 100644
index 0be895b..0000000
--- a/root/defaults/fail2ban/filter.d/nginx-http-botsearch.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Fail2Ban filter to match web requests for selected URLs that don't exist
-#
-
-[INCLUDES]
-
-# Load regexes for filtering
-before = botsearch-common.conf
-
-[Definition]
-
-failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
-            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
-              ^[^\[]*\[({DATE})
-              {^LN-BEG}
-
-# DEV Notes:
-# Based on apache-botsearch filter
-# 
-# Author: Frantisek Sumsal
\ No newline at end of file
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf b/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
index d9f4694..f934d83 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
@@ -1,5 +1,7 @@
 # fail2ban filter configuration for nginx
 
+[INCLUDES]
+before = common.conf
 
 [Definition]
 
diff --git a/root/defaults/fail2ban/filter.d/nzbget.conf b/root/defaults/fail2ban/filter.d/nzbget.conf
index 6defc38..ec61b63 100644
--- a/root/defaults/fail2ban/filter.d/nzbget.conf
+++ b/root/defaults/fail2ban/filter.d/nzbget.conf
@@ -1,3 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
+
 failregex = ^.*WARNING	Request received on port .* from .* \(forwarded for: <HOST>.*\), but username .* or password invalid$
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/overseerr.conf b/root/defaults/fail2ban/filter.d/overseerr.conf
index 0ec1b62..77ade73 100644
--- a/root/defaults/fail2ban/filter.d/overseerr.conf
+++ b/root/defaults/fail2ban/filter.d/overseerr.conf
@@ -1,3 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
+
 failregex = ^.*\[info\]\[Auth\]\: Failed sign-in attempt.*"ip":"<HOST>".*$
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/servarr.conf b/root/defaults/fail2ban/filter.d/servarr.conf
index b3a5632..58db507 100644
--- a/root/defaults/fail2ban/filter.d/servarr.conf
+++ b/root/defaults/fail2ban/filter.d/servarr.conf
@@ -1,3 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
+
 failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/unifi-controller.conf b/root/defaults/fail2ban/filter.d/unifi-controller.conf
new file mode 100644
index 0000000..99f51fc
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/unifi-controller.conf
@@ -0,0 +1,7 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+failregex = ^(.*)Failed admin login for (.*) from <HOST>$
+ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/unraid-webgui.conf b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
new file mode 100644
index 0000000..1f2ac1e
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
@@ -0,0 +1,7 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+failregex = ^.*webGUI: Unsuccessful login user .* from <HOST>$
+ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/vaultwarden.conf b/root/defaults/fail2ban/filter.d/vaultwarden.conf
index 68a0ffe..39c1006 100644
--- a/root/defaults/fail2ban/filter.d/vaultwarden.conf
+++ b/root/defaults/fail2ban/filter.d/vaultwarden.conf
@@ -1,3 +1,7 @@
+[INCLUDES]
+before = common.conf
+
 [Definition]
+
 failregex = ^.*(Username or password is incorrect\. Try again|Invalid admin token)\. IP: <HOST>.*$
 ignoreregex =
diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index 1811bfa..5250596 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -1,4 +1,4 @@
-
+#
 # WARNING: heavily refactored in 0.9.0 release.  Please review and
 #          customize settings for your setup.
 #
@@ -33,6 +33,8 @@
 [INCLUDES]
 
 #before = paths-distro.conf
+before = paths-lsio.conf
+
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 
@@ -42,19 +44,19 @@
 # MISCELLANEOUS OPTIONS
 #
 
-# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
 # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 #bantime.increment = true
 
-# "bantime.rndtime" is the max number of seconds using for mixing with random time
+# "bantime.rndtime" is the max number of seconds using for mixing with random time 
 # to prevent "clever" botnets calculate exact time IP can be unbanned again:
-#bantime.rndtime =
+#bantime.rndtime = 
 
 # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
-#bantime.maxtime =
+#bantime.maxtime = 
 
 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
-# default value of factor is 1 and with default value of formula, the ban time
+# default value of factor is 1 and with default value of formula, the ban time 
 # grows by 1, 2, 4, 8, 16 ...
 #bantime.factor = 1
 
@@ -65,16 +67,16 @@
 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
 
-# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
-# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
+# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
 #bantime.multipliers = 1 2 4 8 16 32 64
 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
 # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 
-# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
+# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
 # cross over all jails, if false (dafault), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 
@@ -171,6 +173,18 @@ filter = %(__name__)s[mode=%(mode)s]
 
 # Some options used for actions
 
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@<fq-hostname>
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
 # Default protocol
 protocol = tcp
 
@@ -197,6 +211,57 @@ banaction_allports = iptables-allports
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(action_)s
+            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(action_)s
+             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(action_)s
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# corresponding jail.d/my-jail.local file).
+#
+action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf for usage example and details.
+#
+action_abuseipdb = abuseipdb
+
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
@@ -207,15 +272,121 @@ action = %(action_)s
 # JAILS
 #
 
+#
+# SSH servers
+#
+
+[sshd]
+
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+#mode   = normal
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+
+[dropbear]
+
+port     = ssh
+logpath  = %(dropbear_log)s
+backend  = %(dropbear_backend)s
+
+
+[selinux-ssh]
+
+port     = ssh
+logpath  = %(auditd_log)s
+
+
 #
 # HTTP servers
 #
 
+[apache-auth]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 48h
+maxretry = 1
+
+
+[apache-noscript]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-overflows]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port     = http,https
+logpath  = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-shellshock]
+
+port    = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+
+[openhab-auth]
+
+filter = openhab
+banaction = %(banaction_allports)s
+logpath = /opt/openhab/logs/request.log
+
+
 [nginx-http-auth]
 
 port    = http,https
 logpath = %(nginx_error_log)s
 
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port    = http,https
+logpath = %(nginx_error_log)s
 
 [nginx-botsearch]
 
@@ -224,6 +395,415 @@ logpath  = %(nginx_error_log)s
 maxretry = 2
 
 
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port    = http,https
+logpath = %(nginx_access_log)s
+          %(apache_access_log)s
+
+
+[suhosin]
+
+port    = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port    = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port     = http,https
+logpath  = %(roundcube_errors_log)s
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
+
+
+[openwebmail]
+
+port     = http,https
+logpath  = /var/log/openwebmail.log
+
+
+[horde]
+
+port     = http,https
+logpath  = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port     = http,https
+logpath  = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port    = 20000
+port     = http,https
+logpath  = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath  = /var/log/tine20/tine20.log
+port     = http,https
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port     = http,https
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+[guacamole]
+
+port     = http,https
+logpath  = /var/log/tomcat*/catalina.out
+#logpath  = /var/log/guacamole.log
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+port = 2812
+logpath  = /var/log/monit
+           /var/log/monit.log
+
+
+[webmin-auth]
+
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[froxlor-auth]
+
+port    = http,https
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port     =  80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port    = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
+
+
+[pure-ftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(pureftpd_log)s
+backend  = %(pureftpd_backend)s
+
+
+[gssftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+
+[wuftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(wuftpd_log)s
+backend  = %(wuftpd_backend)s
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port     = smtp,465,submission
+logpath  = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix]
+# To use another modes set filter parameter "mode" in jail.local:
+mode    = more
+port    = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+
+
+[postfix-rbl]
+
+filter   = postfix[mode=rbl]
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode    = normal
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[qmail-rbl]
+
+filter  = qmail
+port    = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[sieve]
+
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[solid-pop3d]
+
+port    = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+# see filter.d/exim.conf for further modes supported from filter:
+#mode = normal
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix-sasl]
+
+filter   = postfix[mode=auth]
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+
+[perdition]
+
+port   = imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[uwimap-auth]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter   = named-refused
+# port     = domain,953
+# protocol = udp
+# logpath  = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port     = domain,953
+logpath  = /var/log/named/security.log
+
+
+[nsd]
+
+port     = 53
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port     = 5060,5061
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port     = 5060,5061
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+
+
+# enable adminlog; it will log to a file inside znc's directory by default.
+[znc-adminlog]
+
+port     = 6667
+logpath  = /var/lib/znc/moddata/adminlog/znc.log
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warnings = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
+
+
 # Jail for more extended banning of persistent abusers
 # !!! WARNINGS !!!
 # 1. Make sure that your loglevel specified in fail2ban.conf/.local
@@ -239,6 +819,146 @@ bantime  = 1w
 findtime = 1d
 
 
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath   = %(syslog_daemon)s
+backend   = %(syslog_backend)s
+maxretry  = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port    = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
+
+[softethervpn]
+port     = 500,4500
+protocol = udp
+logpath  = /usr/local/vpnserver/security_log/*/sec.log
+
+[gitlab]
+port    = http,https
+logpath = /var/log/gitlab/gitlab-rails/application.log
+
 [grafana]
 port    = http,https
 logpath = /var/log/grafana/grafana.log
+
+[bitwarden]
+port    = http,https
+logpath = /home/*/bwdata/logs/identity/Identity/log.txt
+
+[centreon]
+port    = http,https
+logpath = /var/log/centreon/login.log
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+backend  = %(syslog_backend)s
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+banaction = %(banaction_allports)s
+
+[directadmin]
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port         = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter       = apache-pass[knocking_url="%(knocking_url)s"]
+# access log of the website with HTTP auth
+logpath      = %(apache_access_log)s
+blocktype    = RETURN
+returntype   = DROP
+action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
+                        actionstart_on_demand=false, actionrepair_on_unban=true]
+bantime      = 1h
+maxretry     = 1
+findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+logpath  = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+logpath  = /var/log/haproxy.log
+
+[slapd]
+port    = ldap,ldaps
+logpath = /var/log/slapd.log
+
+[domino-smtp]
+port    = smtp,ssmtp
+logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+port    = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[zoneminder]
+# Zoneminder HTTP/HTTPS web interface auth
+# Logs auth failures to apache2 error log
+port    = http,https
+logpath = %(apache_error_log)s
+
+[traefik-auth]
+# to use 'traefik-auth' filter you have to configure your Traefik instance,
+# see `filter.d/traefik-auth.conf` for details and service example.
+port    = http,https
+logpath = /var/log/traefik/access.log
diff --git a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf b/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
index 3dd625e..5369036 100644
--- a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
@@ -1,5 +1,7 @@
 [airsonic-http-auth]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 4040
 filter   = airsonic-http-auth
 logpath  = %(remote_logs)s/airsonic/airsonic.log
diff --git a/root/defaults/fail2ban/jail.d/emby-http-auth.conf b/root/defaults/fail2ban/jail.d/emby-http-auth.conf
index fd90a5c..5da4c05 100644
--- a/root/defaults/fail2ban/jail.d/emby-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/emby-http-auth.conf
@@ -1,6 +1,7 @@
 [emby-http-auth]
 
 enabled  = false
-port     = 8920
+chain    = DOCKER-USER
+port     = 8096,8920
 filter   = emby-http-auth
 logpath  = %(remote_logs)s/emby/embyserver.txt
diff --git a/root/defaults/fail2ban/jail.d/filebrowser.conf b/root/defaults/fail2ban/jail.d/filebrowser.conf
index e4df717..d9bf71c 100644
--- a/root/defaults/fail2ban/jail.d/filebrowser.conf
+++ b/root/defaults/fail2ban/jail.d/filebrowser.conf
@@ -9,5 +9,7 @@
 [filebrowser]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = http,https
 filter   = filebrowser
 logpath  = %(remote_logs)s/filebrowser/filebrowser.log
diff --git a/root/defaults/fail2ban/jail.d/gitea.conf b/root/defaults/fail2ban/jail.d/gitea.conf
index e8b1c7a..9c77469 100644
--- a/root/defaults/fail2ban/jail.d/gitea.conf
+++ b/root/defaults/fail2ban/jail.d/gitea.conf
@@ -21,6 +21,7 @@
 [gitea]
 
 enabled  = false
+chain    = DOCKER-USER
 port     = http,https,822
 filter   = gitea
 logpath  = %(remote_logs)s/gitea/gitea.log
diff --git a/root/defaults/fail2ban/jail.d/homeassistant.conf b/root/defaults/fail2ban/jail.d/homeassistant.conf
index 8db3d87..4ec3ae9 100644
--- a/root/defaults/fail2ban/jail.d/homeassistant.conf
+++ b/root/defaults/fail2ban/jail.d/homeassistant.conf
@@ -11,6 +11,8 @@
 [homeassistant]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 8123
 filter   = homeassistant
 logpath  = %(remote_logs)s/homeassistant/home-assistant.log
-maxretry = 2
\ No newline at end of file
+maxretry = 2
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-418.conf b/root/defaults/fail2ban/jail.d/nginx-http-418.conf
index 4f53fbb..4752178 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-418.conf
@@ -1,6 +1,8 @@
 [nginx-http-418]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = http,https
 filter   = nginx-http-418
 logpath  = %(nginx_access_log)s
 maxretry = 10
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-auth.conf b/root/defaults/fail2ban/jail.d/nginx-http-auth.conf
deleted file mode 100644
index 56d0049..0000000
--- a/root/defaults/fail2ban/jail.d/nginx-http-auth.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[nginx-http-auth]
-
-enabled  = false
-filter   = nginx-http-auth
-logpath  = %(nginx_error_log)s
\ No newline at end of file
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf b/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
index 2921934..05fa450 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
@@ -1,6 +1,8 @@
 [nginx-http-badbots]
 
 enabled  = false
-filter   = nginx-http-badbots
-logpath  = %(remote_logs)s/nginx/access.log
+chain    = DOCKER-USER
+port     = http,https
+filter   = apache-badbots
+logpath  = %(nginx_access_log)s
 maxretry = 2
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-botsearch.conf b/root/defaults/fail2ban/jail.d/nginx-http-botsearch.conf
deleted file mode 100644
index 3f63956..0000000
--- a/root/defaults/fail2ban/jail.d/nginx-http-botsearch.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[nginx-http-botsearch]
-
-enabled  = false
-filter   = nginx-botsearch
-logpath  = %(nginx_access_log)s
\ No newline at end of file
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf b/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
index 35beb76..31ef77d 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
@@ -1,5 +1,7 @@
 [nginx-http-deny]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = http,https
 filter   = nginx-http-deny
 logpath  = %(nginx_error_log)s
diff --git a/root/defaults/fail2ban/jail.d/nzbget.conf b/root/defaults/fail2ban/jail.d/nzbget.conf
index ba92683..57ffbf0 100644
--- a/root/defaults/fail2ban/jail.d/nzbget.conf
+++ b/root/defaults/fail2ban/jail.d/nzbget.conf
@@ -3,5 +3,7 @@
 [nzbget]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 6789
 filter   = nzbget
-logpath  = %(remote_logs)s/nzbget/nzbget*.log
\ No newline at end of file
+logpath  = %(remote_logs)s/nzbget/nzbget*.log
diff --git a/root/defaults/fail2ban/jail.d/overseerr.conf b/root/defaults/fail2ban/jail.d/overseerr.conf
index ee6e5d8..56bd991 100644
--- a/root/defaults/fail2ban/jail.d/overseerr.conf
+++ b/root/defaults/fail2ban/jail.d/overseerr.conf
@@ -5,5 +5,7 @@
 [overseerr]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 5055
 filter   = overseerr
 logpath  = %(remote_logs)s/overseerr/overseerr.log
diff --git a/root/defaults/fail2ban/jail.d/prowlarr.conf b/root/defaults/fail2ban/jail.d/prowlarr.conf
index 907c7b2..30e23ff 100644
--- a/root/defaults/fail2ban/jail.d/prowlarr.conf
+++ b/root/defaults/fail2ban/jail.d/prowlarr.conf
@@ -3,5 +3,7 @@
 [prowlarr]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 9696
 filter   = servarr
 logpath  = %(remote_logs)s/prowlarr/prowlarr.txt
diff --git a/root/defaults/fail2ban/jail.d/radarr.conf b/root/defaults/fail2ban/jail.d/radarr.conf
index f2f538e..4ca81ee 100644
--- a/root/defaults/fail2ban/jail.d/radarr.conf
+++ b/root/defaults/fail2ban/jail.d/radarr.conf
@@ -3,5 +3,7 @@
 [radarr]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 7878
 filter   = servarr
-logpath  = %(remote_logs)s/radarr/radarr.txt
\ No newline at end of file
+logpath  = %(remote_logs)s/radarr/radarr.txt
diff --git a/root/defaults/fail2ban/jail.d/sonarr.conf b/root/defaults/fail2ban/jail.d/sonarr.conf
index e54e535..3adb424 100644
--- a/root/defaults/fail2ban/jail.d/sonarr.conf
+++ b/root/defaults/fail2ban/jail.d/sonarr.conf
@@ -3,5 +3,7 @@
 [sonarr]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = 8989
 filter   = servarr
-logpath  = %(remote_logs)s/sonarr/sonarr.txt
\ No newline at end of file
+logpath  = %(remote_logs)s/sonarr/sonarr.txt
diff --git a/root/defaults/fail2ban/jail.d/unifi-controller.conf b/root/defaults/fail2ban/jail.d/unifi-controller.conf
new file mode 100644
index 0000000..b42dbc8
--- /dev/null
+++ b/root/defaults/fail2ban/jail.d/unifi-controller.conf
@@ -0,0 +1,9 @@
+; Works OOTB with defaults
+
+[unifi-controller]
+
+enabled  = false
+chain    = DOCKER-USER
+port     = 8080,8443
+filter   = unifi-controller
+logpath  = %(remote_logs)s/unificontroller/server.log
diff --git a/root/defaults/fail2ban/jail.d/unraid-sshd.conf b/root/defaults/fail2ban/jail.d/unraid-sshd.conf
new file mode 100644
index 0000000..10e8f79
--- /dev/null
+++ b/root/defaults/fail2ban/jail.d/unraid-sshd.conf
@@ -0,0 +1,9 @@
+; Works OOTB with defaults
+
+[unraid-ssh]
+
+enabled  = false
+chain    = INPUT
+port     = ssh
+filter   = sshd[mode=aggressive]
+logpath  = /var/log/syslog
diff --git a/root/defaults/fail2ban/jail.d/unraid-webgui.conf b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
new file mode 100644
index 0000000..8e2b127
--- /dev/null
+++ b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
@@ -0,0 +1,9 @@
+; Works OOTB with defaults
+
+[unraid-webgui]
+
+enabled  = false
+chain    = INPUT
+port     = http,https
+filter   = unraid-webgui
+logpath  = /var/log/syslog
diff --git a/root/defaults/fail2ban/jail.d/vaultwarden.conf b/root/defaults/fail2ban/jail.d/vaultwarden.conf
index 5c29a5a..151a929 100644
--- a/root/defaults/fail2ban/jail.d/vaultwarden.conf
+++ b/root/defaults/fail2ban/jail.d/vaultwarden.conf
@@ -7,6 +7,8 @@
 [vaultwarden]
 
 enabled  = false
+chain    = DOCKER-USER
+port     = http,https
 filter   = vaultwarden
-logpath  = %(remote_logs)s/bitwarden/bitwarden.log
-maxretry = 3
\ No newline at end of file
+logpath  = %(remote_logs)s/vaultwarden/vaultwarden.log
+maxretry = 3
diff --git a/root/defaults/fail2ban/jail.local b/root/defaults/fail2ban/jail.local
deleted file mode 100644
index ffcb496..0000000
--- a/root/defaults/fail2ban/jail.local
+++ /dev/null
@@ -1,26 +0,0 @@
-## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
-# This is the custom version of the jail.conf for fail2ban
-# Feel free to modify this and add additional filters
-# Then you can drop the new filter conf files into the fail2ban-filters
-# folder and restart the container
-
-[INCLUDES]
-
-before = paths-common.local
-
-[DEFAULT]
-
-# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
-banaction = apprise
-
-# "bantime" is the number of seconds that a host is banned.
-bantime  = 600
-
-# A host is banned if it has generated "maxretry" during the last "findtime"
-# seconds.
-findtime  = 600
-
-# "maxretry" is the number of failures before a host get banned.
-maxretry = 5
-
-port     = http,https
\ No newline at end of file
diff --git a/root/defaults/fail2ban/paths-common.local b/root/defaults/fail2ban/paths-lsio.conf
similarity index 83%
rename from root/defaults/fail2ban/paths-common.local
rename to root/defaults/fail2ban/paths-lsio.conf
index 70127c7..5a69b7f 100644
--- a/root/defaults/fail2ban/paths-common.local
+++ b/root/defaults/fail2ban/paths-lsio.conf
@@ -1,10 +1,12 @@
-# Common
-#
+# linuxserver.io
 
 [INCLUDES]
 
+before = paths-common.conf
+
 after  = paths-overrides.local
 
+
 [DEFAULT]
 
 default_backend     = %(default/backend)s
diff --git a/root/etc/logrotate.d/fail2ban b/root/etc/logrotate.d/fail2ban
index 787ea1c..0404983 100644
--- a/root/etc/logrotate.d/fail2ban
+++ b/root/etc/logrotate.d/fail2ban
@@ -1,12 +1,13 @@
 /config/log/fail2ban/fail2ban.log {
     weekly
     rotate 7
-    missingok
     compress
     delaycompress
     nodateext
+    su abc abc
+    missingok
+    notifempty
     postrotate
-        /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+      /usr/bin/fail2ban-client flushlogs >/dev/null || true
     endscript
-    su abc abc
 }
\ No newline at end of file

From 67178725c2a0e9c49d1ca926865687e5af2086e5 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 00:17:38 +0000
Subject: [PATCH 02/29] Config comments

---
 .../fail2ban/action.d/apprise-api.conf        |  3 ++
 .../fail2ban/action.d/discord-webhook.conf    | 16 +++++-----
 .../fail2ban/filter.d/airsonic-http-auth.conf |  2 +-
 .../fail2ban/filter.d/filebrowser.conf        |  2 ++
 root/defaults/fail2ban/filter.d/gitea.conf    |  2 ++
 .../fail2ban/filter.d/homeassistant.conf      |  2 ++
 .../fail2ban/filter.d/nginx-http-418.conf     |  2 +-
 .../fail2ban/filter.d/nginx-http-deny.conf    |  2 +-
 root/defaults/fail2ban/filter.d/nzbget.conf   |  2 ++
 .../defaults/fail2ban/filter.d/overseerr.conf |  2 ++
 root/defaults/fail2ban/filter.d/servarr.conf  |  2 ++
 .../fail2ban/filter.d/unifi-controller.conf   |  2 ++
 .../fail2ban/filter.d/unraid-webgui.conf      |  2 ++
 .../fail2ban/filter.d/vaultwarden.conf        |  2 ++
 .../fail2ban/jail.d/airsonic-http-auth.conf   |  3 ++
 .../fail2ban/jail.d/emby-http-auth.conf       |  3 ++
 .../defaults/fail2ban/jail.d/filebrowser.conf | 11 ++++---
 root/defaults/fail2ban/jail.d/gitea.conf      | 30 +++++++++----------
 .../fail2ban/jail.d/homeassistant.conf        | 14 ++++-----
 .../fail2ban/jail.d/nginx-http-418.conf       |  2 ++
 .../fail2ban/jail.d/nginx-http-badbots.conf   |  2 ++
 .../fail2ban/jail.d/nginx-http-deny.conf      |  2 ++
 root/defaults/fail2ban/jail.d/nzbget.conf     |  3 +-
 root/defaults/fail2ban/jail.d/overseerr.conf  |  6 ++--
 root/defaults/fail2ban/jail.d/prowlarr.conf   |  3 +-
 root/defaults/fail2ban/jail.d/radarr.conf     |  3 +-
 root/defaults/fail2ban/jail.d/sonarr.conf     |  3 +-
 .../fail2ban/jail.d/unifi-controller.conf     |  3 +-
 .../defaults/fail2ban/jail.d/unraid-sshd.conf |  5 ++--
 .../fail2ban/jail.d/unraid-webgui.conf        |  3 +-
 .../defaults/fail2ban/jail.d/vaultwarden.conf |  9 +++---
 31 files changed, 93 insertions(+), 55 deletions(-)

diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf
index ef0e683..01720e8 100644
--- a/root/defaults/fail2ban/action.d/apprise-api.conf
+++ b/root/defaults/fail2ban/action.d/apprise-api.conf
@@ -1,3 +1,6 @@
+# Fail2Ban action configuration for apprise-api
+# Author: Roxedus https://github.com/Roxedus
+
 [Definition]
 
 # Option:  actionstart
diff --git a/root/defaults/fail2ban/action.d/discord-webhook.conf b/root/defaults/fail2ban/action.d/discord-webhook.conf
index 0854610..5074ac5 100644
--- a/root/defaults/fail2ban/action.d/discord-webhook.conf
+++ b/root/defaults/fail2ban/action.d/discord-webhook.conf
@@ -20,23 +20,23 @@ actioncheck =
 # Notify on Banned 
 actionban = curl -X POST "<webhook>" \
             -H "Content-Type: application/json" \
-            -d '{"username":"Fail2Ban", "content":":bell: Hey <discord_userid>! **[<name>]** :hammer:**BANNED**:hammer: IP: `<ip>` for <bantime> seconds after **<failures>** failure(s). Here is some info about the IP: <url_check_ip><ip>"}' 
+            -d '{"username":"<botname>", "content":":bell: Hey <discord_userid>! **[<name>]** :hammer:**BANNED**:hammer: IP: `<ip>` for <bantime> seconds after **<failures>** failure(s). Here is some info about the IP: <url_check_ip><ip>"}' 
             curl -X POST "<webhook>" \
             -H "Content-Type: application/json" \
-            -d '{"username":"Fail2Ban", "content":"If you want to unban the IP run: `fail2ban-client unban <ip>`"}'
+            -d '{"username":"<botname>", "content":"If you want to unban the IP run: `fail2ban-client unban <ip>`"}'
 
 # Notify on Unbanned
 actionunban = curl -X POST "<webhook>" \
             -H "Content-Type: application/json" \
-            -d '{"username":"Fail2Ban", "content":":bell: **[<name>]** **UNBANNED** IP: [<ip>](<url_check_ip><ip>)"}'
+            -d '{"username":"<botname>", "content":":bell: **[<name>]** **UNBANNED** IP: [<ip>](<url_check_ip><ip>)"}'
 [Init]
 
-# Name of the jail in your jail.local file. default = [your-jail-name]
-name = default
+# Discord Webhook URL
+webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+# Discord Bot Username
+botname = Fail2Ban
 
 # URL prefix for an IP checking website
 # abuseipdb is used by default since there is also an action to report an IP to their API
 url_check_ip = https://www.abuseipdb.com/check/
-
-# Discord Webhook URL
-webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf b/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
index 8e6da20..7c375e8 100644
--- a/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
+++ b/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
@@ -1,4 +1,4 @@
-# fail2ban filter configuration for airsonic
+# Fail2Ban filter configuration for airsonic
 
 [INCLUDES]
 before = common.conf
diff --git a/root/defaults/fail2ban/filter.d/filebrowser.conf b/root/defaults/fail2ban/filter.d/filebrowser.conf
index a8b530b..bf32f40 100644
--- a/root/defaults/fail2ban/filter.d/filebrowser.conf
+++ b/root/defaults/fail2ban/filter.d/filebrowser.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for filebrowser
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/gitea.conf b/root/defaults/fail2ban/filter.d/gitea.conf
index e66e17d..cfd67aa 100644
--- a/root/defaults/fail2ban/filter.d/gitea.conf
+++ b/root/defaults/fail2ban/filter.d/gitea.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for gitea
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/homeassistant.conf b/root/defaults/fail2ban/filter.d/homeassistant.conf
index 8044b56..3900194 100644
--- a/root/defaults/fail2ban/filter.d/homeassistant.conf
+++ b/root/defaults/fail2ban/filter.d/homeassistant.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for homeassistant
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-418.conf b/root/defaults/fail2ban/filter.d/nginx-http-418.conf
index 0e29867..d21c7ab 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-http-418.conf
@@ -1,4 +1,4 @@
-# fail2ban filter configuration for nginx
+# Fail2Ban filter configuration for nginx http 418
 # Track RFC2324
 # 418 I'm a teapot
 # Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf b/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
index f934d83..9ed29c8 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
@@ -1,4 +1,4 @@
-# fail2ban filter configuration for nginx
+# Fail2Ban filter configuration for nginx http deny
 
 [INCLUDES]
 before = common.conf
diff --git a/root/defaults/fail2ban/filter.d/nzbget.conf b/root/defaults/fail2ban/filter.d/nzbget.conf
index ec61b63..f33c4a0 100644
--- a/root/defaults/fail2ban/filter.d/nzbget.conf
+++ b/root/defaults/fail2ban/filter.d/nzbget.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for nzbget
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/overseerr.conf b/root/defaults/fail2ban/filter.d/overseerr.conf
index 77ade73..7b381b8 100644
--- a/root/defaults/fail2ban/filter.d/overseerr.conf
+++ b/root/defaults/fail2ban/filter.d/overseerr.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for overseerr
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/servarr.conf b/root/defaults/fail2ban/filter.d/servarr.conf
index 58db507..62f849f 100644
--- a/root/defaults/fail2ban/filter.d/servarr.conf
+++ b/root/defaults/fail2ban/filter.d/servarr.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for servarr (sonarr/radarr & derivatives)
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/unifi-controller.conf b/root/defaults/fail2ban/filter.d/unifi-controller.conf
index 99f51fc..ab523f5 100644
--- a/root/defaults/fail2ban/filter.d/unifi-controller.conf
+++ b/root/defaults/fail2ban/filter.d/unifi-controller.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for unifi controller
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/unraid-webgui.conf b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
index 1f2ac1e..2a8f2cd 100644
--- a/root/defaults/fail2ban/filter.d/unraid-webgui.conf
+++ b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for unRAID web GUI
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/filter.d/vaultwarden.conf b/root/defaults/fail2ban/filter.d/vaultwarden.conf
index 39c1006..bb35094 100644
--- a/root/defaults/fail2ban/filter.d/vaultwarden.conf
+++ b/root/defaults/fail2ban/filter.d/vaultwarden.conf
@@ -1,3 +1,5 @@
+# Fail2Ban filter configuration for vaultwarden
+
 [INCLUDES]
 before = common.conf
 
diff --git a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf b/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
index 5369036..cb33eb6 100644
--- a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
@@ -1,3 +1,6 @@
+# Fail2Ban jail configuration for airsonic
+# Works OOTB with defaults
+
 [airsonic-http-auth]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/emby-http-auth.conf b/root/defaults/fail2ban/jail.d/emby-http-auth.conf
index 5da4c05..7dff5bf 100644
--- a/root/defaults/fail2ban/jail.d/emby-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/emby-http-auth.conf
@@ -1,3 +1,6 @@
+# Fail2Ban jail configuration for emby
+# Works OOTB with defaults
+
 [emby-http-auth]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/filebrowser.conf b/root/defaults/fail2ban/jail.d/filebrowser.conf
index d9bf71c..93fe347 100644
--- a/root/defaults/fail2ban/jail.d/filebrowser.conf
+++ b/root/defaults/fail2ban/jail.d/filebrowser.conf
@@ -1,10 +1,9 @@
-; Requires modification to Filebrowsers settings.
+# Fail2Ban jail configuration for filebrowser
+# Requires modification to Filebrowsers settings
+# https://filebrowser.org/cli/filebrowser#options
+# Enabling logs
 
-; https://filebrowser.org/cli/filebrowser#options
-
-; Enabling logs
-
-; -e 'FB_LOG'='/log/filebrowser.log'
+# -e 'FB_LOG'='/log/filebrowser.log'
 
 [filebrowser]
 
diff --git a/root/defaults/fail2ban/jail.d/gitea.conf b/root/defaults/fail2ban/jail.d/gitea.conf
index 9c77469..e52fbfa 100644
--- a/root/defaults/fail2ban/jail.d/gitea.conf
+++ b/root/defaults/fail2ban/jail.d/gitea.conf
@@ -1,22 +1,22 @@
-; Requires modification to Giteas settings.
+# Fail2Ban jail configuration for emby
+# Requires modification to Giteas settings
+# https://docs.gitea.io/en-us/fail2ban-setup/
 
-; https://docs.gitea.io/en-us/fail2ban-setup/
+# Enabling, and depending on Giteas built in SSH server
 
-; Enabling, and depending on Giteas built in SSH server
+# [server]
+# [DISABLE_SSH      = false
+# [SSH_PORT         = 22
+# [SSH_LISTEN_PORT  = 822
+# [START_SSH_SERVER = true
 
-; [server]
-; [DISABLE_SSH      = false
-; [SSH_PORT         = 22
-; [SSH_LISTEN_PORT  = 822
-; [START_SSH_SERVER = true
+# Enabling logs
 
-; Enabling logs
-
-; [log]
-; ROOT_PATH = /data/gitea/log
-; ENABLE_SSH_LOG = true
-; LEVEL     = Info
-; MODE      = file
+# [log]
+# ROOT_PATH = /data/gitea/log
+# ENABLE_SSH_LOG = true
+# LEVEL     = Info
+# MODE      = file
 
 [gitea]
 
diff --git a/root/defaults/fail2ban/jail.d/homeassistant.conf b/root/defaults/fail2ban/jail.d/homeassistant.conf
index 4ec3ae9..f6b9681 100644
--- a/root/defaults/fail2ban/jail.d/homeassistant.conf
+++ b/root/defaults/fail2ban/jail.d/homeassistant.conf
@@ -1,12 +1,12 @@
-; Requires modification to Homeassitants settings.
+# Fail2Ban jail configuration for emby
+# Requires modification to Homeassitants settings
+# https://www.home-assistant.io/integrations/fail2ban/
 
-; https://www.home-assistant.io/integrations/fail2ban/
+# Enabling logging
 
-; Enabling logging
-
-; logger:
-;   logs:
-;     homeassistant.components.http.ban: warning
+# logger:
+#   logs:
+#     homeassistant.components.http.ban: warning
 
 [homeassistant]
 
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-418.conf b/root/defaults/fail2ban/jail.d/nginx-http-418.conf
index 4752178..c132af5 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-418.conf
@@ -1,3 +1,5 @@
+# Fail2Ban jail configuration for nginx http 418
+
 [nginx-http-418]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf b/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
index 05fa450..e69557b 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
@@ -1,3 +1,5 @@
+# Fail2Ban jail configuration for nginx http badbots
+
 [nginx-http-badbots]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf b/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
index 31ef77d..20463de 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
@@ -1,3 +1,5 @@
+# Fail2Ban jail configuration for nginx http deny
+
 [nginx-http-deny]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/nzbget.conf b/root/defaults/fail2ban/jail.d/nzbget.conf
index 57ffbf0..ec84b6c 100644
--- a/root/defaults/fail2ban/jail.d/nzbget.conf
+++ b/root/defaults/fail2ban/jail.d/nzbget.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for nzbget
+# Works OOTB with defaults
 
 [nzbget]
 
diff --git a/root/defaults/fail2ban/jail.d/overseerr.conf b/root/defaults/fail2ban/jail.d/overseerr.conf
index 56bd991..094654d 100644
--- a/root/defaults/fail2ban/jail.d/overseerr.conf
+++ b/root/defaults/fail2ban/jail.d/overseerr.conf
@@ -1,6 +1,6 @@
-; Requires modification to Overseerrs settings.
-
-; https://docs.overseerr.dev/extending-overseerr/fail2ban
+# Fail2Ban jail configuration for overseerr
+# Requires modification to Overseerrs settings
+# https://docs.overseerr.dev/extending-overseerr/fail2ban
 
 [overseerr]
 
diff --git a/root/defaults/fail2ban/jail.d/prowlarr.conf b/root/defaults/fail2ban/jail.d/prowlarr.conf
index 30e23ff..fc8edc6 100644
--- a/root/defaults/fail2ban/jail.d/prowlarr.conf
+++ b/root/defaults/fail2ban/jail.d/prowlarr.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for prowlarr
+# Works OOTB with defaults
 
 [prowlarr]
 
diff --git a/root/defaults/fail2ban/jail.d/radarr.conf b/root/defaults/fail2ban/jail.d/radarr.conf
index 4ca81ee..16684ac 100644
--- a/root/defaults/fail2ban/jail.d/radarr.conf
+++ b/root/defaults/fail2ban/jail.d/radarr.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for radarr
+# Works OOTB with defaults
 
 [radarr]
 
diff --git a/root/defaults/fail2ban/jail.d/sonarr.conf b/root/defaults/fail2ban/jail.d/sonarr.conf
index 3adb424..cc71ca0 100644
--- a/root/defaults/fail2ban/jail.d/sonarr.conf
+++ b/root/defaults/fail2ban/jail.d/sonarr.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for sonarr
+# Works OOTB with defaults
 
 [sonarr]
 
diff --git a/root/defaults/fail2ban/jail.d/unifi-controller.conf b/root/defaults/fail2ban/jail.d/unifi-controller.conf
index b42dbc8..6edbad4 100644
--- a/root/defaults/fail2ban/jail.d/unifi-controller.conf
+++ b/root/defaults/fail2ban/jail.d/unifi-controller.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for unifi controller
+# Works OOTB with defaults
 
 [unifi-controller]
 
diff --git a/root/defaults/fail2ban/jail.d/unraid-sshd.conf b/root/defaults/fail2ban/jail.d/unraid-sshd.conf
index 10e8f79..354dcca 100644
--- a/root/defaults/fail2ban/jail.d/unraid-sshd.conf
+++ b/root/defaults/fail2ban/jail.d/unraid-sshd.conf
@@ -1,6 +1,7 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for unRAID sshd
+# Works OOTB with defaults
 
-[unraid-ssh]
+[unraid-sshd]
 
 enabled  = false
 chain    = INPUT
diff --git a/root/defaults/fail2ban/jail.d/unraid-webgui.conf b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
index 8e2b127..8732f34 100644
--- a/root/defaults/fail2ban/jail.d/unraid-webgui.conf
+++ b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
@@ -1,4 +1,5 @@
-; Works OOTB with defaults
+# Fail2Ban jail configuration for unRAID web GUI
+# Works OOTB with defaults
 
 [unraid-webgui]
 
diff --git a/root/defaults/fail2ban/jail.d/vaultwarden.conf b/root/defaults/fail2ban/jail.d/vaultwarden.conf
index 151a929..b508618 100644
--- a/root/defaults/fail2ban/jail.d/vaultwarden.conf
+++ b/root/defaults/fail2ban/jail.d/vaultwarden.conf
@@ -1,8 +1,7 @@
-; Requires modification to Vaultwardens settings.
-
-; https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
-
-; Enabling logging
+# Fail2Ban jail configuration for vaultwarden
+# Requires modification to Vaultwardens settings
+# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
+# Enabling logging
 
 [vaultwarden]
 

From ce006fa1e38839e9f32aee65ce6860e79bdf7b0e Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 00:47:40 +0000
Subject: [PATCH 03/29] Overwrite *.confs in /config

---
 root/etc/cont-init.d/50-config | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config
index 64bd6bf..d43a5e1 100644
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -2,14 +2,13 @@
 # shellcheck shell=bash
 
 mkdir -p \
-  /config/{log/fail2ban,fail2ban/filter.d}
-
-# copy/update the fail2ban config defaults to/in /config
-cp -nR /defaults/fail2ban /config
-
-cp -nR /etc/fail2ban/filter.d/common.conf /config/fail2ban/filter.d/common.conf
+    /config/log/fail2ban \
+    /config/fail2ban/{action.d,filter.d,jail.d}
 
+# copy/update the fail2ban configs from /etc and then /defaults to /config
+cp -R /etc/fail2ban /config
+cp -R /defaults/fail2ban /config
 
 # permissions
 chown -R abc:abc \
-  /config
+    /config

From 6dd101a7493d9f6673080fb197b0876c34c434f9 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 00:48:33 +0000
Subject: [PATCH 04/29] config updates includes new/unreleased configs in
 upstream master branch

---
 .editorconfig                                 | 20 +++++++
 root/defaults/fail2ban/fail2ban.conf          |  2 +
 .../defaults/fail2ban/filter.d/monitorix.conf | 25 +++++++++
 .../fail2ban/filter.d/mssql-auth.conf         | 15 ++++++
 .../fail2ban/filter.d/nginx-bad-request.conf  | 16 ++++++
 root/defaults/fail2ban/filter.d/scanlogd.conf | 17 ++++++
 root/defaults/fail2ban/jail.conf              | 54 ++++++++++++-------
 root/defaults/fail2ban/paths-lsio.conf        |  4 --
 root/etc/logrotate.d/fail2ban                 | 24 ++++-----
 9 files changed, 143 insertions(+), 34 deletions(-)
 create mode 100644 .editorconfig
 create mode 100644 root/defaults/fail2ban/filter.d/monitorix.conf
 create mode 100644 root/defaults/fail2ban/filter.d/mssql-auth.conf
 create mode 100644 root/defaults/fail2ban/filter.d/nginx-bad-request.conf
 create mode 100644 root/defaults/fail2ban/filter.d/scanlogd.conf

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..a92f7df
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,20 @@
+# This file is globally distributed to all container image projects from
+# https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+# trim_trailing_whitespace may cause unintended issues and should not be globally set true
+trim_trailing_whitespace = false
+
+[{Dockerfile*,**.yml}]
+indent_style = space
+indent_size = 2
+
+[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
+indent_style = space
+indent_size = 4
diff --git a/root/defaults/fail2ban/fail2ban.conf b/root/defaults/fail2ban/fail2ban.conf
index a7329e1..b41b00d 100644
--- a/root/defaults/fail2ban/fail2ban.conf
+++ b/root/defaults/fail2ban/fail2ban.conf
@@ -32,6 +32,7 @@ loglevel = INFO
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
 # Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
 #
+# lsio value
 logtarget = /config/log/fail2ban/fail2ban.log
 
 # Option: syslogsocket
@@ -61,6 +62,7 @@ pidfile = /var/run/fail2ban/fail2ban.pid
 #         and data is lost when fail2ban is stopped.
 #         A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+# lsio value
 dbfile = /config/fail2ban/fail2ban.sqlite3
 
 # Options: dbpurgeage
diff --git a/root/defaults/fail2ban/filter.d/monitorix.conf b/root/defaults/fail2ban/filter.d/monitorix.conf
new file mode 100644
index 0000000..ff69f1b
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/monitorix.conf
@@ -0,0 +1,25 @@
+# Fail2Ban filter for Monitorix (HTTP built-in server)
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = monitorix-httpd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = ^(?:\s+-)?\s*(?:NOTEXIST|AUTHERR|NOTALLOWED) - <ADDR>\b
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/mssql-auth.conf b/root/defaults/fail2ban/filter.d/mssql-auth.conf
new file mode 100644
index 0000000..d2e01b6
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/mssql-auth.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failed MSSQL Server authentication attempts
+
+[Definition]
+
+failregex = ^\s*Logon\s+Login failed for user '<F-USER>(?:[^']*|.*)</F-USER>'\. [^'\[]+\[CLIENT: <ADDR>\]$
+
+
+# DEV Notes:
+#	Tested with SQL Server 2019 on Ubuntu 18.04
+#
+# Example:
+#	2020-02-24 14:48:55.12 Logon       Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1]
+#
+# Author: Rüdiger Olschewsky
+#
diff --git a/root/defaults/fail2ban/filter.d/nginx-bad-request.conf b/root/defaults/fail2ban/filter.d/nginx-bad-request.conf
new file mode 100644
index 0000000..12c14ab
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/nginx-bad-request.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter to match bad requests to nginx
+#
+
+[Definition]
+
+# The request often doesn't contain a method, only some encoded garbage
+# This will also match requests that are entirely empty
+failregex = ^<HOST> - \S+ \[\] "[^"]*" 400
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+
+# Author: Jan Przybylak
diff --git a/root/defaults/fail2ban/filter.d/scanlogd.conf b/root/defaults/fail2ban/filter.d/scanlogd.conf
new file mode 100644
index 0000000..d3fe78b
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/scanlogd.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for port scans detected by scanlogd
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = scanlogd
+
+failregex =  ^%(__prefix_line)s<ADDR>(?::<F-PORT/>)? to \S+ ports\b
+
+ignoreregex =
+
+# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index 5250596..c9ca0ad 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -33,6 +33,7 @@
 [INCLUDES]
 
 #before = paths-distro.conf
+# lsio value
 before = paths-lsio.conf
 
 # The DEFAULT allows a global definition of the options. They can be overridden
@@ -67,7 +68,7 @@ before = paths-lsio.conf
 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
 
-# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
 # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
@@ -77,7 +78,7 @@ before = paths-lsio.conf
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 
 # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
-# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+# cross over all jails, if false (default), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 
 # --------------------
@@ -227,6 +228,15 @@ action_mwl = %(action_)s
 action_xarf = %(action_)s
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
 
+# ban & send a notification to one or more of the 50+ services supported by Apprise.
+# See https://github.com/caronc/apprise/wiki for details on what is supported.
+#
+# You may optionally over-ride the default configuration line (containing the Apprise URLs)
+# by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
+# /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
+# action = %(action_)s
+#          apprise
+
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
@@ -242,20 +252,6 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 
-# Report ban via badips.com, and use as blacklist
-#
-# See BadIPsAction docstring in config/action.d/badips.py for
-# documentation for this action.
-#
-# NOTE: This action relies on banaction being present on start and therefore
-# should be last action defined for a jail.
-#
-action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
-#
-# Report ban via badips.com (uses action.d/badips.conf for reporting only)
-#
-action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-
 # Report ban via abuseipdb.com.
 #
 # See action.d/abuseipdb.conf for usage example and details.
@@ -375,8 +371,11 @@ banaction = %(banaction_allports)s
 logpath = /opt/openhab/logs/request.log
 
 
+# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
+# normal (default), aggressive (combines all), auth or fallback
+# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
 [nginx-http-auth]
-
+# mode = normal
 port    = http,https
 logpath = %(nginx_error_log)s
 
@@ -392,8 +391,10 @@ logpath = %(nginx_error_log)s
 
 port     = http,https
 logpath  = %(nginx_error_log)s
-maxretry = 2
 
+[nginx-bad-request]
+port    = http,https
+logpath = %(nginx_access_log)s
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
@@ -797,6 +798,14 @@ logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 
 
+[mssql-auth]
+# Default configuration for Microsoft SQL Server for Linux
+# See the 'mssql-conf' manpage how to change logpath or port
+logpath = /var/opt/mssql/log/errorlog
+port = 1433
+filter = mssql-auth
+
+
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
@@ -813,6 +822,7 @@ logpath  = /var/log/mongodb/mongodb.log
 #    to maintain entries for failed logins for sufficient amount of time
 [recidive]
 
+# lsio value
 logpath  = /config/log/fail2ban/fail2ban.log
 banaction = %(banaction_allports)s
 bantime  = 1w
@@ -962,3 +972,11 @@ logpath = %(apache_error_log)s
 # see `filter.d/traefik-auth.conf` for details and service example.
 port    = http,https
 logpath = /var/log/traefik/access.log
+
+[scanlogd]
+logpath = %(syslog_local0)s
+banaction = %(banaction_allports)s
+
+[monitorix]
+port	= 8080
+logpath = /var/log/monitorix-httpd
diff --git a/root/defaults/fail2ban/paths-lsio.conf b/root/defaults/fail2ban/paths-lsio.conf
index 5a69b7f..99ca8f0 100644
--- a/root/defaults/fail2ban/paths-lsio.conf
+++ b/root/defaults/fail2ban/paths-lsio.conf
@@ -3,16 +3,12 @@
 [INCLUDES]
 
 before = paths-common.conf
-
 after  = paths-overrides.local
 
 
 [DEFAULT]
 
 default_backend     = %(default/backend)s
-
 remote_logs         = /remotelogs
-
 nginx_error_log     = /config/log/nginx/*error.log
-
 nginx_access_log    = /config/log/nginx/*access.log
diff --git a/root/etc/logrotate.d/fail2ban b/root/etc/logrotate.d/fail2ban
index 0404983..772afa6 100644
--- a/root/etc/logrotate.d/fail2ban
+++ b/root/etc/logrotate.d/fail2ban
@@ -1,13 +1,13 @@
 /config/log/fail2ban/fail2ban.log {
-    weekly
-    rotate 7
-    compress
-    delaycompress
-    nodateext
-    su abc abc
-    missingok
-    notifempty
-    postrotate
-      /usr/bin/fail2ban-client flushlogs >/dev/null || true
-    endscript
-}
\ No newline at end of file
+  weekly
+  rotate 7
+  compress
+  delaycompress
+  nodateext
+  su abc abc
+  missingok
+  notifempty
+  postrotate
+    /usr/bin/fail2ban-client flushlogs >/dev/null || true
+  endscript
+}

From 53df0cb286ddd7bdb37fefe908cca0440368ae99 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 00:53:14 +0000
Subject: [PATCH 05/29] Trim

---
 root/defaults/fail2ban/jail.conf | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index c9ca0ad..fe295d5 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -45,19 +45,19 @@ before = paths-lsio.conf
 # MISCELLANEOUS OPTIONS
 #
 
-# "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
 # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 #bantime.increment = true
 
-# "bantime.rndtime" is the max number of seconds using for mixing with random time 
+# "bantime.rndtime" is the max number of seconds using for mixing with random time
 # to prevent "clever" botnets calculate exact time IP can be unbanned again:
-#bantime.rndtime = 
+#bantime.rndtime =
 
 # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
-#bantime.maxtime = 
+#bantime.maxtime =
 
 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
-# default value of factor is 1 and with default value of formula, the ban time 
+# default value of factor is 1 and with default value of formula, the ban time
 # grows by 1, 2, 4, 8, 16 ...
 #bantime.factor = 1
 
@@ -70,14 +70,14 @@ before = paths-lsio.conf
 
 # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
-# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
+# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
 #bantime.multipliers = 1 2 4 8 16 32 64
 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
 # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 
-# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
+# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
 # cross over all jails, if false (default), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 
@@ -243,11 +243,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                 %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
 
 # Report block via blocklist.de fail2ban reporting service API
-# 
+#
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
 # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
 # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
-# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
 # corresponding jail.d/my-jail.local file).
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
@@ -379,7 +379,7 @@ logpath = /opt/openhab/logs/request.log
 port    = http,https
 logpath = %(nginx_error_log)s
 
-# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'

From 42186a8e3e6bfdf27cfe52ab9bc61372bb3b07aa Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 20:54:26 +0000
Subject: [PATCH 06/29] Move upstream configs to /etc can be removed once they
 are included in an upstream release

---
 .../fail2ban/action.d => etc/fail2ban/actions.d}/apprise.conf     | 0
 root/{defaults => etc}/fail2ban/filter.d/monitorix.conf           | 0
 root/{defaults => etc}/fail2ban/filter.d/mssql-auth.conf          | 0
 root/{defaults => etc}/fail2ban/filter.d/nginx-bad-request.conf   | 0
 root/{defaults => etc}/fail2ban/filter.d/scanlogd.conf            | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename root/{defaults/fail2ban/action.d => etc/fail2ban/actions.d}/apprise.conf (100%)
 rename root/{defaults => etc}/fail2ban/filter.d/monitorix.conf (100%)
 rename root/{defaults => etc}/fail2ban/filter.d/mssql-auth.conf (100%)
 rename root/{defaults => etc}/fail2ban/filter.d/nginx-bad-request.conf (100%)
 rename root/{defaults => etc}/fail2ban/filter.d/scanlogd.conf (100%)

diff --git a/root/defaults/fail2ban/action.d/apprise.conf b/root/etc/fail2ban/actions.d/apprise.conf
similarity index 100%
rename from root/defaults/fail2ban/action.d/apprise.conf
rename to root/etc/fail2ban/actions.d/apprise.conf
diff --git a/root/defaults/fail2ban/filter.d/monitorix.conf b/root/etc/fail2ban/filter.d/monitorix.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/monitorix.conf
rename to root/etc/fail2ban/filter.d/monitorix.conf
diff --git a/root/defaults/fail2ban/filter.d/mssql-auth.conf b/root/etc/fail2ban/filter.d/mssql-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/mssql-auth.conf
rename to root/etc/fail2ban/filter.d/mssql-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/nginx-bad-request.conf b/root/etc/fail2ban/filter.d/nginx-bad-request.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/nginx-bad-request.conf
rename to root/etc/fail2ban/filter.d/nginx-bad-request.conf
diff --git a/root/defaults/fail2ban/filter.d/scanlogd.conf b/root/etc/fail2ban/filter.d/scanlogd.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/scanlogd.conf
rename to root/etc/fail2ban/filter.d/scanlogd.conf

From 2b8c9474ef375b9bcd61a9c38e3d08d842540c85 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Fri, 8 Jul 2022 20:54:50 +0000
Subject: [PATCH 07/29] Add cisco-asa action files

---
 .../defaults/fail2ban/action.d/cisco-asa.conf | 42 +++++++++++++++++
 root/defaults/fail2ban/action.d/cisco-asa.py  | 47 +++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 root/defaults/fail2ban/action.d/cisco-asa.conf
 create mode 100644 root/defaults/fail2ban/action.d/cisco-asa.py

diff --git a/root/defaults/fail2ban/action.d/cisco-asa.conf b/root/defaults/fail2ban/action.d/cisco-asa.conf
new file mode 100644
index 0000000..537da57
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/cisco-asa.conf
@@ -0,0 +1,42 @@
+# Fail2Ban action configuration for cisco-asa
+# Author: HalianElf https://github.com/HalianElf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+#actionstart = touch /var/run/fail2ban/ciscoios_acl.txt
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# actionstop = rm -f /var/run/fail2ban/ciscoios_acl.txt
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = python3 /data/action.d/cisco-asa.py ban <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =  python3 /data/action.d/cisco-asa.py unban <ip>
+
+[Init]
diff --git a/root/defaults/fail2ban/action.d/cisco-asa.py b/root/defaults/fail2ban/action.d/cisco-asa.py
new file mode 100644
index 0000000..73f3527
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/cisco-asa.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python
+# emacs: -*- mode: python; indent-tabs-mode: t -*-
+#
+#
+import sys
+from netmiko import ConnectHandler
+
+platform = 'cisco_asa'
+host ='172.27.1.1'
+username = 'fail2ban'
+password = 'password'
+enable_pass = 'enablepass'
+
+acl_name = 'Fail2Ban'
+
+def main(argv):
+    device = ConnectHandler(device_type=platform, ip=host, username=username, password=password, secret=enable_pass)
+    device.enable()
+    device.config_mode()
+    command = argv[1]
+    ipaddr = argv[2]
+    if command == 'ban':
+        # Ban the IP
+        print("Banning %s" % ipaddr)
+        device.send_command('object-group network %s' % acl_name, expect_string='\(config-network-object-group\)\#')
+        device.send_command('network-object host %s' % ipaddr, expect_string='\(config-network-object-group\)\#')
+        device.send_command('clear conn address %s' % ipaddr, expect_string='\(config-network-object-group\)\#')
+        device.send_command('exit', expect_string='\(config\)\#')
+    elif command == 'unban':
+        # UnBan the IP
+        print("Un-Banning %s" % ipaddr)
+        device.send_command('object-group network %s' % acl_name, expect_string='\(config-network-object-group\)\#')
+        device.send_command('no network-object host %s' % ipaddr, expect_string='\(config-network-object-group\)\#')
+        device.send_command('exit', expect_string='\(config\)\#')
+    else:
+        # Unknown command
+        print("Unknown command")
+    
+    # All done, exit config mode
+    device.send_command('exit', expect_string='\#')
+    #device.send_command('copy running-config startup-config')           # save
+    device.disconnect()
+
+
+# Main
+if __name__ == "__main__":
+   main(sys.argv)

From 8744f96dae7e0b248c12a5d714093d42f57730eb Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 14:41:46 +0000
Subject: [PATCH 08/29] Correct folder name for apprise action

---
 root/etc/fail2ban/{actions.d => action.d}/apprise.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename root/etc/fail2ban/{actions.d => action.d}/apprise.conf (100%)

diff --git a/root/etc/fail2ban/actions.d/apprise.conf b/root/etc/fail2ban/action.d/apprise.conf
similarity index 100%
rename from root/etc/fail2ban/actions.d/apprise.conf
rename to root/etc/fail2ban/action.d/apprise.conf

From c525d84991b3c2d5ca014857a5a9ef1049fc0047 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 14:42:00 +0000
Subject: [PATCH 09/29] Disable defaults

---
 root/etc/cont-init.d/20-disable-defaults | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 root/etc/cont-init.d/20-disable-defaults

diff --git a/root/etc/cont-init.d/20-disable-defaults b/root/etc/cont-init.d/20-disable-defaults
new file mode 100644
index 0000000..6be2852
--- /dev/null
+++ b/root/etc/cont-init.d/20-disable-defaults
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# Disable anything that ships enabled by default
+# Users can opt to enable what they want
+
+# Alpine ships sshd enabled by default
+# https://git.alpinelinux.org/aports/tree/main/fail2ban/alpine-ssh.jaild
+sed -i 's/enabled  = true/enabled  = false/' /etc/fail2ban/jail.d/alpine-ssh.conf

From 161da74d2894d85fb15117bbca01402d5bce141d Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 14:42:47 +0000
Subject: [PATCH 10/29] Use alpine's logrotate config
 https://git.alpinelinux.org/aports/tree/main/fail2ban/fail2ban.logrotate

---
 root/etc/logrotate.d/fail2ban | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 root/etc/logrotate.d/fail2ban

diff --git a/root/etc/logrotate.d/fail2ban b/root/etc/logrotate.d/fail2ban
deleted file mode 100644
index 772afa6..0000000
--- a/root/etc/logrotate.d/fail2ban
+++ /dev/null
@@ -1,13 +0,0 @@
-/config/log/fail2ban/fail2ban.log {
-  weekly
-  rotate 7
-  compress
-  delaycompress
-  nodateext
-  su abc abc
-  missingok
-  notifempty
-  postrotate
-    /usr/bin/fail2ban-client flushlogs >/dev/null || true
-  endscript
-}

From 8c538d6840095f5c137968f48538049f4a2baa75 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 15:15:05 +0000
Subject: [PATCH 11/29] Add cron for logrotate

---
 Dockerfile                   | 12 +++++++++---
 root/defaults/crontabs/abc   |  1 +
 root/defaults/crontabs/root  |  1 +
 root/etc/cont-init.d/30-cron | 34 ++++++++++++++++++++++++++++++++++
 root/etc/services.d/cron/run |  4 ++++
 5 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 root/defaults/crontabs/abc
 create mode 100644 root/defaults/crontabs/root
 create mode 100644 root/etc/cont-init.d/30-cron
 create mode 100644 root/etc/services.d/cron/run

diff --git a/Dockerfile b/Dockerfile
index 586e7ff..135993b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ FROM ghcr.io/linuxserver/baseimage-alpine:3.16
 ARG BUILD_DATE
 ARG VERSION
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="nomandera"
+LABEL maintainer="nomandera,nemchik"
 
 # environment settings
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
@@ -14,8 +14,14 @@ RUN \
   apk add --no-cache --upgrade \
     curl \
     fail2ban \
-    fail2ban-doc
-
+    fail2ban-doc && \
+  echo "**** cleanup ****" && \
+  rm -rf \
+      /root/.cache \
+      /tmp/*
 
 # add local files
 COPY root/ /
+
+# ports and volumes
+VOLUME /config
diff --git a/root/defaults/crontabs/abc b/root/defaults/crontabs/abc
new file mode 100644
index 0000000..b5e283c
--- /dev/null
+++ b/root/defaults/crontabs/abc
@@ -0,0 +1 @@
+# min   hour    day     month   weekday command
diff --git a/root/defaults/crontabs/root b/root/defaults/crontabs/root
new file mode 100644
index 0000000..b5e283c
--- /dev/null
+++ b/root/defaults/crontabs/root
@@ -0,0 +1 @@
+# min   hour    day     month   weekday command
diff --git a/root/etc/cont-init.d/30-cron b/root/etc/cont-init.d/30-cron
new file mode 100644
index 0000000..cc83288
--- /dev/null
+++ b/root/etc/cont-init.d/30-cron
@@ -0,0 +1,34 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+# make folders
+mkdir -p \
+    /config/crontabs
+
+# if root crontabs do not exist in config
+# copy root crontab from system
+if [[ ! -f /config/crontabs/root ]] && \
+crontab -l -u root; then
+    crontab -l -u root > /config/crontabs/root
+fi
+
+# if root crontabs still do not exist in config (were not copied from system)
+# copy root crontab from included defaults
+[[ ! -f /config/crontabs/root ]] && \
+    cp /defaults/crontabs/root /config/crontabs/
+
+# if abc crontabs do not exist in config
+# copy abc crontab from system
+if [[ ! -f /config/crontabs/abc ]] && \
+crontab -l -u abc; then
+    crontab -l -u abc > /config/crontabs/abc
+fi
+
+# if abc crontabs still do not exist in config (were not copied from system)
+# copy abc crontab from included defaults
+[[ ! -f /config/crontabs/abc ]] && \
+    cp /defaults/crontabs/abc /config/crontabs/
+
+# import user crontabs
+crontab -u root /config/crontabs/root
+crontab -u abc /config/crontabs/abc
diff --git a/root/etc/services.d/cron/run b/root/etc/services.d/cron/run
new file mode 100644
index 0000000..5eaadfd
--- /dev/null
+++ b/root/etc/services.d/cron/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv bash
+# shellcheck shell=bash
+
+exec /usr/sbin/crond -f -S -l 5

From bacb82bf96accfa5c310c00020ebac279e29a463 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 16:10:35 +0000
Subject: [PATCH 12/29] Path adjustments

---
 root/defaults/fail2ban/paths-lsio.conf | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/root/defaults/fail2ban/paths-lsio.conf b/root/defaults/fail2ban/paths-lsio.conf
index 99ca8f0..dbca131 100644
--- a/root/defaults/fail2ban/paths-lsio.conf
+++ b/root/defaults/fail2ban/paths-lsio.conf
@@ -5,10 +5,22 @@
 before = paths-common.conf
 after  = paths-overrides.local
 
-
 [DEFAULT]
 
-default_backend     = %(default/backend)s
-remote_logs         = /remotelogs
-nginx_error_log     = /config/log/nginx/*error.log
-nginx_access_log    = /config/log/nginx/*access.log
+remote_logs              = /remotelogs
+var_log                  = /var/log
+
+# When fail2ban is installed natively on a host system these logs are normally in /var/log/
+# This config assumes any of the applications below will be run via docker containers
+# If any are run on the host, add a line to your jail.local to use the var_log variable
+# nginx_access_log         = %(var_log)s/nginx/*access.log
+
+apache_access_log        = %(remote_logs)s/apache2/*access.log
+apache_error_log         = %(remote_logs)s/apache2/*error.log
+auditd_log               = %(remote_logs)s/audit/audit.log
+exim_main_log            = %(remote_logs)s/exim/mainlog
+lighttpd_error_log       = %(remote_logs)s/lighttpd/error.log
+nginx_access_log         = %(remote_logs)s/nginx/*access.log
+nginx_error_log          = %(remote_logs)s/nginx/*error.log
+roundcube_errors_log     = %(remote_logs)s/roundcube/errors
+vsftpd_log               = %(remote_logs)s/vsftpd.log

From 67c88f62c4248b9cf471c42b23166d20c863dd7e Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 16:11:25 +0000
Subject: [PATCH 13/29] Add authelia confs

---
 root/defaults/fail2ban/filter.d/authelia.conf | 21 +++++++++++++++++++
 root/defaults/fail2ban/jail.d/authelia.conf   | 10 +++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 root/defaults/fail2ban/filter.d/authelia.conf
 create mode 100644 root/defaults/fail2ban/jail.d/authelia.conf

diff --git a/root/defaults/fail2ban/filter.d/authelia.conf b/root/defaults/fail2ban/filter.d/authelia.conf
new file mode 100644
index 0000000..706d4e6
--- /dev/null
+++ b/root/defaults/fail2ban/filter.d/authelia.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter configuration for authelia
+
+[INCLUDES]
+before = common.conf
+
+# Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend
+# only contains a single IP address (the one from the end-user), and not the proxy chain
+# (it is misleading: usually, this is the purpose of this header).
+
+[Definition]
+
+# this counts every failed login (wrong username or password) and failed TOTP entry as a failure
+failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+            ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+            (?i)^.*access to .*is not authorized.*remote_ip=<HOST>
+            ^.* is banned until .*remote_ip=<HOST> stack.*
+
+# we can ignore debug, info and warning messages as all authentication failures are flagged as level=error by Authelia
+ignoreregex = ^.*level=debug.*
+              ^.*level=info.*
+              ^.*level=warning.*
diff --git a/root/defaults/fail2ban/jail.d/authelia.conf b/root/defaults/fail2ban/jail.d/authelia.conf
new file mode 100644
index 0000000..349a371
--- /dev/null
+++ b/root/defaults/fail2ban/jail.d/authelia.conf
@@ -0,0 +1,10 @@
+# Fail2Ban jail configuration for authelia
+# Works OOTB with defaults
+
+[authelia]
+
+enabled  = false
+chain    = DOCKER-USER
+port     = http,https,9091
+filter   = authelia
+logpath  = %(remote_logs)s/authelia/authelia.log

From f5fb96205a2a2f09579b8f782c96f341f15c2690 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 23:26:21 +0000
Subject: [PATCH 14/29] Add local networks to ignoreip

---
 root/defaults/fail2ban/jail.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index fe295d5..62a7635 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -90,7 +90,11 @@ before = paths-lsio.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+# lsio value
+ignoreip = 127.0.0.1/8 ::1
+           10.0.0.0/8
+           172.16.0.0/12
+           192.168.0.0/16
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.

From 87ab57805456dae745df193e8f58514813ba8e36 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sat, 9 Jul 2022 23:50:29 +0000
Subject: [PATCH 15/29] Adjust apprise-api action

---
 root/defaults/fail2ban/action.d/apprise-api.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf
index 01720e8..e777d96 100644
--- a/root/defaults/fail2ban/action.d/apprise-api.conf
+++ b/root/defaults/fail2ban/action.d/apprise-api.conf
@@ -7,7 +7,7 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The jail <name> as been started successfully."}' \
+actionstart = curl -X POST -d '{"tag": "fail2ban", "type": "info", "body": "The jail <name> as been started successfully."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -15,7 +15,7 @@ actionstart = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The jail
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = curl -X POST -d '{"tag": "f2b", "type": "info", "body": "The jail <name> has been stopped."}' \
+actionstop = curl -X POST -d '{"tag": "fail2ban", "type": "info", "body": "The jail <name> has been stopped."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -32,7 +32,7 @@ actioncheck =
 # Values:  CMD
 #
 
-actionban = curl -X POST -d '{"tag": "f2b", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
+actionban = curl -X POST -d '{"tag": "fail2ban", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -43,10 +43,10 @@ actionban = curl -X POST -d '{"tag": "f2b", "type": "warning", "body": "The IP <
 # Values:  CMD
 #
 
-actionunban = curl -X POST -d '{"tag": "f2b", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
+actionunban = curl -X POST -d '{"tag": "fail2ban", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
           -H "Content-Type: application/json" \
           <url>
 
 [Init]
 
-url = http://apprise:8000/notify/default
+url = http://apprise:8000/notify/apprise

From f691a99b9ee50be25a8358c72a3c57557bd5897c Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 00:32:37 +0000
Subject: [PATCH 16/29] Add more apprise-api variables

---
 root/defaults/fail2ban/action.d/apprise-api.conf | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf
index e777d96..ece272a 100644
--- a/root/defaults/fail2ban/action.d/apprise-api.conf
+++ b/root/defaults/fail2ban/action.d/apprise-api.conf
@@ -7,7 +7,7 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = curl -X POST -d '{"tag": "fail2ban", "type": "info", "body": "The jail <name> as been started successfully."}' \
+actionstart = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> as been started successfully."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -15,7 +15,7 @@ actionstart = curl -X POST -d '{"tag": "fail2ban", "type": "info", "body": "The
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = curl -X POST -d '{"tag": "fail2ban", "type": "info", "body": "The jail <name> has been stopped."}' \
+actionstop = curl -X POST -d '{"tag": "<tag>", "type": "info", "body": "The jail <name> has been stopped."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -32,7 +32,7 @@ actioncheck =
 # Values:  CMD
 #
 
-actionban = curl -X POST -d '{"tag": "fail2ban", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
+actionban = curl -X POST -d '{"tag": "<tag>", "type": "warning", "body": "The IP <ip> has just been banned from <name> after <failures> attempts."}' \
           -H "Content-Type: application/json" \
           <url>
 
@@ -43,10 +43,16 @@ actionban = curl -X POST -d '{"tag": "fail2ban", "type": "warning", "body": "The
 # Values:  CMD
 #
 
-actionunban = curl -X POST -d '{"tag": "fail2ban", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
+actionunban = curl -X POST -d '{"tag": "<tag>", "type": "success", "body": "The IP <ip> has just been unbanned from <name>."}' \
           -H "Content-Type: application/json" \
           <url>
 
 [Init]
 
-url = http://apprise:8000/notify/apprise
+proto = http
+host = apprise
+port = 8000
+key = apprise
+url = <proto>://<host>:<port>/notify/<key>
+#tag = fail2ban
+tag = all

From b87f37792b2d5d3f8654b8026b1fa160c3d849db Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 01:12:22 +0000
Subject: [PATCH 17/29] Add Configuration README

---
 root/defaults/fail2ban/README.md | 54 ++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 root/defaults/fail2ban/README.md

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
new file mode 100644
index 0000000..d97be38
--- /dev/null
+++ b/root/defaults/fail2ban/README.md
@@ -0,0 +1,54 @@
+# Configuration README
+
+!! NOTICE !!
+
+The `*.conf` files in this directory and its subdirectories will be replaced every time the container restarts. The files are meant to be easily viewed so that you can reference them.
+
+If you would like to customize anything, create a `*.local` file with the same name as the `*.conf` file and apply your customizations. You do not need to copy the entire `*.conf` file to `*.local`, you only need to include things you want to change.
+
+For example, to adjust `jail.conf`, create `jail.local` and apply your customizations there.
+
+## Example jail.local
+
+This example uses `apprise-api` for notifications, `cloudflare` for additional web proxy banning, and `abuseipdb` to report bad actors. You can remove any of these, or add more as you see fit.
+
+```yaml
+[DEFAULT]
+# Change the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
+#banaction = %(banaction_allports)s
+
+# Add additional actions
+action = %(action_)s
+         apprise-api[host="127.0.0.1", tag="fail2ban"]
+         cloudflare[cfuser="YOUR-EMAIL", cftoken="YOUR-TOKEN"]
+
+abuseipdb_apikey = YOUR-API-KEY
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 4h
+
+# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
+findtime = 4h
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+[unraid-ssh]
+# configuration inherits from jail.d/unraid-ssh.conf
+enabled  = true
+action   = %(known/action)s
+           abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,22"]
+
+[unraid-webgui]
+# configuration inherits from jail.d/unraid-webgui.conf
+enabled  = true
+port     = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
+action   = %(known/action)s
+           abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"]
+
+[unifi-controller]
+# configuration inherits from jail.d/unifi-controller.conf
+enabled  = true
+action   = %(known/action)s
+           abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"]
+```

From 39fa5e91ea88a261ad608a91debdb2fdb1d88867 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 01:51:06 +0000
Subject: [PATCH 18/29] Comment adjustment

---
 root/defaults/fail2ban/action.d/apprise-api.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/root/defaults/fail2ban/action.d/apprise-api.conf b/root/defaults/fail2ban/action.d/apprise-api.conf
index ece272a..da01325 100644
--- a/root/defaults/fail2ban/action.d/apprise-api.conf
+++ b/root/defaults/fail2ban/action.d/apprise-api.conf
@@ -1,5 +1,6 @@
 # Fail2Ban action configuration for apprise-api
 # Author: Roxedus https://github.com/Roxedus
+# Modified by: nemchik https://github.com/nemchik
 
 [Definition]
 

From 923c4ffca2da8c1f982cf364e37b899774d49d3e Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 16:11:32 +0000
Subject: [PATCH 19/29] fix unraid sshd readme example

---
 root/defaults/fail2ban/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index d97be38..afc80fb 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -33,8 +33,8 @@ findtime = 4h
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 
-[unraid-ssh]
-# configuration inherits from jail.d/unraid-ssh.conf
+[unraid-sshd]
+# configuration inherits from jail.d/unraid-sshd.conf
 enabled  = true
 action   = %(known/action)s
            abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,22"]

From a12a7df6f297a08e8256aca28ac5c36b38681acc Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 16:11:57 +0000
Subject: [PATCH 20/29] Fix cisco asa path

---
 root/defaults/fail2ban/action.d/cisco-asa.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/defaults/fail2ban/action.d/cisco-asa.conf b/root/defaults/fail2ban/action.d/cisco-asa.conf
index 537da57..8b5b0c6 100644
--- a/root/defaults/fail2ban/action.d/cisco-asa.conf
+++ b/root/defaults/fail2ban/action.d/cisco-asa.conf
@@ -29,7 +29,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = python3 /data/action.d/cisco-asa.py ban <ip>
+actionban = python3 /config/fail2ban/action.d/cisco-asa.py ban <ip>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -37,6 +37,6 @@ actionban = python3 /data/action.d/cisco-asa.py ban <ip>
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban =  python3 /data/action.d/cisco-asa.py unban <ip>
+actionunban =  python3 /config/fail2ban/action.d/cisco-asa.py unban <ip>
 
 [Init]

From afc8d2ed6b88e8fac4173bc8145523058f4cf35e Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 16:12:13 +0000
Subject: [PATCH 21/29] Add unifi-controller action

---
 .../fail2ban/action.d/unifi-controller.conf   |  40 +++++++
 .../fail2ban/action.d/unifi-controller.py     | 107 ++++++++++++++++++
 2 files changed, 147 insertions(+)
 create mode 100644 root/defaults/fail2ban/action.d/unifi-controller.conf
 create mode 100644 root/defaults/fail2ban/action.d/unifi-controller.py

diff --git a/root/defaults/fail2ban/action.d/unifi-controller.conf b/root/defaults/fail2ban/action.d/unifi-controller.conf
new file mode 100644
index 0000000..56ba3f8
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/unifi-controller.conf
@@ -0,0 +1,40 @@
+# Fail2Ban action configuration for unifi-controller
+# Author: HalianElf https://github.com/HalianElf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = python3 /config/fail2ban/action.d/unifi-controller.py ban <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = python3 /config/fail2ban/action.d/unifi-controller.py unban <ip>
+
+[Init]
diff --git a/root/defaults/fail2ban/action.d/unifi-controller.py b/root/defaults/fail2ban/action.d/unifi-controller.py
new file mode 100644
index 0000000..c8b7cc8
--- /dev/null
+++ b/root/defaults/fail2ban/action.d/unifi-controller.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+import sys
+import requests
+
+# Unifi Controller
+url = "https://172.27.1.164:8443"
+username = "apiuser"
+password = "password"
+group_id = "group"
+
+class UnifiAuthenticationException(Exception):
+    pass
+
+class Unifi:
+    """Unifi API wrapper"""
+
+    def __init__(self, username, password, base_url, site='default', ignore_ssl=True, authenticate=True):
+        """
+        Initialize the Unifi API
+        :param ignore_ssl: Ignore Unifi SSL certificate validity
+        :param username: Unifi username
+        :param password: Unifi password
+        :param base_url: Unifi API base URL
+        :param site: Site (defaults to the default site)
+        :param authenticate: Authenticate after instantiating class
+        """
+        # Set class-level variables
+        self.ignore_ssl = ignore_ssl
+        self.username = username
+        self.password = password
+        self.base_url = base_url
+        self.site = site
+        self.session = requests.Session()
+
+        if ignore_ssl:
+            self.session.verify = False
+            import urllib3
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+        # Authenticate
+        if authenticate:
+            self.authenticate()
+    # Authenticate against the Unifi API
+    def authenticate(self):
+        """
+        Authenticate against the Unifi API
+        :return: authentication successful
+        """
+        self.session.headers.update({'referrer': f"{self.base_url}/login"})
+        # Send credentials to API, check if successful
+        if self.session.post(f"{self.base_url}/api/login",
+                             json={'username': self.username, 'password': self.password}).json().get('meta').get(
+            'rc') == 'ok':
+            return True
+        else:
+            raise UnifiAuthenticationException
+
+    def getFirewallGroup(self, group_id):
+        """
+        Get existing firewall group
+        :return: firewall group info
+        """
+        firewallGroup = ''
+        response = self.session.get(f"{self.base_url}/api/s/{self.site}/rest/firewallgroup/{group_id}", verify=False).json()
+        if response.get('meta').get('rc') == 'ok' and len(response.get('data')) == 1:
+            firewallGroup = response.get('data')[0]
+        return firewallGroup if firewallGroup else False
+
+    def editFirewallGroup(self, group_id, data):
+        """
+        Edit firewall group
+        :return: edit successful
+        """
+        response = self.session.put(f"{self.base_url}/api/s/{self.site}/rest/firewallgroup/{group_id}", json=data, verify=False)
+        if response.status_code == 200:
+            return True
+        return False
+
+def main(argv):
+    unifi = Unifi(username, password, url)
+    command = argv[1]
+    ipaddr = argv[2]
+    current_rule = unifi.getFirewallGroup(group_id)
+    new_rule = ""
+
+    if current_rule == False:
+        sys.exit("Error: Something went wrong getting the existing group")
+    
+    if command == 'ban':
+        print(f"Banning {ipaddr}")
+        current_rule["group_members"].append(ipaddr)
+        new_rule = unifi.editFirewallGroup(group_id,current_rule)
+    elif command == 'unban':
+        print(f"Un-Banning {ipaddr}")
+        if ipaddr not in current_rule["group_members"]:
+            sys.exit(f"Error: {ipaddr} is not banned")
+        current_rule["group_members"].remove(ipaddr)
+        new_rule = unifi.editFirewallGroup(group_id,current_rule)
+    else:
+        sys.exit("Unknown command")
+    
+    if new_rule == False:
+        sys.exit("Error: Something went wrong when updating the group")
+
+# Main
+if __name__ == "__main__":
+   main(sys.argv)

From ef44050cafea3e2d5062f461698d3349541a4b2b Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Sun, 10 Jul 2022 22:54:32 +0000
Subject: [PATCH 22/29] Add jq

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 135993b..6a622f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,8 @@ RUN \
   apk add --no-cache --upgrade \
     curl \
     fail2ban \
-    fail2ban-doc && \
+    fail2ban-doc \
+    jq && \
   echo "**** cleanup ****" && \
   rm -rf \
       /root/.cache \

From 924e6d67b5484d8a855178f6c2180a044e18e664 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Mon, 11 Jul 2022 23:26:08 +0000
Subject: [PATCH 23/29] Rename configs

---
 root/defaults/fail2ban/README.md              | 23 ++++++++-----------
 ...onic-http-auth.conf => airsonic-auth.conf} |  0
 .../{authelia.conf => authelia-auth.conf}     |  0
 .../{emby-http-auth.conf => emby-auth.conf}   |  0
 ...filebrowser.conf => filebrowser-auth.conf} |  0
 .../filter.d/{gitea.conf => gitea-auth.conf}  |  0
 ...assistant.conf => homeassistant-auth.conf} |  0
 .../{nginx-http-418.conf => nginx-418.conf}   |  2 +-
 .../{nginx-http-deny.conf => nginx-deny.conf} |  2 +-
 .../{nzbget.conf => nzbget-auth.conf}         |  0
 .../{overseerr.conf => overseerr-auth.conf}   |  0
 .../{servarr.conf => servarr-auth.conf}       |  0
 ...roller.conf => unifi-controller-auth.conf} |  0
 ...id-webgui.conf => unraid-webgui-auth.conf} |  0
 ...vaultwarden.conf => vaultwarden-auth.conf} |  0
 root/defaults/fail2ban/jail.conf              |  6 +----
 ...onic-http-auth.conf => airsonic-auth.conf} |  4 ++--
 .../{authelia.conf => authelia-auth.conf}     |  4 ++--
 .../{emby-http-auth.conf => emby-auth.conf}   |  4 ++--
 ...filebrowser.conf => filebrowser-auth.conf} |  4 ++--
 .../jail.d/{gitea.conf => gitea-auth.conf}    |  4 ++--
 ...assistant.conf => homeassistant-auth.conf} |  6 ++---
 .../{nginx-http-418.conf => nginx-418.conf}   |  6 ++---
 ...x-http-badbots.conf => nginx-badbots.conf} |  4 ++--
 .../{nginx-http-deny.conf => nginx-deny.conf} |  6 ++---
 .../jail.d/{nzbget.conf => nzbget-auth.conf}  |  4 ++--
 .../{overseerr.conf => overseerr-auth.conf}   |  4 ++--
 .../{prowlarr.conf => prowlarr-auth.conf}     |  4 ++--
 .../jail.d/{radarr.conf => radarr-auth.conf}  |  4 ++--
 .../jail.d/{sonarr.conf => sonarr-auth.conf}  |  4 ++--
 ...roller.conf => unifi-controller-auth.conf} |  4 ++--
 ...id-webgui.conf => unraid-webgui-auth.conf} |  4 ++--
 ...vaultwarden.conf => vaultwarden-auth.conf} |  4 ++--
 33 files changed, 50 insertions(+), 57 deletions(-)
 rename root/defaults/fail2ban/filter.d/{airsonic-http-auth.conf => airsonic-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{authelia.conf => authelia-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{emby-http-auth.conf => emby-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{filebrowser.conf => filebrowser-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{gitea.conf => gitea-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{homeassistant.conf => homeassistant-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{nginx-http-418.conf => nginx-418.conf} (84%)
 rename root/defaults/fail2ban/filter.d/{nginx-http-deny.conf => nginx-deny.conf} (85%)
 rename root/defaults/fail2ban/filter.d/{nzbget.conf => nzbget-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{overseerr.conf => overseerr-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{servarr.conf => servarr-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{unifi-controller.conf => unifi-controller-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{unraid-webgui.conf => unraid-webgui-auth.conf} (100%)
 rename root/defaults/fail2ban/filter.d/{vaultwarden.conf => vaultwarden-auth.conf} (100%)
 rename root/defaults/fail2ban/jail.d/{airsonic-http-auth.conf => airsonic-auth.conf} (77%)
 rename root/defaults/fail2ban/jail.d/{authelia.conf => authelia-auth.conf} (82%)
 rename root/defaults/fail2ban/jail.d/{emby-http-auth.conf => emby-auth.conf} (80%)
 rename root/defaults/fail2ban/jail.d/{filebrowser.conf => filebrowser-auth.conf} (87%)
 rename root/defaults/fail2ban/jail.d/{gitea.conf => gitea-auth.conf} (93%)
 rename root/defaults/fail2ban/jail.d/{homeassistant.conf => homeassistant-auth.conf} (76%)
 rename root/defaults/fail2ban/jail.d/{nginx-http-418.conf => nginx-418.conf} (54%)
 rename root/defaults/fail2ban/jail.d/{nginx-http-badbots.conf => nginx-badbots.conf} (64%)
 rename root/defaults/fail2ban/jail.d/{nginx-http-deny.conf => nginx-deny.conf} (50%)
 rename root/defaults/fail2ban/jail.d/{nzbget.conf => nzbget-auth.conf} (82%)
 rename root/defaults/fail2ban/jail.d/{overseerr.conf => overseerr-auth.conf} (85%)
 rename root/defaults/fail2ban/jail.d/{prowlarr.conf => prowlarr-auth.conf} (81%)
 rename root/defaults/fail2ban/jail.d/{radarr.conf => radarr-auth.conf} (81%)
 rename root/defaults/fail2ban/jail.d/{sonarr.conf => sonarr-auth.conf} (81%)
 rename root/defaults/fail2ban/jail.d/{unifi-controller.conf => unifi-controller-auth.conf} (77%)
 rename root/defaults/fail2ban/jail.d/{unraid-webgui.conf => unraid-webgui-auth.conf} (75%)
 rename root/defaults/fail2ban/jail.d/{vaultwarden.conf => vaultwarden-auth.conf} (86%)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index afc80fb..eb1670a 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -14,6 +14,12 @@ This example uses `apprise-api` for notifications, `cloudflare` for additional w
 
 ```yaml
 [DEFAULT]
+# Prevents banning LAN subnets
+ignoreip = 127.0.0.1/8 ::1
+           10.0.0.0/8
+           172.16.0.0/12
+           192.168.0.0/16
+
 # Change the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
 #banaction = %(banaction_allports)s
 
@@ -24,30 +30,21 @@ action = %(action_)s
 
 abuseipdb_apikey = YOUR-API-KEY
 
-# "bantime" is the number of seconds that a host is banned.
-bantime = 4h
-
-# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
-findtime = 4h
-
-# "maxretry" is the number of failures before a host get banned.
-maxretry = 5
-
 [unraid-sshd]
 # configuration inherits from jail.d/unraid-sshd.conf
 enabled  = true
 action   = %(known/action)s
            abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,22"]
 
-[unraid-webgui]
-# configuration inherits from jail.d/unraid-webgui.conf
+[unraid-webgui-auth]
+# configuration inherits from jail.d/unraid-webgui-auth.conf
 enabled  = true
 port     = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
 action   = %(known/action)s
            abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"]
 
-[unifi-controller]
-# configuration inherits from jail.d/unifi-controller.conf
+[unifi-controller-auth]
+# configuration inherits from jail.d/unifi-controller-auth.conf
 enabled  = true
 action   = %(known/action)s
            abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,21"]
diff --git a/root/defaults/fail2ban/filter.d/airsonic-http-auth.conf b/root/defaults/fail2ban/filter.d/airsonic-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/airsonic-http-auth.conf
rename to root/defaults/fail2ban/filter.d/airsonic-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/authelia.conf b/root/defaults/fail2ban/filter.d/authelia-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/authelia.conf
rename to root/defaults/fail2ban/filter.d/authelia-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/emby-http-auth.conf b/root/defaults/fail2ban/filter.d/emby-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/emby-http-auth.conf
rename to root/defaults/fail2ban/filter.d/emby-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/filebrowser.conf b/root/defaults/fail2ban/filter.d/filebrowser-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/filebrowser.conf
rename to root/defaults/fail2ban/filter.d/filebrowser-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/gitea.conf b/root/defaults/fail2ban/filter.d/gitea-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/gitea.conf
rename to root/defaults/fail2ban/filter.d/gitea-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/homeassistant.conf b/root/defaults/fail2ban/filter.d/homeassistant-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/homeassistant.conf
rename to root/defaults/fail2ban/filter.d/homeassistant-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-418.conf b/root/defaults/fail2ban/filter.d/nginx-418.conf
similarity index 84%
rename from root/defaults/fail2ban/filter.d/nginx-http-418.conf
rename to root/defaults/fail2ban/filter.d/nginx-418.conf
index d21c7ab..18a3fab 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-418.conf
@@ -1,4 +1,4 @@
-# Fail2Ban filter configuration for nginx http 418
+# Fail2Ban filter configuration for nginx 418
 # Track RFC2324
 # 418 I'm a teapot
 # Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
diff --git a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf b/root/defaults/fail2ban/filter.d/nginx-deny.conf
similarity index 85%
rename from root/defaults/fail2ban/filter.d/nginx-http-deny.conf
rename to root/defaults/fail2ban/filter.d/nginx-deny.conf
index 9ed29c8..14ec02e 100644
--- a/root/defaults/fail2ban/filter.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/filter.d/nginx-deny.conf
@@ -1,4 +1,4 @@
-# Fail2Ban filter configuration for nginx http deny
+# Fail2Ban filter configuration for nginx deny
 
 [INCLUDES]
 before = common.conf
diff --git a/root/defaults/fail2ban/filter.d/nzbget.conf b/root/defaults/fail2ban/filter.d/nzbget-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/nzbget.conf
rename to root/defaults/fail2ban/filter.d/nzbget-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/overseerr.conf b/root/defaults/fail2ban/filter.d/overseerr-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/overseerr.conf
rename to root/defaults/fail2ban/filter.d/overseerr-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/servarr.conf b/root/defaults/fail2ban/filter.d/servarr-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/servarr.conf
rename to root/defaults/fail2ban/filter.d/servarr-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/unifi-controller.conf b/root/defaults/fail2ban/filter.d/unifi-controller-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/unifi-controller.conf
rename to root/defaults/fail2ban/filter.d/unifi-controller-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/unraid-webgui.conf b/root/defaults/fail2ban/filter.d/unraid-webgui-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/unraid-webgui.conf
rename to root/defaults/fail2ban/filter.d/unraid-webgui-auth.conf
diff --git a/root/defaults/fail2ban/filter.d/vaultwarden.conf b/root/defaults/fail2ban/filter.d/vaultwarden-auth.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/vaultwarden.conf
rename to root/defaults/fail2ban/filter.d/vaultwarden-auth.conf
diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index 62a7635..fe295d5 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -90,11 +90,7 @@ before = paths-lsio.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-# lsio value
-ignoreip = 127.0.0.1/8 ::1
-           10.0.0.0/8
-           172.16.0.0/12
-           192.168.0.0/16
+#ignoreip = 127.0.0.1/8 ::1
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
diff --git a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf b/root/defaults/fail2ban/jail.d/airsonic-auth.conf
similarity index 77%
rename from root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
rename to root/defaults/fail2ban/jail.d/airsonic-auth.conf
index cb33eb6..7cdd06c 100644
--- a/root/defaults/fail2ban/jail.d/airsonic-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/airsonic-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for airsonic
 # Works OOTB with defaults
 
-[airsonic-http-auth]
+[airsonic-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 4040
-filter   = airsonic-http-auth
+filter   = airsonic-auth
 logpath  = %(remote_logs)s/airsonic/airsonic.log
diff --git a/root/defaults/fail2ban/jail.d/authelia.conf b/root/defaults/fail2ban/jail.d/authelia-auth.conf
similarity index 82%
rename from root/defaults/fail2ban/jail.d/authelia.conf
rename to root/defaults/fail2ban/jail.d/authelia-auth.conf
index 349a371..069d663 100644
--- a/root/defaults/fail2ban/jail.d/authelia.conf
+++ b/root/defaults/fail2ban/jail.d/authelia-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for authelia
 # Works OOTB with defaults
 
-[authelia]
+[authelia-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https,9091
-filter   = authelia
+filter   = authelia-auth
 logpath  = %(remote_logs)s/authelia/authelia.log
diff --git a/root/defaults/fail2ban/jail.d/emby-http-auth.conf b/root/defaults/fail2ban/jail.d/emby-auth.conf
similarity index 80%
rename from root/defaults/fail2ban/jail.d/emby-http-auth.conf
rename to root/defaults/fail2ban/jail.d/emby-auth.conf
index 7dff5bf..d42a92f 100644
--- a/root/defaults/fail2ban/jail.d/emby-http-auth.conf
+++ b/root/defaults/fail2ban/jail.d/emby-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for emby
 # Works OOTB with defaults
 
-[emby-http-auth]
+[emby-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 8096,8920
-filter   = emby-http-auth
+filter   = emby-auth
 logpath  = %(remote_logs)s/emby/embyserver.txt
diff --git a/root/defaults/fail2ban/jail.d/filebrowser.conf b/root/defaults/fail2ban/jail.d/filebrowser-auth.conf
similarity index 87%
rename from root/defaults/fail2ban/jail.d/filebrowser.conf
rename to root/defaults/fail2ban/jail.d/filebrowser-auth.conf
index 93fe347..c3ab376 100644
--- a/root/defaults/fail2ban/jail.d/filebrowser.conf
+++ b/root/defaults/fail2ban/jail.d/filebrowser-auth.conf
@@ -5,10 +5,10 @@
 
 # -e 'FB_LOG'='/log/filebrowser.log'
 
-[filebrowser]
+[filebrowser-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = filebrowser
+filter   = filebrowser-auth
 logpath  = %(remote_logs)s/filebrowser/filebrowser.log
diff --git a/root/defaults/fail2ban/jail.d/gitea.conf b/root/defaults/fail2ban/jail.d/gitea-auth.conf
similarity index 93%
rename from root/defaults/fail2ban/jail.d/gitea.conf
rename to root/defaults/fail2ban/jail.d/gitea-auth.conf
index e52fbfa..1e8f73d 100644
--- a/root/defaults/fail2ban/jail.d/gitea.conf
+++ b/root/defaults/fail2ban/jail.d/gitea-auth.conf
@@ -18,11 +18,11 @@
 # LEVEL     = Info
 # MODE      = file
 
-[gitea]
+[gitea-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https,822
-filter   = gitea
+filter   = gitea-auth
 logpath  = %(remote_logs)s/gitea/gitea.log
 maxretry = 3
diff --git a/root/defaults/fail2ban/jail.d/homeassistant.conf b/root/defaults/fail2ban/jail.d/homeassistant-auth.conf
similarity index 76%
rename from root/defaults/fail2ban/jail.d/homeassistant.conf
rename to root/defaults/fail2ban/jail.d/homeassistant-auth.conf
index f6b9681..6771d55 100644
--- a/root/defaults/fail2ban/jail.d/homeassistant.conf
+++ b/root/defaults/fail2ban/jail.d/homeassistant-auth.conf
@@ -1,4 +1,4 @@
-# Fail2Ban jail configuration for emby
+# Fail2Ban jail configuration for homeassistant
 # Requires modification to Homeassitants settings
 # https://www.home-assistant.io/integrations/fail2ban/
 
@@ -8,11 +8,11 @@
 #   logs:
 #     homeassistant.components.http.ban: warning
 
-[homeassistant]
+[homeassistant-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 8123
-filter   = homeassistant
+filter   = homeassistant-auth
 logpath  = %(remote_logs)s/homeassistant/home-assistant.log
 maxretry = 2
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-418.conf b/root/defaults/fail2ban/jail.d/nginx-418.conf
similarity index 54%
rename from root/defaults/fail2ban/jail.d/nginx-http-418.conf
rename to root/defaults/fail2ban/jail.d/nginx-418.conf
index c132af5..a16c351 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-418.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-418.conf
@@ -1,10 +1,10 @@
-# Fail2Ban jail configuration for nginx http 418
+# Fail2Ban jail configuration for nginx 418
 
-[nginx-http-418]
+[nginx-418]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nginx-http-418
+filter   = nginx-418
 logpath  = %(nginx_access_log)s
 maxretry = 10
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf b/root/defaults/fail2ban/jail.d/nginx-badbots.conf
similarity index 64%
rename from root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
rename to root/defaults/fail2ban/jail.d/nginx-badbots.conf
index e69557b..0903478 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-badbots.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-badbots.conf
@@ -1,6 +1,6 @@
-# Fail2Ban jail configuration for nginx http badbots
+# Fail2Ban jail configuration for nginx badbots
 
-[nginx-http-badbots]
+[nginx-badbots]
 
 enabled  = false
 chain    = DOCKER-USER
diff --git a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf b/root/defaults/fail2ban/jail.d/nginx-deny.conf
similarity index 50%
rename from root/defaults/fail2ban/jail.d/nginx-http-deny.conf
rename to root/defaults/fail2ban/jail.d/nginx-deny.conf
index 20463de..4aa00cb 100644
--- a/root/defaults/fail2ban/jail.d/nginx-http-deny.conf
+++ b/root/defaults/fail2ban/jail.d/nginx-deny.conf
@@ -1,9 +1,9 @@
-# Fail2Ban jail configuration for nginx http deny
+# Fail2Ban jail configuration for nginx deny
 
-[nginx-http-deny]
+[nginx-deny]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nginx-http-deny
+filter   = nginx-deny
 logpath  = %(nginx_error_log)s
diff --git a/root/defaults/fail2ban/jail.d/nzbget.conf b/root/defaults/fail2ban/jail.d/nzbget-auth.conf
similarity index 82%
rename from root/defaults/fail2ban/jail.d/nzbget.conf
rename to root/defaults/fail2ban/jail.d/nzbget-auth.conf
index ec84b6c..5524655 100644
--- a/root/defaults/fail2ban/jail.d/nzbget.conf
+++ b/root/defaults/fail2ban/jail.d/nzbget-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for nzbget
 # Works OOTB with defaults
 
-[nzbget]
+[nzbget-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 6789
-filter   = nzbget
+filter   = nzbget-auth
 logpath  = %(remote_logs)s/nzbget/nzbget*.log
diff --git a/root/defaults/fail2ban/jail.d/overseerr.conf b/root/defaults/fail2ban/jail.d/overseerr-auth.conf
similarity index 85%
rename from root/defaults/fail2ban/jail.d/overseerr.conf
rename to root/defaults/fail2ban/jail.d/overseerr-auth.conf
index 094654d..f28fba3 100644
--- a/root/defaults/fail2ban/jail.d/overseerr.conf
+++ b/root/defaults/fail2ban/jail.d/overseerr-auth.conf
@@ -2,10 +2,10 @@
 # Requires modification to Overseerrs settings
 # https://docs.overseerr.dev/extending-overseerr/fail2ban
 
-[overseerr]
+[overseerr-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 5055
-filter   = overseerr
+filter   = overseerr-auth
 logpath  = %(remote_logs)s/overseerr/overseerr.log
diff --git a/root/defaults/fail2ban/jail.d/prowlarr.conf b/root/defaults/fail2ban/jail.d/prowlarr-auth.conf
similarity index 81%
rename from root/defaults/fail2ban/jail.d/prowlarr.conf
rename to root/defaults/fail2ban/jail.d/prowlarr-auth.conf
index fc8edc6..a6df40d 100644
--- a/root/defaults/fail2ban/jail.d/prowlarr.conf
+++ b/root/defaults/fail2ban/jail.d/prowlarr-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for prowlarr
 # Works OOTB with defaults
 
-[prowlarr]
+[prowlarr-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 9696
-filter   = servarr
+filter   = servarr-auth
 logpath  = %(remote_logs)s/prowlarr/prowlarr.txt
diff --git a/root/defaults/fail2ban/jail.d/radarr.conf b/root/defaults/fail2ban/jail.d/radarr-auth.conf
similarity index 81%
rename from root/defaults/fail2ban/jail.d/radarr.conf
rename to root/defaults/fail2ban/jail.d/radarr-auth.conf
index 16684ac..cbe9c33 100644
--- a/root/defaults/fail2ban/jail.d/radarr.conf
+++ b/root/defaults/fail2ban/jail.d/radarr-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for radarr
 # Works OOTB with defaults
 
-[radarr]
+[radarr-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 7878
-filter   = servarr
+filter   = servarr-auth
 logpath  = %(remote_logs)s/radarr/radarr.txt
diff --git a/root/defaults/fail2ban/jail.d/sonarr.conf b/root/defaults/fail2ban/jail.d/sonarr-auth.conf
similarity index 81%
rename from root/defaults/fail2ban/jail.d/sonarr.conf
rename to root/defaults/fail2ban/jail.d/sonarr-auth.conf
index cc71ca0..ad1d902 100644
--- a/root/defaults/fail2ban/jail.d/sonarr.conf
+++ b/root/defaults/fail2ban/jail.d/sonarr-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for sonarr
 # Works OOTB with defaults
 
-[sonarr]
+[sonarr-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 8989
-filter   = servarr
+filter   = servarr-auth
 logpath  = %(remote_logs)s/sonarr/sonarr.txt
diff --git a/root/defaults/fail2ban/jail.d/unifi-controller.conf b/root/defaults/fail2ban/jail.d/unifi-controller-auth.conf
similarity index 77%
rename from root/defaults/fail2ban/jail.d/unifi-controller.conf
rename to root/defaults/fail2ban/jail.d/unifi-controller-auth.conf
index 6edbad4..97c2ca4 100644
--- a/root/defaults/fail2ban/jail.d/unifi-controller.conf
+++ b/root/defaults/fail2ban/jail.d/unifi-controller-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for unifi controller
 # Works OOTB with defaults
 
-[unifi-controller]
+[unifi-controller-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = 8080,8443
-filter   = unifi-controller
+filter   = unifi-controller-auth
 logpath  = %(remote_logs)s/unificontroller/server.log
diff --git a/root/defaults/fail2ban/jail.d/unraid-webgui.conf b/root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf
similarity index 75%
rename from root/defaults/fail2ban/jail.d/unraid-webgui.conf
rename to root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf
index 8732f34..c706b42 100644
--- a/root/defaults/fail2ban/jail.d/unraid-webgui.conf
+++ b/root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for unRAID web GUI
 # Works OOTB with defaults
 
-[unraid-webgui]
+[unraid-webgui-auth]
 
 enabled  = false
 chain    = INPUT
 port     = http,https
-filter   = unraid-webgui
+filter   = unraid-webgui-auth
 logpath  = /var/log/syslog
diff --git a/root/defaults/fail2ban/jail.d/vaultwarden.conf b/root/defaults/fail2ban/jail.d/vaultwarden-auth.conf
similarity index 86%
rename from root/defaults/fail2ban/jail.d/vaultwarden.conf
rename to root/defaults/fail2ban/jail.d/vaultwarden-auth.conf
index b508618..d9f09c9 100644
--- a/root/defaults/fail2ban/jail.d/vaultwarden.conf
+++ b/root/defaults/fail2ban/jail.d/vaultwarden-auth.conf
@@ -3,11 +3,11 @@
 # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
 # Enabling logging
 
-[vaultwarden]
+[vaultwarden-auth]
 
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = vaultwarden
+filter   = vaultwarden-auth
 logpath  = %(remote_logs)s/vaultwarden/vaultwarden.log
 maxretry = 3

From 3f1a89e011d1b2d347a5e8d9963cde301ad25006 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Mon, 11 Jul 2022 23:28:34 +0000
Subject: [PATCH 24/29] fix markdown code fence

---
 root/defaults/fail2ban/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index eb1670a..353b227 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -12,7 +12,7 @@ For example, to adjust `jail.conf`, create `jail.local` and apply your customiza
 
 This example uses `apprise-api` for notifications, `cloudflare` for additional web proxy banning, and `abuseipdb` to report bad actors. You can remove any of these, or add more as you see fit.
 
-```yaml
+```ini
 [DEFAULT]
 # Prevents banning LAN subnets
 ignoreip = 127.0.0.1/8 ::1

From b2621fcbf8bf482e58f209ec5623c453f4649826 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Mon, 11 Jul 2022 20:52:24 -0500
Subject: [PATCH 25/29] Edit discord message

---
 root/defaults/fail2ban/action.d/discord-webhook.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/defaults/fail2ban/action.d/discord-webhook.conf b/root/defaults/fail2ban/action.d/discord-webhook.conf
index 5074ac5..6f0bed0 100644
--- a/root/defaults/fail2ban/action.d/discord-webhook.conf
+++ b/root/defaults/fail2ban/action.d/discord-webhook.conf
@@ -20,7 +20,7 @@ actioncheck =
 # Notify on Banned 
 actionban = curl -X POST "<webhook>" \
             -H "Content-Type: application/json" \
-            -d '{"username":"<botname>", "content":":bell: Hey <discord_userid>! **[<name>]** :hammer:**BANNED**:hammer: IP: `<ip>` for <bantime> seconds after **<failures>** failure(s). Here is some info about the IP: <url_check_ip><ip>"}' 
+            -d '{"username":"<botname>", "content":":bell: Hey <discord_userid>! **[<name>]** :hammer:**BANNED**:hammer: IP: [<ip>](<url_check_ip><ip>) for **<bantime>** seconds after **<failures>** failure(s)."}' 
             curl -X POST "<webhook>" \
             -H "Content-Type: application/json" \
             -d '{"username":"<botname>", "content":"If you want to unban the IP run: `fail2ban-client unban <ip>`"}'

From f8b31aab6ad25d3025061d1604d8668abcc526de Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Tue, 12 Jul 2022 13:04:16 +0000
Subject: [PATCH 26/29] Conf naming

---
 root/defaults/fail2ban/README.md                              | 4 ++--
 .../filter.d/{unraid-webgui-auth.conf => unraid-webgui.conf}  | 0
 .../jail.d/{unraid-webgui-auth.conf => unraid-webgui.conf}    | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename root/defaults/fail2ban/filter.d/{unraid-webgui-auth.conf => unraid-webgui.conf} (100%)
 rename root/defaults/fail2ban/jail.d/{unraid-webgui-auth.conf => unraid-webgui.conf} (75%)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index 353b227..fa70b2f 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -36,8 +36,8 @@ enabled  = true
 action   = %(known/action)s
            abuseipdb[abuseipdb_apikey="%(known/abuseipdb_apikey)s", abuseipdb_category="18,22"]
 
-[unraid-webgui-auth]
-# configuration inherits from jail.d/unraid-webgui-auth.conf
+[unraid-webgui]
+# configuration inherits from jail.d/unraid-webgui.conf
 enabled  = true
 port     = http,https,YOUR-UNRAID-MY-SERVERS-WAN-PORT
 action   = %(known/action)s
diff --git a/root/defaults/fail2ban/filter.d/unraid-webgui-auth.conf b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
similarity index 100%
rename from root/defaults/fail2ban/filter.d/unraid-webgui-auth.conf
rename to root/defaults/fail2ban/filter.d/unraid-webgui.conf
diff --git a/root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
similarity index 75%
rename from root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf
rename to root/defaults/fail2ban/jail.d/unraid-webgui.conf
index c706b42..8732f34 100644
--- a/root/defaults/fail2ban/jail.d/unraid-webgui-auth.conf
+++ b/root/defaults/fail2ban/jail.d/unraid-webgui.conf
@@ -1,10 +1,10 @@
 # Fail2Ban jail configuration for unRAID web GUI
 # Works OOTB with defaults
 
-[unraid-webgui-auth]
+[unraid-webgui]
 
 enabled  = false
 chain    = INPUT
 port     = http,https
-filter   = unraid-webgui-auth
+filter   = unraid-webgui
 logpath  = /var/log/syslog

From fd66f022eea163addbe021d1980aeb2921ae4ced Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Tue, 12 Jul 2022 13:05:02 +0000
Subject: [PATCH 27/29] Move LAN subnet ignore back to conf

---
 root/defaults/fail2ban/README.md | 6 ------
 root/defaults/fail2ban/jail.conf | 7 ++++++-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index fa70b2f..d04f3f1 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -14,12 +14,6 @@ This example uses `apprise-api` for notifications, `cloudflare` for additional w
 
 ```ini
 [DEFAULT]
-# Prevents banning LAN subnets
-ignoreip = 127.0.0.1/8 ::1
-           10.0.0.0/8
-           172.16.0.0/12
-           192.168.0.0/16
-
 # Change the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
 #banaction = %(banaction_allports)s
 
diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index fe295d5..bd72306 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -90,7 +90,12 @@ before = paths-lsio.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+# lsio value
+# Prevents banning LAN subnets
+ignoreip = 127.0.0.1/8 ::1
+           10.0.0.0/8
+           172.16.0.0/12
+           192.168.0.0/16
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.

From 146e2ae4d4c7e89017f93d72012f5a6498984c7a Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Tue, 12 Jul 2022 15:05:55 +0000
Subject: [PATCH 28/29] Revert "Move LAN subnet ignore back to conf"

This reverts commit fd66f022eea163addbe021d1980aeb2921ae4ced.
---
 root/defaults/fail2ban/README.md | 6 ++++++
 root/defaults/fail2ban/jail.conf | 7 +------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/root/defaults/fail2ban/README.md b/root/defaults/fail2ban/README.md
index d04f3f1..fa70b2f 100644
--- a/root/defaults/fail2ban/README.md
+++ b/root/defaults/fail2ban/README.md
@@ -14,6 +14,12 @@ This example uses `apprise-api` for notifications, `cloudflare` for additional w
 
 ```ini
 [DEFAULT]
+# Prevents banning LAN subnets
+ignoreip = 127.0.0.1/8 ::1
+           10.0.0.0/8
+           172.16.0.0/12
+           192.168.0.0/16
+
 # Change the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
 #banaction = %(banaction_allports)s
 
diff --git a/root/defaults/fail2ban/jail.conf b/root/defaults/fail2ban/jail.conf
index bd72306..fe295d5 100644
--- a/root/defaults/fail2ban/jail.conf
+++ b/root/defaults/fail2ban/jail.conf
@@ -90,12 +90,7 @@ before = paths-lsio.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-# lsio value
-# Prevents banning LAN subnets
-ignoreip = 127.0.0.1/8 ::1
-           10.0.0.0/8
-           172.16.0.0/12
-           192.168.0.0/16
+#ignoreip = 127.0.0.1/8 ::1
 
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.

From fd6c46a360e51fb5f79becb904643c132d616764 Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Wed, 13 Jul 2022 00:29:36 +0000
Subject: [PATCH 29/29] Preliminary jenkins build files

---
 .github/CONTRIBUTING.md                       | 123 +++
 .github/FUNDING.yml                           |   2 +
 .github/ISSUE_TEMPLATE/config.yml             |   2 +-
 .github/ISSUE_TEMPLATE/issue.bug.md           |   4 +-
 .github/ISSUE_TEMPLATE/issue.feature.md       |   2 +-
 .github/PULL_REQUEST_TEMPLATE.md              |   7 +-
 .github/workflows/call-baseimage-update.yml   |   2 +-
 .github/workflows/call-build-image.yml        |   2 +-
 .github/workflows/call-check-and-release.yml  |   2 +-
 .github/workflows/external_trigger.yml        |  93 ++
 .../workflows/external_trigger_scheduler.yml  |  43 +
 .github/workflows/greetings.yml               |   4 +-
 .github/workflows/package_trigger.yml         |  38 +
 .../workflows/package_trigger_scheduler.yml   |  50 +
 .gitignore                                    |   3 +
 Jenkinsfile                                   | 999 ++++++++++++++++++
 README.md                                     | 284 ++++-
 jenkins-vars.yml                              |  29 +
 readme-vars.yml                               |  66 ++
 19 files changed, 1743 insertions(+), 12 deletions(-)
 create mode 100644 .github/CONTRIBUTING.md
 create mode 100644 .github/FUNDING.yml
 create mode 100644 .github/workflows/external_trigger.yml
 create mode 100644 .github/workflows/external_trigger_scheduler.yml
 create mode 100644 .github/workflows/package_trigger.yml
 create mode 100644 .github/workflows/package_trigger_scheduler.yml
 create mode 100644 Jenkinsfile
 create mode 100644 jenkins-vars.yml
 create mode 100644 readme-vars.yml

diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
new file mode 100644
index 0000000..ced3683
--- /dev/null
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,123 @@
+# Contributing to fail2ban
+
+## Gotchas
+
+* While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open.
+* Read, and fill the Pull Request template
+  * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
+  * If the PR is addressing an existing issue include, closes #\<issue number>, in the body of the PR commit message
+* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn)
+
+## Common files
+
+| File | Use case |
+| :----: | --- |
+| `Dockerfile` | Dockerfile used to build amd64 images |
+| `Dockerfile.aarch64` | Dockerfile used to build 64bit ARM architectures |
+| `Dockerfile.armhf` | Dockerfile used to build 32bit ARM architectures |
+| `Jenkinsfile` | This file is a product of our builder and should not be edited directly. This is used to build the image |
+| `jenkins-vars.yml` | This file is used to generate the `Jenkinsfile` mentioned above, it only affects the build-process |
+| `package_versions.txt` | This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions |
+| `README.md` | This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries |
+| `readme-vars.yml` | This file is used to generate the `README.md` |
+
+## Readme
+
+If you would like to change our readme, please __**do not**__ directly edit the readme, as it is auto-generated on each commit.
+Instead edit the [readme-vars.yml](https://github.com/linuxserver/docker-fail2ban/edit/master/readme-vars.yml).
+
+These variables are used in a template for our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) as part of an ansible play.
+Most of these variables are also carried over to [docs.linuxserver.io](https://docs.linuxserver.io/images/docker-fail2ban)
+
+### Fixing typos or clarify the text in the readme
+
+There are variables for multiple parts of the readme, the most common ones are:
+
+| Variable | Description |
+| :----: | --- |
+| `project_blurb` | This is the short excerpt shown above the project logo. |
+| `app_setup_block` | This is the text that shows up under "Application Setup" if enabled |
+
+### Parameters
+
+The compose and run examples are also generated from these variables.
+
+We have a [reference file](https://github.com/linuxserver/docker-jenkins-builder/blob/master/vars/_container-vars-blank) in our Jenkins Builder.
+
+These are prefixed with `param_` for required parameters, or `opt_param` for optional parameters, except for `cap_add`.
+Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file.
+
+Devices, environment variables, ports and volumes expects its variables in a certain way.
+
+### Devices
+
+```yml
+param_devices:
+  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
+opt_param_devices:
+  - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
+```
+
+### Environment variables
+
+```yml
+param_env_vars:
+  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
+opt_param_env_vars:
+  - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." }
+```
+
+### Ports
+
+```yml
+param_ports:
+  - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
+opt_param_ports:
+  - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
+```
+
+### Volumes
+
+```yml
+param_volumes:
+  - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }
+opt_param_volumes:
+  - { vol_path: "/config", vol_host_path: "</path/to/appdata/config>", desc: "Configuration files." }
+```
+
+### Testing template changes
+
+After you make any changes to the templates, you can use our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) to have the files updated from the modified templates. Please use the command found under `Running Locally` [on this page](https://github.com/linuxserver/docker-jenkins-builder/blob/master/README.md) to generate them prior to submitting a PR.
+
+## Dockerfiles
+
+We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work.
+If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order.
+
+### Testing your changes
+
+```bash
+git clone https://github.com/linuxserver/docker-fail2ban.git
+cd docker-fail2ban
+docker build \
+  --no-cache \
+  --pull \
+  -t linuxserver/fail2ban:latest .
+```
+
+The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
+
+```bash
+docker run --rm --privileged multiarch/qemu-user-static:register --reset
+```
+
+Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
+
+## Update the changelog
+
+If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-fail2ban/tree/master/root), add an entry to the changelog
+
+```yml
+changelogs:
+  - { date: "DD.MM.YY:", desc: "Added some love to templates" }
+```
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..7eaac77
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+github: linuxserver
+open_collective: linuxserver
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index fa12fe6..77dc35e 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -9,5 +9,5 @@ contact_links:
     about: Post on our community forum.
 
   - name: Documentation
-    url: https://docs.linuxserver.io/images/fail2ban
+    url: https://docs.linuxserver.io/images/docker-fail2ban
     about: Documentation - information about all of our containers.
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.md b/.github/ISSUE_TEMPLATE/issue.bug.md
index cab32e5..ae12ac1 100644
--- a/.github/ISSUE_TEMPLATE/issue.bug.md
+++ b/.github/ISSUE_TEMPLATE/issue.bug.md
@@ -4,7 +4,7 @@ about: Create a report to help us improve
 
 ---
 [linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io)
+[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
 
 <!--- If you are new to Docker or this application our issue tracker is **ONLY** used for reporting bugs or requesting features. Please use [our discord server](https://discord.gg/YWrKVTn) for general support. --->
 
@@ -37,4 +37,4 @@ about: Create a report to help us improve
 <!--- Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container -->
 
 ## Docker logs
-<!--- Provide a full docker log, output of "docker logs your_spotify" -->
+<!--- Provide a full docker log, output of "docker logs fail2ban" -->
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.md b/.github/ISSUE_TEMPLATE/issue.feature.md
index a45ce2f..20a91fd 100644
--- a/.github/ISSUE_TEMPLATE/issue.feature.md
+++ b/.github/ISSUE_TEMPLATE/issue.feature.md
@@ -4,7 +4,7 @@ about: Suggest an idea for this project
 
 ---
 [linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io)
+[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
 
 <!--- If you are new to Docker or this application our issue tracker is **ONLY** used for reporting bugs or requesting features. Please use [our discord server](https://discord.gg/YWrKVTn) for general support. --->
 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 4855152..6870f1f 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,8 @@
 <!--- Provide a general summary of your changes in the Title above -->
 
 [linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/lsio-labs-wide.png)](https://linuxserver.io)
+[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
+
 
 <!--- Before submitting a pull request please check the following -->
 
@@ -11,6 +12,7 @@
 <!---  You have included links to any files / patches etc your PR may be using in the body of the PR commit message -->
 <!--- We maintain a changelog of major revisions to the container at the end of readme-vars.yml in the root of this repository, please add your changes there if appropriate -->
 
+
 <!--- Coding guidelines: -->
 <!--- 1. Installed packages in the Dockerfiles should be in alphabetical order -->
 <!--- 2. Changes to Dockerfile should be replicated in Dockerfile.armhf and Dockerfile.aarch64 if applicable -->
@@ -19,7 +21,7 @@
 
 ------------------------------
 
- - [ ] I have read the [contributing](https://github.com/linuxserver-labs/docker-fail2ban/blob/main/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications
+ - [ ] I have read the [contributing](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications
 
 ------------------------------
 
@@ -36,5 +38,6 @@
 <!--- Include details of your testing environment, and the tests you ran to -->
 <!--- see how your change affects other areas of the code, etc. -->
 
+
 ## Source / References:
 <!--- Please include any forum posts/github links relevant to the PR -->
diff --git a/.github/workflows/call-baseimage-update.yml b/.github/workflows/call-baseimage-update.yml
index 989a208..5092e32 100644
--- a/.github/workflows/call-baseimage-update.yml
+++ b/.github/workflows/call-baseimage-update.yml
@@ -10,7 +10,7 @@ jobs:
     with:
       repo_owner: ${{ github.repository_owner }}
       baseimage: "alpine"
-      basebranch: "3.14"
+      basebranch: "3.16"
       app_name: "fail2ban"
     secrets:
       repo_release_token: ${{ secrets.repo_release_token }}
diff --git a/.github/workflows/call-build-image.yml b/.github/workflows/call-build-image.yml
index 5d14eda..1d0db2f 100644
--- a/.github/workflows/call-build-image.yml
+++ b/.github/workflows/call-build-image.yml
@@ -13,7 +13,7 @@ jobs:
       app_name: fail2ban
       release_type: alpine
       release_name: fail2Ban
-      release_url: "v3.14/main"
+      release_url: "v3.16/main"
       target-arch: "all"
     secrets:
       scarf_token: ${{ secrets.SCARF_TOKEN }}
diff --git a/.github/workflows/call-check-and-release.yml b/.github/workflows/call-check-and-release.yml
index 44be589..e94c210 100644
--- a/.github/workflows/call-check-and-release.yml
+++ b/.github/workflows/call-check-and-release.yml
@@ -12,7 +12,7 @@ jobs:
       repo_owner: ${{ github.repository_owner }}
       app_name: "fail2ban"
       release_type: "alpine"
-      release_url: "v3.14/main"
+      release_url: "v3.16/main"
       release_name: "fail2ban"
       branch: "master"
     secrets:
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
new file mode 100644
index 0000000..6a16b12
--- /dev/null
+++ b/.github/workflows/external_trigger.yml
@@ -0,0 +1,93 @@
+name: External Trigger Main
+
+on:
+  workflow_dispatch:
+
+jobs:
+  external-trigger-master:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+
+      - name: External Trigger
+        if: github.ref == 'refs/heads/master'
+        run: |
+          if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER }}" ]; then
+            echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER is set; skipping trigger. ****"
+            exit 0
+          fi
+          echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_FAIL2BAN_MASTER\". ****"
+          echo "**** Retrieving external version ****"
+          EXT_RELEASE=$(curl -sL "http://nl.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+            && awk '/^P:'"fail2ban"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://')
+          if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
+            echo "**** Can't retrieve external version, exiting ****"
+            FAILURE_REASON="Can't retrieve external version for fail2ban branch master"
+            GHA_TRIGGER_URL="https://github.com/linuxserver/docker-fail2ban/actions/runs/${{ github.run_id }}"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n**Trigger URL:** '"${GHA_TRIGGER_URL}"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            exit 1
+          fi
+          EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
+          echo "**** External version: ${EXT_RELEASE} ****"
+          echo "**** Retrieving last pushed version ****"
+          image="linuxserver/fail2ban"
+          tag="latest"
+          token=$(curl -sX GET \
+            "https://ghcr.io/token?scope=repository%3Alinuxserver%2Ffail2ban%3Apull" \
+            | jq -r '.token')
+            multidigest=$(curl -s \
+              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+              --header "Authorization: Bearer ${token}" \
+              "https://ghcr.io/v2/${image}/manifests/${tag}" \
+              | jq -r 'first(.manifests[].digest)')
+            digest=$(curl -s \
+              --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
+              --header "Authorization: Bearer ${token}" \
+              "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
+              | jq -r '.config.digest')
+          image_info=$(curl -sL \
+            --header "Authorization: Bearer ${token}" \
+            "https://ghcr.io/v2/${image}/blobs/${digest}" \
+            | jq -r '.container_config')
+          IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
+          IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
+          if [ -z "${IMAGE_VERSION}" ]; then
+            echo "**** Can't retrieve last pushed version, exiting ****"
+            FAILURE_REASON="Can't retrieve last pushed version for fail2ban tag latest"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
+              "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+            exit 1
+          fi
+          echo "**** Last pushed version: ${IMAGE_VERSION} ****"
+          if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
+            echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
+            exit 0
+          elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+            echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
+            exit 0
+          else
+            echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****"
+            response=$(curl -iX POST \
+              https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/buildWithParameters?PACKAGE_CHECK=false \
+              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+            echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+            echo "**** Sleeping 10 seconds until job starts ****"
+            sleep 10
+            buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+            buildurl="${buildurl%$'\r'}"
+            echo "**** Jenkins job build url: ${buildurl} ****"
+            echo "**** Attempting to change the Jenkins job description ****"
+            curl -iX POST \
+              "${buildurl}submitDescription" \
+              --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+              --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+              --data-urlencode "Submit=Submit"
+            echo "**** Notifying Discord ****"
+            TRIGGER_REASON="A version change was detected for fail2ban tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
+            curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+              "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
+              "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
+          fi
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
new file mode 100644
index 0000000..d111ab2
--- /dev/null
+++ b/.github/workflows/external_trigger_scheduler.yml
@@ -0,0 +1,43 @@
+name: External Trigger Scheduler
+
+on:
+  schedule:
+    - cron:  '02 * * * *'
+  workflow_dispatch:
+
+jobs:
+  external-trigger-scheduler:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+        with:
+          fetch-depth: '0'
+
+      - name: External Trigger Scheduler
+        run: |
+          echo "**** Branches found: ****"
+          git for-each-ref --format='%(refname:short)' refs/remotes
+          echo "**** Pulling the yq docker image ****"
+          docker pull ghcr.io/linuxserver/yq
+          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          do
+            br=$(echo "$br" | sed 's|origin/||g')
+            echo "**** Evaluating branch ${br} ****"
+            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/jenkins-vars.yml \
+              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+            if [ "$br" == "$ls_branch" ]; then
+              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
+                echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
+                curl -iX POST \
+                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
+                  -H "Accept: application/vnd.github.v3+json" \
+                  -d "{\"ref\":\"refs/heads/${br}\"}" \
+                  https://api.github.com/repos/linuxserver/docker-fail2ban/actions/workflows/external_trigger.yml/dispatches
+              else
+                echo "**** Workflow doesn't exist; skipping trigger. ****"
+              fi
+            else
+              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+            fi
+          done
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index 31152c8..70ba8da 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -8,6 +8,6 @@ jobs:
     steps:
     - uses: actions/first-interaction@v1
       with:
-        issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!'
-        pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver-labs/docker-your_spotify/blob/main/.github/PULL_REQUEST_TEMPLATE.md)!'
+        issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!'
+        pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-fail2ban/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
         repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml
new file mode 100644
index 0000000..31123a9
--- /dev/null
+++ b/.github/workflows/package_trigger.yml
@@ -0,0 +1,38 @@
+name: Package Trigger Main
+
+on:
+  workflow_dispatch:
+
+jobs:
+  package-trigger-master:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+
+      - name: Package Trigger
+        if: github.ref == 'refs/heads/master'
+        run: |
+          if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER }}" ]; then
+            echo "**** Github secret PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER is set; skipping trigger. ****"
+            exit 0
+          fi
+          if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
+            echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
+            exit 0
+          fi
+          echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_FAIL2BAN_MASTER\". ****"
+          response=$(curl -iX POST \
+            https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/buildWithParameters?PACKAGE_CHECK=true \
+            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
+          echo "**** Jenkins job queue url: ${response%$'\r'} ****"
+          echo "**** Sleeping 10 seconds until job starts ****"
+          sleep 10
+          buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
+          buildurl="${buildurl%$'\r'}"
+          echo "**** Jenkins job build url: ${buildurl} ****"
+          echo "**** Attempting to change the Jenkins job description ****"
+          curl -iX POST \
+            "${buildurl}submitDescription" \
+            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
+            --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --data-urlencode "Submit=Submit"
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
new file mode 100644
index 0000000..af73d9d
--- /dev/null
+++ b/.github/workflows/package_trigger_scheduler.yml
@@ -0,0 +1,50 @@
+name: Package Trigger Scheduler
+
+on:
+  schedule:
+    - cron:  '32 11 * * 2'
+  workflow_dispatch:
+
+jobs:
+  package-trigger-scheduler:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2.3.3
+        with:
+          fetch-depth: '0'
+
+      - name: Package Trigger Scheduler
+        run: |
+          echo "**** Branches found: ****"
+          git for-each-ref --format='%(refname:short)' refs/remotes
+          echo "**** Pulling the yq docker image ****"
+          docker pull ghcr.io/linuxserver/yq
+          for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
+          do
+            br=$(echo "$br" | sed 's|origin/||g')
+            echo "**** Evaluating branch ${br} ****"
+            ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/jenkins-vars.yml \
+              | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
+            if [ "${br}" == "${ls_branch}" ]; then
+              echo "**** Branch ${br} appears to be live; checking workflow. ****"
+              if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-fail2ban/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
+                echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
+                triggered_branches="${triggered_branches}${br} "
+                curl -iX POST \
+                  -H "Authorization: token ${{ secrets.CR_PAT }}" \
+                  -H "Accept: application/vnd.github.v3+json" \
+                  -d "{\"ref\":\"refs/heads/${br}\"}" \
+                  https://api.github.com/repos/linuxserver/docker-fail2ban/actions/workflows/package_trigger.yml/dispatches
+                sleep 30
+              else
+                echo "**** Workflow doesn't exist; skipping trigger. ****"
+              fi
+            else
+              echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
+            fi
+          done
+          echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
+          echo "**** Notifying Discord ****"
+          curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
+            "description": "**Package Check Build(s) Triggered for fail2ban** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-fail2ban/activity/"' \n"}],
+            "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
diff --git a/.gitignore b/.gitignore
index 96374c4..be9245a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,6 @@ $RECYCLE.BIN/
 Network Trash Folder
 Temporary Items
 .apdisk
+
+.history/
+.jenkins-external
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 0000000..e871fe2
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,999 @@
+pipeline {
+  agent {
+    label 'X86-64-MULTI'
+  }
+  options {
+    buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '60'))
+    parallelsAlwaysFailFast()
+  }
+  // Input to determine if this is a package check
+  parameters {
+     string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK')
+  }
+  // Configuration for the variables used for this specific repo
+  environment {
+    BUILDS_DISCORD=credentials('build_webhook_url')
+    GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab')
+    GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0')
+    GITLAB_NAMESPACE=credentials('gitlab-namespace-id')
+    SCARF_TOKEN=credentials('scarf_api_key')
+    BUILD_VERSION_ARG = 'FAIL2BAN_VERSION'
+    LS_USER = 'linuxserver'
+    LS_REPO = 'docker-fail2ban'
+    CONTAINER_NAME = 'fail2ban'
+    DOCKERHUB_IMAGE = 'linuxserver/fail2ban'
+    DEV_DOCKERHUB_IMAGE = 'lsiodev/fail2ban'
+    PR_DOCKERHUB_IMAGE = 'lspipepr/fail2ban'
+    DIST_IMAGE = 'alpine'
+    DIST_TAG = '3.16'
+    DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.16/main/'
+    DIST_REPO_PACKAGES = 'fail2ban'
+    MULTIARCH='true'
+    CI='true'
+    CI_WEB='false'
+    CI_PORT=''
+    CI_SSL='false'
+    CI_DELAY='120'
+    CI_DOCKERENV='TZ=US/Pacific'
+    CI_AUTH='user:password'
+    CI_WEBPATH=''
+  }
+  stages {
+    // Setup all the basic environment variables needed for the build
+    stage("Set ENV Variables base"){
+      steps{
+        script{
+          env.EXIT_STATUS = ''
+          env.LS_RELEASE = sh(
+            script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
+            returnStdout: true).trim()
+          env.LS_RELEASE_NOTES = sh(
+            script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''',
+            returnStdout: true).trim()
+          env.GITHUB_DATE = sh(
+            script: '''date '+%Y-%m-%dT%H:%M:%S%:z' ''',
+            returnStdout: true).trim()
+          env.COMMIT_SHA = sh(
+            script: '''git rev-parse HEAD''',
+            returnStdout: true).trim()
+          env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
+          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
+          env.PULL_REQUEST = env.CHANGE_ID
+          env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml'
+        }
+        script{
+          env.LS_RELEASE_NUMBER = sh(
+            script: '''echo ${LS_RELEASE} |sed 's/^.*-ls//g' ''',
+            returnStdout: true).trim()
+        }
+        script{
+          env.LS_TAG_NUMBER = sh(
+            script: '''#! /bin/bash
+                       tagsha=$(git rev-list -n 1 ${LS_RELEASE} 2>/dev/null)
+                       if [ "${tagsha}" == "${COMMIT_SHA}" ]; then
+                         echo ${LS_RELEASE_NUMBER}
+                       elif [ -z "${GIT_COMMIT}" ]; then
+                         echo ${LS_RELEASE_NUMBER}
+                       else
+                         echo $((${LS_RELEASE_NUMBER} + 1))
+                       fi''',
+            returnStdout: true).trim()
+        }
+      }
+    }
+    /* #######################
+       Package Version Tagging
+       ####################### */
+    // Grab the current package versions in Git to determine package tag
+    stage("Set Package tag"){
+      steps{
+        script{
+          env.PACKAGE_TAG = sh(
+            script: '''#!/bin/bash
+                       if [ -e package_versions.txt ] ; then
+                         cat package_versions.txt | md5sum | cut -c1-8
+                       else
+                         echo none
+                       fi''',
+            returnStdout: true).trim()
+        }
+      }
+    }
+    /* ########################
+       External Release Tagging
+       ######################## */
+    // If this is an alpine repo change for external version determine an md5 from the version string
+    stage("Set tag Alpine Repo"){
+      steps{
+        script{
+          env.EXT_RELEASE = sh(
+            script: '''curl -sL "${DIST_REPO}x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \
+                       && awk '/^P:'"${DIST_REPO_PACKAGES}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://' ''',
+            returnStdout: true).trim()
+            env.RELEASE_LINK = 'alpine_repo'
+        }
+      }
+    }
+    // Sanitize the release tag and strip illegal docker or github characters
+    stage("Sanitize tag"){
+      steps{
+        script{
+          env.EXT_RELEASE_CLEAN = sh(
+            script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''',
+            returnStdout: true).trim()
+
+          def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/
+          if (semver.find()) {
+            env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
+          } else {
+            semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/
+            if (semver.find()) {
+              if (semver[0][3]) {
+                env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}"
+              } else if (!semver[0][3] && !semver[0][4]) {
+                env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${(new Date()).format('YYYYMMdd')}"
+              }
+            }
+          }
+
+          if (env.SEMVER != null) {
+            if (BRANCH_NAME != "master" && BRANCH_NAME != "main") {
+              env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"
+            }
+            println("SEMVER: ${env.SEMVER}")
+          } else {
+            println("No SEMVER detected")
+          }
+
+        }
+      }
+    }
+    // If this is a master build use live docker endpoints
+    stage("Set ENV live build"){
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+      }
+      steps {
+        script{
+          env.IMAGE = env.DOCKERHUB_IMAGE
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME
+          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/' + env.CONTAINER_NAME
+          if (env.MULTIARCH == 'true') {
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+          } else {
+            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+          }
+          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+          env.META_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
+        }
+      }
+    }
+    // If this is a dev build use dev docker endpoints
+    stage("Set ENV dev build"){
+      when {
+        not {branch "master"}
+        environment name: 'CHANGE_ID', value: ''
+      }
+      steps {
+        script{
+          env.IMAGE = env.DEV_DOCKERHUB_IMAGE
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME
+          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/lsiodev-' + env.CONTAINER_NAME
+          if (env.MULTIARCH == 'true') {
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
+          } else {
+            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
+          }
+          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
+          env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
+          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
+          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DEV_DOCKERHUB_IMAGE + '/tags/'
+        }
+      }
+    }
+    // If this is a pull request build use dev docker endpoints
+    stage("Set ENV PR build"){
+      when {
+        not {environment name: 'CHANGE_ID', value: ''}
+      }
+      steps {
+        script{
+          env.IMAGE = env.PR_DOCKERHUB_IMAGE
+          env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME
+          env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
+          env.QUAYIMAGE = 'quay.io/linuxserver.io/lspipepr-' + env.CONTAINER_NAME
+          if (env.MULTIARCH == 'true') {
+            env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+          } else {
+            env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+          }
+          env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+          env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
+          env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
+          env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST
+          env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/'
+        }
+      }
+    }
+    // Run ShellCheck
+    stage('ShellCheck') {
+      when {
+        environment name: 'CI', value: 'true'
+      }
+      steps {
+        withCredentials([
+          string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
+          string(credentialsId: 'ci-tests-s3-secret-access-key', variable: 'S3_SECRET')
+        ]) {
+          script{
+            env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml'
+          }
+          sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash'''
+          sh '''#! /bin/bash
+                set -e
+                docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest
+                docker run --rm \
+                -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \
+                -e FILE_NAME="shellcheck-result.xml" \
+                -e MIMETYPE="text/xml" \
+                -v ${WORKSPACE}:/mnt \
+                -e SECRET_KEY=\"${S3_SECRET}\" \
+                -e ACCESS_KEY=\"${S3_KEY}\" \
+                -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \
+                python /upload.py'''
+        }
+      }
+    }
+    // Use helper containers to render templated files
+    stage('Update-Templates') {
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        expression {
+          env.CONTAINER_NAME != null
+        }
+      }
+      steps {
+        sh '''#! /bin/bash
+              set -e
+              TEMPDIR=$(mktemp -d)
+              docker pull ghcr.io/linuxserver/jenkins-builder:latest
+              docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest 
+              # Stage 1 - Jenkinsfile update
+              if [[ "$(md5sum Jenkinsfile | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile | awk '{ print $1 }')" ]]; then
+                mkdir -p ${TEMPDIR}/repo
+                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
+                cd ${TEMPDIR}/repo/${LS_REPO}
+                git checkout -f master
+                cp ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile ${TEMPDIR}/repo/${LS_REPO}/
+                git add Jenkinsfile
+                git commit -m 'Bot Updating Templated Files'
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "Updating Jenkinsfile"
+                rm -Rf ${TEMPDIR}
+                exit 0
+              else
+                echo "Jenkinsfile is up to date."
+              fi
+              # Stage 2 - Delete old templates
+              OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md"
+              for i in ${OLD_TEMPLATES}; do
+                if [[ -f "${i}" ]]; then
+                  TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}"
+                fi
+              done
+              if [[ -n "${TEMPLATES_TO_DELETE}" ]]; then
+                mkdir -p ${TEMPDIR}/repo
+                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
+                cd ${TEMPDIR}/repo/${LS_REPO}
+                git checkout -f master
+                for i in ${TEMPLATES_TO_DELETE}; do
+                  git rm "${i}"
+                done
+                git commit -m 'Bot Updating Templated Files'
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "Deleting old templates"
+                rm -Rf ${TEMPDIR}
+                exit 0
+              else
+                echo "No templates to delete"
+              fi
+              # Stage 3 - Update templates
+              CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
+              cd ${TEMPDIR}/docker-${CONTAINER_NAME}
+              NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
+              if [[ "${CURRENTHASH}" != "${NEWHASH}" ]] || ! grep -q '.jenkins-external' "${WORKSPACE}/.gitignore" 2>/dev/null; then
+                mkdir -p ${TEMPDIR}/repo
+                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
+                cd ${TEMPDIR}/repo/${LS_REPO}
+                git checkout -f master
+                cd ${TEMPDIR}/docker-${CONTAINER_NAME}
+                mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/workflows
+                mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/ISSUE_TEMPLATE
+                cp --parents ${TEMPLATED_FILES} ${TEMPDIR}/repo/${LS_REPO}/ || :
+                cd ${TEMPDIR}/repo/${LS_REPO}/
+                if ! grep -q '.jenkins-external' .gitignore 2>/dev/null; then
+                  echo ".jenkins-external" >> .gitignore
+                  git add .gitignore
+                fi
+                git add ${TEMPLATED_FILES}
+                git commit -m 'Bot Updating Templated Files'
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+              else
+                echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
+              fi
+              mkdir -p ${TEMPDIR}/gitbook
+              git clone https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/gitbook/docker-documentation
+              if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then
+                cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/gitbook/docker-documentation/images/
+                cd ${TEMPDIR}/gitbook/docker-documentation/
+                git add images/docker-${CONTAINER_NAME}.md
+                git commit -m 'Bot Updating Documentation'
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git --all
+              fi
+              mkdir -p ${TEMPDIR}/unraid
+              git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates
+              git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates
+              if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then
+                sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
+              fi
+              if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then
+                cd ${TEMPDIR}/unraid/templates/
+                if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then
+                  echo "Image is on the ignore list, marking Unraid template as deprecated"
+                  cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/
+                  git add -u unraid/${CONTAINER_NAME}.xml
+                  git mv unraid/${CONTAINER_NAME}.xml unraid/deprecated/${CONTAINER_NAME}.xml || :
+                  git commit -m 'Bot Moving Deprecated Unraid Template' || :
+                else
+                  cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/
+                  git add unraid/${CONTAINER_NAME}.xml
+                  git commit -m 'Bot Updating Unraid Template'
+                fi
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all
+              fi
+              rm -Rf ${TEMPDIR}'''
+        script{
+          env.FILES_UPDATED = sh(
+            script: '''cat /tmp/${COMMIT_SHA}-${BUILD_NUMBER}''',
+            returnStdout: true).trim()
+        }
+      }
+    }
+    // Exit the build if the Templated files were just updated
+    stage('Template-exit') {
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'FILES_UPDATED', value: 'true'
+        expression {
+          env.CONTAINER_NAME != null
+        }
+      }
+      steps {
+        script{
+          env.EXIT_STATUS = 'ABORTED'
+        }
+      }
+    }
+    /* #######################
+           GitLab Mirroring
+       ####################### */
+    // Ping into Gitlab to mirror this repo and have a registry endpoint
+    stage("GitLab Mirror"){
+      when {
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps{
+        sh '''curl -H "Content-Type: application/json" -H "Private-Token: ${GITLAB_TOKEN}" -X POST https://gitlab.com/api/v4/projects \
+        -d '{"namespace_id":'${GITLAB_NAMESPACE}',\
+             "name":"'${LS_REPO}'",
+             "mirror":true,\
+             "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\
+             "issues_access_level":"disabled",\
+             "merge_requests_access_level":"disabled",\
+             "repository_access_level":"enabled",\
+             "visibility":"public"}' '''
+      } 
+    }
+    /* #######################
+           Scarf.sh package registry
+       ####################### */
+    // Add package to Scarf.sh and set permissions
+    stage("Scarf.sh package registry"){
+      when {
+        branch "master"
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps{
+        sh '''#! /bin/bash
+              set -e
+              PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/fail2ban") | .uuid')
+              if [ -z "${PACKAGE_UUID}" ]; then
+                echo "Adding package to Scarf.sh"
+                curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \
+                  -H "Authorization: Bearer ${SCARF_TOKEN}" \
+                  -H "Content-Type: application/json" \
+                  -d '{"name":"linuxserver/fail2ban",\
+                       "shortDescription":"example description",\
+                       "libraryType":"docker",\
+                       "website":"https://github.com/linuxserver/docker-fail2ban",\
+                       "backendUrl":"https://ghcr.io/linuxserver/fail2ban",\
+                       "publicUrl":"https://lscr.io/linuxserver/fail2ban"}' || :
+              else
+                echo "Package already exists on Scarf.sh"
+              fi
+           '''
+      } 
+    }
+    /* ###############
+       Build Container
+       ############### */
+    // Build Docker container for push to LS Repo
+    stage('Build-Single') {
+      when {
+        expression {
+          env.MULTIARCH == 'false' || params.PACKAGE_CHECK == 'true'
+        }
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        echo "Running on node: ${NODE_NAME}"
+        sh "docker build \
+          --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+          --label \"org.opencontainers.image.authors=linuxserver.io\" \
+          --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \
+          --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \
+          --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \
+          --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+          --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+          --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+          --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+          --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+          --label \"org.opencontainers.image.title=Fail2ban\" \
+          --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.  \" \
+          --no-cache --pull -t ${IMAGE}:${META_TAG} \
+          --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+      }
+    }
+    // Build MultiArch Docker containers for push to LS Repo
+    stage('Build-Multi') {
+      when {
+        allOf {
+          environment name: 'MULTIARCH', value: 'true'
+          expression { params.PACKAGE_CHECK == 'false' }
+        }
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      parallel {
+        stage('Build X86') {
+          steps {
+            echo "Running on node: ${NODE_NAME}"
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Fail2ban\" \
+              --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.  \" \
+              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
+              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+          }
+        }
+        stage('Build ARMHF') {
+          agent {
+            label 'ARMHF'
+          }
+          steps {
+            echo "Running on node: ${NODE_NAME}"
+            echo 'Logging into Github'
+            sh '''#! /bin/bash
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+               '''
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Fail2ban\" \
+              --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.  \" \
+              --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
+              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+            sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
+            retry(5) {
+              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
+            }
+            sh '''docker rmi \
+                  ${IMAGE}:arm32v7-${META_TAG} \
+                  ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+          }
+        }
+        stage('Build ARM64') {
+          agent {
+            label 'ARM64'
+          }
+          steps {
+            echo "Running on node: ${NODE_NAME}"
+            echo 'Logging into Github'
+            sh '''#! /bin/bash
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+               '''
+            sh "docker build \
+              --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
+              --label \"org.opencontainers.image.authors=linuxserver.io\" \
+              --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-fail2ban/packages\" \
+              --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-fail2ban\" \
+              --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-fail2ban\" \
+              --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
+              --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.vendor=linuxserver.io\" \
+              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
+              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
+              --label \"org.opencontainers.image.title=Fail2ban\" \
+              --label \"org.opencontainers.image.description=[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.  \" \
+              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
+              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
+            sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+            retry(5) {
+              sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
+            }
+            sh '''docker rmi \
+                  ${IMAGE}:arm64v8-${META_TAG} \
+                  ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
+          }
+        }
+      }
+    }
+    // Take the image we just built and dump package versions for comparison
+    stage('Update-packages') {
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        sh '''#! /bin/bash
+              set -e
+              TEMPDIR=$(mktemp -d)
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+                LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG}
+              else
+                LOCAL_CONTAINER=${IMAGE}:${META_TAG}
+              fi
+              if [ "${DIST_IMAGE}" == "alpine" ]; then
+                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
+                  apk info -v > /tmp/package_versions.txt && \
+                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
+                  chmod 777 /tmp/package_versions.txt'
+              elif [ "${DIST_IMAGE}" == "ubuntu" ]; then
+                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
+                  apt list -qq --installed | sed "s#/.*now ##g" | cut -d" " -f1 > /tmp/package_versions.txt && \
+                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
+                  chmod 777 /tmp/package_versions.txt'
+              elif [ "${DIST_IMAGE}" == "fedora" ]; then
+                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
+                  rpm -qa > /tmp/package_versions.txt && \
+                  sort -o /tmp/package_versions.txt  /tmp/package_versions.txt && \
+                  chmod 777 /tmp/package_versions.txt'
+              elif [ "${DIST_IMAGE}" == "arch" ]; then
+                docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
+                  pacman -Q > /tmp/package_versions.txt && \
+                  chmod 777 /tmp/package_versions.txt'
+              fi
+              NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
+              echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
+              if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then
+                git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/${LS_REPO}
+                git --git-dir ${TEMPDIR}/${LS_REPO}/.git checkout -f master
+                cp ${TEMPDIR}/package_versions.txt ${TEMPDIR}/${LS_REPO}/
+                cd ${TEMPDIR}/${LS_REPO}/
+                wait
+                git add package_versions.txt
+                git commit -m 'Bot Updating Package Versions'
+                git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
+                echo "true" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "Package tag updated, stopping build process"
+              else
+                echo "false" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
+                echo "Package tag is same as previous continue with build process"
+              fi
+              rm -Rf ${TEMPDIR}'''
+        script{
+          env.PACKAGE_UPDATED = sh(
+            script: '''cat /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}''',
+            returnStdout: true).trim()
+        }
+      }
+    }
+    // Exit the build if the package file was just updated
+    stage('PACKAGE-exit') {
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'PACKAGE_UPDATED', value: 'true'
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        sh '''#! /bin/bash
+              echo "Packages were updated. Cleaning up the image and exiting."
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+                docker rmi ${IMAGE}:amd64-${META_TAG}
+              else
+                docker rmi ${IMAGE}:${META_TAG}
+              fi'''
+        script{
+          env.EXIT_STATUS = 'ABORTED'
+        }
+      }
+    }
+    // Exit the build if this is just a package check and there are no changes to push
+    stage('PACKAGECHECK-exit') {
+      when {
+        branch "master"
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'PACKAGE_UPDATED', value: 'false'
+        environment name: 'EXIT_STATUS', value: ''
+        expression {
+          params.PACKAGE_CHECK == 'true'
+        }
+      }
+      steps {
+        sh '''#! /bin/bash
+              echo "There are no package updates. Cleaning up the image and exiting."
+              if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
+                docker rmi ${IMAGE}:amd64-${META_TAG}
+              else
+                docker rmi ${IMAGE}:${META_TAG}
+              fi'''
+        script{
+          env.EXIT_STATUS = 'ABORTED'
+        }
+      }
+    }
+    /* #######
+       Testing
+       ####### */
+    // Run Container tests
+    stage('Test') {
+      when {
+        environment name: 'CI', value: 'true'
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        withCredentials([
+          string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
+          string(credentialsId: 'ci-tests-s3-secret-access-key	', variable: 'S3_SECRET')
+        ]) {
+          script{
+            env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
+          }
+          sh '''#! /bin/bash
+                set -e
+                docker pull ghcr.io/linuxserver/ci:latest
+                if [ "${MULTIARCH}" == "true" ]; then
+                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+                  docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                  docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+                fi
+                docker run --rm \
+                --shm-size=1gb \
+                -v /var/run/docker.sock:/var/run/docker.sock \
+                -e IMAGE=\"${IMAGE}\" \
+                -e DELAY_START=\"${CI_DELAY}\" \
+                -e TAGS=\"${CI_TAGS}\" \
+                -e META_TAG=\"${META_TAG}\" \
+                -e PORT=\"${CI_PORT}\" \
+                -e SSL=\"${CI_SSL}\" \
+                -e BASE=\"${DIST_IMAGE}\" \
+                -e SECRET_KEY=\"${S3_SECRET}\" \
+                -e ACCESS_KEY=\"${S3_KEY}\" \
+                -e DOCKER_ENV=\"${CI_DOCKERENV}\" \
+                -e WEB_SCREENSHOT=\"${CI_WEB}\" \
+                -e WEB_AUTH=\"${CI_AUTH}\" \
+                -e WEB_PATH=\"${CI_WEBPATH}\" \
+                -e DO_REGION="ams3" \
+                -e DO_BUCKET="lsio-ci" \
+                -t ghcr.io/linuxserver/ci:latest \
+                python /ci/ci.py'''
+        }
+      }
+    }
+    /* ##################
+         Release Logic
+       ################## */
+    // If this is an amd64 only image only push a single image
+    stage('Docker-Push-Single') {
+      when {
+        environment name: 'MULTIARCH', value: 'false'
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        withCredentials([
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+            usernameVariable: 'DOCKERUSER',
+            passwordVariable: 'DOCKERPASS'
+          ],
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: 'Quay.io-Robot',
+            usernameVariable: 'QUAYUSER',
+            passwordVariable: 'QUAYPASS'
+          ]
+        ]) {
+          retry(5) {
+            sh '''#! /bin/bash
+                  set -e
+                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+                  for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+                    docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
+                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
+                    docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER}
+                    fi
+                    docker push ${PUSHIMAGE}:latest
+                    docker push ${PUSHIMAGE}:${META_TAG}
+                    docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                     docker push ${PUSHIMAGE}:${SEMVER}
+                    fi
+                  done
+               '''
+          }
+          sh '''#! /bin/bash
+                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+                  docker rmi \
+                  ${DELETEIMAGE}:${META_TAG} \
+                  ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
+                  ${DELETEIMAGE}:latest || :
+                  if [ -n "${SEMVER}" ]; then
+                    docker rmi ${DELETEIMAGE}:${SEMVER} || :
+                  fi
+                done
+             '''
+        }
+      }
+    }
+    // If this is a multi arch release push all images and define the manifest
+    stage('Docker-Push-Multi') {
+      when {
+        environment name: 'MULTIARCH', value: 'true'
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        withCredentials([
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+            usernameVariable: 'DOCKERUSER',
+            passwordVariable: 'DOCKERPASS'
+          ],
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: 'Quay.io-Robot',
+            usernameVariable: 'QUAYUSER',
+            passwordVariable: 'QUAYPASS'
+          ]
+        ]) {
+          retry(5) {
+            sh '''#! /bin/bash
+                  set -e
+                  echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
+                  echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
+                  echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
+                  echo $QUAYPASS | docker login quay.io -u $QUAYUSER --password-stdin
+                  if [ "${CI}" == "false" ]; then
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
+                    docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
+                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
+                    docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
+                  fi
+                  for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}" "${QUAYIMAGE}"; do
+                    docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
+                    docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+                    docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
+                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
+                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
+                    docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                    docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER}
+                      docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+                      docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                    fi
+                    docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker push ${MANIFESTIMAGE}:amd64-latest
+                    docker push ${MANIFESTIMAGE}:arm32v7-latest
+                    docker push ${MANIFESTIMAGE}:arm64v8-latest
+                    docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
+                    docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
+                    docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                    if [ -n "${SEMVER}" ]; then
+                      docker push ${MANIFESTIMAGE}:amd64-${SEMVER}
+                      docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER}
+                      docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                    fi
+                    docker manifest push --purge ${MANIFESTIMAGE}:latest || :
+                    docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
+                    docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
+                    docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm64v8-latest --os linux --arch arm64 --variant v8
+                    docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} || :
+                    docker manifest create ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
+                    docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} --os linux --arch arm
+                    docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} --os linux --arch arm64 --variant v8
+                    docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} || :
+                    docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
+                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
+                    docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
+                    if [ -n "${SEMVER}" ]; then
+                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || :
+                      docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER}
+                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm
+                      docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8
+                    fi
+                    docker manifest push --purge ${MANIFESTIMAGE}:latest
+                    docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} 
+                    docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} 
+                    if [ -n "${SEMVER}" ]; then
+                      docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} 
+                    fi
+                  done
+               '''
+          }
+          sh '''#! /bin/bash
+                for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${QUAYIMAGE}" "${IMAGE}"; do
+                  docker rmi \
+                  ${DELETEIMAGE}:amd64-${META_TAG} \
+                  ${DELETEIMAGE}:amd64-latest \
+                  ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \
+                  ${DELETEIMAGE}:arm32v7-${META_TAG} \
+                  ${DELETEIMAGE}:arm32v7-latest \
+                  ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \
+                  ${DELETEIMAGE}:arm64v8-${META_TAG} \
+                  ${DELETEIMAGE}:arm64v8-latest \
+                  ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
+                  if [ -n "${SEMVER}" ]; then
+                    docker rmi \
+                    ${DELETEIMAGE}:amd64-${SEMVER} \
+                    ${DELETEIMAGE}:arm32v7-${SEMVER} \
+                    ${DELETEIMAGE}:arm64v8-${SEMVER} || :
+                  fi
+                done
+                docker rmi \
+                ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
+                ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
+             '''
+        }
+      }
+    }
+    // If this is a public release tag it in the LS Github
+    stage('Github-Tag-Push-Release') {
+      when {
+        branch "master"
+        expression {
+          env.LS_RELEASE != env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
+        }
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        echo "Pushing New tag for current commit ${META_TAG}"
+        sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \
+        -d '{"tag":"'${META_TAG}'",\
+             "object": "'${COMMIT_SHA}'",\
+             "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
+             "type": "commit",\
+             "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
+        echo "Pushing New release for Tag"
+        sh '''#! /bin/bash
+              echo "Updating external repo packages to ${EXT_RELEASE_CLEAN}" > releasebody.json
+              echo '{"tag_name":"'${META_TAG}'",\
+                     "target_commitish": "master",\
+                     "name": "'${META_TAG}'",\
+                     "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Repo Changes:**\\n\\n' > start
+              printf '","draft": false,"prerelease": false}' >> releasebody.json
+              paste -d'\\0' start releasebody.json > releasebody.json.done
+              curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''
+      }
+    }
+    // Use helper container to sync the current README on master to the dockerhub endpoint
+    stage('Sync-README') {
+      when {
+        environment name: 'CHANGE_ID', value: ''
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        withCredentials([
+          [
+            $class: 'UsernamePasswordMultiBinding',
+            credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
+            usernameVariable: 'DOCKERUSER',
+            passwordVariable: 'DOCKERPASS'
+          ]
+        ]) {
+          sh '''#! /bin/bash
+                set -e
+                TEMPDIR=$(mktemp -d)
+                docker pull ghcr.io/linuxserver/jenkins-builder:latest
+                docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest
+                docker pull ghcr.io/linuxserver/readme-sync
+                docker run --rm=true \
+                  -e DOCKERHUB_USERNAME=$DOCKERUSER \
+                  -e DOCKERHUB_PASSWORD=$DOCKERPASS \
+                  -e GIT_REPOSITORY=${LS_USER}/${LS_REPO} \
+                  -e DOCKER_REPOSITORY=${IMAGE} \
+                  -e GIT_BRANCH=master \
+                  -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \
+                  ghcr.io/linuxserver/readme-sync bash -c 'node sync'
+                rm -Rf ${TEMPDIR} '''
+        }
+      }
+    }
+    // If this is a Pull request send the CI link as a comment on it
+    stage('Pull Request Comment') {
+      when {
+        not {environment name: 'CHANGE_ID', value: ''}
+        environment name: 'CI', value: 'true'
+        environment name: 'EXIT_STATUS', value: ''
+      }
+      steps {
+        sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \
+        -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' '''
+      }
+    }
+  }
+  /* ######################
+     Send status to Discord
+     ###################### */
+  post {
+    always {
+      script{
+        if (env.EXIT_STATUS == "ABORTED"){
+          sh 'echo "build aborted"'
+        }
+        else if (currentBuild.currentResult == "SUCCESS"){
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 1681177,\
+                 "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
+                 "username": "Jenkins"}' ${BUILDS_DISCORD} '''
+        }
+        else {
+          sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 16711680,\
+                 "description": "**Build:**  '${BUILD_NUMBER}'\\n**CI Results:**  '${CI_URL}'\\n**ShellCheck Results:**  '${SHELLCHECK_URL}'\\n**Status:**  failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
+                 "username": "Jenkins"}' ${BUILDS_DISCORD} '''
+        }
+      }
+    }
+    cleanup {
+      cleanWs()
+    }
+  }
+}
diff --git a/README.md b/README.md
index ca4eddb..c09d340 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,283 @@
-docker-fail2ban
+<!-- DO NOT EDIT THIS FILE MANUALLY  -->
+<!-- Please read the https://github.com/linuxserver/docker-fail2ban/blob/master/.github/CONTRIBUTING.md -->
+
+[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)](https://linuxserver.io)
+
+[![Blog](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Blog)](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
+[![Discord](https://img.shields.io/discord/354974912613449730.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Discord&logo=discord)](https://discord.gg/YWrKVTn "realtime support / chat with the community and the team.")
+[![Discourse](https://img.shields.io/discourse/https/discourse.linuxserver.io/topics.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=discourse)](https://discourse.linuxserver.io "post on our community forum.")
+[![Fleet](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Fleet)](https://fleet.linuxserver.io "an online web interface which displays all of our maintained images.")
+[![GitHub](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub&logo=github)](https://github.com/linuxserver "view the source for all of our repositories.")
+[![Open Collective](https://img.shields.io/opencollective/all/linuxserver.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=Supporters&logo=open%20collective)](https://opencollective.com/linuxserver "please consider helping us by either donating or contributing to our budget")
+
+The [LinuxServer.io](https://linuxserver.io) team brings you another container release featuring:
+
+* regular and timely application updates
+* easy user mappings (PGID, PUID)
+* custom base image with s6 overlay
+* weekly base OS updates with common layers across the entire LinuxServer.io ecosystem to minimise space usage, down time and bandwidth
+* regular security updates
+
+Find us at:
+
+* [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more!
+* [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team.
+* [Discourse](https://discourse.linuxserver.io) - post on our community forum.
+* [Fleet](https://fleet.linuxserver.io) - an online web interface which displays all of our maintained images.
+* [GitHub](https://github.com/linuxserver) - view the source for all of our repositories.
+* [Open Collective](https://opencollective.com/linuxserver) - please consider helping us by either donating or contributing to our budget
+
+# [linuxserver/fail2ban](https://github.com/linuxserver/docker-fail2ban)
+
+[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Ffail2ban?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Ffail2ban)
+[![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-fail2ban)
+[![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-fail2ban/releases)
+[![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-fail2ban/packages)
+[![GitLab Container Registry](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitLab%20Registry&logo=gitlab)](https://gitlab.com/linuxserver.io/docker-fail2ban/container_registry)
+[![Quay.io](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=Quay.io)](https://quay.io/repository/linuxserver.io/fail2ban)
+[![Docker Pulls](https://img.shields.io/docker/pulls/linuxserver/fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=pulls&logo=docker)](https://hub.docker.com/r/linuxserver/fail2ban)
+[![Docker Stars](https://img.shields.io/docker/stars/linuxserver/fail2ban.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=stars&logo=docker)](https://hub.docker.com/r/linuxserver/fail2ban)
+[![Jenkins Build](https://img.shields.io/jenkins/build?labelColor=555555&logoColor=ffffff&style=for-the-badge&jobUrl=https%3A%2F%2Fci.linuxserver.io%2Fjob%2FDocker-Pipeline-Builders%2Fjob%2Fdocker-fail2ban%2Fjob%2Fmaster%2F&logo=jenkins)](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-fail2ban/job/master/)
+[![LSIO CI](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=CI&query=CI&url=https%3A%2F%2Fci-tests.linuxserver.io%2Flinuxserver%2Ffail2ban%2Flatest%2Fci-status.yml)](https://ci-tests.linuxserver.io/linuxserver/fail2ban/latest/index.html)
+
+[Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.
+
+[![fail2ban](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png)](http://www.fail2ban.org/)
+
+## Supported Architectures
+
+We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
+
+Simply pulling `lscr.io/linuxserver/fail2ban:latest` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
+
+The architectures supported by this image are:
+
+| Architecture | Available | Tag |
+| :----: | :----: | ---- |
+| x86-64 | ✅ | amd64-\<version tag\> |
+| arm64 | ✅ | arm64v8-\<version tag\> |
+| armhf| ✅ | arm32v7-\<version tag\> |
+
+## Application Setup
+
+App Setup Info
+
+## Usage
+
+Here are some example snippets to help you get started creating a container.
+
+### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))
+
+```yaml
+---
+version: "2.1"
+services:
+  fail2ban:
+    image: lscr.io/linuxserver/fail2ban:latest
+    container_name: fail2ban
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=America/New_York
+    volumes:
+      - /path/to/appdata/config:/config
+      - /var/log:/var/log:ro
+      - /path/to/airsonic/airsonic.log:/remotelogs/airsonic/airsonic.log:ro #optional
+      - /path/to/apache2/log:/remotelogs/apache2:ro #optional
+      - /path/to/audit/audit.log:/remotelogs/audit/audit.log:ro #optional
+      - /path/to/authelia/authelia.log:/remotelogs/authelia/authelia.log:ro #optional
+      - /path/to/emby/embyserver.txt:/remotelogs/emby/embyserver.txt:ro #optional
+      - /path/to/exim/mainlog:/remotelogs/exim/mainlog:ro #optional
+      - /path/to/filebrowser/filebrowser.log:/remotelogs/filebrowser/filebrowser.log:ro #optional
+      - /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro #optional
+      - /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro #optional
+      - /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro #optional
+      - /path/to/nginx/log:/remotelogs/nginx:ro #optional
+      - /path/to/nzbget.log:/remotelogs/nzbget:ro #optional
+      - /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro #optional
+      - /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro #optional
+      - /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro #optional
+      - /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro #optional
+      - /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro #optional
+      - /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro #optional
+      - /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro #optional
+      - /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro #optional
+    restart: unless-stopped
+```
+
+### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/))
+
+```bash
+docker run -d \
+  --name=fail2ban \
+  -e PUID=1000 \
+  -e PGID=1000 \
+  -e TZ=America/New_York \
+  -v /path/to/appdata/config:/config \
+  -v /var/log:/var/log:ro \
+  -v /path/to/airsonic/airsonic.log:/remotelogs/airsonic/airsonic.log:ro `#optional` \
+  -v /path/to/apache2/log:/remotelogs/apache2:ro `#optional` \
+  -v /path/to/audit/audit.log:/remotelogs/audit/audit.log:ro `#optional` \
+  -v /path/to/authelia/authelia.log:/remotelogs/authelia/authelia.log:ro `#optional` \
+  -v /path/to/emby/embyserver.txt:/remotelogs/emby/embyserver.txt:ro `#optional` \
+  -v /path/to/exim/mainlog:/remotelogs/exim/mainlog:ro `#optional` \
+  -v /path/to/filebrowser/filebrowser.log:/remotelogs/filebrowser/filebrowser.log:ro `#optional` \
+  -v /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro `#optional` \
+  -v /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro `#optional` \
+  -v /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro `#optional` \
+  -v /path/to/nginx/log:/remotelogs/nginx:ro `#optional` \
+  -v /path/to/nzbget.log:/remotelogs/nzbget:ro `#optional` \
+  -v /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro `#optional` \
+  -v /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro `#optional` \
+  -v /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro `#optional` \
+  -v /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro `#optional` \
+  -v /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro `#optional` \
+  -v /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro `#optional` \
+  -v /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro `#optional` \
+  -v /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro `#optional` \
+  --restart unless-stopped \
+  lscr.io/linuxserver/fail2ban:latest
+```
+
+## Parameters
+
+Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `<external>:<internal>` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
+
+| Parameter | Function |
+| :----: | --- |
+| `-e PUID=1000` | for UserID - see below for explanation |
+| `-e PGID=1000` | for GroupID - see below for explanation |
+| `-e TZ=America/New_York` | Specify a timezone to use EG America/New_York |
+| `-v /config` | Contains all relevant configuration files. |
+| `-v /var/log:ro` | Host logs. Mounted as Read Only. |
+| `-v /remotelogs/airsonic/airsonic.log:ro` | Path to airsonic log file. Mounted as Read Only. |
+| `-v /remotelogs/apache2:ro` | Path to apache2 log folder. Mounted as Read Only. |
+| `-v /remotelogs/audit/audit.log:ro` | Path to auditd log file. Mounted as Read Only. |
+| `-v /remotelogs/authelia/authelia.log:ro` | Path to authelia log file. Mounted as Read Only. |
+| `-v /remotelogs/emby/embyserver.txt:ro` | Path to emby log file. Mounted as Read Only. |
+| `-v /remotelogs/exim/mainlog:ro` | Path to exim log file. Mounted as Read Only. |
+| `-v /remotelogs/filebrowser/filebrowser.log:ro` | Path to filebrowser log file. Mounted as Read Only. |
+| `-v /remotelogs/gitea/gitea.log:ro` | Path to gitea log file. Mounted as Read Only. |
+| `-v /remotelogs/homeassistant/home-assistant.log:ro` | Path to homeassistant log file. Mounted as Read Only. |
+| `-v /remotelogs/lighttpd/error.log:ro` | Path to lighttpd error log file. Mounted as Read Only. |
+| `-v /remotelogs/nginx:ro` | Path to nginx log folder. Mounted as Read Only. |
+| `-v /remotelogs/nzbget:ro` | Path to nzbget log folder. Mounted as Read Only. |
+| `-v /remotelogs/overseerr/overseerr.log:ro` | Path to overseerr log file. Mounted as Read Only. |
+| `-v /remotelogs/prowlarr/prowlarr.txt:ro` | Path to prowlarr log file. Mounted as Read Only. |
+| `-v /remotelogs/radarr/radarr.txt:ro` | Path to radarr log file. Mounted as Read Only. |
+| `-v /remotelogs/roundcube/errors:ro` | Path to roundcube error log file. Mounted as Read Only. |
+| `-v /remotelogs/sonarr/sonarr.txt:ro` | Path to sonarr log file. Mounted as Read Only. |
+| `-v /remotelogs/unificontroller/server.log:ro` | Path to unificontroller server log file. Mounted as Read Only. |
+| `-v /remotelogs/vaultwarden/vaultwarden.log:ro` | Path to vaultwarden log file. Mounted as Read Only. |
+| `-v /remotelogs/vsftpd.log:ro` | Path to vsftpd log file. Mounted as Read Only. |
+
+## Environment variables from files (Docker secrets)
+
+You can set any environment variable from a file by using a special prepend `FILE__`.
+
+As an example:
+
+```bash
+-e FILE__PASSWORD=/run/secrets/mysecretpassword
+```
+
+Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
+
+## Umask for running applications
+
+For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
+Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
+
+## User / Group Identifiers
+
+When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
+
+Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
+
+In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
+
+```bash
+  $ id username
+    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
+```
+
+## Docker Mods
+
+[![Docker Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=fail2ban&query=%24.mods%5B%27fail2ban%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=fail2ban "view available mods for this container.") [![Docker Universal Mods](https://img.shields.io/badge/dynamic/yaml?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=universal&query=%24.mods%5B%27universal%27%5D.mod_count&url=https%3A%2F%2Fraw.githubusercontent.com%2Flinuxserver%2Fdocker-mods%2Fmaster%2Fmod-list.yml)](https://mods.linuxserver.io/?mod=universal "view available universal mods.")
+
+We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.
+
+## Support Info
+
+* Shell access whilst the container is running: `docker exec -it fail2ban /bin/bash`
+* To monitor the logs of the container in realtime: `docker logs -f fail2ban`
+* container version number
+  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' fail2ban`
+* image version number
+  * `docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/fail2ban:latest`
+
+## Updating Info
+
+Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
+
+Below are the instructions for updating containers:
+
+### Via Docker Compose
+
+* Update all images: `docker-compose pull`
+  * or update a single image: `docker-compose pull fail2ban`
+* Let compose update all containers as necessary: `docker-compose up -d`
+  * or update a single container: `docker-compose up -d fail2ban`
+* You can also remove the old dangling images: `docker image prune`
+
+### Via Docker Run
+
+* Update the image: `docker pull lscr.io/linuxserver/fail2ban:latest`
+* Stop the running container: `docker stop fail2ban`
+* Delete the container: `docker rm fail2ban`
+* Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
+* You can also remove the old dangling images: `docker image prune`
+
+### Via Watchtower auto-updater (only use if you don't remember the original parameters)
+
+* Pull the latest image at its tag and replace it with the same env variables in one run:
+
+  ```bash
+  docker run --rm \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  containrrr/watchtower \
+  --run-once fail2ban
+  ```
+
+* You can also remove the old dangling images: `docker image prune`
+
+**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
+
+### Image Update Notifications - Diun (Docker Image Update Notifier)
+
+* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
+
+## Building locally
+
+If you want to make local modifications to these images for development purposes or just to customize the logic:
+
+```bash
+git clone https://github.com/linuxserver/docker-fail2ban.git
+cd docker-fail2ban
+docker build \
+  --no-cache \
+  --pull \
+  -t lscr.io/linuxserver/fail2ban:latest .
+```
+
+The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
+
+```bash
+docker run --rm --privileged multiarch/qemu-user-static:register --reset
+```
+
+Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
+
+## Versions
+
+* **01.08.22:** - Initial Release.
diff --git a/jenkins-vars.yml b/jenkins-vars.yml
new file mode 100644
index 0000000..caa0196
--- /dev/null
+++ b/jenkins-vars.yml
@@ -0,0 +1,29 @@
+---
+
+# jenkins variables
+project_name: docker-fail2ban
+external_type: alpine_repo
+release_type: stable
+release_tag: latest
+ls_branch: master
+repo_vars:
+  - BUILD_VERSION_ARG = 'FAIL2BAN_VERSION'
+  - LS_USER = 'linuxserver'
+  - LS_REPO = 'docker-fail2ban'
+  - CONTAINER_NAME = 'fail2ban'
+  - DOCKERHUB_IMAGE = 'linuxserver/fail2ban'
+  - DEV_DOCKERHUB_IMAGE = 'lsiodev/fail2ban'
+  - PR_DOCKERHUB_IMAGE = 'lspipepr/fail2ban'
+  - DIST_IMAGE = 'alpine'
+  - DIST_TAG = '3.16'
+  - DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.16/main/'
+  - DIST_REPO_PACKAGES = 'fail2ban'
+  - MULTIARCH='true'
+  - CI='true'
+  - CI_WEB='false'
+  - CI_PORT=''
+  - CI_SSL='false'
+  - CI_DELAY='120'
+  - CI_DOCKERENV='TZ=US/Pacific'
+  - CI_AUTH='user:password'
+  - CI_WEBPATH=''
diff --git a/readme-vars.yml b/readme-vars.yml
new file mode 100644
index 0000000..0f699f8
--- /dev/null
+++ b/readme-vars.yml
@@ -0,0 +1,66 @@
+---
+
+# project information
+project_name: fail2ban
+project_url: "http://www.fail2ban.org/"
+project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png"
+project_blurb: |
+  [{{ project_name|capitalize }}]({{ project_url }}) is a daemon to ban hosts that cause multiple authentication errors.
+
+project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
+
+# supported architectures
+available_architectures:
+  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
+  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
+  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
+
+# container parameters
+common_param_env_vars_enabled: true
+param_container_name: "{{ project_name }}"
+param_net: "host"
+param_net_desc: "Shares host networking with container."
+param_usage_include_env: true
+param_env_vars:
+  - { env_var: "TZ", env_value: "America/New_York", desc: "Specify a timezone to use EG America/New_York"}
+param_usage_include_vols: true
+param_volumes:
+  - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
+  - { vol_path: "/var/log:ro", vol_host_path: "/var/log", desc: "Host logs. Mounted as Read Only." }
+cap_add_param: false
+cap_add_param_vars:
+  - { cap_add_var: "NET_ADMIN" }
+  - { cap_add_var: "NET_RAW" }
+
+# optional parameters
+opt_param_usage_include_vols: true
+opt_param_volumes:
+  - { vol_path: "/remotelogs/airsonic/airsonic.log:ro", vol_host_path: "/path/to/airsonic/airsonic.log", desc: "Path to airsonic log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/apache2:ro", vol_host_path: "/path/to/apache2/log", desc: "Path to apache2 log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/audit/audit.log:ro", vol_host_path: "/path/to/audit/audit.log", desc: "Path to auditd log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/authelia/authelia.log:ro", vol_host_path: "/path/to/authelia/authelia.log", desc: "Path to authelia log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/emby/embyserver.txt:ro", vol_host_path: "/path/to/emby/embyserver.txt", desc: "Path to emby log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/exim/mainlog:ro", vol_host_path: "/path/to/exim/mainlog", desc: "Path to exim log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/filebrowser/filebrowser.log:ro", vol_host_path: "/path/to/filebrowser/filebrowser.log", desc: "Path to filebrowser log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/gitea/gitea.log:ro", vol_host_path: "/path/to/gitea/gitea.log", desc: "Path to gitea log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/homeassistant/home-assistant.log:ro", vol_host_path: "/path/to/homeassistant/home-assistant.log", desc: "Path to homeassistant log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/lighttpd/error.log:ro", vol_host_path: "/path/to/lighttpd/error.log", desc: "Path to lighttpd error log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nginx:ro", vol_host_path: "/path/to/nginx/log", desc: "Path to nginx log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nzbget:ro", vol_host_path: "/path/to/nzbget.log", desc: "Path to nzbget log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/overseerr/overseerr.log:ro", vol_host_path: "/path/to/overseerr/overseerr.log", desc: "Path to overseerr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/prowlarr/prowlarr.txt:ro", vol_host_path: "/path/to/prowlarr/prowlarr.txt", desc: "Path to prowlarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/radarr/radarr.txt:ro", vol_host_path: "/path/to/radarr/radarr.txt", desc: "Path to radarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/roundcube/errors:ro", vol_host_path: "/path/to/roundcube/errors", desc: "Path to roundcube error log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/sonarr/sonarr.txt:ro", vol_host_path: "/path/to/sonarr/sonarr.txt", desc: "Path to sonarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/unificontroller/server.log:ro", vol_host_path: "/path/to/unificontroller/server.log", desc: "Path to unificontroller server log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/vaultwarden/vaultwarden.log:ro", vol_host_path: "/path/to/vaultwarden/vaultwarden.log", desc: "Path to vaultwarden log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd.log", desc: "Path to vsftpd log file. Mounted as Read Only." }
+
+# application setup block
+app_setup_block_enabled: true
+app_setup_block: |
+  App Setup Info
+
+# changelog
+changelogs:
+  - { date: "01.08.22:", desc: "Initial Release." }