docker-fail2ban

Add Debian-based image for systemd backend

Open ttionya opened this issue 1 year ago • 5 comments

Description

Hello,

Debian 12 uses journal instead of rsyslog. fail2ban supports enabling journal support by setting backend=systemd. However, this project uses Alpine, which does not support the systemd backend.

Could you please add a Debian-based image? Thank you.

ttionya avatar Oct 28 '24 09:10 ttionya

+1 for this. Currently there is no support for the systemd backend and systemd-journald, which is needed for sshd on Debian 12 and up to get fail2ban working with ssh to get the failed attempts.

JMarcosHP avatar Nov 01 '24 06:11 JMarcosHP

Duplicate of https://github.com/crazy-max/docker-fail2ban/issues/97

Byh0ki avatar Nov 04 '24 00:11 Byh0ki

+1

This function is also what we need, and we hope it can be added.

ilanni2460 avatar Dec 20 '24 00:12 ilanni2460

My workaround for this was to switch to the forked Docker image on GitLab. This is my compose.yml file:

services:
  fail2ban:
#    image: crazymax/fail2ban:latest
    build:
      context: https://gitlab.com/byh0ki-org/containers/fail2ban.git
      dockerfile: Dockerfile
    container_name: fail2ban
    cap_add:
      - NET_ADMIN
      - NET_RAW
    network_mode: host
    #labels:
    #  - com.centurylinklabs.watchtower.enable=false  #exclude from watchtower auto-update
    environment:
      - PUID=${APPUSER_PUID}  #UID of a user on your system
      - PGID=${APPUSER_PGID}  #GID of the user group on your system
      - TZ=${TIME_ZONE_VALUE}  #your linux timezone
      - F2B_LOG_TARGET=STDOUT
      - F2B_LOG_LEVEL=INFO
      - F2B_DB_PURGE_AGE=30d
    volumes:
      - ./data:/data
      - /var/log/auth.log:/ssh/auth.log:ro
    restart: always

Also, I enabled syslog to get the ssh logs in the /var/log/auth.log file again in Debian:

/etc/rsyslog.d/ssh.conf

auth,authpriv.*                 /var/log/auth.log

/etc/ssh/sshd_config

SyslogFacility AUTH
LogLevel INFO

Then I mounted /var/log/auth.log in ssh/auth.log on the fail2ban container (see compose file).

This is my ssh jail:

[sshd]
enabled = true
port = 630
logpath = /ssh/auth.log
filter = sshd[mode=aggressive]
chain = INPUT
action = iptables[type=allports, port=630, protocol=tcp, chain=INPUT]
         cloudflare-apiv4
         %(action_abuseipdb)s[abuseipdb_apikey="c0b0f9058268820ef333dd8e0538992a10895e6b679cb8e202f7ee89d26e92128a65ddd457714fa8", abuseipdb_category="4,18,22", bantime="%(bantime)s"]
         telegram
actionban = /data/action.d/abuseipdb-fail2ban-report.sh \
    "<abuseipdb_apikey>" "<matches>" "<ip>" "<abuseipdb_category>" "<bantime>"
maxretry = 3
bantime = -1
findtime = 86400

JMarcosHP avatar Dec 20 '24 01:12 JMarcosHP
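
As an added illustration (not part of the comment above or of either project's code), this Python sketch applies the jail's maxretry = 3 and findtime = 86400 to constructed auth.log lines, accepting both the traditional and the ISO 8601 timestamp styles that rsyslog can write. The regex is a simplified stand-in for fail2ban's sshd filter, and the function names, the assumed year and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the [sshd] jail in the comment above.
MAXRETRY = 3
FINDTIME = timedelta(seconds=86400)

# Simplified stand-in for fail2ban's sshd filter (the real filter matches far more).
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port"
)

def parse_ts(line, year=2024):
    """Parse either timestamp style rsyslog can write to auth.log."""
    first = line.split(" ", 1)[0]
    try:
        return datetime.fromisoformat(first).replace(tzinfo=None)  # ISO 8601 style
    except ValueError:
        # Traditional "Dec 20 01:10:05" carries no year; `year` is an assumption.
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def ips_to_ban(lines):
    """Return IPs with >= MAXRETRY failures inside one FINDTIME window, in ban order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a failed login (e.g. "Accepted publickey")
        ts, ip = parse_ts(line), m["ip"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample lines (documentation IP ranges), mixing both formats on purpose.
SAMPLE = [
    "2024-12-20T01:10:05.120000+00:00 host sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2",
    "2024-12-20T01:10:09.450000+00:00 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "2024-12-20T01:11:00.000000+00:00 host sshd[815]: Accepted publickey for ops from 198.51.100.4 port 51000 ssh2",
    "2024-12-20T09:30:41.000000+00:00 host sshd[902]: Failed password for root from 203.0.113.7 port 41234 ssh2",
    "Dec 18 07:00:00 host sshd[700]: Failed password for root from 198.51.100.9 port 2222 ssh2",
    "Dec 18 07:00:05 host sshd[700]: Failed password for root from 198.51.100.9 port 2222 ssh2",
    "Dec 20 08:00:00 host sshd[950]: Failed password for root from 198.51.100.9 port 2222 ssh2",
]
```

Only 203.0.113.7 reaches three failures inside one 24-hour window; the third failure from 198.51.100.9 arrives more than a day after the first two, so its window resets.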

For my own convenience, I forked this project and modified it, see ttionya/fail2ban. It is based on Debian to support backend=systemd, and it comes with inotifywait built in to monitor log file changes and automatically reload the jail.

ttionya avatar Feb 19 '25 05:02 ttionya