Add fix for Docker deployments with Fail2Ban v1.1.1.dev1
parent b188e0e6c2
commit d21158b424
|
@ -155,14 +155,21 @@ findtime = 14400
|
||||||
|
|
||||||
###### Note for Docker Users
|
###### Note for Docker Users
|
||||||
|
|
||||||
Docker uses the FORWARD chain instead of the default INPUT chain. If the machine receiving requests is mapping them straight to a Docker container, then chain will need to be set appropriately regardless of what is in the container (reverse proxy, Vaultwarden, etc). The default `action` is set to `action_` (which uses `banaction`, which we alias to `banaction_allports`). `action_` already takes the chain into account. Thus, simply set the `chain`. See [this similar issue](https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057).
|
Docker uses the `FORWARD` chain instead of the default INPUT chain. If the machine receiving requests is mapping them straight to a Docker container, then chain will need to be set appropriately regardless of what is in the container (reverse proxy, Vaultwarden, etc). The default `action` is set to `action_` (which uses `banaction`, which we alias to `banaction_allports`). `action_` already takes the chain into account. Thus, simply set the `chain`. See [this similar issue](https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057).
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
chain = FORWARD
|
chain = FORWARD
|
||||||
```
|
```
|
||||||
|
|
||||||
**Tip**: If you are using systemd to manage vaultwarden, you can use systemd-journal for fail2ban:
|
###### Note for Docker Users with Fail2Ban v1.1.1.dev1 (and possibly newer)
|
||||||
|
|
||||||
|
With Fail2Ban v1.1.1.dev1 the default `banactions` for Debian changed from iptables to nftables (see [here](https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc)). Docker (at least version 25.0.3) on the other hand still uses iptables. Hence, the requests to the Docker containers are not blocked with `banaction = %(banaction_allports)s`. In this scenario, use
|
||||||
|
```ini
|
||||||
|
banaction = iptables
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Tip**: If you are using systemd to manage vaultwarden, you can use systemd-journal for fail2ban:
|
||||||
|
```ini
|
||||||
backend = systemd
|
backend = systemd
|
||||||
filter = vaultwarden[journalmatch='_SYSTEMD_UNIT=your_vaultwarden.service']
|
filter = vaultwarden[journalmatch='_SYSTEMD_UNIT=your_vaultwarden.service']
|
||||||
```
|
```
|
||||||
|
|
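Review bot: In the new "Note for Docker Users with Fail2Ban v1.1.1.dev1" section, `banaction = iptables` replaces the `banaction` that the preceding note says is aliased to `banaction_allports`, and the text does not say whether the ban still covers all ports or whether `chain = FORWARD` from the preceding note must still be set alongside it. Suggest stating both explicitly, for example that the jail needs `chain = FORWARD` and `banaction = iptables` together, and confirming the port scope of the replacement action. The same paragraph writes `banactions` where the option used everywhere else in the hunk is `banaction`; the names should match.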