Add fix for Docker deployments with Fail2Ban v1.1.1.dev1

Maximilian Wank 2024-07-25 15:46:30 +02:00
parent b188e0e6c2
commit d21158b424
1 changed files with 9 additions and 2 deletions

@ -155,14 +155,21 @@ findtime = 14400
###### Note for Docker Users ###### Note for Docker Users
Docker uses the FORWARD chain instead of the default INPUT chain. If the machine receiving requests is mapping them straight to a Docker container, then chain will need to be set appropriately regardless of what is in the container (reverse proxy, Vaultwarden, etc). The default `action` is set to `action_` (which uses `banaction`, which we alias to `banaction_allports`). `action_` already takes the chain into account. Thus, simply set the `chain`. See [this similar issue](https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057). Docker uses the `FORWARD` chain instead of the default INPUT chain. If the machine receiving requests is mapping them straight to a Docker container, then chain will need to be set appropriately regardless of what is in the container (reverse proxy, Vaultwarden, etc). The default `action` is set to `action_` (which uses `banaction`, which we alias to `banaction_allports`). `action_` already takes the chain into account. Thus, simply set the `chain`. See [this similar issue](https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057).
```ini ```ini
chain = FORWARD chain = FORWARD
``` ```
**Tip**: If you are using systemd to manage vaultwarden, you can use systemd-journal for fail2ban: ###### Note for Docker Users with Fail2Ban v1.1.1.dev1 (and possibly newer)
With Fail2Ban v1.1.1.dev1 the default `banactions` for Debian changed from iptables to nftables (see [here](https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc)). Docker (at least version 25.0.3) on the other hand still uses iptables. Hence, the requests to the Docker containers are not blocked with `banaction = %(banaction_allports)s`. In this scenario, use
```ini
banaction = iptables
``` ```
**Tip**: If you are using systemd to manage vaultwarden, you can use systemd-journal for fail2ban:
```ini
backend = systemd backend = systemd
filter = vaultwarden[journalmatch='_SYSTEMD_UNIT=your_vaultwarden.service'] filter = vaultwarden[journalmatch='_SYSTEMD_UNIT=your_vaultwarden.service']
``` ```