
Fail2Ban

Fail2Ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes by default.

Configuration files

If you want to change these values, you can edit our GitHub example file: config-examples/fail2ban-jail.cf.

You can do the same with the values from fail2ban.conf, e.g. dbpurgeage. In that case you need to edit: config-examples/fail2ban-fail2ban.cf.

The configuration files need to be located at the root of the /tmp/docker-mailserver/ volume bind (usually ./docker-data/dms/config/:/tmp/docker-mailserver/).

The following configuration files from /tmp/docker-mailserver/ are copied during container startup:

  • fail2ban-jail.cf -> /etc/fail2ban/jail.d/user-jail.local
  • fail2ban-fail2ban.cf -> /etc/fail2ban/fail2ban.local
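As an added example (not the project's own config-examples file), this is what a fail2ban-jail.cf override looks like when it restates the defaults described above (3 failures within 10 minutes, 3-hour ban) and additionally exempts a trusted range. The keys are standard fail2ban jail.local settings; the time-unit suffixes (3h, 10m) assume fail2ban 0.10 or newer, and the ignoreip range is a constructed example, not a value from the page.

```ini
# Added example of a user fail2ban-jail.cf; not docker-mailserver's own file.
# Placed at /tmp/docker-mailserver/fail2ban-jail.cf it is copied to
# /etc/fail2ban/jail.d/user-jail.local at container startup.
[DEFAULT]
# Ban offending IPs for 3 hours (the page's stated default)
bantime  = 3h
# Count failures within a 10-minute sliding window ...
findtime = 10m
# ... and ban once the 3rd failure in that window is seen
maxretry = 3
# Addresses never banned: loopback plus a constructed trusted LAN subnet.
# Keep this list tight; anything here is exempt from all jails.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
```

Settings under [DEFAULT] apply to every jail; a per-jail section with the jail's name can override them for a single service, following the same key names.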

Docker-compose config

Example configuration volume bind:

    volumes:
      - ./docker-data/dms/config/:/tmp/docker-mailserver/

Attention

docker-mailserver must be launched with the NET_ADMIN capability in order to be able to install the nftables rules that actually ban IP addresses.

Thus either include --cap-add=NET_ADMIN in the docker run command, or the equivalent in docker-compose.yml:

cap_add:
  - NET_ADMIN

Running fail2ban in a rootless container

RootlessKit is the fakeroot implementation for supporting rootless mode in Docker and Podman. By default RootlessKit uses the builtin port forwarding driver, which does not propagate source IP addresses.

It is necessary for fail2ban to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to slirp4netns, which is slower than builtin but does preserve the real source IPs.

Docker with slirp4netns port driver

For rootless mode in Docker, create ~/.config/systemd/user/docker.service.d/override.conf with the following content:

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"

And then restart the daemon:

$ systemctl --user daemon-reload
$ systemctl --user restart docker

Note

This changes the port driver for all rootless containers managed by Docker.

Per-container configuration is not supported; if you need that, consider Podman instead.

Podman with slirp4netns port driver

Rootless Podman requires adding the value slirp4netns:port_handler=slirp4netns to the --network CLI option, or to the network_mode setting in your docker-compose.yml.

You must also set the environment variable NETWORK_INTERFACE=tap0, because Podman uses a hard-coded interface name for slirp4netns.

Example

services:
  mailserver:
    network_mode: "slirp4netns:port_handler=slirp4netns"
    environment:
      - ENABLE_FAIL2BAN=1
      - NETWORK_INTERFACE=tap0
      ...

Note

slirp4netns is not compatible with user-defined networks.

Manage bans

You can also manage and list the banned IPs with the setup.sh script.

List bans

./setup.sh fail2ban

Un-ban

Here 192.168.1.15 is our banned IP.

./setup.sh fail2ban unban 192.168.1.15