Fail2ban 1.0.1 (#130)

Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>

.dockerignore

@@ -1,7 +1,3 @@
-/.dev
-/.idea
-/*.iml
-
 /.git
 /.github
 /examples

Dockerfile

@@ -1,18 +1,14 @@
 # syntax=docker/dockerfile:1
 
-ARG FAIL2BAN_VERSION=0.11.2
+ARG FAIL2BAN_VERSION=1.0.1
 ARG ALPINE_VERSION=3.16
 
 FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS fail2ban-src
-RUN apk add --no-cache git patch
+RUN apk add --no-cache git
 WORKDIR /src/fail2ban
+RUN git init . && git remote add origin "https://github.com/fail2ban/fail2ban.git"
 ARG FAIL2BAN_VERSION
-RUN <<EOT
-git clone https://github.com/fail2ban/fail2ban.git .
-git reset --hard $FAIL2BAN_VERSION
-EOT
-COPY patches /src/patches
-RUN for i in /src/patches/*.patch; do patch -p1 < $i; done
+RUN git fetch origin "${FAIL2BAN_VERSION}" && git checkout -q FETCH_HEAD
 
 FROM alpine:${ALPINE_VERSION}
 RUN --mount=from=fail2ban-src,source=/src/fail2ban,target=/tmp/fail2ban,rw \
@@ -40,7 +36,7 @@ RUN --mount=from=fail2ban-src,source=/src/fail2ban,target=/tmp/fail2ban,rw \
   && pip3 install dnspython3 pyinotify \
   && cd /tmp/fail2ban \
   && 2to3 -w --no-diffs bin/* fail2ban \
-  && python3 setup.py install \
+  && pip3 install . \
   && apk del build-dependencies \
   && rm -rf /etc/fail2ban/jail.d
 

README.md

@@ -11,10 +11,13 @@
 
 ## About
 
-[Fail2ban](https://www.fail2ban.org) Docker image based on Alpine Linux.<br />
-If you are interested, [check out](https://hub.docker.com/r/crazymax/) my other Docker images!
+[Fail2ban](https://www.fail2ban.org) Docker image to ban hosts that cause
+multiple authentication errors.
 
-💡 Want to be notified of new releases? Check out 🔔 [Diun (Docker Image Update Notifier)](https://github.com/crazy-max/diun) project!
+> **Note**
+> 
+> Want to be notified of new releases? Check out 🔔 [Diun (Docker Image Update Notifier)](https://github.com/crazy-max/diun)
+> project!
 
 ___
 
@@ -52,10 +55,10 @@ docker buildx bake image-all
 
 ## Image
 
-| Registry                                                                                         | Image                           |
-|--------------------------------------------------------------------------------------------------|---------------------------------|
-| [Docker Hub](https://hub.docker.com/r/crazymax/fail2ban/)                                            | `crazymax/fail2ban`                 |
-| [GitHub Container Registry](https://github.com/users/crazy-max/packages/container/package/fail2ban)  | `ghcr.io/crazy-max/fail2ban`        |
+| Registry                                                                                            | Image                        |
+|-----------------------------------------------------------------------------------------------------|------------------------------|
+| [Docker Hub](https://hub.docker.com/r/crazymax/fail2ban/)                                           | `crazymax/fail2ban`          |
+| [GitHub Container Registry](https://github.com/users/crazy-max/packages/container/package/fail2ban) | `ghcr.io/crazy-max/fail2ban` |
 
 Following platforms for this image are available:
 
@@ -97,21 +100,22 @@ Image: crazymax/fail2ban:latest
 
 ### Docker Compose
 
-Docker compose is the recommended way to run this image. Copy the content of folder
-[examples/compose](examples/compose) in `/var/fail2ban/` on your host for example. Edit the compose and env files
-with your preferences and run the following commands:
+Docker compose is the recommended way to run this image. Copy the content of
+folder [examples/compose](examples/compose) in `/var/fail2ban/` on your host
+for example. Edit the Compose and env files with your preferences and run the
+following commands:
 
-```
-docker-compose up -d
-docker-compose logs -f
+```console
+$ docker-compose up -d
+$ docker-compose logs -f
 ```
 
 ### Command line
 
 You can also use the following minimal command :
 
-```
-docker run -d --name fail2ban --restart always \
+```console
+$ docker run -d --name fail2ban --restart always \
   --network host \
   --cap-add NET_ADMIN \
   --cap-add NET_RAW \
@@ -124,29 +128,33 @@ docker run -d --name fail2ban --restart always \
 
 Recreate the container whenever I push an update:
 
-```bash
-docker-compose pull
-docker-compose up -d
+```console
+$ docker-compose pull
+$ docker-compose up -d
 ```
 
 ## Notes
 
 ### `DOCKER-USER` chain
 
 In Docker 17.06 and higher through [docker/libnetwork#1675](https://github.com/docker/libnetwork/pull/1675),
-you can add rules to a new table called `DOCKER-USER`, and these rules will be loaded before any rules Docker creates
-automatically. This is useful to make `iptables` rules created by Fail2Ban persistent.
+you can add rules to a new table called `DOCKER-USER`, and these rules will be
+loaded before any rules Docker creates automatically. This is useful to make
+`iptables` rules created by Fail2Ban persistent.
 
-If you have an older version of Docker, you may just change the chain definition for your jail to `chain = FORWARD`.
-This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.
+If you have an older version of Docker, you may just change the chain
+definition for your jail to `chain = FORWARD`. This way, all Fail2Ban rules
+come before any Docker rules but these rules will now apply to ALL forwarded
+traffic.
 
 More info : https://docs.docker.com/network/iptables/
 
 ### `DOCKER-USER` and `INPUT` chains
 
-If your Fail2Ban container is attached to `DOCKER-USER` chain instead of `INPUT`, the rules will be applied
-**only to containers**. This means that any packets coming into the `INPUT` chain will bypass these rules that now
-reside under the `FORWARD` chain.
+If your Fail2Ban container is attached to `DOCKER-USER` chain instead of
+`INPUT`, the rules will be applied **only to containers**. This means that any
+packets coming into the `INPUT` chain will bypass these rules that now reside
+under the `FORWARD` chain.
 
 This is why the [sshd](examples/jails/sshd) jail contains a [`chain = INPUT`](examples/jails/sshd/jail.d/sshd.conf)
 in its definition and [traefik](examples/jails/traefik) jail contains
@@ -166,64 +174,67 @@ And others using the `INPUT` chain:
 
 ### Use iptables tooling without nftables backend
 
-As you may know, [nftables](https://wiki.nftables.org) is available as a modern replacement for the kernel's iptables
-subsystem on Linux. 
+As you may know, [nftables](https://wiki.nftables.org) is available as a modern
+replacement for the kernel's iptables subsystem on Linux. 
 
-This image still uses `iptables` to preserve backwards compatibility but
-[an issue is opened](https://github.com/crazy-max/docker-fail2ban/issues/29) about its implementation.
+This image still uses `iptables` to preserve backwards compatibility but [an issue is opened](https://github.com/crazy-max/docker-fail2ban/issues/29)
+about its implementation.
 
-If your system's `iptables` tooling uses the nftables backend, this will throw the error
-`stderr: 'iptables: No chain/target/match by that name.'`. You need to switch the `iptables` tooling to 'legacy' mode
-to avoid these problems. This is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer releases
-of these distributions by default. RHEL 8 does not support switching to legacy mode, and is therefore currently
-incompatible with this image.
+If your system's `iptables` tooling uses the nftables backend, this will throw
+the error `stderr: 'iptables: No chain/target/match by that name.'`. You need
+to switch the `iptables` tooling to 'legacy' mode to avoid these problems. This
+is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer
+releases of these distributions by default. RHEL 8 does not support switching
+to legacy mode, and is therefore currently incompatible with this image.
 
 On Ubuntu or Debian:
 
-```
-update-alternatives --set iptables /usr/sbin/iptables-legacy
-update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
-update-alternatives --set arptables /usr/sbin/arptables-legacy
-update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+```console
+$ update-alternatives --set iptables /usr/sbin/iptables-legacy
+$ update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+$ update-alternatives --set arptables /usr/sbin/arptables-legacy
+$ update-alternatives --set ebtables /usr/sbin/ebtables-legacy
 ```
 
 On Fedora:
 
-```
-update-alternatives --set iptables /usr/sbin/iptables-legacy
+```console
+$ update-alternatives --set iptables /usr/sbin/iptables-legacy
 ```
 
 Then reboot to apply changes.
 
 ### Use fail2ban-client
 
-[Fail2ban commands](http://www.fail2ban.org/wiki/index.php/Commands) can be used through the container. Here is an
-example if you want to ban an IP manually :
+[Fail2ban commands](http://www.fail2ban.org/wiki/index.php/Commands) can be used
+through the container. Here is an example if you want to ban an IP manually:
 
-```
-docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
+```console
+$ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
 ``` 
 
 ### Global jail configuration
 
 You can provide customizations in `/data/jail.d/*.local` files.
 
-For example to change the default bantime for all jails, send an e-mail with whois report and relevant log lines
-to the destemail:
+For example to change the default bantime for all jails, send an e-mail with
+whois report and relevant log lines to the destemail:
 
-```
+```text
 [DEFAULT]
 bantime = 1h
 destemail = root@localhost
 sender = root@$(hostname -f)
 action = %(action_mwl)s
 ```
 
-> :warning: If you want email to be sent after a ban, you have to configure SSMTP env vars
+> **Warning**
+> 
+> If you want email to be sent after a ban, you have to configure SSMTP env vars
 
 FYI, here is the order *jail* configuration would be loaded:
 
-```
+```text
 jail.conf
 jail.d/*.conf (in alphabetical order)
 jail.local
@@ -234,16 +245,20 @@ A sample configuration file is [available on the official repository](https://gi
 
 ### Custom jails, actions and filters
 
-Custom jails, actions and filters can be added respectively in `/data/jail.d`, `/data/action.d` and `/data/filter.d`.
-If you add an action/filter that already exists, it will be overriden.
+Custom jails, actions and filters can be added respectively in `/data/jail.d`,
+`/data/action.d` and `/data/filter.d`. If you add an action/filter that already
+exists, it will be overriden.
 
-> :warning: Container has to be restarted to propagate changes
+> **Warning**
+> 
+> Container has to be restarted to propagate changes
 
 ## Contributing
 
-Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You
-can also support this project by [**becoming a sponsor on GitHub**](https://github.com/sponsors/crazy-max) or by making
-a [Paypal donation](https://www.paypal.me/crazyws) to ensure this journey continues indefinitely!
+Want to contribute? Awesome! The most basic way to show your support is to star
+the project, or to raise issues. You can also support this project by [**becoming a sponsor on GitHub**](https://github.com/sponsors/crazy-max)
+or by making a [Paypal donation](https://www.paypal.me/crazyws) to ensure this
+journey continues indefinitely!
 
 Thanks again for your support, it is much appreciated! :pray:
 

docker-bake.hcl

@@ -24,11 +24,11 @@ target "image-local" {
 target "image-all" {
   inherits = ["image"]
   platforms = [
+    "linux/386",
     "linux/amd64",
     "linux/arm/v6",
     "linux/arm/v7",
     "linux/arm64",
-    "linux/386",
     "linux/ppc64le",
     "linux/s390x"
   ]

examples/compose/docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.5"
-
 services:
   fail2ban:
     image: crazymax/fail2ban:latest

examples/jails/guacamole/README.md

@@ -1,8 +1,8 @@
 ## Guacamole
 
-Create the logback configuration in `./config/guacamole/logback.xml` :
+Create the logback configuration in `./config/guacamole/logback.xml`:
 
-```
+```xml
 <configuration>
         <!-- Appender for debugging -->
         <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
@@ -25,23 +25,25 @@ Create the logback configuration in `./config/guacamole/logback.xml` :
 </configuration>
 ```
 
-Create this compose file for guacamole :
-
-```
-version: "2"
+Create this compose file for guacamole:
 
+```yaml
 services:
   guacamole:
     image: oznu/guacamole
     volumes:
       - ./config:/config
       - /var/log/guacamole:/usr/local/tomcat/logs
     ports:
-      - 8080:8080
+      - target: 8080
+        published: 8080
+        protocol: tcp
 ```
 
-Guacamole will write logs into `/usr/local/tomcat/logs` and bind the folder to `/var/log/guacamole` on the host.
+Guacamole will write logs into `/usr/local/tomcat/logs` and bind the folder
+to `/var/log/guacamole` on the host.
 
 ## Fail2ban container
 
-* Copy files from [filter.d](filter.d) and [jail.d](jail.d) to `./data` in their respective folders.
+* Copy files from [filter.d](filter.d) and [jail.d](jail.d) to `./data` in
+  their respective folders.

examples/jails/sshd/README.md

@@ -1,13 +1,13 @@
 ## SSHD
 
-To block IPs that have SSHD authentication failures on your host, you have to :
+To block IPs that have SSHD authentication failures on your host, you have to:
 
 * Copy files [jail.d](jail.d) to `./data`
 
-For example :
+For example:
 
-```bash
-docker run -it --name fail2ban --restart always \
+```console
+$ docker run -it --name fail2ban --restart always \
   --network host \
   --cap-add NET_ADMIN \
   --cap-add NET_RAW \
@@ -17,9 +17,9 @@ docker run -it --name fail2ban --restart always \
   crazymax/fail2ban:latest
 ```
 
-Here is the log output if an IP is banned :
+Here is the log output if an IP is banned:
 
-```
+```text
 2018-11-18 21:38:42,410 fail2ban.filterpoll     [1]: DEBUG   /var/log/auth.log has been modified
 2018-11-18 21:38:44,427 fail2ban.filterpoll     [1]: DEBUG   /var/log/auth.log has been modified
 2018-11-18 21:38:44,427 fail2ban.filter         [1]: DEBUG   Processing line with time:1542573523.0 and ip:192.168.51.100