Conf adjustments and initial application setup

Author: nemchik

Dockerfile

@@ -15,7 +15,8 @@ RUN \
     curl \
     fail2ban \
     fail2ban-doc \
-    jq && \
+    jq \
+    nftables && \
   echo "**** cleanup ****" && \
   rm -rf \
       /root/.cache \

README.md

@@ -42,7 +42,7 @@ Find us at:
 
 [Fail2ban](http://www.fail2ban.org/) is a daemon to ban hosts that cause multiple authentication errors.
 
-[![fail2ban](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png)](http://www.fail2ban.org/)
+[![fail2ban](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban-logo.png)](http://www.fail2ban.org/)
 
 ## Supported Architectures
 
@@ -60,7 +60,27 @@ The architectures supported by this image are:
 
 ## Application Setup
 
-App Setup Info
+### Configuration Files
+
+On first run, the container will create a number of folders and files in `/config`. The default configurations for fail2ban are all disabled by default.
+
+Please refer to the [Configuration README](https://github.com/linuxserver/docker-fail2ban/blob/master/root/defaults/fail2ban/README.md), which can be viewed in our repository, or in your config folder at `/config/fail2ban/README.md`.
+
+### Chains
+
+Chains affect how access is restricted. There are two primary ways to restrict access.
+
+#### `DOCKER-USER`
+
+The `DOCKER-USER` chain is used to restrict access to applications running in Docker containers. This will restrict access to all containers, not just the one that the jail is configured for.
+
+#### `INPUT`
+
+The `INPUT` chain is used to restrict access to applications running on the host. This will restrict access to the host network stack. The host network stack may not be inclusive of all Docker network stacks, thus the `DOCKER-USER` chain is used separately for applications running in Docker containers.
+
+#### `FORWARD` (for older versions of Docker)
+
+The `FORWARD` chain may be used on systems running older versions of Docker where the `DOCKER-USER` chain is not available.
 
 ## Usage
 
@@ -154,28 +174,28 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e TZ=America/New_York` | Specify a timezone to use EG America/New_York |
 | `-v /config` | Contains all relevant configuration files. |
 | `-v /var/log:ro` | Host logs. Mounted as Read Only. |
-| `-v /remotelogs/airsonic/airsonic.log:ro` | Path to airsonic log file. Mounted as Read Only. |
-| `-v /remotelogs/apache2:ro` | Path to apache2 log folder. Mounted as Read Only. |
-| `-v /remotelogs/audit/audit.log:ro` | Path to auditd log file. Mounted as Read Only. |
-| `-v /remotelogs/authelia/authelia.log:ro` | Path to authelia log file. Mounted as Read Only. |
-| `-v /remotelogs/emby/embyserver.txt:ro` | Path to emby log file. Mounted as Read Only. |
-| `-v /remotelogs/exim/mainlog:ro` | Path to exim log file. Mounted as Read Only. |
-| `-v /remotelogs/filebrowser/filebrowser.log:ro` | Path to filebrowser log file. Mounted as Read Only. |
-| `-v /remotelogs/gitea/gitea.log:ro` | Path to gitea log file. Mounted as Read Only. |
-| `-v /remotelogs/homeassistant/home-assistant.log:ro` | Path to homeassistant log file. Mounted as Read Only. |
-| `-v /remotelogs/lighttpd/error.log:ro` | Path to lighttpd error log file. Mounted as Read Only. |
-| `-v /remotelogs/nextcloud/nextcloud.log:ro` | Path to nextcloud log file. Mounted as Read Only. |
-| `-v /remotelogs/nginx:ro` | Path to nginx log folder. Mounted as Read Only. |
-| `-v /remotelogs/nzbget/nzbget.log:ro` | Path to nzbget log file. Mounted as Read Only. |
-| `-v /remotelogs/overseerr/overseerr.log:ro` | Path to overseerr log file. Mounted as Read Only. |
-| `-v /remotelogs/prowlarr/prowlarr.txt:ro` | Path to prowlarr log file. Mounted as Read Only. |
-| `-v /remotelogs/radarr/radarr.txt:ro` | Path to radarr log file. Mounted as Read Only. |
-| `-v /remotelogs/roundcube/errors:ro` | Path to roundcube error log file. Mounted as Read Only. |
-| `-v /remotelogs/sabnzbd/sabnzbd.log:ro` | Path to sabnzbd log file. Mounted as Read Only. |
-| `-v /remotelogs/sonarr/sonarr.txt:ro` | Path to sonarr log file. Mounted as Read Only. |
-| `-v /remotelogs/unificontroller/server.log:ro` | Path to unificontroller server log file. Mounted as Read Only. |
-| `-v /remotelogs/vaultwarden/vaultwarden.log:ro` | Path to vaultwarden log file. Mounted as Read Only. |
-| `-v /remotelogs/vsftpd/vsftpd.log:ro` | Path to vsftpd log file. Mounted as Read Only. |
+| `-v /remotelogs/airsonic/airsonic.log:ro` | Optional path to airsonic log file. Mounted as Read Only. |
+| `-v /remotelogs/apache2:ro` | Optional path to apache2 log folder. Mounted as Read Only. |
+| `-v /remotelogs/audit/audit.log:ro` | Optional path to auditd log file. Mounted as Read Only. |
+| `-v /remotelogs/authelia/authelia.log:ro` | Optional path to authelia log file. Mounted as Read Only. |
+| `-v /remotelogs/emby/embyserver.txt:ro` | Optional path to emby log file. Mounted as Read Only. |
+| `-v /remotelogs/exim/mainlog:ro` | Optional path to exim log file. Mounted as Read Only. |
+| `-v /remotelogs/filebrowser/filebrowser.log:ro` | Optional path to filebrowser log file. Mounted as Read Only. |
+| `-v /remotelogs/gitea/gitea.log:ro` | Optional path to gitea log file. Mounted as Read Only. |
+| `-v /remotelogs/homeassistant/home-assistant.log:ro` | Optional path to homeassistant log file. Mounted as Read Only. |
+| `-v /remotelogs/lighttpd/error.log:ro` | Optional path to lighttpd error log file. Mounted as Read Only. |
+| `-v /remotelogs/nextcloud/nextcloud.log:ro` | Optional path to nextcloud log file. Mounted as Read Only. |
+| `-v /remotelogs/nginx:ro` | Optional path to nginx log folder. Mounted as Read Only. |
+| `-v /remotelogs/nzbget/nzbget.log:ro` | Optional path to nzbget log file. Mounted as Read Only. |
+| `-v /remotelogs/overseerr/overseerr.log:ro` | Optional path to overseerr log file. Mounted as Read Only. |
+| `-v /remotelogs/prowlarr/prowlarr.txt:ro` | Optional path to prowlarr log file. Mounted as Read Only. |
+| `-v /remotelogs/radarr/radarr.txt:ro` | Optional path to radarr log file. Mounted as Read Only. |
+| `-v /remotelogs/roundcube/errors:ro` | Optional path to roundcube error log file. Mounted as Read Only. |
+| `-v /remotelogs/sabnzbd/sabnzbd.log:ro` | Optional path to sabnzbd log file. Mounted as Read Only. |
+| `-v /remotelogs/sonarr/sonarr.txt:ro` | Optional path to sonarr log file. Mounted as Read Only. |
+| `-v /remotelogs/unificontroller/server.log:ro` | Optional path to unificontroller server log file. Mounted as Read Only. |
+| `-v /remotelogs/vaultwarden/vaultwarden.log:ro` | Optional path to vaultwarden log file. Mounted as Read Only. |
+| `-v /remotelogs/vsftpd/vsftpd.log:ro` | Optional path to vsftpd log file. Mounted as Read Only. |
 
 ## Environment variables from files (Docker secrets)
 

readme-vars.yml

@@ -3,7 +3,7 @@
 # project information
 project_name: fail2ban
 project_url: "http://www.fail2ban.org/"
-project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban.png"
+project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban-logo.png"
 project_blurb: |
   [{{ project_name|capitalize }}]({{ project_url }}) is a daemon to ban hosts that cause multiple authentication errors.
 
@@ -35,33 +35,53 @@ cap_add_param_vars:
 # optional parameters
 opt_param_usage_include_vols: true
 opt_param_volumes:
-  - { vol_path: "/remotelogs/airsonic/airsonic.log:ro", vol_host_path: "/path/to/airsonic/airsonic.log", desc: "Path to airsonic log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/apache2:ro", vol_host_path: "/path/to/apache2/log", desc: "Path to apache2 log folder. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/audit/audit.log:ro", vol_host_path: "/path/to/audit/audit.log", desc: "Path to auditd log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/authelia/authelia.log:ro", vol_host_path: "/path/to/authelia/authelia.log", desc: "Path to authelia log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/emby/embyserver.txt:ro", vol_host_path: "/path/to/emby/embyserver.txt", desc: "Path to emby log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/exim/mainlog:ro", vol_host_path: "/path/to/exim/mainlog", desc: "Path to exim log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/filebrowser/filebrowser.log:ro", vol_host_path: "/path/to/filebrowser/filebrowser.log", desc: "Path to filebrowser log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/gitea/gitea.log:ro", vol_host_path: "/path/to/gitea/gitea.log", desc: "Path to gitea log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/homeassistant/home-assistant.log:ro", vol_host_path: "/path/to/homeassistant/home-assistant.log", desc: "Path to homeassistant log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/lighttpd/error.log:ro", vol_host_path: "/path/to/lighttpd/error.log", desc: "Path to lighttpd error log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/nextcloud/nextcloud.log:ro", vol_host_path: "/path/to/nextcloud/nextcloud.log", desc: "Path to nextcloud log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/nginx:ro", vol_host_path: "/path/to/nginx/log", desc: "Path to nginx log folder. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/nzbget/nzbget.log:ro", vol_host_path: "/path/to/nzbget/nzbget.log", desc: "Path to nzbget log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/overseerr/overseerr.log:ro", vol_host_path: "/path/to/overseerr/overseerr.log", desc: "Path to overseerr log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/prowlarr/prowlarr.txt:ro", vol_host_path: "/path/to/prowlarr/prowlarr.txt", desc: "Path to prowlarr log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/radarr/radarr.txt:ro", vol_host_path: "/path/to/radarr/radarr.txt", desc: "Path to radarr log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/roundcube/errors:ro", vol_host_path: "/path/to/roundcube/errors", desc: "Path to roundcube error log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/sabnzbd/sabnzbd.log:ro", vol_host_path: "/path/to/sabnzbd/sabnzbd.log", desc: "Path to sabnzbd log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/sonarr/sonarr.txt:ro", vol_host_path: "/path/to/sonarr/sonarr.txt", desc: "Path to sonarr log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/unificontroller/server.log:ro", vol_host_path: "/path/to/unificontroller/server.log", desc: "Path to unificontroller server log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/vaultwarden/vaultwarden.log:ro", vol_host_path: "/path/to/vaultwarden/vaultwarden.log", desc: "Path to vaultwarden log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/vsftpd/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd/vsftpd.log", desc: "Path to vsftpd log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/airsonic/airsonic.log:ro", vol_host_path: "/path/to/airsonic/airsonic.log", desc: "Optional path to airsonic log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/apache2:ro", vol_host_path: "/path/to/apache2/log", desc: "Optional path to apache2 log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/audit/audit.log:ro", vol_host_path: "/path/to/audit/audit.log", desc: "Optional path to auditd log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/authelia/authelia.log:ro", vol_host_path: "/path/to/authelia/authelia.log", desc: "Optional path to authelia log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/emby/embyserver.txt:ro", vol_host_path: "/path/to/emby/embyserver.txt", desc: "Optional path to emby log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/exim/mainlog:ro", vol_host_path: "/path/to/exim/mainlog", desc: "Optional path to exim log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/filebrowser/filebrowser.log:ro", vol_host_path: "/path/to/filebrowser/filebrowser.log", desc: "Optional path to filebrowser log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/gitea/gitea.log:ro", vol_host_path: "/path/to/gitea/gitea.log", desc: "Optional path to gitea log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/homeassistant/home-assistant.log:ro", vol_host_path: "/path/to/homeassistant/home-assistant.log", desc: "Optional path to homeassistant log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/lighttpd/error.log:ro", vol_host_path: "/path/to/lighttpd/error.log", desc: "Optional path to lighttpd error log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nextcloud/nextcloud.log:ro", vol_host_path: "/path/to/nextcloud/nextcloud.log", desc: "Optional path to nextcloud log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nginx:ro", vol_host_path: "/path/to/nginx/log", desc: "Optional path to nginx log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nzbget/nzbget.log:ro", vol_host_path: "/path/to/nzbget/nzbget.log", desc: "Optional path to nzbget log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/overseerr/overseerr.log:ro", vol_host_path: "/path/to/overseerr/overseerr.log", desc: "Optional path to overseerr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/prowlarr/prowlarr.txt:ro", vol_host_path: "/path/to/prowlarr/prowlarr.txt", desc: "Optional path to prowlarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/radarr/radarr.txt:ro", vol_host_path: "/path/to/radarr/radarr.txt", desc: "Optional path to radarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/roundcube/errors:ro", vol_host_path: "/path/to/roundcube/errors", desc: "Optional path to roundcube error log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/sabnzbd/sabnzbd.log:ro", vol_host_path: "/path/to/sabnzbd/sabnzbd.log", desc: "Optional path to sabnzbd log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/sonarr/sonarr.txt:ro", vol_host_path: "/path/to/sonarr/sonarr.txt", desc: "Optional path to sonarr log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/unificontroller/server.log:ro", vol_host_path: "/path/to/unificontroller/server.log", desc: "Optional path to unificontroller server log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/vaultwarden/vaultwarden.log:ro", vol_host_path: "/path/to/vaultwarden/vaultwarden.log", desc: "Optional path to vaultwarden log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/vsftpd/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd/vsftpd.log", desc: "Optional path to vsftpd log file. Mounted as Read Only." }
 
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  App Setup Info
+  ### Configuration Files
+
+  On first run, the container will create a number of folders and files in `/config`. The default configurations for fail2ban are all disabled by default.
+
+  Please refer to the [Configuration README](https://github.com/linuxserver/docker-fail2ban/blob/master/root/defaults/fail2ban/README.md), which can be viewed in our repository, or in your config folder at `/config/fail2ban/README.md`.
+
+  ### Chains
+
+  Chains affect how access is restricted. There are two primary ways to restrict access.
+
+  #### `DOCKER-USER`
+
+  The `DOCKER-USER` chain is used to restrict access to applications running in Docker containers. This will restrict access to all containers, not just the one that the jail is configured for.
+
+  #### `INPUT`
+
+  The `INPUT` chain is used to restrict access to applications running on the host. This will restrict access to the host network stack. The host network stack may not be inclusive of all Docker network stacks, thus the `DOCKER-USER` chain is used separately for applications running in Docker containers.
+
+  #### `FORWARD` (for older versions of Docker)
+
+  The `FORWARD` chain may be used on systems running older versions of Docker where the `DOCKER-USER` chain is not available.
 
 # changelog
 changelogs:

root/defaults/fail2ban/README.md

@@ -14,6 +14,27 @@ This example uses `apprise-api` for notifications, `cloudflare` for additional w
 
 ```ini
 [DEFAULT]
+
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
+# default ban time
+bantime.increment = true
+
+# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
+bantime.maxtime = 5w
+
+# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier
+bantime.factor = 24
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 1h
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 24h
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
 # Prevents banning LAN subnets
 ignoreip = 127.0.0.1/8 ::1
            10.0.0.0/8

root/defaults/fail2ban/jail.d/airsonic-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 4040
-filter   = airsonic-auth
 logpath  = %(remote_logs)s/airsonic/airsonic.log

root/defaults/fail2ban/jail.d/authelia-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https,9091
-filter   = authelia-auth
 logpath  = %(remote_logs)s/authelia/authelia.log

root/defaults/fail2ban/jail.d/emby-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 8096,8920
-filter   = emby-auth
 logpath  = %(remote_logs)s/emby/embyserver.txt

root/defaults/fail2ban/jail.d/filebrowser-auth.conf

@@ -11,5 +11,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = filebrowser-auth
 logpath  = %(remote_logs)s/filebrowser/filebrowser.log

root/defaults/fail2ban/jail.d/gitea-auth.conf

@@ -23,6 +23,5 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https,822
-filter   = gitea-auth
 logpath  = %(remote_logs)s/gitea/gitea.log
 maxretry = 3

root/defaults/fail2ban/jail.d/homeassistant-auth.conf

@@ -13,6 +13,5 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 8123
-filter   = homeassistant-auth
 logpath  = %(remote_logs)s/homeassistant/home-assistant.log
 maxretry = 2

root/defaults/fail2ban/jail.d/nextcloud-auth.conf

@@ -12,5 +12,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nextcloud-auth
 logpath  = %(remote_logs)s/nextcloud/nextcloud.log

root/defaults/fail2ban/jail.d/nginx-418.conf

@@ -5,6 +5,5 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nginx-418
 logpath  = %(nginx_access_log)s
 maxretry = 10

root/defaults/fail2ban/jail.d/nginx-deny.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nginx-deny
 logpath  = %(nginx_error_log)s

root/defaults/fail2ban/jail.d/nginx-unauthorized.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = nginx-unauthorized
 logpath  = %(nginx_unauthorized_log)s

root/defaults/fail2ban/jail.d/nzbget-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 6789
-filter   = nzbget-auth
 logpath  = %(remote_logs)s/nzbget/nzbget.log

root/defaults/fail2ban/jail.d/overseerr-auth.conf

@@ -9,5 +9,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 5055
-filter   = overseerr-auth
 logpath  = %(remote_logs)s/overseerr/overseerr.log

root/defaults/fail2ban/jail.d/sabnzbd-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 8080
-filter   = sabnzbd-auth
 logpath  = %(remote_logs)s/sabnzbd/sabnzbd*.log

root/defaults/fail2ban/jail.d/sshd.conf

@@ -0,0 +1,9 @@
+# Fail2Ban jail configuration for sshd
+# Works OOTB with defaults
+
+# chain set to INPUT to apply bans at the host level
+
+[sshd]
+
+enabled  = false
+chain    = INPUT

root/defaults/fail2ban/jail.d/unifi-controller-auth.conf

@@ -6,5 +6,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = 8080,8443
-filter   = unifi-controller-auth
 logpath  = %(remote_logs)s/unificontroller/server.log

root/defaults/fail2ban/jail.d/unraid-sshd.conf

@@ -1,6 +1,8 @@
 # Fail2Ban jail configuration for unRAID sshd
 # Works OOTB with defaults
 
+# chain set to INPUT to apply bans at the host level
+
 [unraid-sshd]
 
 enabled  = false

root/defaults/fail2ban/jail.d/unraid-webgui.conf

@@ -1,10 +1,11 @@
 # Fail2Ban jail configuration for unRAID web GUI
 # Works OOTB with defaults
 
+# chain set to INPUT to apply bans at the host level
+
 [unraid-webgui]
 
 enabled  = false
 chain    = INPUT
 port     = http,https
-filter   = unraid-webgui
 logpath  = /var/log/syslog

root/defaults/fail2ban/jail.d/vaultwarden-auth.conf

@@ -11,6 +11,4 @@
 enabled  = false
 chain    = DOCKER-USER
 port     = http,https
-filter   = vaultwarden-auth
 logpath  = %(remote_logs)s/vaultwarden/vaultwarden.log
-maxretry = 3