Merge pull request #8 from linuxserver-labs/dev

Merge DEV branch

Author: Roxedus

Dockerfile

@@ -0,0 +1,28 @@
+FROM ghcr.io/linuxserver/baseimage-alpine:3.14
+
+# set version label
+ARG BUILD_DATE
+ARG VERSION
+LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
+LABEL maintainer="nomandera"
+
+# environment settings
+ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2
+
+RUN \
+ echo "**** install runtime packages ****" && \
+ apk add --no-cache --upgrade \
+    curl \
+    fail2ban \
+    fail2ban-doc && \
+ echo "**** remove unnecessary fail2ban filters ****" && \
+    rm \
+    	/etc/fail2ban/jail.d/alpine-ssh.conf && \
+echo "**** copy fail2ban default action and filter to /default ****" && \
+mkdir -p /defaults/fail2ban && \
+mv /etc/fail2ban/action.d /defaults/fail2ban/ && \
+mv /etc/fail2ban/filter.d /defaults/fail2ban/
+     
+
+# add local files
+COPY root/ /

readme-vars.yml

@@ -0,0 +1,130 @@
+---
+
+# project information
+project_name: fail2ban
+project_url: "https://github.com/fail2ban/fail2ban"
+project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/fail2ban-banner.png"
+project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) Fail2Ban can do many things but at its core it scans log files and bans IP addresses with too many failed login attempts by adding firewall rules to reject new connections from those IP addresses, for a configurable amount of time."
+
+
+project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
+project_blurb_optional_extras_enabled: false
+
+# supported architectures
+available_architectures:
+  - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
+  - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
+  - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
+
+# development version
+development_versions: true
+development_versions_items:
+  - { tag: "latest", desc: "Stable Fail2ban Releases" }
+  - { tag: "development", desc: "Latest Fail2ban Releases" }
+
+# container parameters
+common_param_env_vars_enabled: true
+param_container_name: "{{ project_name }}"
+param_usage_include_net: false
+param_usage_include_env: true
+param_env_vars:
+  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
+param_usage_include_vols: true
+param_volumes:
+  - { vol_path: "/config", vol_host_path: "<path to data>", desc: "Where Fail2ban should store its config file." }
+  - { vol_path: "/remotelog/applicationX/applicationX.log", vol_host_path: "<path to applicationX.log>", desc: "Path to a specific named log file." }
+  - { vol_path: "/remotelog/applicationY/", vol_host_path: "<path to applicationY log directory>", desc: "Path to an application log directory with multiple logs." } 
+param_usage_include_ports: false
+param_ports:
+param_device_map: false
+cap_add_param: false
+
+# optional container parameters
+opt_param_usage_include_env: false
+opt_param_env_vars:
+opt_param_usage_include_vols: false
+opt_param_usage_include_ports: false
+opt_param_device_map: false
+opt_cap_add_param: true
+optional_block_1: false
+
+# application setup block
+app_setup_block_enabled: true
+app_setup_block: |
+  This docker specific implementation of fail2ban can read an arbitrary number of log files from other containers, monitor them for abuse as a single large entity
+  and apply IP bans that will protect ALL docker containers on the host but not the host itself.
+ 
+  To do this it takes advantage of the DOCKER-USER iptables chain that exists in all modern docker installs.
+ 
+  Note: Internal Docker iptables rules are added to the DOCKER chain which is separate to the DOCKER-USER chain and should never be manipulated directly by the user.
+ 
+  Since DOCKER-USER rules are applied before any rules Docker itself creates fail2ban blocks automatically apply to all local native and custom docker bridge networks without risking breaking docker itself.
+ 
+  IMPORTANT: Both the DOCKER and DOCKER-USER chains are evaluated BEFORE the FORWARD chain. This is often overlooked by users who expected existing firewall restrictions to
+  apply to docker services which they do not resulting in the false assumption that services are protected and private when they are not.
+ 
+  If none of this make sense to you don't worry you do not need to understand firewalling to make use of this container.
+ 
+  Fail2ban configuration can seem daunting at first but most of the complexity can be ignored for most users.
+ 
+  In simple terms Fail2ban has three steps with associated configuration files:
+ 
+  filters. Think of these as a list of patterns used to match abuse in your log files.
+  jails. These are used to tell Fail2ban which log files match which filters and other basics such as how how many failed logins are allowed etc
+  actions. As the name suggests these define what actions Fail2ban takes when a jail is triggered. Typical users will never alter these.
+ 
+  Fail2ban continues this one step further with a system that can merge multiple configuration files into one. This is a fairly unusual methodology which can seem confusing at first but is a critical and powerful skill to learn.
+ 
+  This is best explained using an example:
+ 
+  If we ignore actions since almost all users will be happy with the "block IP action" we can concentrate on filters and jails.
+ 
+  Each jail is defined in a .conf file located in /config/fail2ban/jail.d/ so for example nginx-http-auth.conf with contents like:
+ 
+  [nginx-http-auth]
+
+  enabled  = false
+  filter   = nginx-http-auth
+  port     = http,https
+  logpath  = /remotelog/nginx/error.log
+ 
+  This file is relatively simple to understand but it is important you do not edit it directly. If you wish to alter this file you have two options:
+ 
+  1. Create a file called nginx-http-auth.local with just the changes you wish to make and the [] header. So for example if you wanted to enable this jail we
+  could create a file called nginx-http-auth.local beside the existing nginx-http-auth.conf with contents of
+ 
+  [nginx-http-auth]
+
+  enabled  = true
+ 
+  At load tile Fail2ban will read every .conf and .local and merge them internally resulting in this example of turning nginx-http-auth on.
+ 
+  2. Fail2ban also has a jail.conf file that contains global settings but it can also accept jail specific changes.
+  As previously you should not edit a conf file so in this case we would create jail.local and enter the same two lines we changed in the previous nginx-http-auth.local example/
+ 
+  Which method is preferable? The choice is yours and both have merits but jail.local is probably easier at first. Should you wish to change later the effort to do so it relatively minimal.
+ 
+  At this point you may be asking yourself why all this complication? Once you get used to the setup it soon becomes second nature and it allows lsio and the fail2ban project to push new
+  config files and changes such as security fixes without the risk of altering existing user changes.
+ 
+  So how do you actually turn on a jail? It is actually relatively simple.
+ 
+  Step 1: In docker volume mount the log file or folder of log files from the container to be protected into this one.
+  Step 2: Find the filter that matches the application log type. Most are included by default and more are being added all the time.
+  Step 3: Activate the jail using either the global jail.local or jail-specific.local as described above. Normally you only need to change two variables `enabled  = true` and the `logpath  = /match/your/volume/mount/from/step/1.log`
+ 
+  For neatness we would recommend logs are mount read only using the convention of `/remotelog/containername/nativefilename.log`. So for example our Airsonic container would be:
+ 
+  -v <path to containers>/airsonic/airsonic.log:/remotelog/airsonic/airsonic.log:ro
+
+  Once these three simple steps are taken restart fail2ban and protection should be in place. You can repeat this process to protect any number of containers and given how noisy the internet is in no time you will see
+  bad actors being banned.
+ 
+  Note: As a safety measure we ship this container with a default ignore list of all IANA private addresses to ensure you do not ban yourself or your LAN users by default. You can alter this using jail.local if you wish.
+ 
+
+# changelog
+
+changelogs:
+  - { date: "xx.xx.20:", desc: "Initial Release." }
+

root/defaults/fail2ban/action.d/iptables-common.local

@@ -0,0 +1,7 @@
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = DOCKER-USER

root/defaults/fail2ban/fail2ban.local

@@ -0,0 +1,4 @@
+[Definition]
+
+logtarget = /config/log/fail2ban/fail2ban.log
+dbfile = /config/fail2ban/fail2ban.sqlite3

root/defaults/fail2ban/filter.d/airsonic-http-auth.conf

@@ -0,0 +1,14 @@
+# fail2ban filter configuration for airsonic
+
+
+[Definition]
+
+
+failregex = ^.*: Login failed from \[<HOST>\]$
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+#
+# Author: anoma

root/defaults/fail2ban/filter.d/emby-http-auth.conf

@@ -0,0 +1,25 @@
+# Fail2Ban filter for emby
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = emby-server
+
+failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
+            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
+# Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
+#
+# Author: everydayevil@everydayevil.com

root/defaults/fail2ban/filter.d/nginx-http-418.conf

@@ -0,0 +1,9 @@
+# fail2ban filter configuration for nginx
+# Track RFC2324
+# 418 I'm a teapot
+# Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
+
+[Definition]
+
+failregex = ^<HOST>.*"(GET|POST).*" (418) .*$
+ignoreregex =

root/defaults/fail2ban/filter.d/nginx-http-badbots.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko

root/defaults/fail2ban/filter.d/nginx-http-deny.conf

@@ -0,0 +1,15 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ (access forbidden by rule), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+#
+# Author: Will L (driz@linuxserver.io)

root/defaults/fail2ban/jail.d/airsonic-http-auth.conf

@@ -0,0 +1,6 @@
+[airsonic-http-auth]
+
+enabled  = false
+filter   = airsonic-http-auth
+port     = http,https
+logpath  = /remotelog/airsonic/airsonic.log