The whole fail2ban implementation should be reviewed and optimized.
Are you going to implement it?
No (at least, not in short-term). This is more for tracking/discussing the topic.
What are you going to contribute?
Lifetime 😄
Things to discuss / clarify / To-do

- Is https://github.com/docker-mailserver/docker-mailserver/blob/master/target/fail2ban/jail.conf still needed? What was the original intent of not using the default shipped configuration? (fail2ban cleanup #1895)
- What services are covered by fail2ban? dovecot, postfix, postfix-sasl
- Should an attacker be blocked completely? Currently, the IP address is only blocked for a specific service. IMHO if someone tries to brute force POP3, the IP address should also be blocked for IMAP etc., or even better completely.
- Default ban behavior of fail2ban is to REJECT packets. Maybe DROP is better?
- Check if `update-alternatives --set iptables /usr/sbin/iptables-legacy # switch iptables and ip6tables to legacy for Fail2Ban` from the Dockerfile is (still) needed.
- There are probably other things to consider. Just let me know and I'll keep this list up-to-date.
Possible solutions

Block all ports instead of service port only:

```sh
sed -i '/^banaction = iptables-multiport$/ s|iptables-multiport|iptables-allports|' /etc/fail2ban/jail.conf
```

DROP connections instead of REJECT:

```sh
sed -i 's/^blocktype = REJECT.*/blocktype = DROP/' /etc/fail2ban/action.d/iptables-common.conf
```
Proposed configuration options

| Variable | Values | Default | Description |
|---|---|---|---|
| FAIL2BAN_BLOCK_TYPE | REJECT, DROP | DROP | iptables block behaviour; REJECT sends ICMP unreachable, DROP sends no reply |
| FAIL2BAN_BLOCK_ALL | true, false | true | If true, block an attacker on all ports, not only the attacked one. |
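A shell sketch, added here as an illustration and not code from docker-mailserver, showing how the two proposed variables could drive the sed edits above. It works on a directory passed as an argument so it can be tried against constructed copies of jail.conf and iptables-common.conf instead of /etc/fail2ban; the function names and the value validation are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply FAIL2BAN_BLOCK_TYPE / FAIL2BAN_BLOCK_ALL to fail2ban
# config files under $1 (assumed helper names, not docker-mailserver code).
set -eu

# Constructed stand-ins for the two files the sed commands in the issue edit.
make_sample_config() {
  dir="$1"
  mkdir -p "$dir/action.d"
  printf '[DEFAULT]\nbantime = 180d\nbanaction = iptables-multiport\n' > "$dir/jail.conf"
  printf '[Init]\nblocktype = REJECT --reject-with icmp-port-unreachable\n' \
    > "$dir/action.d/iptables-common.conf"
}

# Validate both values before touching any file: an unknown value returns 1
# and leaves the configuration unchanged rather than writing junk into it.
apply_fail2ban_options() {
  dir="$1"; block_type="${2:-DROP}"; block_all="${3:-true}"
  case "$block_type" in
    DROP)   blocktype='DROP' ;;
    # Keep fail2ban's default ICMP reason when REJECT is chosen.
    REJECT) blocktype='REJECT --reject-with icmp-port-unreachable' ;;
    *) echo "FAIL2BAN_BLOCK_TYPE must be DROP or REJECT, got '$block_type'" >&2; return 1 ;;
  esac
  case "$block_all" in
    true)  action='iptables-allports' ;;   # ban the IP on every port
    false) action='iptables-multiport' ;;  # ban only the jail's own ports
    *) echo "FAIL2BAN_BLOCK_ALL must be true or false, got '$block_all'" >&2; return 1 ;;
  esac
  sed -i "s/^banaction = .*/banaction = $action/" "$dir/jail.conf"
  sed -i "s/^blocktype = .*/blocktype = $blocktype/" "$dir/action.d/iptables-common.conf"
}

# Read back the effective "banaction blocktype" pair so a deploy step can verify it.
effective_settings() {
  dir="$1"
  a=$(sed -n 's/^banaction = //p' "$dir/jail.conf")
  b=$(sed -n 's/^blocktype = //p' "$dir/action.d/iptables-common.conf")
  echo "$a $b"
}
```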
Review/Improve Request

Context

At the moment, the fail2ban service seems not to operate optimally.

Is your Feature Request related to a Problem?

At least:
- #1661
- #1810