Fail2ban docs & example #2144
williamdes wants to merge 2 commits into docker-mailserver:master from williamdes:fail2ban
| - `fail2ban-jail.cf` -> `/etc/fail2ban/jail.d/user-jail.local` | ||
| - `fail2ban-fail2ban.cf` -> `/etc/fail2ban/fail2ban.local` | ||
|
|
||
| You might want to make a volume bind for the `fail2ban` db to persist at `/var/lib/fail2ban/fail2ban.sqlite3` between container re-creations. |
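Review bot: The last added line tells readers to bind the single file `/var/lib/fail2ban/fail2ban.sqlite3` but shows no volume entry. With Docker's short `-v` / `volumes:` syntax, a host path that does not exist yet is created as a directory, so a file-level bind set up before the first run would put a directory where the database file is expected. Suggest documenting a bind of the directory `/var/lib/fail2ban` instead and including the exact `volumes:` line.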
This might be confusing, as it's DMS default, to make it this way.
I am not sure I understand the action I should take. Do you mean that somehow it already persists in a volume?
I was wrong.
Our default config makes mailstate persistent:
```
- ./data/mailstate:/var/mail-state
```
However, if you set ONE_DIR to 1 (which I did), all states (fail2ban etc) are consolidated into this single directory (and preserved during restarts) --> mail-state. This looks like this:
```
# ll /var/mail-state
drwxrwxr-x 2 root root 4.0K Feb 1 2021 etc-postsrsd
drwxr-x--- 8 amavis amavis 4.0K Aug 22 22:54 lib-amavis
drwxr-xr-x 2 clamav dovecot 4.0K May 29 01:01 lib-clamav
drwxr-xr-x 2 root root 4.0K Aug 22 22:54 lib-dovecot
drwxr-xr-x 2 root root 4.0K May 14 23:21 lib-fail2ban
drwxr-xr-x 2 postfix postfix 4.0K Mar 4 2020 lib-postfix
drwx------ 2 postgrey opendkim 4.0K Feb 1 2021 lib-postgrey
drwxr-xr-x 2 root root 4.0K Aug 24 2020 lib-shared
drwxr-xr-x 5 debian-spamd postgrey 4.0K Mar 5 2020 lib-spamassassin
drwxr-xr-x 20 postfix root 4.0K Mar 4 2020 spool-postfix
```
Maybe we should promote ONE_DIR=1 as default.
Good to know, I also use ONE_DIR
Will have to investigate
|
|
||
| # Email settings | ||
|
|
||
| #destemail = [email protected] | ||
| #sender = [email protected] | ||
| #sendername = fail2ban | ||
| #mta = sendmail | ||
|
|
||
| # to ban & send an e-mail with whois report to the destemail. | ||
| #action = %(action_mw)s | ||
|
|
||
| # same as action_mw but also send relevant log lines | ||
| #action = %(action_mwl)s |
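Review bot: The two `#action =` lines at the end of this block set the same key, but the comments do not say that only one assignment of `action` should be uncommented. Suggest a comment above them such as "uncomment at most one of the following", and a short remark that `action_mw` performs a whois lookup for every ban, since the comment above it mentions the whois report but not that cost.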
I purposely included only those configuration options in the example config that we customize for DMS: https://github.com/docker-mailserver/docker-mailserver/blob/master/target/fail2ban/jail.local
In my experience, you don't want an email notification on every ban 😄 Also most public whois servers are rate limited and you likely will be temporarily blocked pretty fast.
If you still want to include it, then I suggest (to keep it streamlined) adding the original comments (from the default configuration) as well:
```
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@<fq-hostname>
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
```
> In my experience, you don't want an email notification on every ban 😄 Also most public whois servers are rate limited and you likely will be temporarily blocked pretty fast.

Thanks for letting me know, I will maybe disable whois in production then.
I just wanted to document the possibility, maybe I should add this block to the docs page?
fyi: all available configuration options (not only mail stuff) can be easily looked up with
```
docker exec mailserver cat /etc/fail2ban/jail.conf
docker exec mailserver cat /etc/fail2ban/fail2ban.conf
```
Then you'll only need to copy/paste the necessary parts to your custom fail2ban config and adjust them.
Good to know, I would not even have guessed that
Will update the docs page
TODO: remake this PR's contents and document

@williamdes can you somehow take a bit of time to wrap up this PR? This way, we can have the docs changes for F2B in the

Just FYI:
Thanks, I'm a bit overloaded currently

Documentation preview for this PR is ready! 🎉 Built with commit: 9aada36
Summary of thread/review thus far:
- `config/fail2ban-jail.cf` should not be altered and instead added as an example in docs for those interested in this functionality (send notification email whenever a ban occurs).
- `docs/content/config/security/fail2ban.md` can mention the sqlite DB for persistence, but no actual action is required for this when following existing docs / examples for persisting DMS state.
- Author additionally expressed interest in documenting `sa-learn`, while moving the config example to docs as per review feedback.
No action has been taken for some time, nor much interest in this being merged.
@williamdes do you still want to contribute this feature? Otherwise I don't think anyone is going to pick it up. I can leave it open if you think you'll find time for it, if not that's ok and we can close it.
I agree, closing this as I will not find time for it soon
Description
Added email sending example and added db volume mount phrase.