TZ: The timezone assigned to the container (default
F2B_LOG_TARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default
F2B_LOG_LEVEL: Log level output (default
F2B_DB_PURGE_AGE: Age at which bans should be purged from the database (default
F2B_MAX_RETRY: Number of failures before a host gets banned (default
F2B_DEST_EMAIL: Destination email address used solely for the interpolations in configuration files (default
F2B_SENDER: Sender email address used solely for some actions (default
F2B_ACTION: Default action on ban (default
F2B_IPTABLES_CHAIN: Specifies the iptables chain to which the Fail2Ban rules should be added (default
SSMTP_HOST: SMTP server host
SSMTP_PORT: SMTP server port (default
SSMTP_HOSTNAME: Full hostname (default
SSMTP_USER: SMTP username
SSMTP_PASSWORD: SMTP password
SSMTP_TLS: SSL/TLS (default
⚠️If you want email to be sent after a ban, you have to configure SSMTP env vars and set F2B_ACTION to
/data: Contains custom jails, actions and filters, and the Fail2ban persistent database
Use this image
Docker Compose is the recommended way to run this image. Copy the content of the examples/compose folder to, for example,
/var/fail2ban/ on your host. Edit the compose and env files with your preferences and run the following commands:
docker-compose up -d
docker-compose logs -f
You can also use the following minimal command:
docker run -d --name fail2ban --restart always \
  --network host \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  -v $(pwd)/data:/data \
  -v /var/log:/var/log:ro \
  crazymax/fail2ban:latest
In Docker 17.06 and higher through docker/libnetwork#1675, you can add rules to a new chain called
DOCKER-USER, and these rules will be loaded before any rules Docker creates automatically. This is useful to make
iptables rules created by Fail2Ban persistent.
If you have an older version of Docker, you may just change
FORWARD. This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.
More info : https://docs.docker.com/network/iptables/
If your Fail2Ban container is attached to
DOCKER-USER chain instead of
INPUT, the rules will be applied only to containers. This means that any packets coming into the
INPUT chain will bypass these rules that now reside under the
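To confirm which chain the ban rules actually hang off after setting F2B_IPTABLES_CHAIN, the following added example (not part of this image or its repository) parses `iptables -S` output. It assumes Fail2Ban's stock iptables actions, which create chains named f2b-<jail>; the jail names and addresses in the sample are constructed.

```shell
#!/usr/bin/env bash
# f2b_parent_chains: read `iptables -S` output on stdin and print, one per line,
# "<parent-chain> <f2b-chain>" for every rule that jumps into a Fail2Ban chain.
f2b_parent_chains() {
  awk '$1 == "-A" {
         for (i = 3; i < NF; i++)
           if ($i == "-j" && $(i + 1) ~ /^f2b-/) print $2, $(i + 1)
       }' | sort -u
}

# f2b_check_chain EXPECTED: succeed only if every Fail2Ban jump found on stdin
# hangs off EXPECTED (the value given to F2B_IPTABLES_CHAIN); report any strays.
# Returns 0 = all under EXPECTED, 1 = strays found, 2 = no Fail2Ban jumps at all.
f2b_check_chain() {
  expected=$1
  jumps=$(f2b_parent_chains)
  [ -n "$jumps" ] || { echo "no f2b-* jump rules found"; return 2; }
  strays=$(printf '%s\n' "$jumps" | awk -v c="$expected" '$1 != c')
  [ -z "$strays" ] && return 0
  printf 'not under %s:\n%s\n' "$expected" "$strays"
  return 1
}

# Constructed sample of `iptables -S` output: one jail attached to INPUT (host
# services) and one attached to DOCKER-USER (traffic forwarded to containers).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER-USER
-N f2b-sshd
-N f2b-traefik-auth
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -p tcp -m multiport --dports 80,443 -j f2b-traefik-auth
-A DOCKER-USER -j RETURN
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-traefik-auth -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-traefik-auth -j RETURN'

# On a real host (root required): iptables -S | f2b_check_chain DOCKER-USER
```

A jail that protects a service running on the host itself should show up under INPUT, while one that protects a published container port should show up under DOCKER-USER (or FORWARD on older Docker versions).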
Fail2ban commands can be used through the container. Here is an example if you want to ban an IP manually:
docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
Custom actions and filters
Custom actions and filters can be added in
/data/filter.d. If you add an action/filter that already exists, it will be overridden.
⚠️Container has to be restarted to propagate changes
Jail examples can be found in examples/jails to work with this image.
How can I help ?
All kinds of contributions are welcome
The most basic way to show your support is to star
But we're not gonna lie to each other, I'd rather you buy me a beer or two
LICENSE for more details.