- Build locally
- Environment variables
git clone https://github.com/crazy-max/docker-fail2ban.git cd docker-fail2ban # Build image and output to docker (default) docker buildx bake # Build multi-platform image docker buildx bake image-all
|GitHub Container Registry||
Following platforms for this image are available:
$ docker run --rm mplatform/mquery crazymax/fail2ban:latest Image: crazymax/fail2ban:latest * Manifest List: Yes * Supported platforms: - linux/amd64 - linux/arm/v6 - linux/arm/v7 - linux/arm64 - linux/386 - linux/ppc64le - linux/s390x
TZ: The timezone assigned to the container (default
F2B_LOG_TARGET: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT (default
F2B_LOG_LEVEL: Log level output (default
F2B_DB_PURGE_AGE: Age at which bans should be purged from the database (default
SSMTP_HOST: SMTP server host
SSMTP_PORT: SMTP server port (default
SSMTP_HOSTNAME: Full hostname (default
SSMTP_USER: SMTP username
SSMTP_PASSWORD: SMTP password
SSMTP_TLS: Use TLS to talk to the SMTP server (default
SSMTP_STARTTLS: Specifies whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (default
SSMTP_PASSWORD_FILEcan be used to fill in the value from a file, especially for Docker's secrets feature.
/data: Contains customs jails, actions and filters and Fail2ban persistent database
Docker compose is the recommended way to run this image. Copy the content of folder
/var/fail2ban/ on your host for example. Edit the compose and env files
with your preferences and run the following commands:
docker-compose up -d docker-compose logs -f
You can also use the following minimal command :
docker run -d --name fail2ban --restart always \ --network host \ --cap-add NET_ADMIN \ --cap-add NET_RAW \ -v $(pwd)/data:/data \ -v /var/log:/var/log:ro \ crazymax/fail2ban:latest
Recreate the container whenever I push an update:
docker-compose pull docker-compose up -d
In Docker 17.06 and higher through docker/libnetwork#1675,
you can add rules to a new table called
DOCKER-USER, and these rules will be loaded before any rules Docker creates
automatically. This is useful to make
iptables rules created by Fail2Ban persistent.
If you have an older version of Docker, you may just change the chain definition for your jail to
chain = FORWARD.
This way, all Fail2Ban rules come before any Docker rules but these rules will now apply to ALL forwarded traffic.
More info : https://docs.docker.com/network/iptables/
If your Fail2Ban container is attached to
DOCKER-USER chain instead of
INPUT, the rules will be applied
only to containers. This means that any packets coming into the
INPUT chain will bypass these rules that now
reside under the
Here are some examples using the
And others using the
Use iptables tooling without nftables backend
As you may know, nftables is available as a modern replacement for the kernel's iptables subsystem on Linux.
This image still uses
iptables to preserve backwards compatibility but
an issue is opened about its implementation.
If your system's
iptables tooling uses the nftables backend, this will throw the error
stderr: 'iptables: No chain/target/match by that name.'. You need to switch the
iptables tooling to 'legacy' mode
to avoid these problems. This is the case on at least Debian 10 (Buster), Ubuntu 19.04, Fedora 29 and newer releases
of these distributions by default. RHEL 8 does not support switching to legacy mode, and is therefore currently
incompatible with this image.
On Ubuntu or Debian:
update-alternatives --set iptables /usr/sbin/iptables-legacy update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy update-alternatives --set arptables /usr/sbin/arptables-legacy update-alternatives --set ebtables /usr/sbin/ebtables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy
Then reboot to apply changes.
Fail2ban commands can be used through the container. Here is an example if you want to ban an IP manually :
docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
Global jail configuration
You can provide customizations in
For example to change the default bantime for all jails, send an e-mail with whois report and relevant log lines to the destemail:
[DEFAULT] bantime = 1h destemail = root@localhost sender = root@$(hostname -f) action = %(action_mwl)s
⚠️If you want email to be sent after a ban, you have to configure SSMTP env vars
FYI, here is the order jail configuration would be loaded:
jail.conf jail.d/*.conf (in alphabetical order) jail.local jail.d/*.local (in alphabetical order)
A sample configuration file is available on the official repository.
Custom jails, actions and filters
Custom jails, actions and filters can be added respectively in
If you add an action/filter that already exists, it will be overriden.
⚠️Container has to be restarted to propagate changes
Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a Paypal donation to ensure this journey continues indefinitely!
Thanks again for your support, it is much appreciated!
LICENSE for more details.