Tip to get good timezone in logs (and to make fail2ban work on host) #1849
Comments
Have you tested this setup, does it really block connections to the container? I did a quick test on the host: I think that's part of Docker's iptables prerouting "magic". I have iptables on the host, with the default INPUT policy set to DROP any not allowed connections. When using containers, I don't have to allow any ports explicitly on the host, when using |
I am using the |
Yes I have enabled the
I have IPs banned every minute. Banned IPs do not appear in the mail log anymore after they are banned.
Yes perhaps it is not necessary... I added it in case... |
I see you use the |
Oh, nice approach. This might help me with #1761 as the logs should show the real IP received from the proxy protocol. For now I was using DROP on FORWARD as INPUT had no effect ("docker iptables magic" 😅). We are currently migrating the wiki to docs hosted in this repo (see #1826). I would ping you here again when this PR is merged and ask you for providing a small write-up for this scenario. |
So, I don't know what I'm doing wrong, but my host is still not banning IPs properly. I would therefore really love to see a working host F2B setup :) |
@aendeavor, you can read this page, which explains another solution. Here is the explanation of the DOCKER-USER chain: |
@fred727-temp Thanks! I will read it, but we've found a solution in #1821 already :) |
@fred727-temp the documentation PR is now merged (find it here: https://docker-mailserver.github.io/docker-mailserver/edge/). If you want to contribute your tip there, feel free to open a PR with changes to the according file, or click the "edit" (pencil) button within the documentation. |
It is a good practice to install fail2ban on every server hosted on the internet...
So it was a good idea to include it in this project, but if it is already installed on the host, it is easier to activate it and configure it on the host (we just have to configure the good path so that fail2ban can find the logs).
The problem is that the timezone in the container is Etc/UTC and perhaps this is not the same on your host. In this case, fail2ban will have a problem and no IP will be banned.
The solution is to add a link to your /etc/timezone and /etc/localtime in the docker-compose.yml.
This way, the timezone in the container is the same as on your host. (I think this could be in the default docker-compose file...)
Simple and efficient! (Hope this helps)
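The failure mode described in the post above, as an added example that is not part of the original issue or the project's code: a zone-less syslog timestamp written by a container in Etc/UTC is read by a host-side log watcher that assumes its own zone, so the entry looks about an hour old and falls outside the ban window. The host offset (UTC+1), the 10-minute `FINDTIME`, the sample log line and all function names are assumptions made for illustration, and `inside_findtime` is a simplified model of an age check, not fail2ban's code.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOST_TZ = timezone(timedelta(hours=1))   # assumed host zone (UTC+1)
FINDTIME = timedelta(minutes=10)         # assumed jail window


def log_line(event, container_tz):
    """Constructed mail log line; the stamp is container-local with no zone."""
    local = event.astimezone(container_tz)
    stamp = f"{local:%b} {local.day:2d} {local:%H:%M:%S}"
    return (f"{stamp} mail postfix/smtpd[412]: warning: "
            "unknown[203.0.113.7]: SASL LOGIN authentication failed")


def apparent_age(line, now, host_tz):
    """Age of the entry as seen by a reader that applies host_tz to the stamp."""
    year = now.astimezone(host_tz).year   # syslog stamps carry no year
    naive = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    assumed = naive.replace(tzinfo=host_tz)
    return now - assumed


def inside_findtime(age, findtime=FINDTIME):
    """Simplified model: only entries no older than findtime are counted."""
    return timedelta(0) <= age <= findtime


def compare(event, now, host_tz=HOST_TZ):
    """Return (age, counted) for a UTC container and for a host-zone container."""
    result = {}
    for label, container_tz in (("container in UTC", UTC),
                                ("container in host zone", host_tz)):
        age = apparent_age(log_line(event, container_tz), now, host_tz)
        result[label] = (age, inside_findtime(age))
    return result


if __name__ == "__main__":
    event = datetime(2021, 3, 3, 14, 5, 1, tzinfo=UTC)   # constructed event time
    for label, (age, counted) in compare(event, event + timedelta(seconds=4)).items():
        print(f"{label}: apparent age {age}, counted={counted}")
```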