镜像范本
镜像选择站 fail2ban - LinuxServer.io
范本命令
docker run -d
--name=fail2ban
--net=host
--cap-add=NET_ADMIN
--cap-add=NET_RAW
-e PUID=1000
-e PGID=1000
-e TZ=Etc/UTC
-e VERBOSITY=-vv #optional
-v /path/to/fail2ban/config:/config
-v /var/log:/var/log:ro
-v /path/to/airsonic/log:/remotelogs/airsonic:ro #optional
-v /path/to/apache2/log:/remotelogs/apache2:ro #optional
-v /path/to/authelia/log:/remotelogs/authelia:ro #optional
-v /path/to/emby/log:/remotelogs/emby:ro #optional
-v /path/to/filebrowser/log:/remotelogs/filebrowser:ro #optional
-v /path/to/homeassistant/log:/remotelogs/homeassistant:ro #optional
-v /path/to/lighttpd/log:/remotelogs/lighttpd:ro #optional
-v /path/to/nextcloud/log:/remotelogs/nextcloud:ro #optional
-v /path/to/nginx/log:/remotelogs/nginx:ro #optional
-v /path/to/nzbget/log:/remotelogs/nzbget:ro #optional
-v /path/to/overseerr/log:/remotelogs/overseerr:ro #optional
-v /path/to/prowlarr/log:/remotelogs/prowlarr:ro #optional
-v /path/to/radarr/log:/remotelogs/radarr:ro #optional
-v /path/to/sabnzbd/log:/remotelogs/sabnzbd:ro #optional
-v /path/to/sonarr/log:/remotelogs/sonarr:ro #optional
-v /path/to/unificontroller/log:/remotelogs/unificontroller:ro #optional
-v /path/to/vaultwarden/log:/remotelogs/vaultwarden:ro #optional
--restart unless-stopped
lscr.io/linuxserver/fail2ban:latest
开始部署
本文只介绍最小化部署,有更多自定义命令需求,参照上文及说明文档自行添加
创建宿主机文件夹
mkdir -p /etc/fail2ban /var/log
容器安装 (要整体复制粘贴)
docker run -d \
--name=fail2ban \
--net=host \
--cap-add=NET_ADMIN \
--cap-add=NET_RAW \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Etc/UTC \
-v /etc/fail2ban:/config \
-v /var/log:/var/log:ro \
--restart unless-stopped \
lscr.io/linuxserver/fail2ban:latest
switch:case1 ——使用默认监狱(jail.local)规则
cp /etc/fail2ban/fail2ban/jail.conf /etc/fail2ban/fail2ban/jail.local
switch:case2——自定义监狱(jail.local)规则
sudo nano /etc/fail2ban/fail2ban/jail.local
粘贴jail块
[DEFAULT]
# 禁用DNS解析
usedns = warn
# 日志文件编码
logencoding = auto
# 封禁时间设置为 24 小时
bantime = 24h
# 在10分钟内尝试超过5次失败将触发封禁
findtime = 10m
maxretry = 5
# 默认使用iptables-multiport作为封禁动作
banaction = iptables-multiport
banaction_allports = iptables-allports
# 默认封禁所有端口
port = 0:65535
# 电子邮件发送设置
mta = sendmail
destemail = root@localhost
sender = root@<fq-hostname>
# 选择默认操作
action = %(action_)s
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
ctrl+s,ctrl+x
启动容器
docker restart fail2ban
docker exec -it fail2ban fail2ban-client status
应该能看到形如
Status
|- Number of jail: 1
`- Jail list: sshd
这表示生效了几个jail块,并且生效了哪几个
其他命令
查询sshd,也就是SSH的监狱情况
docker exec -it fail2ban fail2ban-client status sshd
会显示形如
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 37
|- Total banned: 37
`- Banned IP list: 1.164.110.237
要查询其他自主部署防御块的监狱情况,修改最后的块名字和jail.local内想查询的块名字一致即可查询
检查工作状态
docker logs fail2ban
会显示工作日志
解封指定IP地址
docker exec -it fail2ban fail2ban-client unban IP_ADDRESS
替换最后一个