Docker

docker-compose.yml

@@ -0,0 +1,25 @@
+version: '2'
+
+services:
+  fail2ban:
+    build: ./fail2ban
+    hostname: fail2ban
+    container_name: fail2ban
+    restart: always
+    entrypoint:
+      - /bin/bash
+      - /etc/fail2ban/entrypoint.sh
+    volumes:
+      - ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh
+    ports:
+      - 22:22/tcp
+    networks:
+      mynet:
+        ipv4_address: 172.24.0.101
+        
+networks:
+  mynet:
+    driver: bridge
+    ipam:
+      config:
+      - subnet: 172.24.0.0/24

fail2ban/Dockerfile

@@ -0,0 +1,3 @@
+FROM debian:sid-slim
+RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog && apt clean
+WORKDIR /etc/fail2ban

fail2ban/entrypoint.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+DOMAIN=hatthieves.es
+SMTP=smtp.hatthieves.es
+USER=fail2ban
+PASS=pass
+
+echo "#!/bin/bash
+
+PATH=\"\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"
+LANG=\"C\"
+REMOTE_IP=\"\$1\"
+SENDER_MAIL=\"\$2\"
+DEST_MAIL=\"\$3\"
+LOGFILE=\"\$4\"
+DATE=\$\(date\)
+WHOIS_OUTPUT=\$\(whois \$REMOTE_IP\)
+REVERSE_IP=\$\(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for \(i = NF; i > 0; i--\){print \$i}}'\)
+LOG_LINES=\$\(grep \$REMOTE_IP \$LOGFILE\)
+BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
+
+# Skip sending email when an email was already sent out for that IP the last 24hours
+if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
+if [ -n \"\$\(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null\)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
+
+# Get the Abuse email address from Abusix
+if DNS_REPLY=\$\(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org\); then
+  ABUSE_ADDR=\$\(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\"\)
+fi
+
+# Send email
+if [ \$ABUSE_ADDR ]; then
+#sendmail -t -i -f \$SENDER_MAIL \$ABUSE_ADDR << EOF
+swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465
+--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN, please read\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\"
+--h-Bcc \"webmail@$DOMAIN\" --h-To \$ABUSE_ADDR --body
+\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
+You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
+
+The following intrusion attempts were detected by our systems:
+\$LOG_LINES
+
+WHOIS report FYI:
+\$WHOIS_OUTPUT
+
+Thanks for your time and curiosity... take care with botnets...
+- ANTIBOTNET SYSTEM -
+together will do a better and free world :-\)
+from postmaster@$DOMAIN
+by www.$DOMAIN\"
+fi" > fail2ban_abuse_mail.sh
+
+echo "[Definition]
+ 
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b \"Subject: [Fail2Ban] <name>: started
+              Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
+              From: Fail2Ban <<sender>>
+              To: <dest>\\n
+              Hi,\\n
+              The jail <name> has been started successfully.\\n
+              Regards,\\n
+              Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
+ 
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b \"Subject: [Fail2Ban] <name>: stopped
+             Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
+             From: Fail2Ban <<sender>>
+             To: <dest>\\n
+             Hi,\\n
+             The jail <name> has been stopped.\\n
+             Regards,\\n
+             Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
+ 
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+ 
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
+ 
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban =
+ 
+[Init]
+ 
+# Defaut name of the chain
+#
+name = default
+ 
+# Destination/Addressee of the mail
+#
+dest = webmaster@$DOMAIN
+ 
+# Sender of the mail
+#
+sender = fail2ban@$DOMAIN
+ 
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null" > action.d/sendmail-abuse.conf
+
+echo "[sshd]
+enabled = true
+bantime = 10800
+maxretry = 6
+ignoreip = $DOMAIN
+action = hostsdeny
+         sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
+
+/etc/init.d/rsyslog start
+/etc/init.d/ssh start
+mkdir -p /var/run/fail2ban
+/usr/bin/python3 /usr/bin/fail2ban-server -xf start