A docker-compose ready package to run Fail2ban on Synology NAS. This setup is made to manage the Synology's DSM contraints and protect another container : Bitwarden_RS. However, adding your own actions, filters and jails allows use for other purposes.
The goal is to keep the Synology NAS system untouched to be upgrade-proof. This the reason why we did not try to modify the system and improve the embedded banIP. The best deal has to be able to adapt the embedded iptables.
Despite this has been made to run on Synology NAS, this should run on other systems with / without minor adaptations.
The main issues on Synology are the following:
- The embedded ban IP system cannot work on running Docker containers by design
REJECTblocktype is not supported and must be switched toDROP- Modifying DSM system is not upgrade-proof
- A Docker compatible Synology NAS
- An up and running Docker package
- A SSH client
As convention, we will use as example the following
- Folder used :
/volumeX/docker/to be personnalized to your DSM setup
- Download this repo
- Unzip and review
docker-compose_fail2ban.ymlsettings - Copy this repo content to
/volumeX/docker/
This is almost done. The file action.d/iptables-common.local switch the REJECT blocktype by DROP
To finish the setup, you need to add your filters and jails. The provided ones relies on a bitwarden_rs instance and looks for the bitwarden.log file. If not available, you'll have an error at startup.
Ready for a first run : docker-compose -f docker-compose_fail2ban.yml up
If everything goes well, the prompt will let you know the container is started and wait until a ctrl + C is triggered to stop it. Have a look in log file and test your filters and rules. A usefull command to unban IP after testing :
sudo docker exec -t fail2ban fail2ban-client set bitwarden unbanip XX.XX.XX.XX
Shutdown the servers issuing a ctrl + C in the terminal
Once setup is finished, you're ready to launch your "production" server. Review all the settings and environment variables in the .yml file. Test it using the same docker-compose -f docker-compose_fail2ban.yml up as previously. If everything goes well, stop them and run as detached with the following command.
`docker-compose -f docker-compose_fail2ban.yml up -d`
Upgrade on a regular basis the servers as they continue to evolve on a daily/weekly basis. Run from a terminal the following commands, as root, from time to time.
cd /volumeX/docker/
docker-compose -f docker-compose_fail2ban.yml down
docker-compose -f docker-compose_fail2ban.yml pull
docker-compose -f docker-compose_fail2ban.yml up -dIn order to keep a clean system, from time to time, use this tutoriel.
This setup has been made for Bitwarden_RS proxied runing as Docker container on Synology NAS
Feel free to propose any optimization through pull requests