/docker-fail2ban-synology

Adaptation of @crazy-max docker fail2ban for Synology

MIT LicenseMIT

Docker Fail2ban for Synology NAS

A docker-compose ready package to run Fail2ban on Synology NAS. This setup is made to manage the Synology's DSM contraints and protect another container : Bitwarden_RS. However, adding your own actions, filters and jails allows use for other purposes.

The goal is to keep the Synology NAS system untouched to be upgrade-proof. This the reason why we did not try to modify the system and improve the embedded banIP. The best deal has to be able to adapt the embedded iptables.

Despite this has been made to run on Synology NAS, this should run on other systems with / without minor adaptations.

Documentation

Solved issues on Synology

The main issues on Synology are the following:

  • The embedded ban IP system cannot work on running Docker containers by design
  • REJECT blocktype is not supported and must be switched to DROP
  • Modifying DSM system is not upgrade-proof

Pre-requisite

  • A Docker compatible Synology NAS
  • An up and running Docker package
  • A SSH client

Conventions

As convention, we will use as example the following

  • Folder used : /volumeX/docker/ to be personnalized to your DSM setup

Installation

  1. Download this repo
  2. Unzip and review docker-compose_fail2ban.yml settings
  3. Copy this repo content to /volumeX/docker/

This is almost done. The file action.d/iptables.local switch the REJECT blocktype by DROP

Setup

To finish the setup, you need to add your filters and jails. The provided ones relies on a bitwarden_rs instance and looks for the bitwarden.log file. If not available, you'll have an error at startup.

Ready for a first run : docker-compose -f docker-compose_fail2ban.yml up

If everything goes well, the prompt will let you know the container is started and wait until a ctrl + C is triggered to stop it. Have a look in log file and test your filters and rules. A usefull command to unban IP after testing :

sudo docker exec -t fail2ban fail2ban-client set bitwarden unbanip XX.XX.XX.XX

Shutdown the servers issuing a ctrl + C in the terminal

Startup and Maintenance

Startup

Once setup is finished, you're ready to launch your "production" server. Review all the settings and environment variables in the .yml file. Test it using the same docker-compose -f docker-compose_fail2ban.yml up as previously. If everything goes well, stop them and run as detached with the following command.

`docker-compose -f docker-compose_fail2ban.yml up -d`

Maintenance

Upgrade on a regular basis the servers as they continue to evolve on a daily/weekly basis. Run from a terminal the following commands, as root, from time to time.

cd /volumeX/docker/
docker-compose -f docker-compose_fail2ban.yml down
docker-compose -f docker-compose_fail2ban.yml pull
docker-compose -f docker-compose_fail2ban.yml up -d

In order to keep a clean system, from time to time, use this tutoriel.

Use with Bitwarden_RS

This setup has been made for Bitwarden_RS proxied runing as Docker container on Synology NAS

Collaboration

Feel free to propose any optimization through pull requests