Release 7.7.0 - See CHANGELOG.md

CHANGELOG.md

@@ -1,3 +1,11 @@
+## 7.7.0 2022-08-04 <dave at tiredofit dot ca>
+
+   ### Added
+      - Firewall Support - Now have the capability of either loading an iptables.rules file or using environment variables to set individual IPTables rules inside the container
+      - Fail2Ban Support - Along with above, embed fail2ban within the container rather than having it maintained downstream in many images. Drop your jails and filters in /etc/fail2ban/filters.d and /etc/fail2ban/jails.d
+      - Go 1.19.0 build chain
+
+
 ## 7.6.27 2022-07-27 <dave at tiredofit dot ca>
 
    ### Added

Dockerfile

@@ -60,13 +60,16 @@ RUN case "$(cat /etc/os-release | grep VERSION_ID | cut -d = -f 2 | cut -d . -f
     apk upgrade && \
     ### Add core utils
     apk add -t .base-rundeps \
+                acl \
                 bash \
                 bc \
                 ${busybox_extras} \
                 curl \
                 ${doas_package} \
+                fail2ban \
                 fts \
                 grep \
+                iptables \
                 iputils \
                 jq \
                 less \
@@ -119,7 +122,7 @@ RUN case "$(cat /etc/os-release | grep VERSION_ID | cut -d = -f 2 | cut -d . -f
     ## Quiet down sudo
     echo "Set disable_coredump false" > /etc/sudo.conf && \
     \
-### Build Doas
+    ### Build Doas
     if [ "$build_doas" = "true" ] ; then \
     mkdir -p /usr/src/doas ; \
     curl -sSL https://github.com/Duncaen/OpenDoas/archive/${DOAS_VERSION}.tar.gz | tar xfz - --strip 1 -C /usr/src/doas ; \
@@ -155,7 +158,7 @@ RUN case "$(cat /etc/os-release | grep VERSION_ID | cut -d = -f 2 | cut -d . -f
     chown --quiet -R zabbix:root /var/log/zabbix && \
     chmod -R 770 /var/lib/zabbix/run && \
     \
-### Zabbix compilation
+    #### Zabbix compilation
     mkdir -p /usr/src/zabbix && \
     curl -sSL https://github.com/zabbix/zabbix/archive/${ZABBIX_VERSION}.tar.gz | tar xfz - --strip 1 -C /usr/src/zabbix && \
     cd /usr/src/zabbix && \
@@ -258,6 +261,20 @@ RUN case "$(cat /etc/os-release | grep VERSION_ID | cut -d = -f 2 | cut -d . -f
     #go build -v -ldflags '-s -w' -o promtail ./clients/cmd/promtail && \
     #mv promtail /usr/sbin && \
     \
+    ### Fail2ban Configuration
+    addgroup -g 65550 fail2ban && \
+    addgroup zabbix fail2ban && \
+    rm -rf /var/run/fail2ban && \
+    mkdir -p /var/run/fail2ban && \
+    chown -R root:fail2ban /var/run/fail2ban && \
+    setfacl -d -m g:fail2ban:rwx /var/run/fail2ban && \
+    find /etc/fail2ban/action.d/ -type f -not -name 'iptables*.conf' -delete && \
+    rm -rf /etc/fail2ban/filter.d && \
+    mkdir -p /etc/fail2ban/filter.d && \
+    rm -rf /etc/fail2ban/fail2ban.d && \
+    rm -rf /etc/fail2ban/jail.d/* && \
+    rm -rf /etc/fail2ban/paths* && \
+    \
     ### Clean up
     mkdir -p /etc/logrotate.d && \
     mkdir -p /etc/doas.d && \
@@ -266,6 +283,7 @@ RUN case "$(cat /etc/os-release | grep VERSION_ID | cut -d = -f 2 | cut -d . -f
             .golang-build-deps \
             .zabbix-build-deps \
             && \
+    rm -rf /etc/*.apk.new && \
     rm -rf /etc/logrotate.d/* && \
     rm -rf /etc/doas.conf /etc/doas.d/* && \
     rm -rf /root/.cache && \

README.md

@@ -19,7 +19,8 @@ Dockerfile to build an [alpine](https://www.alpinelinux.org/) linux container im
 * [zabbix-agent](https://zabbix.org) (Classic and Modern) for individual container monitoring.
 * Scheduling via cron with other helpful tools (bash, curl, less, logrotate, nano, vim) for easier management.
 * Messaging ability via MSMTP enabled to send mail from container to external SMTP server.
-* Logshipping capabilities
+* Firewall included with capabilities of monitoring logs to block remote hosts via [Fail2ban](https://github.com/fail2ban/fail2ban)
+* Logshipping capabilities to remote log analysis servers via [Fluent-Bit](https://github.com/fluent/fluent-bit)
 * Ability to update User ID and Group ID permissions dynamically.
 
 ## Maintainer
@@ -117,8 +118,11 @@ The following directories are used for configuration and can be mapped for persi
 | `/etc/fluent-bit/conf.d/`           | Fluent-Bit custom configuration directory |
 | `/etc/fluent-bit/parsers.d/`        | Fluent-Bit custom parsers directory       |
 | `/etc/zabbix/zabbix_agentd.conf.d/` | Zabbix Agent configuration directory      |
+| `/etc/fail2ban/filter.d`            | Custom Fail2ban Filter configuration      |
+| `/etc/fail2ban/jail.d`              | Custom Fail2ban Jail configuration        |
 | `/var/log`                          | Container, Cron, Zabbix, other log files  |
 | `/assets/cron`                      | Drop custom crontabs here                 |
+| `/assets/iptables`                  | Drop custom IPTables rules here           |
 
 ### Environment Variables
 
@@ -327,6 +331,60 @@ Drop files in `/etc/fluent-bit/conf.d` to setup your inputs and outputs. The env
 | `FLUENTBIT_STORAGE_PATH`              | Absolute file system path to store filesystem data buffers                                       | `/tmp/fluentbit/storage` |
 | `FLUENTBIT_STORAGE_SYNC`              | Synchronization mode to store data in filesystem `normal` or `full`                              | `normal`                 |
 
+#### Firewall Options
+
+Included when proper capabilities are set on image is the capability to set up detailed block / allow rules via a firewall on container start. Presently only `iptables` is supported.
+You must use run your containers with the following capabilities added: `NET_ADMIN`, `NET_RAW`
+
+| Parameter                    | Description                                                 | Default             |
+| ---------------------------- | ----------------------------------------------------------- | ------------------- |
+| `CONTAINER_ENABLE_FIREWALL`  | Enable Firewall Functionality                               | `FALSE`             |
+| `CONTAINER_FIREWALL_BACKEND` | What Firewall backend to use `iptables`                     | `iptables`          |
+| `FIREWALL_RULE_00`           | Firewall rule to execute                                    |                     |
+| `FIREWALL_RULE_01`           | Next firewall rule to execute                               |                     |
+
+One can use the `FIREWALL_RULE_XX` environment variables to pass rules to the firewall. In this example I am going to block someone from being able to access a port except if from a specific IP address:
+
+````bash
+FIREWALL_RULE_00=-I INPUT -p tcp -m tcp -s 101.69.69.101 --dport 389 -j ACCEPT
+FIREWALL_RULE_01=-I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 389 -j DROP
+````
+
+##### IPTables Options
+
+Instead of relying on environment variables one can put a `iptables-restore` compatible ruleset below and it will be imported on container start.
+
+| `IPTABLES_RULES_PATH`        | Path for IPTables Rules                                     | `/assets/iptables/` |
+| `IPTABLES_RULES_FILE`        | IPTables Rules File to restore if exists on container start | `iptables.rules`    |
+
+
+##### Fail2Ban Options
+
+The container also has the capability should `CONTAINER_ENABLE_FIREWALL=TRUE` be enabled to launch Fail2ban, a process which watches logs for patterns and then blocks the remote host from connecting for a period of time.
+Drop your custom jail configs as *.conf files in `/etc/fail2ban/jail.d/` and filters in `/etc/fail2ban/filter.d` for them to be parsed at startup.  Note the startup delay environment variable to avoid the process failing if no log files exist from a fresh install.
+
+| Parameter                   | Description                                                                        | Default                                        |
+| --------------------------- | ---------------------------------------------------------------------------------- | ---------------------------------------------- |
+| `CONTAINER_ENABLE_FAIL2BAN` | Enable Firewall Functionality                                                      | `FALSE`                                        |
+| `FAIL2BAN_BACKEND`          | Backend                                                                            | `AUTO`                                         |
+| `FAIL2BAN_CONFIG_PATH`      | Fail2ban Configuration Path                                                        | `/etc/fail2ban/`                               |
+| `FAIL2BAN_DB_FILE`          | Persistent Database File                                                           | `fail2ban.sqlite3`                             |
+| `FAIL2BAN_DB_PATH`          | Persistent Database Path                                                           | `/data/fail2ban/`                              |
+| `FAIL2BAN_DB_PURGE_AGE`     | Purge entries after how many seconds                                               | `86400`                                        |
+| `FAIL2BAN_DB_TYPE`          | DB Type `NONE`, `MEMORY`, `FILE`                                                   | `MEMORY`                                       |
+| `FAIL2BAN_IGNORE_IP`        | Ignore these IPs or Ranges space seperated                                         | `127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24` |
+| `FAIL2BAN_IGNORE_SELF`      | Ignroe Self `TRUE` `FALSE`                                                         | `TRUE`                                         |
+| `FAIL2BAN_LOG_PATH`         | Fail2ban Log Path                                                                  | `/var/log/fail2ban/`                           |
+| `FAIL2BAN_LOG_FILE`         | Fail2ban Log File                                                                  | `fail2ban.log`                                 |
+| `FAIL2BAN_LOG_LEVEL`        | Log Level `CRITICAL` `ERROR` `WARNING` `NOTICE` `INFO` `DEBUG`                     | `INFO`                                         |
+| `FAIL2BAN_LOG_TYPE`         | Log to `FILE` or `CONSOLE`                                                         | `FILE`                                         |
+| `FAIL2BAN_MAX_RETRY`        | Max times to find pattern in log over `FAIL2BAN_TIME_FIND`                         | `5`                                            |
+| `FAIL2BAN_STARTUP_DELAY`    | Startup Delay to give a chance for monitored logs to exist or have data in seconds | `15`                                           |
+| `FAIL2BAN_TIME_BAN`         | Length of time to ban in default                                                   | `10m`                                          |
+| `FAIL2BAN_TIME_FIND`        | Window to base pattern matches against                                             | `10m`                                          |
+| `FAIL2BAN_USE_DNS`          | USE DNS for lookups `yes` `warn` `no` `raw`                                        | `warn`                                         |
+
+
 #### Permissions
 
 If you wish to change the internal id for users and groups you can set environment variables to do so.
@@ -380,6 +438,7 @@ The following ports are exposed.
 
 | Port    | Description  |
 | ------- | ------------ |
+| `2020`  | Fluent Bit   |
 | `10050` | Zabbix Agent |
 
 ## Developing / Overriding

install/assets/defaults/00-container

@@ -5,6 +5,8 @@ CONTAINER_CUSTOM_PATH=${CONTAINER_CUSTOM_PATH:-"/assets/custom/"}
 CONTAINER_CUSTOM_SCRIPTS_PATH=${CONTAINER_CUSTOM_SCRIPTS_PATH:-"/assets/custom-scripts/"}
 CONTAINER_ENABLE_CUSTOM_BASH_PROMPT=${CONTAINER_ENABLE_CUSTOM_BASH_PROMPT:-"TRUE"}
 CONTAINER_ENABLE_DOCKER_SECRETS=${CONTAINER_ENABLE_DOCKER_SECRETS:-"TRUE"}
+CONTAINER_ENABLE_FAIL2BAN=${CONTAINER_ENABLE_FAIL2BAN:-"FALSE"}
+CONTAINER_ENABLE_FIREWALL=${CONTAINER_ENABLE_FIREWALL:-"FALSE"}
 CONTAINER_ENABLE_LOGROTATE=${CONTAINER_ENABLE_LOGROTATE:-"TRUE"}
 CONTAINER_ENABLE_LOGSHIPPING=${CONTAINER_ENABLE_LOGSHIPPING:-"FALSE"}
 CONTAINER_ENABLE_LOG_PREFIX=${CONTAINER_ENABLE_LOG_PREFIX:-"TRUE"}
@@ -14,6 +16,7 @@ CONTAINER_ENABLE_PERMISSIONS=${CONTAINER_ENABLE_PERMISSIONS:-"TRUE"}
 CONTAINER_ENABLE_PROCESS_COUNTER=${CONTAINER_ENABLE_PROCESS_COUNTER:-"TRUE"}
 CONTAINER_ENABLE_PROCESS_HELPER=${CONTAINER_ENABLE_PROCESS_HELPER:-"TRUE"}
 CONTAINER_ENABLE_SCHEDULING=${CONTAINER_ENABLE_SCHEDULING:-"TRUE"}
+CONTAINER_FIREWALL_BACKEND=${CONTAINER_FIREWALL_BACKEND:-"iptables"}
 CONTAINER_LOGSHIPPING_BACKEND=${CONTAINER_LOGSHIPPING_BACKEND:-"fluent-bit"}
 CONTAINER_LOG_LEVEL=${CONTAINER_LOG_LEVEL:-"NOTICE"}
 CONTAINER_LOG_PREFIX_DATE_FMT=${CONTAINER_LOG_PREFIX_DATE_FMT:-"%Y-%m-%d"}

install/assets/defaults/07-firewall

@@ -0,0 +1,21 @@
+#!/command/with-contenv bash
+
+IPTABLES_RULES_PATH=${IPTABLES_RULES_PATH:-"/assets/iptables/"}
+IPTABLES_RULES_FILE=${IPTABLES_RULES_FILE:-"iptables.rules"}
+FAIL2BAN_BACKEND=${FAIL2BAN_BACKEND:-"AUTO"}
+FAIL2BAN_CONFIG_PATH=${FAIL2BAN_CONFIG_PATH:-"/etc/fail2ban/"}
+FAIL2BAN_DB_FILE=${FAIL2BAN_DB_FILE:-"fail2ban.sqlite3"}
+FAIL2BAN_DB_PATH=${FAIL2BAN_DB_PATH:-"/data/fail2ban/"}
+FAIL2BAN_DB_PURGE_AGE=${FAIL2BAN_DB_PURGE_AGE:-"86400"}
+FAIL2BAN_DB_TYPE=${FAIL2BAN_DB_TYPE:-"MEMORY"}
+FAIL2BAN_IGNORE_IP=${FAIL2BAN_IGNORE_IP:-"127.0.0.1/8 ::1 172.16.0.0/12 192.168.0.0/24"}
+FAIL2BAN_IGNORE_SELF=${FAIL2BAN_IGNORE_SELF:-"TRUE"}
+FAIL2BAN_LOG_PATH=${FAIL2BAN_LOG_PATH:-"/var/log/fail2ban/"}
+FAIL2BAN_LOG_FILE=${FAIL2BAN_LOG_FILE:-"fail2ban.log"}
+FAIL2BAN_LOG_LEVEL=${FAIL2BAN_LOG_LEVEL:-"INFO"}
+FAIL2BAN_LOG_TYPE=${FAIL2BAN_LOG_TYPE:-"FILE"}
+FAIL2BAN_MAX_RETRY=${FAIL2BAN_MAX_RETRY:-"5"}
+FAIL2BAN_STARTUP_DELAY=${FAIL2BAN_STARTUP_DELAY:-"15"}
+FAIL2BAN_TIME_BAN=${FAIL2BAN_TIME_BAN:-"10m"}
+FAIL2BAN_TIME_FIND=${FAIL2BAN_TIME_FIND:-"10m"}
+FAIL2BAN_USE_DNS=${FAIL2BAN_USE_DNS:-"warn"}

install/assets/functions/00-container

@@ -994,7 +994,7 @@ showoff() {
     echo "H4sIAAAAAAAAA61RQRLEIAi78wpvXAq971t68CE8vgni2s7urWUGEyRBHVt7JTYzc+Ga4WD+T+Q/pm9jmQNbIZpNN9OOpGSqnA6I4jJlp1RZZ2OZUbrK3B9nxWw5VB9NiOFNCt5ta8s0kSD3suiBxOQDRh0WxSWQcbuYj9Mp4KuksKAoOVm3qlvRfq1Vl4Nj5fkvZnCsnEeFItgXAgAA" | base64 -d | gunzip
     echo "${is}"
     echo "${ir}"
-    echo "H4sIAAAAAAAAA1NQgAOfzOxUhdxKhfL8omx7hbDM4swShYySkoJiK3398vJyvZLMotSU/LTMEr3kRP3igvy84vwiLgD/c17OQAAAAA==" | base64 -d | gunzip
+    echo "H4sIAAAAAAAAA1NQgIPggvy84vwihdxUhTQglZJalpqTX5CbmleikJiXolBakJ2aWmClkFFSUlBspa9fXl6uV5JZlJqSn5ZZopecqF8M0c8FALKFIsRTAAAA" | base64 -d | gunzip
     echo ""
 }
 

install/etc/cont-init.d/04-scheduling

@@ -17,7 +17,7 @@ fi
 # this is where we want to scan for every crontab env var and write it to its own file and leave a note where it came from or if it was part of system variables
 ## in the services available section is where we will parse the actual folder and then prepare the crontab right away. might need to update the bash alias to reload cron easy
 if var_false "${CONTAINER_ENABLE_SCHEDULING}" ; then
-    print_notice "Disabling Scheduling"
+    print_debug "Disabling Scheduling"
     service_stop "$(basename "$0")"
 else
     case "${CONTAINER_SCHEDULING_BACKEND,,}" in