fixed fail2ban. Used this PR as a basis, atmoz#189 and based on this atmoz#195 using buster-slim seems to be working well

tails both auth.log and fail2ban.log to stdout for docker and kub

Author: basejump

.gitignore

@@ -1 +1,2 @@
 keys
+examples/sftp-data

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:stretch
+FROM debian:buster-slim
 
 # Steps done in one RUN layer:
 # - Install packages
@@ -8,17 +8,22 @@ RUN  apt-get update \
   && apt-get upgrade -y \
   && apt-get dist-upgrade -y \
   && apt-get install -y \
-    fail2ban \
+    rsyslog \
+    supervisor \
     openssh-server \
+    fail2ban \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/* \
+  && rm -rf /var/log/*.log \
   && mkdir -p /var/run/sshd \
   && rm -f /etc/ssh/ssh_host_*key*
 
 COPY files/sshd_config /etc/ssh/sshd_config
 COPY files/create-sftp-user /usr/local/bin/
 COPY files/jail.local /etc/fail2ban/
 COPY files/entrypoint /
+COPY files/sshd.conf /etc/rsyslog.d/sshd.conf
+COPY files/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 EXPOSE 22
 

README.md

@@ -1,23 +1,26 @@
 # SFTP
 
-**Forked from atmoz to make it easier to setup on kubernetes. also add fail2ban. merges in PRs to fix a number of issues**
+**Forked from atmoz to make it easier to setup on kubernetes. adds fail2ban from [this pr](https://github.com/atmoz/sftp/pull/189). merges in PRs to fix a number of issues**
 
-![Docker Automated build](https://img.shields.io/docker/automated/atmoz/sftp.svg) ![Docker Build Status](https://img.shields.io/docker/build/atmoz/sftp.svg) ![Docker Stars](https://img.shields.io/docker/stars/atmoz/sftp.svg) ![Docker Pulls](https://img.shields.io/docker/pulls/atmoz/sftp.svg)
+![Docker Automated build](https://img.shields.io/docker/automated/yakworks/sftp.svg) ![Docker Build Status](https://img.shields.io/docker/build/yakworks/sftp.svg) ![Docker Stars](https://img.shields.io/docker/stars/yakworks/sftp.svg) ![Docker Pulls](https://img.shields.io/docker/pulls/yakworks/sftp.svg)
 
 ![OpenSSH logo](https://raw.githubusercontent.com/atmoz/sftp/master/openssh.png "Powered by OpenSSH")
 
-# Supported tags and respective `Dockerfile` links
+## Supported tags and respective `Dockerfile` links
 
-- [`debian-stretch`, `debian`, `latest` (*Dockerfile*)](https://github.com/atmoz/sftp/blob/master/Dockerfile) [![](https://images.microbadger.com/badges/image/atmoz/sftp.svg)](http://microbadger.com/images/atmoz/sftp "Get your own image badge on microbadger.com")
-- [`debian-jessie` (*Dockerfile*)](https://github.com/atmoz/sftp/blob/debian-jessie/Dockerfile) [![](https://images.microbadger.com/badges/image/atmoz/sftp:debian-jessie.svg)](http://microbadger.com/images/atmoz/sftp:debian-jessie "Get your own image badge on microbadger.com")
-- [`alpine` (*Dockerfile*)](https://github.com/atmoz/sftp/blob/alpine/Dockerfile) [![](https://images.microbadger.com/badges/image/atmoz/sftp:alpine.svg)](http://microbadger.com/images/atmoz/sftp:alpine "Get your own image badge on microbadger.com")
+- [`debian`, `latest` (*Dockerfile*)](https://github.com/yakworks/docker-sftp/blob/master/Dockerfile) [![](https://images.microbadger.com/badges/image/yakworks/sftp.svg)](http://microbadger.com/images/yakworks/sftp "Get your own image badge on microbadger.com")
 
-# Securely share your files
+## Securely share your files
 
 Easy to use SFTP ([SSH File Transfer Protocol](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol)) server with [OpenSSH](https://en.wikipedia.org/wiki/OpenSSH).
-This is an automated build linked with the [debian](https://hub.docker.com/_/debian/) and [alpine](https://hub.docker.com/_/alpine/) repositories.
+This is an automated build linked with the [debian](https://hub.docker.com/_/debian/) repositories.
 
-# Usage
+
+## Example Quickstart
+
+to run the example in this project `./examples/docker-run.sh`
+
+## Usage
 
 - Define users in (1) command arguments, (2) `SFTP_USERS` environment variable
   or (3) in file mounted as `/etc/sftp/users.conf` (syntax:
@@ -35,51 +38,35 @@ This is an automated build linked with the [debian](https://hub.docker.com/_/deb
     want them to upload files.
   - For consistent server fingerprint, mount your own host keys (i.e. `/etc/ssh/ssh_host_*`)
 
-# Examples
-
-to run the example in this project `./examples/docker-run.sh`
-
-## Simplest docker run example
+### Simplest docker run example
 
 ```
-docker run -p 22:22 -d atmoz/sftp foo:pass:::upload
+docker run -p 22:22 -d yakworks/sftp foo:pass:::upload
 ```
 
 User "foo" with password "pass" can login with sftp and upload files to a folder called "upload". No mounted directories or custom UID/GID. Later you can inspect the files and use `--volumes-from` to mount them somewhere else (or see next example).
 
-## Sharing a directory from your computer
+### Sharing a directory from your computer
 
 Let's mount a directory and set UID:
 
 ```
 docker run \
-    -v /host/upload:/home/foo/upload \
-    -p 2222:22 -d atmoz/sftp \
+    -v /host/upload:/data \
+    -p 2222:22 -d yakworks/sftp \
     foo:pass:1001
 ```
 
-### Using Docker Compose:
-
-```
-sftp:
-    image: atmoz/sftp
-    volumes:
-        - /host/upload:/home/foo/upload
-    ports:
-        - "2222:22"
-    command: foo:pass:1001
-```
-
 ### Logging in
 
 The OpenSSH server runs by default on port 22, and in this example, we are forwarding the container's port 22 to the host's port 2222. To log in with the OpenSSH client, run: `sftp -P 2222 foo@<host-ip>`
 
-## Store users in config
+### Store users in config
 
 ```
 docker run \
     -v /host/users.conf:/etc/sftp/users.conf:ro \
-    -v mySftpVolume:/home \
+    -v mySftpVolume:/data \
     -p 2222:22 -d atmoz/sftp
 ```
 
@@ -91,7 +78,7 @@ bar:abc:1002:100
 baz:xyz:1003:100
 ```
 
-## Encrypted password
+### Encrypted password
 
 Add `:e` behind password to mark it as encrypted. Use single quotes if using terminal.
 
@@ -105,7 +92,7 @@ docker run \
 Tip: you can use [atmoz/makepasswd](https://hub.docker.com/r/atmoz/makepasswd/) to generate encrypted passwords:  
 `echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-`
 
-## Logging in with SSH keys
+### Logging in with SSH keys
 
 Mount public keys in the user's `.ssh/keys/` directory. All keys are automatically appended to `.ssh/authorized_keys` (you can't mount this file directly, because OpenSSH requires limited file permissions). In this example, we do not provide any password, so the user `foo` can only login with his SSH key.
 
@@ -118,7 +105,7 @@ docker run \
     foo::1001
 ```
 
-## Providing your own SSH host key (recommended)
+### Providing your own SSH host key (recommended)
 
 This container will generate new SSH host keys at first run. To avoid that your users get a MITM warning when you recreate your container (and the host keys changes), you can mount your own host keys.
 
@@ -138,12 +125,12 @@ ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
 ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
 ```
 
-## Execute custom scripts or applications
+### Execute custom scripts or applications
 
 Put your programs in `/etc/sftp.d/` and it will automatically run when the container starts.
 See next section for an example.
 
-## Bindmount dirs from another location
+### Bindmount dirs from another location
 
 If you are using `--volumes-from` or just want to make a custom directory available in user's home directory, you can add a script to `/etc/sftp.d/` that bindmounts after container starts.
 
@@ -169,16 +156,3 @@ bindmount /data/docs /home/peter/docs --read-only
 ```
 
 **NOTE:** Using `mount` requires that your container runs with the `CAP_SYS_ADMIN` capability turned on. [See this answer for more information](https://github.com/atmoz/sftp/issues/60#issuecomment-332909232).
-
-# What's the difference between Debian and Alpine?
-
-The biggest differences are in size and OpenSSH version. [Alpine](https://hub.docker.com/_/alpine/) is 10 times smaller than [Debian](https://hub.docker.com/_/debian/). OpenSSH version can also differ, as it's two different teams maintaining the packages. Debian is generally considered more stable and only bugfixes and security fixes are added after each Debian release (about 2 years). Alpine has a faster release cycle (about 6 months) and therefore newer versions of OpenSSH. As I'm writing this, Debian has version 7.4 while Alpine has version 7.5. Recommended reading: [Comparing Debian vs Alpine for container & Docker apps](https://www.turnkeylinux.org/blog/alpine-vs-debian)
-
-# What version of OpenSSH do I get?
-
-It depends on which linux distro and version you choose (see available images at the top). You can see what version you get by checking the distro's packages online. I have provided direct links below for easy access.
-
-- [List of `openssh` packages on Alpine releases](https://pkgs.alpinelinux.org/packages?name=openssh&branch=&repo=main&arch=x86_64)
-- [List of `openssh-server` packages on Debian releases](https://packages.debian.org/search?keywords=openssh-server&searchon=names&exact=1&suite=all&section=main)
-
-**Note:** The time when this image was last built can delay the availability of an OpenSSH release. Since this is an automated build linked with [debian](https://hub.docker.com/_/debian/) and [alpine](https://hub.docker.com/_/alpine/) repos, the build will depend on how often they push changes (out of my control).  Typically this can take 1-5 days, but it can also take longer. You can of course make this more predictable by cloning this repo and run your own build manually.

examples/dock-run.sh

@@ -5,9 +5,12 @@
 # docker build -t yakworks/sftp .
 docker stop sftp || true && docker rm sftp || true
 
-docker run --name sftp --cap-add=SYS_ADMIN \
+docker run --name sftp --cap-add=SYS_ADMIN --cap-add=NET_ADMIN \
   -p 30022:22 \
   -e DATA_MOUNT_NAME=ninebox \
   -v $(pwd)/examples/users.conf:/etc/sftp/users.conf \
   -v $(pwd)/examples/sftp-data:/data \
-  -d yakworks/sftp
+  -d yakworks/sftp
+
+#to brute force test to see if fail2ban is working
+#hydra -l ftp -x 3:3:a -t 4 -s 30022 ssh://127.0.0.1/

files/entrypoint

@@ -91,10 +91,13 @@ touch /var/log/auth.log
 service fail2ban start
 
 if $startSshd; then
-    log "Executing sshd"
-    exec /usr/sbin/sshd -D -e
-    tail -f /var/log/auth.log
+    #log "Executing sshd"
+    #exec /usr/sbin/sshd -D -e
+    #tail -f /var/log/auth.log
+    log "Executing supervisord with sshd"
+    mkdir -p /var/log/supervisor
+    /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
 else
-    log "Executing $*"
+    log "Executing custom startup $*"
     exec "$@"
 fi

files/jail.local

@@ -1,3 +1,5 @@
 [DEFAULT]
 # fail2ban bantime is the total number of seconds that a host is banned
-bantime = 3600
+bantime = 600
+#I think we want this to be 1 less than the sshd_config so its picked up and banned
+maxretry = 6

files/sshd.conf

@@ -0,0 +1,5 @@
+# Create an additional socket for some of the sshd chrooted users.
+$AddUnixListenSocket /home/sftp.log.socket
+# Log internal-sftp in a separate file
+:programname, isequal, "internal-sftp" -/var/log/sftp.log
+:programname, isequal, "internal-sftp" ~

files/sshd_config

@@ -1,5 +1,7 @@
 # Secure defaults
 # See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+MaxAuthTries 6
+
 Protocol 2
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -14,13 +16,14 @@ X11Forwarding no
 AllowTcpForwarding no
 
 # Force sftp and chroot jail
-Subsystem sftp internal-sftp
-ForceCommand internal-sftp -u 0002 # umask for user|group rwx|rwx permisions 
+Subsystem sftp internal-sftp -f AUTH -l VERBOSE
+# umask for user|group rwx|rwx permisions 
+ForceCommand internal-sftp -u 0002 -f AUTH -l VERBOSE
 
 ChrootDirectory /home/%u
 
 # Match Group users
 #  ChrootDirectory %h
 
 # Enable this for more logs
-#LogLevel VERBOSE
+LogLevel VERBOSE

files/supervisord.conf

@@ -0,0 +1,27 @@
+[supervisord]
+nodaemon=true
+user=root
+
+[program:rsyslog]
+command=/usr/sbin/rsyslogd -n
+redirect_stderr=true
+stdout_logfile=/var/log/rsyslogd.log
+stdout_logfile_maxbytes=0
+autorestart=true
+priority=1
+
+[program:sshd]
+command=/usr/sbin/sshd -D
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+autorestart=true
+priority=10
+
+[program:logger]
+command=tail -f /var/log/auth.log /var/log/fail2ban.log
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+autorestart=true
+priority=100