Follow up – Docker and fail2ban – How I solved it (for me) (2024)

2021-12-07 | tkaefer

Quite a lot of time has passed since my post about Docker and fail2ban (August 2019), but that page still gets most of the attention on my blog.

I have done quite some more work on it since then, for several reasons.

First of all, I had severe performance issues as soon as too many IPs were blocked: iptables does not cope well with a large number of rules, because every packet is checked against the chain rule by rule.

Adding a new rule for every blocked IP is therefore a pretty bad idea, especially when all traffic passes through those rules, sometimes twice.

I hook into just three chains:

  • INPUT
  • FORWARD
  • DOCKER-USER

Normally FORWARD would be sufficient, but Docker also manipulates the FORWARD chain, and for me it is not deterministic how this actually behaves.

Therefore I’m also hooking into the DOCKER-USER chain (see https://docs.docker.com/network/iptables/ for details).

I also use ipset together with iptables to reduce the number of individual iptables rules: there is a single ipset holding all IPs to be blocked, and only one rule per chain that matches against that set.

The action file, /etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf:

```ini
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# Tobias Kaefer <tobias@tkaefer.de>
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:net forceadd
              <iptables> -t filter -I INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable

# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush f2b-<name>

# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <actionflush>
             ipset destroy f2b-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
# actioncheck = <iptables> -t filter -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip>

[Init]
```

There were comments that "-j REJECT --reject-with icmp-host-unreachable" is not available on certain systems and that "-j DROP" was used instead, which should be fine. Both prevent any further data from being routed to the services; the meaning is different though (REJECT answers the client with an ICMP error, DROP silently discards the packet).

I also use a generic shell script to ban or unban an IP for a given fail2ban jail (/usr/local/bin/ipset-fail2ban.sh):

```bash
#!/bin/bash
# /usr/local/bin/ipset-fail2ban.sh <add|del> <ipset name> <ip>
# Called by the fail2ban action as "add f2b-<name> <ip>" or "del f2b-<name> <ip>"
ipsetcommand="$1"
ipsetname="$2"
IP="$3"

if [[ "del" == "${ipsetcommand}" ]]; then
  # Only delete if the IP is actually in the set
  /usr/sbin/ipset test "${ipsetname}" "${IP}" && /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
else
  # Only add if the IP is not yet in the set
  /usr/sbin/ipset test "${ipsetname}" "${IP}" || /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
fi
```

It does several things:

  1. For delete
    1. Check whether the IP is in the ipset
    2. Delete if it is in the ipset
  2. For add
    1. Check whether the IP is in the ipset
    2. Add if it is not in the ipset

The jail configuration (/etc/fail2ban/jail.d/mailserver.conf) looks something like this:

```ini
# 3 ban in 1 hour > Ban for 1 hour
[mailserver]
enabled = true
filter = mailserver
logpath = /var/log/syslog
maxretry = 2
findtime = 86400
bantime = 86400
banaction = iptables-mangle-allports-ipset[name="mailserver"]
```

And the filter looks like this:

```ini
# /etc/fail2ban/filter.d/mailserver.conf
# Fail2Ban configuration file

[Definition]

# Option: failregex
# Filter "client login failed" in the Syslog
failregex = .* client login failed: .+ client:\ <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
```
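To see what this filter and the jail settings above (maxretry = 2, findtime = 86400) actually do before pointing fail2ban at a live syslog, here is an added Python example that is not part of the original post: it applies the failregex to a few constructed log lines and replays fail2ban's sliding window by hand. The `<HOST>` tag is replaced with the named group fail2ban substitutes for it; the log lines and their ISO timestamps are constructed for this example and are not real server output.

```python
import re
from datetime import datetime, timedelta

# The failregex from the filter above, with fail2ban's <HOST> tag replaced by
# the named group fail2ban substitutes for it.
FAILREGEX = re.compile(
    r".* client login failed: .+ client:\ (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
)

# Jail settings from mailserver.conf
MAXRETRY = 2
FINDTIME = timedelta(seconds=86400)

# Constructed syslog-style lines (not real server logs); the timestamp is
# simplified to ISO 8601 so that no fail2ban date pattern is needed here.
SAMPLE_LOG = """\
2021-12-07T10:00:00 mail front: client login failed: AUTH failed client: 198.51.100.7
2021-12-07T10:00:05 mail front: client login failed: AUTH failed client: 198.51.100.7
2021-12-07T10:00:10 mail front: client login succeeded client: 203.0.113.9
2021-12-07T10:00:15 mail front: client login failed: AUTH failed client: 203.0.113.9
2021-12-09T10:00:20 mail front: client login failed: AUTH failed client: 203.0.113.9
"""


def parse_failures(log_text):
    """Return a list of (timestamp, host) for every line the failregex matches."""
    failures = []
    for line in log_text.splitlines():
        stamp, _, message = line.partition(" ")
        match = FAILREGEX.search(message)
        if match:
            failures.append((datetime.fromisoformat(stamp), match.group("host")))
    return failures


def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail's sliding window: a host is banned as soon as
    maxretry failures fall within findtime of each other."""
    recent = {}   # host -> timestamps of failures still inside the window
    banned = []
    for stamp, host in sorted(failures):
        hits = [t for t in recent.get(host, []) if stamp - t <= findtime]
        hits.append(stamp)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for stamp, host in failures:
        print(f"failure {stamp.isoformat()} {host}")
    print("would ban:", hosts_to_ban(failures))
```

With the sample lines, 198.51.100.7 fails twice within five seconds and is banned, while 203.0.113.9 fails twice but two days apart, so the second failure falls outside findtime and no ban is issued; widening findtime (the third assertion in the test, not shown) changes that. The successful login on the third line does not match the regex at all, which is the behaviour the filter comment describes.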

The docker compose logging hasn’t been changed since my last blog post about that topic.

I am also feeding public blocklists into the ipset, so that already known malicious IPs are blocked up front, with a cron job running this script:

```bash
#!/bin/bash
# /usr/local/bin/blockSubnets.sh - feed public blocklists into the fail2ban ipset
fail2banjail="mailserver"
IPS=""
# Private and special-use ranges that must never be banned
WHITELIST="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32"
SOURCE_URLS="http://lists.blocklist.de/lists/strongips.txt https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
# There are several other lists to be considered, like:
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield_7d.netset
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/greensnow.ipset
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/darklist_de.netset
# https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset

# Download every list and drop its comment lines
for SOURCE_URL in ${SOURCE_URLS}; do
  CURRENT_IPS=$(curl -s "${SOURCE_URL}" | grep -v '^#')
  IPS="${IPS} ${CURRENT_IPS}"
done
# One entry per line before sort -u, otherwise duplicates are not removed
IPS="$(echo ${IPS} | tr ' ' '\n' | sort -u)"

for IP in ${IPS}; do
  # Note: this is a literal substring match against WHITELIST; it does not
  # check whether ${IP} lies inside one of the whitelisted ranges
  if [[ "${WHITELIST}" == *"${IP}"* ]]; then
    echo "not blocking ${IP}"
  else
    # Only ask fail2ban to ban entries that are not already in the ipset
    /usr/sbin/ipset test "f2b-${fail2banjail}" "${IP}" &> /dev/null \
      || /usr/bin/fail2ban-client set "${fail2banjail}" banip "${IP}" &> /dev/null
  fi
done

# You might also want to add the IP from your cable/DSL/fiber connection at home
# to not block yourself out, like (replace the hostnames with your own DynDNS records):
/usr/bin/fail2ban-client set mailu addignoreip "$(/usr/bin/dig +short A mydyndnsipv4name.dyndnsprovider.tld)"
/usr/bin/fail2ban-client set mailu addignoreip "$(/usr/bin/dig +short AAAA mydyndnsipv6name.dyndnsprovider.tld)"
```

Please replace "mydyndnsipv4name.dyndnsprovider.tld" and "mydyndnsipv6name.dyndnsprovider.tld" with the DNS records that point at your own cable/DSL/fiber connection.
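The whitelist check in the script is a plain substring match against the WHITELIST string, so a feed entry such as 10.1.2.3 is not recognised as lying inside 10.0.0.0/8. The following Python example is added here and is not part of the original post or scripts: it parses a constructed blocklist feed in the same format the script downloads (comment lines, single IPs, CIDR ranges), drops malformed entries and duplicates, and performs a real CIDR containment check against the same WHITELIST using the standard `ipaddress` module, next to a reimplementation of the script's substring test for comparison. The feed content is constructed for this example.

```python
import ipaddress

# Whitelist from blockSubnets.sh: ranges that must never end up in the ipset
WHITELIST_STR = ("0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 "
                 "172.16.0.0/12 192.168.0.0/16 255.255.255.255/32")
WHITELIST = [ipaddress.ip_network(n) for n in WHITELIST_STR.split()]

# Constructed feed content in the format the script downloads
# (comment lines, single IPs, CIDR ranges, junk, duplicates); not a real list.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.45
198.51.100.0/24
10.1.2.3
192.168.5.0/24
172.20.0.0/14
not-an-ip
203.0.113.45
"""


def substring_whitelisted(entry, whitelist=WHITELIST_STR):
    """The check the shell script performs: [[ "$WHITELIST" == *"$IP"* ]].
    Only an entry that literally appears in the whitelist string matches."""
    return entry in whitelist


def parse_feed(text):
    """Skip comments, blank lines and malformed entries; normalise the rest to networks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # junk from the feed is skipped rather than handed to ipset
    return entries


def is_whitelisted(net, whitelist=WHITELIST):
    """True if the entry lies inside, or itself covers, any whitelisted range."""
    return any(net.version == w.version and net.overlaps(w) for w in whitelist)


def entries_to_ban(text):
    """Deduplicated feed entries that are safe to hand to fail2ban-client banip."""
    seen = set()
    result = []
    for net in parse_feed(text):
        if net in seen or is_whitelisted(net):
            continue
        seen.add(net)
        # single hosts are emitted without the /32 suffix, as the script expects
        if net.prefixlen == net.max_prefixlen:
            result.append(str(net.network_address))
        else:
            result.append(str(net))
    return result


if __name__ == "__main__":
    print("substring check sees 10.1.2.3 as whitelisted:", substring_whitelisted("10.1.2.3"))
    print("cidr check sees 10.1.2.3 as whitelisted:", is_whitelisted(parse_feed("10.1.2.3")[0]))
    print("entries to ban:", entries_to_ban(SAMPLE_FEED))
```

`overlaps()` is used rather than `subnet_of()` on purpose: it also rejects a feed range that would swallow a whitelisted range, not only one that sits inside it. Run against the sample feed, only 203.0.113.45 and 198.51.100.0/24 remain; the private entries, the malformed line and the duplicate are dropped.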
