Mathias Stjernstrom
Posted on October 29, 2020
Playing around with fail2ban on a local Docker host, I found that when blocking a host, all Docker containers with open ports were still accessible.
I tried several different ways of getting the IP block to really block everything.
These are some notes from the steps I took to solve the problem.
- Update your package lists
    apt update
- Install fail2ban
    apt install fail2ban
- We do not edit the default jail.conf since it can be overwritten by updates. So we create a new config for fail2ban.
    vim /etc/fail2ban/jail.local
For this simple demonstration we are going to block all failed attempts over SSH, and we want to block the remote IP for 600s, for all services and ports.
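    [sshd]
    ignoreip = 127.0.0.1
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    # Ban window and ban duration, both in seconds
    bantime = 600
    findtime = 600
    # Two actions: the first uses the default chain, the second targets the DOCKER chain.
    # The second line is a continuation of "action" and must stay indented.
    action = iptables-allports[actname=sshd,name=sshd,protocol=all]
             iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]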
The trick was to set up two actions: one for the normal chain/traffic and one for Docker's chain (DOCKER).
Doing this blocks sessions not only to the host but also to all containers.
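A way to confirm that a ban covers both paths, added here as an example and not part of the original post: traffic to published container ports is forwarded through the DOCKER chain rather than INPUT, so the banned address has to show up behind both. The rules and the address 203.0.113.7 are constructed sample data, and the chain names assume fail2ban's default `f2b-` prefix.

```shell
#!/bin/sh
# Added example. Chain names assumed from the jail.local above:
# name=sshd -> f2b-sshd (hooked into INPUT), name=sshd-docker -> f2b-sshd-docker (hooked into DOCKER).

# Constructed `iptables -S` output after a ban of 203.0.113.7 (documentation address).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N f2b-sshd
-N f2b-sshd-docker
-A INPUT -j f2b-sshd
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -j f2b-sshd-docker
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-sshd-docker -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd-docker -j RETURN'

# ban_in_chain RULES PARENT F2B_CHAIN IP
# Succeeds only if PARENT jumps to F2B_CHAIN before any ACCEPT rule of its own
# and F2B_CHAIN rejects or drops IP.
ban_in_chain() {
    printf '%s\n' "$1" | awk -v p="$2" -v t="$3" '
        $1 == "-A" && $2 == p {
            if ($(NF-1) == "-j" && $NF == t) { found = 1; exit }
            for (i = 3; i < NF; i++) if ($i == "-j" && $(i+1) == "ACCEPT") exit
        }
        END { exit !found }' || return 1
    ip_re=$(printf '%s' "$4" | sed 's/\./\\./g')   # dots are literal in the match
    printf '%s\n' "$1" | grep -Eq -e "^-A $3 -s $ip_re(/32)? .*-j (REJECT|DROP)"
}

# check_ban RULES IP: report host and container coverage, fail if either is missing.
check_ban() {
    status=0
    for pair in INPUT:f2b-sshd DOCKER:f2b-sshd-docker; do
        if ban_in_chain "$1" "${pair%%:*}" "${pair#*:}" "$2"; then
            echo "OK      $2 blocked via ${pair%%:*} -> ${pair#*:}"
        else
            echo "MISSING $2 not blocked via ${pair%%:*} -> ${pair#*:}"
            status=1
        fi
    done
    return $status
}

check_ban "$SAMPLE_RULES" 203.0.113.7
```

On a live host, pass `"$(iptables -S)"` as the first argument instead of the sample.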