Block IPs on all ports with fail2ban on a docker host

stjernstrom

Mathias Stjernstrom

Posted on October 29, 2020


Playing around with fail2ban on a local docker host I found that when blocking a host, all docker containers with open ports were still accessible.

I tried several different ways of getting the IP block to really block everything.

These are some notes from the steps I took to solve the problem.

  • Update your package lists

```sh
apt update
```

  • Install fail2ban

```sh
apt install fail2ban
```

  • We do not edit the default jail.conf since it can be overwritten by updates. So we create a new config for fail2ban.

```sh
vim /etc/fail2ban/jail.local
```

For this simple demonstration we are going to block all failed attempts over SSH. And we want to block the remote IP for 600s, for all services and ports.

```ini
[sshd]
ignoreip = 127.0.0.1
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime  = 600
findtime = 600
action = iptables-allports[actname=sshd,name=sshd,protocol=all]
         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
```

The trick was to set up two actions: one for the normal INPUT chain (traffic to the host itself) and one for Docker's DOCKER chain, which published container ports are routed through via FORWARD.

Doing this blocks sessions not only to the host but also to all containers.
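To confirm the ban really covers both paths, the check below parses `iptables -S` output and reports, per base chain, whether the banned address is rejected by a chain jumped to from it. This is an added example, not part of the original post; the rule listing is constructed and assumes the `f2b-<name>` chain names that fail2ban's iptables-allports action creates.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S` after fail2ban banned 203.0.113.5
# using both actions from the jail above (f2b-<name> is the chain naming
# of the iptables-allports action; traffic to published container ports
# flows FORWARD -> DOCKER, so host-only blocking in INPUT misses it).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N f2b-sshd
-N f2b-sshd-docker
-A INPUT -p all -j f2b-sshd
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -p all -j f2b-sshd-docker
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A f2b-sshd-docker -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd-docker -j RETURN
"""
# Same host with only the first action configured: the symptom from the post.
HOST_ONLY_RULES = "\n".join(
    l for l in SAMPLE_RULES.splitlines() if "f2b-sshd-docker" not in l)

BLOCK_TARGETS = {"REJECT", "DROP"}
TERMINAL = {"ACCEPT", "REJECT", "DROP", "RETURN"}

def parse_rules(text):
    """Yield (chain, source network or None, jump target or None) per -A rule."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        chain, src, target = tok[1], None, None
        for i, t in enumerate(tok[2:-1], start=2):
            if t == "-s":
                src = ipaddress.ip_network(tok[i + 1], strict=False)
            elif t == "-j":
                target = tok[i + 1]
        yield chain, src, target

def ban_coverage(rules_text, ip, base_chains=("INPUT", "DOCKER")):
    """Per base chain: is `ip` blocked by a user chain that base chain jumps to?"""
    rules = list(parse_rules(rules_text))
    addr = ipaddress.ip_address(ip)
    coverage = {}
    for base in base_chains:
        jumps = {t for c, _, t in rules if c == base and t and t not in TERMINAL}
        coverage[base] = any(c in jumps and src is not None and addr in src
                             and t in BLOCK_TARGETS for c, src, t in rules)
    return coverage

if __name__ == "__main__":
    print(ban_coverage(SAMPLE_RULES, "203.0.113.5"))     # both chains True
    print(ban_coverage(HOST_ONLY_RULES, "203.0.113.5"))  # DOCKER is False
```

On a live host, feed it `iptables -S` (and `ip6tables -S` if IPv6 is published) instead of the constructed sample.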
