How to Install Fail2ban in Docker

Fail2ban is a popular security tool that protects your web server from malicious attacks such as SSH and other brute-force attacks. In this article, we will learn how to install Fail2ban in Docker.


Here are the steps to install Fail2ban in Docker. We will install Fail2ban in the target environment, that is, on the Ubuntu host, and the container will remain independent. Fail2ban will monitor SSH access to Ubuntu and HTTP access to the Docker container.


1. Install Fail2ban

It is very easy to install Fail2ban on Ubuntu/Debian systems. Open terminal and run the following command to install Fail2ban.

$ sudo apt-get update
$ sudo apt-get install fail2ban

You can check the status of Fail2ban with the following command.

$ sudo service fail2ban status


2. Configure Fail2ban

By default, Fail2ban starts monitoring SSH access immediately after installation. However, you may need to whitelist your IP address to be able to easily access your system anytime.

For this purpose, make a copy of Fail2ban’s configuration file jail.conf as jail.local. The directory is owned by root, so run the copy with sudo.

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Update the configuration file jail.local as shown below. Replace 127.0.0.1 with your system IP address. We have also changed the ban time to 7 days.

# "bantime" is the number of seconds that a host is banned.
# Ban for 7 days. Keep '#' comments on their own line: Fail2ban only treats
# ';' (following a space) as an inline comment.
bantime  = 604800

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Your IP address
ignoreip = 127.0.0.1/8 XX.XX.XX.XX


3. Fail2ban Jail

In the same file, we create a wplogin jail that monitors the docker log file and takes appropriate actions. Add the following section to your config file. Replace * in */* with your docker container’s ID.

[wplogin]
 
enabled = true
port = http,https
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 5
findtime = 120
bantime = 86400

Save and close the file.


4. Fail2ban Filter

Fail2ban filters allow you to define custom rules that Fail2ban uses to identify malicious log entries. To create a filter that looks for malicious entries against the URL /wp-login.php, create a new file wplogin.conf

$ sudo vi /etc/fail2ban/filter.d/wplogin.conf

and add the following lines to it.

[Definition]
failregex = {"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =

Save and close the file.


5. Fail2ban Action

Create a new file.

$ sudo vi /etc/fail2ban/action.d/docker-action.conf

Add the following lines to define Fail2ban actions.

[Definition]
 
actionstart = iptables -N f2b-wplogin
              iptables -A f2b-wplogin -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 80 -j f2b-wplogin
 
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 80 -j f2b-wplogin
             iptables -F f2b-wplogin
             iptables -X f2b-wplogin
 
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-wplogin[ \t]'
 
actionban = iptables -I f2b-wplogin 1 -s <ip> -j DROP
 
actionunban = iptables -D f2b-wplogin -s <ip> -j DROP

Save and close the file.

Alternatively, you can add the following line to the Docker filter section in Step 4 and skip the docker-action.conf file altogether.

chain = DOCKER-USER

6. Restart Fail2ban

Restart Fail2ban to apply changes.

$ sudo service fail2ban restart 
$ sudo fail2ban-client reload
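
To check what the wplogin filter and jail settings above will actually catch, here is an added Python example (not part of the original article and not Fail2ban's own code). It runs the page's failregex over constructed Docker json-file log lines and applies maxretry = 5 within findtime = 120. Assumptions: <HOST> is replaced by a simplified IPv4-only group, event times come from Docker's "time" field, and all IPs are documentation addresses.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from wplogin.conf. Assumption: <HOST> is replaced by a simplified
# IPv4-only group; Fail2ban's real <HOST> also matches IPv6 and hostnames.
FAILREGEX = r'{"log":"<HOST> -.*POST.*wp-login.php.*'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
MAXRETRY, FINDTIME = 5, 120  # from the [wplogin] jail
BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def make_line(ip, offset, request):
    """Build one constructed line in Docker's json-file log format."""
    ts = BASE + timedelta(seconds=offset)
    access = f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "{request} HTTP/1.1" 200 512\n'
    entry = {"log": access, "stream": "stdout", "time": ts.strftime(TIME_FMT)}
    return json.dumps(entry, separators=(",", ":"))

def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the IPs that reach maxretry filter matches within findtime seconds."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        match = PATTERN.search(line)
        if not match:
            continue
        # Assumption: event time is read from Docker's "time" field.
        when = datetime.strptime(json.loads(line)["time"], TIME_FMT)
        hits = recent[match["host"]]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()  # forget matches older than the findtime window
        if len(hits) >= maxretry:
            banned.add(match["host"])
    return banned

SAMPLE = (
    # Constructed traffic: 5 login POSTs in 40 s reach maxretry inside findtime.
    [make_line("203.0.113.7", s, "POST /wp-login.php") for s in range(0, 50, 10)]
    # 5 login POSTs, 150 s apart: never 5 inside one 120 s window.
    + [make_line("198.51.100.9", s, "POST /wp-login.php") for s in range(0, 750, 150)]
    # GETs of the login page and POSTs to other URLs do not match the filter.
    + [make_line("192.0.2.44", s, "GET /wp-login.php") for s in range(6)]
    + [make_line("192.0.2.44", s, "POST /wp-comments-post.php") for s in range(6)]
)

if __name__ == "__main__":
    print(sorted(would_ban(SAMPLE)))
```

On the host, fail2ban-regex run with a log file and /etc/fail2ban/filter.d/wplogin.conf as arguments tests the real filter against real log lines.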

That’s it. In this article, we have learnt how to install Fail2ban in Docker.
