install fail2ban in docker

How to Install Fail2ban in Docker

Fail2ban is a popular security module that protects your web server from malicious attacks such as SSH and Brute Force attacks. In this article, we will learn how to install Fail2ban in Docker.


How to Install Fail2ban in Docker

Here are the steps to install Fail2ban in Docker. We will be installing Fail2ban in target environment, that is, Ubuntu and the container will remain independent. It will be used to monitor SSH access to Ubuntu and HTTP access to Docker container.


1. Install Fail2ban

It is very easy to install Fail2ban on Ubuntu/Debian systems. Open terminal and run the following command to install Fail2ban.

$ sudo apt-get update
$ sudo apt-get install fail2ban

You can check the status of Fail2ban with the following command.

$ sudo service fail2ban status


2. Configure Fail2ban

By default, Fail2ban starts monitoring SSH access immediately after installation. However, you may need to whitelist your IP address to be able to easily access your system anytime.

For this purpose, make a copy of Fail2ban’s configuration file jail.conf as jail.local

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Update the configuration file jail.local as shown below. Replace 127.0.0.1 with your system IP address. Also we have changed ban time to 7 days.

# "bantime" is the number of seconds that a host is banned.
bantime  = 604800 # ban for 7 days

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 XX.XX.XX.XX # Your IP address


3. Fail2ban Jail

In the same file, we create a wplogin jail that monitors the docker log file and takes appropriate actions. Add the following section to your config file. Replace * in */* with your docker container’s ID.

[wplogin]
 
enabled = true
port = http,https
filter = wplogin
logpath = /var/lib/docker/containers/*/*-json.log
banaction = docker-action
maxretry = 5
findtime = 120
bantime = 86400

Save and close the file.


4. Fail2ban Filter

Fail2ban filters allows you to define custom rules that Fail2ban will use to identify malicious log entries. Add the following section to your configuration file to create a filter that looks for malicious entries against URL /wp-login.php. Create a new file wplogin.conf

$ sudo vi /etc/fail2ban/filter.d/wplogin.conf

and add the following lines to it.

[Definition]
failregex = {"log":"<HOST> -.*POST.*wp-login.php.*
ignoreregex =

Save and close the file.


5. Fail2ban Action

Create a new file.

$ sudo vi /etc/fail2ban/action.d/docker-action.conf

Add the following lines to define Fail2ban actions.

[Definition]
 
actionstart = iptables -N f2b-wplogin
              iptables -A f2b-wplogin -j RETURN
              iptables -I FORWARD -p tcp -m multiport --dports 80 -j f2b-wplogin
 
actionstop = iptables -D FORWARD -p tcp -m multiport --dports 80 -j f2b-wplogin
             iptables -F f2b-wplogin
             iptables -X f2b-wplogin
 
actioncheck = iptables -n -L FORWARD | grep -q 'f2b-wplogin[ \t]'
 
actionban = iptables -I f2b-wplogin 1 -s <ip> -j DROP
 
actionunban = iptables -D f2b-wplogin -s <ip> -j DROP

Save and close the file.


6. Restart Fail2ban

Restart Fail2ban to apply changes.

$ sudo service fail2ban restart 
$ sudo fail2ban-client reload

That’s it. In this article, we have learnt how to install Fail2ban in Docker.

Also read:

Disk Utilities in Linux
How to Return Multiple Values in Python
How to Iterate Through List of Dictionaries in Python
How to Setup vnstat Network Monitoring Tool
How to Configure NFS Share in Ubuntu

Leave a Reply

Your email address will not be published. Required fields are marked *