An SSHGuard container suitable for systemd-based environment such as CoreOS.
It is supposed to run in a privileged container with the host's systemd journal directory being mounted, and pipes the journal directly into sshguard.
There are a couple of environment variables you can pass to the container:
IPTABLES_SETUP,IPTABLES_SETUP_IPV4andIPTABLES_SETUP_IPV6: Set to "no" if you don't want the container to setup the required iptables rules in general, for IPv4 or IPv6, respectively (all default to "yes").IPTABLES_TEARDOWN: Set to "no" if you want to keep the sshguard iptables after shutting down the container (defaults to "yes").IPTABLES_HOOKS: A comma separated list of iptables filter chains in the jump to the sshguard table will be appended (default) or inserted. Add an optional:nto each chain name to insert at the nth position. (defaults to "INPUT:1").JOURNALD_START_AT: Starting point in the journal, can be any absolute or relative timestampstrtotimeis able to parse (defaults to "2 hours ago").SSHGUARD_FORGET_CRACKER: Specify after how many seconds sshguard will forget an attack (defaults to 1200).SSHGUARD_UNBLOCK_AFTER: Specify the baseline number of seconds an attacker will be blocked (defaults to 420).
Edit these variables into the unit file which fits best for your setup:
fleetctl start sshguard-rkt.service
cp sshguard-rkt.service /etc/systemd/system/sshguard.service
systemctl daemon-reload
systemctl start sshguard.service
systemctl enable sshguard.service
cp sshguard-docker.service /etc/systemd/system/sshguard.service
systemctl daemon-reload
systemctl start sshguard.service
systemctl enable sshguard.service
A proper docker-compose.yml is also provided.
- Get rid of the bloated ubuntu base image. Compiling journalctl/systemd on alpine is a challenge.
- Upcoming sshguard version supports
ipsetbackend to avoid cluttering the iptables.
Copyright (c) 2016 Jan Kunzmann [email protected], see LICENSE.md.
Heavily inspired by Nick Owens' coreos-sshguard