Skip to content

Latest commit

 

History

History
146 lines (107 loc) · 3.99 KB

README.md

File metadata and controls

146 lines (107 loc) · 3.99 KB

About

Fail2ban

Fail2ban scans log files and bans IPs that show the malicious signs.

We are going to be using a prebuilt docker image by crazymax to facilitate the process. There are a lot of fail2ban configurations availabe on the internet, and you can even create your own, this guide provides the following features :

  • SSH jail configuration
  • Vaultwarden jail configuration

Table of Contents

Files structure

.
|-- data/
|   |-- action.d/
|   |-- db/
|   |-- filter.d/
|   |   |-- bitwarden-admin.conf
|   |   |-- bitwarden-auth.conf
|   `-- jail.d/
|       |-- bitwarden-admin.conf
|       |-- bitwarden.conf
|       |-- sshd.conf
`-- docker-compose.yml
  • data/action.d - a directory containing custom action configuration to execute when banning an IP
  • data/db - a directory used to store fail2ban sqlite database
  • data/filter.d - a directory containing custom filter configuration used by a jail to match malicious signs
  • data/jail.d - a directory containing custom jail configuration for your services
  • docker-compose.yml - a docker-compose file, use to configure your application’s services

Please make sure that all the files and directories are present.

Information

docker-compose

Links to the following docker-compose.yml and the corresponding .env.

  • docker-compose.yml
    version: '3'
    
    services:
      fail2ban:
        image: crazymax/fail2ban:latest
        container_name: fail2ban
        restart: unless-stopped
        volumes:
          - /var/log:/var/log:ro
          - ./data:/data
        environment:
          - TZ=${TZ}
        network_mode: "host"
        cap_add:
        - NET_ADMIN
        - NET_RAW
        labels:
          # Watchtower Update
          - "com.centurylinklabs.watchtower.enable=true"
  • .env
    TZ=Europe/Paris

We are gonna use /var/log directory to parse log files.

jails

The jail.d directory is provided with three examples.

  • sshd.conf : provides ssh protection, will ban any IP trying to bruteforce your ssh credentials, a must-have if you are still on port 22.

  • vaultwarden.conf : provides your vaultwarden password manager from bruteforce.

  • vaultwarden-admin : provides your vaultwarden admin dashboard from bruteforce.

You can find the vaultwarden filters in the filter.d directory. For example, in filter.d/vaultwarden-auth you can find :

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =

This filter is using regex and will match any log that fails to connect to your vaultwarden vault. The log file that is parsed is /var/log/syslog, redirection is provided with the docker-compose available in the vaultwarden guide.

Usage

Configuration

Replace the environment variables in .env with your own, then run :

sudo docker-compose up -d

The jails and filters configured are going to be active, you can now create as many as you want to protect your services.

Update

The image is automatically updated with watchtower thanks to the following label :

  # Watchtower Update
  - "com.centurylinklabs.watchtower.enable=true"

Security

Be careful not to get ban as the iptable action is pretty aggressive, you will not be able to SSH with the banned IP.

Backup

Docker volumes are globally backed up using borg-backup.