From e274ee762fc103bc7472aa49c4b031948d361c4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20K=C3=A4fer?= Date: Thu, 3 Feb 2022 20:51:45 +0100 Subject: [PATCH 1/2] Update fail2ban faq doc --- docs/faq.rst | 29 +++++++++++++++++++++++++++++ towncrier/newsfragments/2214.doc | 0 2 files changed, 29 insertions(+) create mode 100644 towncrier/newsfragments/2214.doc diff --git a/docs/faq.rst b/docs/faq.rst index 3194ee36..c2cea7be 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -664,6 +664,8 @@ The above will block flagged IPs for a week, you can of course change it to you The above will block flagged IPs for a week, you can of course change it to you needs. 7. Add the /etc/fail2ban/action.d/docker-action.conf + +Option 1: Use plain iptables .. code-block:: bash 
@@ -685,6 +687,33 @@ The above will block flagged IPs for a week, you can of course change it to you Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ +Option 2: Use ipset together with iptables +IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system. + +See ipset homepage for details on ipset, https://ipset.netfilter.org/. + +ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules. +There is just one rule for the bad authentications and the IPs are within the ipset. +Specially in larger setups with a high amount of brute force attacks this comes in handy. +Using iptables with ipset might reduce the system load in such attacks significantly. + +.. code-block:: bash + + [Definition] + + actionstart = actionstart = ipset --create f2b-bad-auth iphash + iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP + + actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP + ipset --destroy f2b-bad-auth + + + actionban = ipset --test f2b-bad-auth || ipset --add f2b-bad-auth + + actionunban = ipset --test f2b-bad-auth && ipset --del f2b-bad-auth + +Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ + 8. Configure and restart the Fail2Ban service Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. diff --git a/towncrier/newsfragments/2214.doc b/towncrier/newsfragments/2214.doc new file mode 100644 index 00000000..e69de29b From 314145868c0f98630bcb4e681a5dfaa5ecd89656 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tobias=20K=C3=A4fer?= Date: Mon, 14 Feb 2022 10:38:26 +0100 Subject: [PATCH 2/2] Include review suggestions --- docs/faq.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index c2cea7be..ef5f0167 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -673,9 +673,9 @@ Option 1: Use plain iptables actionstart = iptables -N f2b-bad-auth iptables -A f2b-bad-auth -j RETURN - iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth + iptables -I DOCKER-USER -j f2b-bad-auth - actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth + actionstop = iptables -D DOCKER-USER -j f2b-bad-auth iptables -F f2b-bad-auth iptables -X f2b-bad-auth @@ -702,19 +702,19 @@ Using iptables with ipset might reduce the system load in such attacks significa [Definition] actionstart = actionstart = ipset --create f2b-bad-auth iphash - iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP + iptables -I DOCKER-USER -m set --match-set f2b-bad-auth src -j DROP - actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP + actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth src -j DROP ipset --destroy f2b-bad-auth - actionban = ipset --test f2b-bad-auth || ipset --add f2b-bad-auth + actionban = ipset add -exist f2b-bad-auth - actionunban = ipset --test f2b-bad-auth && ipset --del f2b-bad-auth + actionunban = ipset del -exist f2b-bad-auth Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ -8. Configure and restart the Fail2Ban service +1. Configure and restart the Fail2Ban service Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.
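Review bot: the `actionstart` line in the ipset hunk of patch 1/2 (`@@ -685,6 +687,33 @@`) repeats its key: `actionstart = actionstart = ipset --create f2b-bad-auth iphash`. Fail2Ban will pass `actionstart = ipset --create ...` to the shell as the first command, which fails, so the action never starts; it should read `actionstart = ipset --create f2b-bad-auth iphash` (and the same line survives unchanged as context in patch 2/2). In the same hunk the ban and unban commands show no address after the set name (`ipset --add f2b-bad-auth`, `ipset --del f2b-bad-auth`); Fail2Ban substitutes the banned address through its `<ip>` tag, so each of these needs `<ip>` after the set name (if the tag was present in the source and was only lost in rendering, disregard this point). `ipset --create` will also fail when the set still exists from an unclean shutdown; `ipset create -exist f2b-bad-auth hash:ip` is tolerant of that and uses the current ipset syntax instead of the legacy `--create`/`iphash` spelling. Minor wording in the new prose of this hunk: "eg." should be "e.g.", "Specially" should be "Especially", and "reduces the overall iptable rules" reads better as "reduces the number of iptables rules".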
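Review bot: the newsfragment `towncrier/newsfragments/2214.doc` added in patch 1/2 is an empty file (blob `e69de29b`). Unless the project's towncrier configuration explicitly allows empty fragments for this type, towncrier will render an empty changelog entry; a one-line summary such as "Document an ipset-based Docker action for Fail2Ban in the FAQ." is what reviewers will expect, and the number should match the pull request this series belongs to.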
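Review bot: the first hunk of patch 2/2 (`@@ -673,9 +673,9 @@`) drops `-p tcp -m multiport --dports 1:1024` from both the `actionstart` and `actionstop` rules of option 1, so `iptables -I DOCKER-USER -j f2b-bad-auth` now applies to every protocol and port that reaches a container through DOCKER-USER, and the two rules still mirror each other exactly, which `iptables -D` requires. That is the right behaviour for a ban list, but the surrounding FAQ text should say so explicitly, since readers who copied the earlier port-limited version will otherwise not notice that the scope changed; a sentence noting that the jump is inserted at the top of DOCKER-USER and therefore takes precedence over any other rules an operator has put there would also help.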
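Review bot: the second hunk of patch 2/2 (`@@ -702,19 +702,19 @@`) leaves the duplicated `actionstart = actionstart = ipset --create f2b-bad-auth iphash` in place as an unchanged context line, so the series as a whole still ships a broken action; fix it here. Switching to `actionban = ipset add -exist f2b-bad-auth` and `actionunban = ipset del -exist f2b-bad-auth` is a clear improvement over the earlier test-then-add form (idempotent, no window between test and add), but the hunk now mixes the legacy spelling (`ipset --create`, `ipset --destroy`, `iphash`) with the current one (`add`, `del`); use `ipset create -exist f2b-bad-auth hash:ip` and `ipset destroy f2b-bad-auth` throughout. As in patch 1/2, the ban and unban lines show no address after the set name, and Fail2Ban's `<ip>` tag must follow it for the commands to do anything. Finally, renumbering the last step from `8.` to `1.` while the preceding step in the visible context is still `7.` will render as a new enumerated list starting at 1 directly after step 7; confirm that this is intended rather than a leftover from the review round.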