Fail2ban scans log files and bans IPs that show the malicious signs.
We are going to be using a prebuilt docker image by crazymax to facilitate the process. There are a lot of fail2ban configurations availabe on the internet, and you can even create your own, this guide provides the following features :
- SSH jail configuration
- Vaultwarden jail configuration
.
|-- data/
| |-- action.d/
| | |-- nftables-forward.conf
| | |-- nftables-input.conf
| |-- db/
| |-- filter.d/
| | |-- bitwarden-admin.conf
| | |-- bitwarden-auth.conf
| `-- jail.d/
| |-- bitwarden-admin.conf
| |-- bitwarden-auth.conf
| |-- sshd.conf
`-- docker-compose.ymldata/action.d- a directory containing custom action configuration to execute when banning an IPdata/db- a directory used to store fail2ban sqlite databasedata/filter.d- a directory containing custom filter configuration used by a jail to match malicious signsdata/jail.d- a directory containing custom jail configuration for your servicesdocker-compose.yml- a docker-compose file, use to configure your application’s services
Please make sure that all the files and directories are present.
Links to the following docker-compose.yml and the corresponding .env.
- docker-compose.yml
version: '3' services: fail2ban: image: crazymax/fail2ban:latest container_name: fail2ban restart: unless-stopped volumes: - /var/log:/var/log:ro - ./data:/data environment: - TZ=${TZ} network_mode: host cap_add: - NET_ADMIN - NET_RAW labels: # Watchtower Update - "com.centurylinklabs.watchtower.enable=true"
- .env
TZ=Europe/Paris
We are gonna use /var/log directory to parse log files.
The jail.d directory is provided with three examples.
-
sshd.conf : provides ssh protection, will ban any IP trying to bruteforce your ssh credentials, a must-have if you are still on port 22.
-
bitwarden-auth.conf : provides your vaultwarden password manager from bruteforce.
-
bitwarden-admin.conf : provides your vaultwarden admin dashboard from bruteforce.
You can find the vaultwarden filters in the filter.d directory. For example, in filter.d/vaultwarden-auth you can find :
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =This filter is using regex and will match any log that fails to connect to your vaultwarden vault. The log file that is parsed is /var/log/syslog, redirection is provided with the docker-compose available in the vaultwarden guide.
Replace the environment variables in .env with your own, then run :
sudo docker-compose up -dThe jails and filters configured are going to be active, you can now create as many as you want to protect your services.
Fail2ban commands can be used through the container. Here is an example if you want to unban an IP manually:
sudo docker exec -t fail2ban fail2ban-client set <JAIL> unbanip <IP>
The same example with bitwarden, in the case you failed to enter the right password 3 times:
sudo docker exec -t fail2ban fail2ban-client set bitwarden-auth unbanip <IP>
For a more general example, you can use any fail2ban command as follows:
sudo docker exec -t fail2ban fail2ban-client <COMMAND>
The image is automatically updated with watchtower thanks to the following label :
# Watchtower Update
- "com.centurylinklabs.watchtower.enable=true"Be careful not to get ban as the iptable action is pretty aggressive, you will not be able to SSH with the banned IP.
Docker volumes are globally backed up using borg-backup.