New Package Request: fail2ban for SSH protection against malicious servers on the internet #1334
Comments
https://hub.docker.com/r/linuxserver/fail2ban might be an option to run in a container
Hi @bignay2000. https://hub.docker.com/r/linuxserver/fail2ban seems like a good option to run fail2ban in a Linux container, since Flatcar is an immutable Linux distribution for running containers. There has been a lot of progress on the system extension front. Perhaps you could try bundling fail2ban into a systemd-sysext image and then use fail2ban that way.
Hello @bignay2000, thanks for reaching out! As Krish mentioned, we're trying to keep Flatcar lean. I know of a few users who managed to get an alpine docker container of fail2ban working on Flatcar. Needs host networking (obviously) as well as bind-mounts of /var/log and probably other directories into the container for logfile parsing. This might be a more straightforward (and faster) solution than trying to add fail2ban to the base OS.
Oh, and just as with #1333 if you manage to find a good way to run fail2ban in a container, feel free to add a how-to to our documentation: https://github.com/flatcar/flatcar-website
Note that Flatcar already sets up pam_faillock
Package name and purpose
Fail2Ban actively looks for authentication errors across various logs and adds IP addresses to a deny list for the IPTables firewall. By having the firewall deny the IP, this prevents any further processing from the malicious server.
Impact of adding this package to the Flatcar OS image
The package improves on the following core values:
Currently there is no real alternative to prevent DDOS attacks against SSH or other ports for public facing smaller servers (1 vCPU, 512 MB RAM Digital Ocean droplet).
Ability to firewall incoming traffic at the host. Decreases the possibility of memory and CPU usage caused by a malicious DDOS attack.
The package will increase the image size by: [estimated] MBytes.
How might this package increase the attack surface:
Built from Python
Benefits of adding this package
Gain the ability to protect a publicly facing Flatcar server from bot attacks.
Additional information
IPTables by itself is not sufficient to protect against modern bots. Too hard to figure out rules that would block these attacks while ensuring real users can still connect to the server - whether the rate limit causes them to be blocked OR if the DDOS is triggering a lot of CPU, Memory, Disk from SSH processing an invalid user.
Grabbing a random hour from yesterday shows 63 Invalid user attempts in an hour.
So these are happening slowly, so my current IPTables is not catching them. So I think Fail2Ban is really the only option...
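As an added illustration of the mechanism the request describes (counting "Invalid user" lines per source IP and handing the offenders to iptables), not code from fail2ban, Flatcar or this issue: a minimal Python sketch of fail2ban's maxretry/findtime window over constructed sshd log lines. The log lines, IPs, timestamps and the 10/5 minute windows are made up for the example; the rule string mirrors fail2ban's default iptables action.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the issue). 203.0.113.7 probes
# roughly every four minutes, the kind of slow scan the reporter describes.
SAMPLE_LOG = """\
2024-05-01T10:00:05 host sshd[1201]: Invalid user admin from 203.0.113.7 port 51234
2024-05-01T10:04:10 host sshd[1202]: Invalid user oracle from 203.0.113.7 port 51240
2024-05-01T10:08:15 host sshd[1203]: Invalid user test from 203.0.113.7 port 51251
2024-05-01T10:12:20 host sshd[1204]: Invalid user git from 203.0.113.7 port 51260
2024-05-01T10:12:21 host sshd[1205]: Invalid user pi from 198.51.100.9 port 40001
2024-05-01T10:15:00 host sshd[1206]: Accepted publickey for core from 192.0.2.10 port 50022
"""

# Simplified stand-in for fail2ban's sshd "Invalid user" failregex.
INVALID_USER = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)")

def parse_failures(log_text):
    """Return (timestamp, ip) for every line that matches the failregex."""
    hits = []
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            hits.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return hits

def ips_to_ban(failures, maxretry=3, findtime_minutes=10):
    """Ban an IP once it has maxretry failures inside any findtime window
    (the same two knobs fail2ban's jail.conf exposes)."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in sorted(failures):
        # keep only the failures still inside the sliding window
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned

def iptables_rules(banned, jail="sshd"):
    """Render the rule fail2ban's default iptables action inserts per ban."""
    return [f"iptables -I f2b-{jail} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"
            for ip in sorted(banned)]

if __name__ == "__main__":
    for rule in iptables_rules(ips_to_ban(parse_failures(SAMPLE_LOG))):
        print(rule)
```

Running the block prints the single reject rule for 203.0.113.7; with findtime_minutes=5 the same attempts produce no ban, which is why a scan spread out over time needs a wider window than a plain per-minute rate limit gives.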