Re: Netfilter + fail2ban + SSH in docker.... I am doing something wrong

Hey Felix,

I have never used fail2ban before.
For banning only SSH connections, nftables + fail2ban is like a hammer for
a thumbtack.

Using Denyhosts [1] is much easier as it only blacklists the hosts by
adding them to /etc/hosts.deny

Back to your mail: it lacked a lot of information. What do you mean by
strange connections? Could you provide a netstat output, the fail2ban
config, stuff like that... People cannot anticipate stuff like this...

[1] https://github.com/denyhosts/denyhosts

On 3/20/19 7:22 AM, Felix Rubio Dalmau wrote:
> Hi all,
> 
> Nobody can give me a hand?? :-/ I sent this mail ~10 days ago, and... nobody with a hint? :-(
> 
> I have a configuration based on fail2ban. I am running a container that runs an SSH service, and I am seeing a lot of "strange" connections. I have set docker to send the log of the container to systemd's journal, and I am using it as the source for fail2ban. With the following iptables configuration, the connections (although being banned) still succeed. Can it be that I should have the chain f2b-sshd_docker somewhere else?
> 
> Thank you very much for any help you can provide (and for your time).
> 
> Regards,
> Felix
> 
> # iptables -t filter --list
> Chain FORWARD (policy DROP)
> target     prot opt   source               destination
> DOCKER-USER  all  --  anywhere             anywhere
> [....]
> 
> Chain DOCKER-USER (1 references)
> target     prot opt source            destination
> f2b-sshd_docker  tcp  --  anywhere    anywhere   multiport dports ssh
> [....]
> 
> Chain f2b-sshd_docker (1 references)
> target     prot opt source       destination
> REJECT     all  --  96.9.168.71  anywhere   reject-with icmp-port-unreachable
> REJECT     all  --  94.96.68.78  anywhere   reject-with icmp-port-unreachable
> [....]
> 
> # iptables -t nat --list
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> [....]
> DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  172.17.0.0/16        anywhere
> MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:ssh
> 
> Chain DOCKER (2 references)
> target     prot opt source               destination
> RETURN     all  --  anywhere             anywhere
> DNAT       tcp  --  anywhere             localhost            tcp dpt:13000 to:172.17.0.2:3000
> DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:172.17.0.2:22
> 
> 
> 
> 
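For reference, a fail2ban jail matching the setup Felix describes (container log read from the systemd journal, ban rules placed in Docker's DOCKER-USER chain rather than INPUT). This is an added example, not a config from the thread; the container name `sshd` and the jail name `sshd_docker` are assumptions.

```ini
# Added example, not from the thread. Assumed names: container "sshd",
# jail "sshd_docker" (fail2ban prefixes it to form chain f2b-sshd_docker).

[sshd_docker]
enabled      = true
filter       = sshd
port         = ssh

# Read log lines from the systemd journal instead of a file. Docker's
# journald log driver tags each entry with CONTAINER_NAME, so the match
# limits scanning to this one container's output.
backend      = systemd
journalmatch = CONTAINER_NAME=sshd

# Traffic to a published container port is DNATed in nat/PREROUTING and
# then traverses filter/FORWARD, never INPUT, so a ban inserted into the
# default INPUT chain would never see it. DOCKER-USER is the chain Docker
# reserves for local rules at the head of FORWARD, which is where the
# f2b-sshd_docker chain in the iptables listing above is referenced from.
chain        = DOCKER-USER
banaction    = iptables-multiport

maxretry     = 5
findtime     = 10m
bantime      = 1h
```

Because FORWARD sees the packet after DNAT, `port` must name the destination port as it appears after translation; here the published port and the container port are both 22, so `ssh` matches.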
