Hi n3phr0n,
Thank you for your answer. The reason I'm using fail2ban is that
fail2ban is already in place to monitor a number of other services, so
it makes it easier for me to have a single tool taking care of all this
stuff.
With respect to my issue, I mean that there are (presumably) script
kiddies trying to gain access to the server. With my regular SSH server,
on the host machine, fail2ban detects the offending IPs, bans them, and
all works as expected. However, with the docker-contained SSH, although
fail2ban detects the offending IPs, it seems these IPs are added to the
wrong chain. In other words, I direct fail2ban to create the chain under
DOCKER-USER, and I might have to create that chain somewhere else.
The way I see the issue is: after the connection has been received by
the host, on port 22, that connection is forwarded to the container, to
port 22. If this is correct, my configuration (creating the chain
f2b-sshd_docker in FORWARD->DOCKER-USER) should suffice... but that is
not the case: after an IP has been added to the chain f2b-sshd_docker,
the connections from that IP can still reach the containerized SSH.
Is there any way I can "simulate" a connection from outside, so that
I can see which chains it is going through?
Thank you,
Felix
---
Felix Rubio
"Don't believe what you're told. Double check."
On 2019-03-20 10:31, n3phr0n wrote:
Hey Felix,
Never used fail2ban before.
For banning only SSH connections, nftables + fail2ban is like a hammer
for a thumbtack.
Using Denyhosts [1] is much easier, as it only blacklists the hosts by
adding them to /etc/hosts.deny.
Back to your mail: you lacked a lot of information. What do you mean by
strange connections? Could you provide a netstat output, fail2ban
config, stuff like that... People do not anticipate stuff like this...
[1] https://github.com/denyhosts/denyhosts
On 3/20/19 7:22 AM, Felix Rubio Dalmau wrote:
Hi all,
Nobody can give me a hand?? :-/ I sent this mail ~10 days ago, and...
nobody with a hint? :-(
I have a configuration based on fail2ban. I am running a container that
runs an SSH service, and I am seeing a lot of "strange" connections. I
have set docker to send the log of the container to Systemd's journal,
and I am using it as a source for fail2ban. With the following
configuration for iptables, the connections (although being banned)
still succeed. Can it be that I should have the chain f2b-sshd_docker
somewhere else?
Thank you very much for any help you can provide (and for your time).
Regards,
Felix
# iptables -t filter --list
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
[....]
Chain DOCKER-USER (1 references)
target prot opt source destination
f2b-sshd_docker tcp -- anywhere anywhere multiport dports ssh
[....]
Chain f2b-sshd_docker (1 references)
target prot opt source destination
REJECT all -- 96.9.168.71 anywhere reject-with icmp-port-unreachable
REJECT all -- 94.96.68.78 anywhere reject-with icmp-port-unreachable
[....]
# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
[....]
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:ssh
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere localhost tcp dpt:13000 to:172.17.0.2:3000
DNAT tcp -- anywhere anywhere tcp dpt:ssh to:172.17.0.2:22
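The question Felix asks in his reply ("is there any way I can simulate a connection from outside, so that I can see which chains it is going through?") and the original post's doubt about where f2b-sshd_docker should live both come down to the same diagnostic: find out which filter chains a packet for the forwarded port actually traverses. The script below is an added example written for this thread; it is not code from the thread, from fail2ban or from Docker. It uses the chain names from the listing above, the documentation address 203.0.113.5 as a placeholder for the outside test machine, and the iptables TRACE target in the raw table. The two snapshot files in the demo are constructed sample data chosen to show what a rule-ordering problem looks like in the output (a rule earlier in DOCKER-USER returning before the fail2ban jump is reached); they are not a claim about Felix's host.

```shell
#!/bin/sh
# Added diagnostic example for this thread (not code from the thread or from
# fail2ban/Docker). Two ways to see which chains an external SSH connection
# actually crosses on the Docker host, using the chain names from the listing.
# Placeholder address 203.0.113.5 stands for the outside test machine.

CHAINS="FORWARD DOCKER-USER f2b-sshd_docker"

# Approach 1: per-rule packet counters. Print "chain rule-number packets target"
# for every rule in the chains above (needs root). Column layout of
# `iptables -L -v -n -x --line-numbers` is: num pkts bytes target prot ...
snapshot_counters() {
    for c in $CHAINS; do
        iptables -t filter -L "$c" -v -n -x --line-numbers 2>/dev/null |
            awk -v chain="$c" '$1 ~ /^[0-9]+$/ { print chain, $1, $2, $4 }'
    done
}

# Compare two snapshot files (before, after) and print the rules whose packet
# counter grew. A rule that never increments across a connection attempt was
# not on the packet's path, whatever the listing suggests.
report_hits() {
    awk 'NR == FNR { before[$1 " " $2] = $3; next }
         {
             key = $1 " " $2; delta = $3 - before[key]
             if (delta > 0)
                 printf "%s rule %s (%s): +%d packets\n", $1, $2, $4, delta
         }' "$1" "$2"
}

# Approach 2: kernel packet tracing. The raw-table TRACE target marks matching
# packets so that every chain and rule they pass is logged: on iptables-legacy
# the lines land in the kernel log (dmesg / journalctl -k, prefixed "TRACE:"),
# on iptables-nft they are shown by `nft monitor trace`. Remove the rule again
# as soon as the test connection is done; it is verbose.
trace_on()  { iptables -t raw -I PREROUTING -s "$1" -p tcp --dport 22 -j TRACE; }
trace_off() { iptables -t raw -D PREROUTING -s "$1" -p tcp --dport 22 -j TRACE; }

# Live use, as root, with the ssh attempt made FROM the outside machine:
#   snapshot_counters > /tmp/before   # then: ssh attempt from 203.0.113.5
#   snapshot_counters > /tmp/after
#   report_hits /tmp/before /tmp/after
#
# Offline demonstration with two constructed snapshots: the FORWARD jump and a
# RETURN rule sitting first in DOCKER-USER saw the packets, the jump to
# f2b-sshd_docker behind it never did, so the REJECT there could not fire.
demo() {
    before=$(mktemp); after=$(mktemp)
    cat > "$before" <<'EOF'
FORWARD 1 100 DOCKER-USER
DOCKER-USER 1 7 RETURN
DOCKER-USER 2 0 f2b-sshd_docker
f2b-sshd_docker 1 0 REJECT
EOF
    cat > "$after" <<'EOF'
FORWARD 1 103 DOCKER-USER
DOCKER-USER 1 10 RETURN
DOCKER-USER 2 0 f2b-sshd_docker
f2b-sshd_docker 1 0 REJECT
EOF
    report_hits "$before" "$after"
    rm -f "$before" "$after"
}
demo
```

Two caveats when running this for real. The test connection has to originate on another machine: a connection started on the Docker host itself to its own port 22 is DNAT'ed in the nat OUTPUT chain and then leaves through the filter OUTPUT chain, so it never touches FORWARD or DOCKER-USER and proves nothing about the path external clients take. And because the DNAT in nat PREROUTING runs before the filter table, the FORWARD/DOCKER-USER rules see the packet with destination 172.17.0.2:22, not the host address; with this listing the port is still 22, so the `multiport dports ssh` match remains valid, but a mapping to a different container port would not be caught by a rule written for the public port.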