Why not just do permitlogin without-password, then they can connect
all they want and it will be a waste of time for them.

On Wed, 20 Mar 2019 07:57:42 -0400, Felix Rubio wrote:
>
> Hi n3phr0n,
>
> Thank you for your answer. The reason I'm using fail2ban is that
> fail2ban is already in place to monitor a number of other services,
> so it makes it easier for me to have a single tool taking care of
> all this stuff.
>
> With respect to my issue, I mean that there are (presumably) script
> kiddies trying to gain access to the server. With my regular SSH
> server, on the host machine, fail2ban detects the offending IPs,
> bans them, and all works as expected. However, with the
> docker-contained SSH, although fail2ban detects the offending IPs,
> it seems these IPs are added to the wrong chain. In other words, I
> direct fail2ban to create the chain under DOCKER-USER, and I might
> have to create that chain somewhere else.
>
> The way I see the issue is: after the connection has been received
> by the host, on port 22, that connection is forwarded to the
> container, to port 22. If this is correct, my configuration (so
> creating the chain f2b-sshd_docker in FORWARD->DOCKER-USER) should
> suffice... but that is not the case: after an IP has been added to
> the chain f2b-sshd_docker, the connections from that IP can still
> reach the containerized SSH.
>
> Is there any way I can "simulate" a connection from outside, so that
> I can see what chains it is going through?
>
> Thank you,
> Felix
>
> ---
> Felix Rubio
> "Don't believe what you're told. Double check."
>
> On 2019-03-20 10:31, n3phr0n wrote:
> > Hey Felix,
> >
> > never used fail2ban before.
> > For banning only SSH connection nftables + fail2ban is like a
> > hammer for a thumbtack..
> >
> > Using Denyhosts [1] is much easier as it only blacklists the hosts
> > by adding them to /etc/hosts.deny
> >
> > Back to your mail you lacked a lot of information. What do you mean
> > by strange connections? Could you provide a netstat output,
> > Fail2ban config, stuff like that... People do not anticipate stuff
> > like this...
> >
> > [1] https://github.com/denyhosts/denyhosts
> >
> > On 3/20/19 7:22 AM, Felix Rubio Dalmau wrote:
> >> Hi all,
> >>
> >> Nobody can give me a hand?? :-/ I sent this mail ~10 days ago,
> >> and... nobody with a hint? :-(
> >>
> >> I have a configuration based on fail2ban. I am running a container
> >> that runs an SSH service, and I am seeing a lot of "strange"
> >> connections. I have set docker to send the log of the container to
> >> Systemd's journal, and I am using it as a source for fail2ban.
> >> With the following configuration for iptables, the connections
> >> (although being banned) still succeed. Can it be that I should
> >> have the Chain f2b-sshd_docker somewhere else?
> >>
> >> Thank you very much for any help you can provide (and for your time).
> >>
> >> Regards,
> >> Felix
> >>
> >> # iptables -t filter --list
> >> Chain FORWARD (policy DROP)
> >> target           prot opt source         destination
> >> DOCKER-USER      all  --  anywhere       anywhere
> >> [....]
> >>
> >> Chain DOCKER-USER (1 references)
> >> target           prot opt source         destination
> >> f2b-sshd_docker  tcp  --  anywhere       anywhere      multiport dports ssh
> >> [....]
> >>
> >> Chain f2b-sshd_docker (1 references)
> >> target           prot opt source         destination
> >> REJECT           all  --  96.9.168.71    anywhere      reject-with icmp-port-unreachable
> >> REJECT           all  --  94.96.68.78    anywhere      reject-with icmp-port-unreachable
> >> [....]
> >>
> >> # iptables -t nat --list
> >> Chain PREROUTING (policy ACCEPT)
> >> target           prot opt source         destination
> >> [....]
> >> DOCKER           all  --  anywhere       anywhere      ADDRTYPE match dst-type LOCAL
> >>
> >> Chain POSTROUTING (policy ACCEPT)
> >> target           prot opt source         destination
> >> MASQUERADE       all  --  172.17.0.0/16  anywhere
> >> MASQUERADE       tcp  --  172.17.0.2     172.17.0.2    tcp dpt:ssh
> >>
> >> Chain DOCKER (2 references)
> >> target           prot opt source         destination
> >> RETURN           all  --  anywhere       anywhere
> >> DNAT             tcp  --  anywhere       localhost     tcp dpt:13000 to:172.17.0.2:3000
> >> DNAT             tcp  --  anywhere       anywhere      tcp dpt:ssh to:172.17.0.2:22
> >>

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici@xxxxxxxxxxxxxx
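
Added example, not part of any message in this thread: an offline walk of the filter-table chains a forwarded SSH packet would hit, for the "what chains is it going through" question. The rulesets are constructed (they differ only in rule order inside DOCKER-USER and are not claimed to be the poster's actual rules), and parse, matches, walk and trace are hypothetical helper names.

```python
import ipaddress

# Constructed rules in `iptables -S` syntax, modelled on the thread's filter listing.
# The FORWARD ACCEPT rule stands in for the Docker rules elided there as "[....]";
# 203.0.113.7 is a documentation address standing in for a banned client.
HEAD = ("-P FORWARD DROP\n-N DOCKER-USER\n-N f2b-sshd_docker\n-A FORWARD -j DOCKER-USER\n"
        "-A FORWARD -d 172.17.0.2/32 -p tcp --dport 22 -j ACCEPT\n"
        "-A f2b-sshd_docker -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable\n")
JUMP = "-A DOCKER-USER -p tcp -m multiport --dports 22 -j f2b-sshd_docker\n"
JUMP_FIRST = HEAD + JUMP + "-A DOCKER-USER -j RETURN\n"
JUMP_LAST = HEAD + "-A DOCKER-USER -j RETURN\n" + JUMP  # jump sits behind a RETURN

def parse(text):
    """Return ({chain: [rule options]}, {chain: policy}); each option takes one argument."""
    chains, policy = {}, {}
    for tok in filter(None, (line.split() for line in text.splitlines())):
        chains.setdefault(tok[1], [])
        if tok[0] == "-P":
            policy[tok[1]] = tok[2]
        elif tok[0] == "-A":
            chains[tok[1]].append(dict(zip(tok[2::2], tok[3::2])))
    return chains, policy

def matches(rule, pkt):
    """Compare source, destination, protocol and port; other options are ignored."""
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[opt]):
            return False
    ports = rule.get("--dports") or rule.get("--dport")
    return rule.get("-p", pkt["proto"]) == pkt["proto"] and (
        ports is None or str(pkt["dport"]) in ports.split(","))

def walk(chain, pkt, chains, path):
    for n, rule in enumerate(chains[chain], 1):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        path.append(f"{chain}#{n} -> {target}")
        if target == "RETURN":
            return None                      # resume in the calling chain
        verdict = walk(target, pkt, chains, path) if target in chains else target
        if verdict:
            return verdict
    return None

def trace(text, pkt, hook="FORWARD"):
    """Return (verdict, rules hit) for pkt entering the filter table at hook."""
    chains, policy = parse(text)
    path = []
    return walk(hook, pkt, chains, path) or "policy " + policy[hook], path
```

The packet passed to trace is described as the FORWARD hook sees it, that is, after the nat table's DNAT has rewritten the destination to the container address. On a live host, the kernel's own record of the chains a packet traverses comes from the TRACE target in the raw table.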