
About this guide
This step-by-step guide helps you install and configure Fail2ban on your server to stop brute-force attacks against SSH and WordPress logins.
How Fail2ban works was discussed in the previous post.
Introduction
Fail2ban is installed on the target environment (Ubuntu), while the container remains independent. However, to apply its filters Fail2ban must be able to read the container's log files.
The following example shows Fail2ban, the Docker host and a container on an Ubuntu server with iptables. Fail2ban monitors and protects SSH access to the Ubuntu server and HTTP access to the Docker container.

Install Fail2ban on Ubuntu
Installing Fail2ban on Ubuntu or Debian is straightforward:
sudo apt-get update
sudo apt-get install fail2ban
To test the installation type
service fail2ban status
Fail2ban configuration to prevent SSH brute force
SSH access is monitored immediately after Fail2ban is installed; the out-of-the-box settings are sufficient.
It is nevertheless recommended to white-list your own IP and to change the default ban time. So first create a new jail.local configuration file based on the default jail.conf.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After that, edit jail.local to white-list our IP (ignoreip) and to change the default ban time (bantime) to 7 days.
Fail2ban configuration to prevent WordPress brute force login
A new jail, filter and action are needed to monitor HTTP access to the Docker container.
Fail2ban jail
The filter and the action are referenced in the jail options. The log file of the Docker container to be monitored is located on the Docker host under "/var/lib/docker/containers/<CONTAINERID>/<CONTAINERID>-json.log".
We create a new [wplogin] jail with a custom filter and a custom action.
Fail2ban filter
The filter can contain any regular expressions that detect malicious log entries. As an example, the filter below matches attacks on WordPress wp-login.php.
Create a new filter file: nano /etc/fail2ban/filter.d/wplogin.conf
Fail2ban action
Unlike the out-of-the-box action, "actionban" and "actionunban" here do not touch the INPUT chain but the Docker FORWARD chain "DOCKER": traffic to a container is forwarded by the host rather than delivered to it locally, so a rule in INPUT would never see it.
Create a new action file: nano /etc/fail2ban/action.d/docker-action.conf
service fail2ban restart
fail2ban-client reload
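As an added illustration (not the post's own configuration files), the following Python script shows how the [wplogin] jail, filter and action fit together on Docker json-file log records: it unwraps each JSON record, applies a failregex-style pattern to the access-log payload, applies ignoreip, findtime and maxretry the way the jail would, and prints the iptables command the custom action would run against the jail chain instead of INPUT. The access-log format, the option values, the chain name f2b-wplogin, the addresses and the log records are constructed assumptions, and unwrapping the JSON before matching is a simplification of how Fail2ban matches the raw line.

```python
"""Simulate the [wplogin] jail over Docker json-file log records.

Added illustration, not configuration from the original post. Assumed:
the container's web server writes Apache/nginx-style access lines, Docker's
json-file driver wraps each as {"log": ..., "stream": ..., "time": ...},
and the jail uses the options below (7-day bantime as the post recommends).
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Jail options as they would appear in jail.local (assumed sample values).
IGNOREIP = ["127.0.0.1/8", "198.51.100.0/24"]  # whitelisted admin ranges (constructed)
BANTIME = 7 * 24 * 3600                       # 7 days, in seconds
FINDTIME = 600                                # failures must fall inside this window
MAXRETRY = 5
CHAIN = "f2b-wplogin"                         # per-jail chain the action hooks from DOCKER

# Counterpart of the filter's failregex; Fail2ban's <HOST> becomes a named group.
# Every POST to wp-login.php counts, so a legitimate login also adds to the tally.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*"'
)


def parse_time(value):
    """Docker writes RFC 3339 with nanoseconds; trim to microseconds for datetime."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$", value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_record(raw):
    """Unwrap one json-file record into (timestamp, access-log payload).

    Fail2ban matches the raw line; unwrapping first is a simplification that
    keeps the access-log regex readable.
    """
    rec = json.loads(raw)
    return parse_time(rec["time"]), rec["log"].rstrip("\n")


def is_ignored(host):
    """ignoreip check: addresses inside a whitelisted network are never banned."""
    addr = ip_address(host)
    return any(addr in ip_network(net, strict=False) for net in IGNOREIP)


def find_bans(lines):
    """Return {host: ban expiry} for hosts with MAXRETRY matches inside FINDTIME."""
    failures = defaultdict(list)  # host -> timestamps of matching lines
    bans = {}
    for raw in lines:
        ts, payload = parse_record(raw)
        m = FAILREGEX.match(payload)
        if not m:
            continue
        host = m.group("host")
        if is_ignored(host) or host in bans:
            continue
        window_start = ts - timedelta(seconds=FINDTIME)
        # Drop matches that fell out of the findtime window, then add this one.
        failures[host] = [t for t in failures[host] if t >= window_start] + [ts]
        if len(failures[host]) >= MAXRETRY:
            bans[host] = ts + timedelta(seconds=BANTIME)
    return bans


def ban_commands(bans):
    """The actionban each ban would trigger: the jail chain, not INPUT (not executed here)."""
    return [f"iptables -I {CHAIN} 1 -s {host} -j DROP" for host in sorted(bans)]


def record(host, offset, request, status=200):
    """Build one constructed json-file record in the shape Docker emits."""
    t = datetime(2020, 1, 10, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=offset)
    access = f'{host} - - [{t.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "{request}" {status} 3400'
    return json.dumps({"log": access + "\n", "stream": "stdout",
                       "time": t.strftime("%Y-%m-%dT%H:%M:%S") + ".000000000Z"})


# Constructed sample traffic (not from any real server):
#  203.0.113.10  five POSTs in 40 s          -> banned
#  198.51.100.7  six POSTs but whitelisted   -> ignored
#  192.0.2.33    five POSTs 200 s apart      -> never five inside FINDTIME
EVENTS = (
    [("203.0.113.10", s, "POST /wp-login.php HTTP/1.1") for s in (0, 10, 20, 30, 40)]
    + [("198.51.100.7", s, "POST /wp-login.php HTTP/1.1") for s in (5, 6, 7, 8, 9, 11)]
    + [("192.0.2.33", s, "POST /wp-login.php HTTP/1.1") for s in (0, 200, 400, 600, 800)]
    + [("203.0.113.10", 15, "GET /wp-login.php HTTP/1.1"), ("192.0.2.33", 50, "GET / HTTP/1.1")]
)
SAMPLE_LOG = [record(*e) for e in sorted(EVENTS, key=lambda e: e[1])]

if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for host, expiry in bans.items():
        print(f"ban {host} until {expiry.isoformat()}")
    print("\n".join(ban_commands(bans)))
```

Run it with python3 and only 203.0.113.10 is banned: the whitelisted address is skipped by the ignoreip check, and the host spreading its attempts 200 s apart never accumulates five inside the 600 s window. On the real host the equivalent check is the fail2ban-regex command from the table below, run against the container's json.log and filter.d/wplogin.conf.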
Fail2ban useful commands
Cmd | Description
---|---
service fail2ban restart | restart the fail2ban service (after editing the configuration)
fail2ban-client reload | reload the fail2ban configuration
fail2ban-client status | list the activated jails
fail2ban-client status <JAIL> (e.g. fail2ban-client status wplogin, fail2ban-client status sshd) | get the status of <JAIL> (number of unsuccessful attempts and list of banned IPs)
fail2ban-regex /var/lib/docker/containers/<CONTAINERID>/<CONTAINERID>-json.log /etc/fail2ban/filter.d/wplogin.conf | test the wplogin regex against the container log
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf | test the sshd regex against auth.log
fail2ban-regex "line" "failregex" | test a regex against a single line
fail2ban-client set <JAIL-NAME> unbanip <IP-ADDRESS> | manually unban an IP
fail2ban-client set <JAIL-NAME> banip <IP-ADDRESS> | manually ban an IP
tail -f /var/log/fail2ban.log | follow the fail2ban log
iptables -L --line-numbers | list blocked IPs with rule line numbers
iptables -D <Jail-Name> -s <IP-ADDRESS> -j DROP (Jail-Name = f2b-wplogin or f2b-sshd) | unban an IP by deleting its rule from the jail chain
fail2ban-server -b | start the fail2ban server in the background
docker inspect --format='{{.LogPath}}' $INSTANCE_ID | return the container's log file path
Conclusion
Installation and configuration are done. Fail2ban and Docker work well together.