Install and configure Fail2ban with Docker

Français Français

About this guide

This step-by-step guide exists to help you install and configure Fail2ban on your server to prevent hackers attack ( SSH and WordPress brute force attack ).

We discussed How fail2ban works on the previous post.

Introduction

Fail2ban is installed as part of the target environment(Ubuntu), the container remains independent. However, to interpret the filters Fail2ban must have access to the container log files.
The following example shows Fail2ban, Docker Host, and Container on an Ubuntu server with iptables. Fail2ban should monitor and protect the SSH accesses to the Ubuntu server and the HTTP accesses to the Docker container.

fail2ban docker iptables
fail2ban docker iptables

Install Fail2ban on Ubuntu

It is very easy to install Fail2ban for Ubuntu or Debian

sudo apt-get update
sudo apt-get install fail2ban

To test the installation type

service fail2ban status

Fail2ban configuration to prevent SSH brute force

After installing the SSH accesses are monitored immediately after the installation of Fail2ban. The out-of-the-box setting is sufficient.

But it’s recommended to white-list your IP and to edit the default ban time. So first create a new jail.local configuration file based from the default jail conf.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After that let’s edit the default configuration to  white-list our IP and to change the default ban time to 7 days.

Fail2ban configuration to prevent WordPress brute force login

A new jail, filter and action are needed to monitor HTTP access to the Docker container.

Fail2ban jail

Filters and action are referenced in the jail options. The log file for the Docker container to be monitored is located on the Docker host under “/var/lib/docker/containers/<CONTAINERID>/<CONTAINERID>-json.log”
We create a new [wplogin] jails with custom filter and custom action

Fail2ban filter

The filter can contain any regular expressions to detect malicious log entries. As an example, WordPress wp-login.php attacks are filtered out behind the list.

Create a new filter file: nano /etc/fail2ban/filter.d/wplogin.conf

Fail2ban action

Unlike the out-of-the-box action, “actionban” and “actionunban” do not affect the INPUT chain, but the docker FORWARD chain “DOCKER”.

Create a new action file: nano /etc/fail2ban/action.d/docker-action.conf

After reconfiguration, Fail2ban has to be started. Afterwards the new Jail is noticed and the Docker container is protected.
service fail2ban restart 
fail2ban-client reload

Fail2ban useful commands

Cmd
Description
service fail2ban restartrestart fail2ban service (after edit configuration)
fail2ban-client reloadrestart fail2ban client
fail2ban-client statusget list activated jail
fail2ban-client status <JAIL>
example: fail2ban-client status wplogin
example: fail2ban-client status sshd
get <JAIL> status (the number of unsuccessful attempts and the list of banned IPs)
fail2ban-regex /var/lib/docker/containers/<CONTAINERID>/<CONTAINERID>-json.log /etc/fail2ban/filter.d/wplogin.conftest regex wplogin
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conftest regex sshd
fail2ban-regex “line” “failregex”test regex
fail2ban-client set <JAIL-NAME> unbanip <IP-ADDRESS>manually unban IP
fail2ban-client  set <JAIL-NAME> banip <IP-ADDRESS>manually Ban IP
tail -f /var/log/fail2ban.logview fail2ban logs
iptables -L –line-numberslist IP blocked with line numbers
iptables -D <Jail-Name> -s <IP-ADDRESS> -j DROP
Example: Jail-Name =f2b-wplogin
Jail-Name =f2b-sshd
Unban IP
fail2ban-server -bstart fail2ban server
docker inspect –format='{{.LogPath}}’ $INSTANCE_IDreturn instance log file path

Conclusion

Installation and configuration are done. Fail2ban and Docker works well (grand sourire)