Docker fail2ban chain configuration not taking effect (Docker fail2ban chain 配置无效问题)

source link: https://i.lckiss.com/?p=8401

2023-12-27

When I set up fail2ban at the start of the year I never verified the result; I assumed that as long as the IP was banned everything was fine, and silently put up with another year of brute-forcing. Taking SSH access as the example:

If the log fail2ban analyzes comes from the host itself, i.e. the service has nothing to do with Docker and its traffic is not forwarded by Docker, use the INPUT chain.

[sshd]
enabled = true
chain = INPUT

If the log fail2ban analyzes comes from a container, i.e. the traffic is DNATed by Docker and forwarded to the container, use the DOCKER-USER chain.

[x-ssh-access]
enabled = true
chain = DOCKER-USER

The reason the ban has no effect is simple: it is the relationship between INPUT and FORWARD. A packet for a published container port is DNATed in nat/PREROUTING, and the routing decision then sends it through filter/FORWARD, never through filter/INPUT, so a f2b-* jump hooked into INPUT never sees it. DOCKER-USER is the first rule Docker places in FORWARD, evaluated before Docker's own ACCEPT rules, which is why bans inserted there do take effect:

                               XXXXXXXXXXXXXXXXXX
                             XXX     Network    XXX
                               XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
****************                                           +------+-------+
Routing decision                                                  |
****************                                                  |
       |                                                          |
       v                        ****************                  |
+-------------+       +------>  Routing decision  <---------------+
|table: nat   |       |         ****************
|chain: OUTPUT|       |               +
+-----+-------+       |               |
      |               |               v
      v               |      +-------------------+
+--------------+      |      | table: nat        |
|table: filter | +----+      | chain: POSTROUTING|
|chain: OUTPUT |             +--------+----------+
+--------------+                      |
                                      v
                               XXXXXXXXXXXXXXXXXX
                             XXX    Network     XXX
                               XXXXXXXXXXXXXXXXXX

After reconfiguring fail2ban, the structure shown by iptables -L should look like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-sshd   tcp  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

// ...

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
f2b-http-error  tcp  --  anywhere             anywhere            
f2b-x-ssh-access  tcp  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
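The listing above has to be read by hand; as an added example (not code from the original post, nor from fail2ban or Docker), the POSIX shell check below parses `iptables -L` output and reports, for every f2b-* jump, which parent chain it lives in and whether it sits behind a RETURN in that chain (a jump appended with `-A` after DOCKER-USER's RETURN is never reached). The sample table, the `f2b-late` chain and the function names are constructed for the demonstration; on a real host pipe the live `iptables -L -n` output into `f2b_audit` instead.

```shell
#!/bin/sh
# Added example, not part of the original post: check where fail2ban's
# ban chains are hooked in, from the text output of `iptables -L`.
# The parser reads that output on stdin so it can be exercised offline.

# Print one line per fail2ban jump rule:
#   <f2b chain> <parent chain> <ok|UNREACHABLE>
# A jump that comes after a RETURN in the same chain is dead code: the
# chain has already returned to its caller before the jump is evaluated.
f2b_chain_parents() {
    awk '
        /^Chain /       { parent = $2; returned = 0; next }
        $1 == "RETURN"  { returned = 1; next }
        $1 ~ /^f2b-/    { print $1, parent, (returned ? "UNREACHABLE" : "ok") }
    '
}

# Decide whether a jail is wired into the chain its packets actually traverse.
# $1 = parent chain reported above
# $2 = "host"      (log from a daemon on the host, traffic ends in INPUT)
#      "container" (traffic is DNATed and forwarded, ends in FORWARD/DOCKER-USER)
# Returns 0 if the ban rules sit on the packet path, 1 if they do not.
f2b_chain_ok() {
    case "$2" in
        host)      [ "$1" = "INPUT" ] ;;
        container) [ "$1" = "DOCKER-USER" ] ;;
        *)         return 2 ;;
    esac
}

# Print the report and fail if any fail2ban jump is unreachable.
f2b_audit() {
    report=$(f2b_chain_parents)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q UNREACHABLE
}

# Constructed sample in the format of `iptables -L` (addresses as the post
# shows them). f2b-late is a hypothetical jail whose jump was appended after
# DOCKER-USER's RETURN, so it can never ban anything.
SAMPLE_TABLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-x-ssh-access  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
f2b-late   tcp  --  anywhere             anywhere'

# Stand-alone demo on the constructed sample; on a host use:
#   iptables -L -n | f2b_audit || echo "fail2ban wiring needs attention"
printf '%s\n' "$SAMPLE_TABLE" | f2b_audit || echo "fail2ban wiring needs attention"
```

Once the report shows the expected parent chain, confirm the jail is actually banning with `fail2ban-client status <jail>` and `iptables -L DOCKER-USER -n`; a chain that is referenced but empty means the jail is wired in correctly but has not yet matched anything.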

https://github.com/crazy-max/docker-fail2ban#docker-user-and-input-chains

https://wiki.archlinux.org/title/Iptables

