Fail2ban scans log files and bans IPs that show the malicious signs.
We are going to be using a prebuilt docker image by crazymax to facilitate the process. There are a lot of fail2ban configurations availabe on the internet, and you can even create your own, this guide provides the following features :
- SSH jail configuration
- Vaultwarden jail configuration
.
|-- data/
| |-- action.d/
| |-- db/
| |-- filter.d/
| | |-- bitwarden-admin.conf
| | |-- bitwarden-auth.conf
| `-- jail.d/
| |-- bitwarden-admin.conf
| |-- bitwarden.conf
| |-- sshd.conf
`-- docker-compose.yml
data/action.d
- a directory containing custom action configuration to execute when banning an IPdata/db
- a directory used to store fail2ban sqlite databasedata/filter.d
- a directory containing custom filter configuration used by a jail to match malicious signsdata/jail.d
- a directory containing custom jail configuration for your servicesdocker-compose.yml
- a docker-compose file, use to configure your application’s services
Please make sure that all the files and directories are present.
Links to the following docker-compose.yml and the corresponding .env.
- docker-compose.yml
version: '3' services: fail2ban: image: crazymax/fail2ban:latest container_name: fail2ban restart: unless-stopped volumes: - /var/log:/var/log:ro - ./data:/data environment: - TZ=${TZ} network_mode: "host" cap_add: - NET_ADMIN - NET_RAW labels: # Watchtower Update - "com.centurylinklabs.watchtower.enable=true"
- .env
TZ=Europe/Paris
We are gonna use /var/log
directory to parse log files.
The jail.d directory is provided with three examples.
-
sshd.conf : provides ssh protection, will ban any IP trying to bruteforce your ssh credentials, a must-have if you are still on port 22.
-
vaultwarden.conf : provides your vaultwarden password manager from bruteforce.
-
vaultwarden-admin : provides your vaultwarden admin dashboard from bruteforce.
You can find the vaultwarden filters in the filter.d directory. For example, in filter.d/vaultwarden-auth
you can find :
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =
This filter is using regex and will match any log that fails to connect to your vaultwarden vault. The log file that is parsed is /var/log/syslog
, redirection is provided with the docker-compose available in the vaultwarden guide.
Replace the environment variables in .env
with your own, then run :
sudo docker-compose up -d
The jails and filters configured are going to be active, you can now create as many as you want to protect your services.
The image is automatically updated with watchtower thanks to the following label :
# Watchtower Update
- "com.centurylinklabs.watchtower.enable=true"
Be careful not to get ban as the iptable action is pretty aggressive, you will not be able to SSH with the banned IP.
Docker volumes are globally backed up using borg-backup.