Update fail2ban faq doc

master
Tobias Käfer 3 years ago
parent 855f3b065b
commit e274ee762f

@ -664,6 +664,8 @@ The above will block flagged IPs for a week, you can of course change it to you
The above will block flagged IPs for a week, you can of course change it to you needs. The above will block flagged IPs for a week, you can of course change it to you needs.
7. Add the /etc/fail2ban/action.d/docker-action.conf 7. Add the /etc/fail2ban/action.d/docker-action.conf
Option 1: Use plain iptables
.. code-block:: bash .. code-block:: bash
@ -685,6 +687,33 @@ The above will block flagged IPs for a week, you can of course change it to you
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/ Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
Option 2: Use ipset together with iptables
IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
See ipset homepage for details on ipset, https://ipset.netfilter.org/.
ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules.
There is just one rule for the bad authentications and the IPs are within the ipset.
Specially in larger setups with a high amount of brute force attacks this comes in handy.
Using iptables with ipset might reduce the system load in such attacks significantly.
.. code-block:: bash
[Definition]
actionstart = actionstart = ipset --create f2b-bad-auth iphash
iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP
actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -m set --match-set f2b-bad-auth src -j DROP
ipset --destroy f2b-bad-auth
actionban = ipset --test f2b-bad-auth <ip> || ipset --add f2b-bad-auth <ip>
actionunban = ipset --test f2b-bad-auth <ip> && ipset --del f2b-bad-auth <ip>
Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
8. Configure and restart the Fail2Ban service 8. Configure and restart the Fail2Ban service
Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration. Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

Loading…
Cancel
Save