Secure server with Fail2ban and Docker
You could install fail2ban on the host then map the access log file from the nginx container to your host. Something like docker run -v /path/in/host:/var/log/nginx/access.log nginx
. Then in fail2ban just reference that file.
Comments
-
chadyred almost 2 years
I use nginx in a docker container and I can easily share my log file on my nginx docker container with host. The log are on it and work on
/var/log/nginx
folder.I have install fail2ban on host to check logs files, particulary
access.log
.I test a simple filter
# Fail2Ban configuration file # Author: Miniwark [Definition] failregex = ^<HOST> .*"GET .*w00tw00t # try to access to admin directory ^<HOST> .*"GET .*admin.* 403 ^<HOST> .*"GET .*admin.* 404 # try to access to install directory ^<HOST> .*"GET .*install.* 404 # try to access to phpmyadmin ^<HOST> .*"GET .*dbadmin.* 404 ^<HOST> .*"GET .*myadmin.* 404 ^<HOST> .*"GET .*MyAdmin.* 404 ^<HOST> .*"GET .*mysql.* 404 ^<HOST> .*"GET .*websql.* 404 ^<HOST> .*"GET \/pma\/.* 404 # try to access to wordpress (we use another CMS) ^<HOST> .*"GET .*wp-content.* 404 ^<HOST> .*"GET .*wp-login.* 404 # try to access to typo3 (we use another CMS) ^<HOST> .*"GET .*typo3.* 404 # try to access to tomcat (we do not use it) ^<HOST> .*"HEAD .*manager.* 404 # try to access various strange scripts and malwares ^<HOST> .*"HEAD .*blackcat.* 404 ^<HOST> .*"HEAD .*sprawdza.php.* 404 ignoreregex =
And I active it easily in
/etc/fail2ban/jail.local
[nginx-nokiddies] # ban script kiddies enabled = true port = http,https filter = nginx-nokiddies logpath = /var/log/nginx*/*access.log maxretry = 1
I restart/stop/start/reload fail2ban service. Then I test this regex with
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nokiddies.conf
It match thousands of line, especially with any admin request.
The main problem is fail2ban not working automatically, so doesn't send mail as before. Indeed, it works perfectly when I use an nginx install directly on host.
The log are in the basic format, call 'combined' formats like this :
log_format combined '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"';
No permissions problem because my nginx container and its children are full permissions (777) to be sure, I change it after of course !
Why fail2ban process not ban ip and not match anything with docker ?