Secure server with Fail2ban and Docker


You could install fail2ban on the host, then map the access log file from the nginx container to your host. Something like docker run -v /path/in/host:/var/log/nginx/access.log nginx. Then in fail2ban just reference that file.

Author: chadyred


Updated on June 09, 2022

Comments

  • chadyred (almost 2 years ago)

    I use nginx in a Docker container and I can easily share the log files of my nginx Docker container with the host. The logs are there, in the /var/log/nginx folder.

    I have installed fail2ban on the host to check the log files, particularly access.log.

    I tested a simple filter:

    # Fail2Ban configuration file
    # Author: Miniwark
    
    [Definition]
    failregex = ^<HOST> .*"GET .*w00tw00t
    # try to access to admin directory
                ^<HOST> .*"GET .*admin.* 403
                ^<HOST> .*"GET .*admin.* 404
    # try to access to install directory
                ^<HOST> .*"GET .*install.* 404
    # try to access to phpmyadmin
                ^<HOST> .*"GET .*dbadmin.* 404
                ^<HOST> .*"GET .*myadmin.* 404
                ^<HOST> .*"GET .*MyAdmin.* 404
                ^<HOST> .*"GET .*mysql.* 404
                ^<HOST> .*"GET .*websql.* 404
                ^<HOST> .*"GET \/pma\/.* 404
    # try to access to wordpress (we use another CMS)
                ^<HOST> .*"GET .*wp-content.* 404
                ^<HOST> .*"GET .*wp-login.* 404
    # try to access to typo3 (we use another CMS)
                ^<HOST> .*"GET .*typo3.* 404
    # try to access to tomcat (we do not use it)      
                ^<HOST> .*"HEAD .*manager.* 404
    # try to access various strange scripts and malwares
                ^<HOST> .*"HEAD .*blackcat.* 404
                ^<HOST> .*"HEAD .*sprawdza.php.* 404
    
    ignoreregex = 
    

    And I activate it easily in /etc/fail2ban/jail.local:

    [nginx-nokiddies]
    # ban script kiddies
    enabled  = true
    port     = http,https
    filter   = nginx-nokiddies
    logpath  = /var/log/nginx*/*access.log
    maxretry = 1
    

    I restart/stop/start/reload the fail2ban service. Then I test this regex with:

    fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nokiddies.conf
    

    It matches thousands of lines, especially with any admin request.

    The main problem is that fail2ban is not working automatically, so it doesn't send mail as before. Indeed, it works perfectly when I use an nginx installed directly on the host.

    The logs are in the basic format, called the 'combined' format, like this:

    log_format combined '$remote_addr - $remote_user [$time_local]  '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';
    

    No permissions problem, because my nginx container and its children have full permissions (777) to be sure; I will change that afterwards, of course!

    Why does the fail2ban process not ban IPs and not match anything with Docker?
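The following is an added example, not code from the original post, the answer, or fail2ban itself. It emulates what fail2ban does when it applies the nginx-nokiddies failregex lines above to a host-mounted access.log (the arrangement the answer suggests), run over a few constructed 'combined'-format lines with invented addresses and paths. It substitutes a simplified IPv4-only pattern for <HOST> (fail2ban's own substitution also accepts IPv6 addresses and hostnames), counts one failure per matching line, and compares the posted patterns with tightened variants that anchor the status code to the request field, because a pattern such as `.*admin.* 404` also matches a 200 response whose body happens to be 404 bytes long. The tightened patterns are this example's own, not part of the posted filter.

```python
import re
from collections import Counter

# Constructed sample in nginx's 'combined' format (invented addresses and paths, not the
# original poster's data). The fourth line is a 200 response whose body is 404 bytes long.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2022:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2022:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jun/2022:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.81.0"
198.51.100.9 - - [09/Jun/2022:10:00:04 +0000] "GET /admin/ HTTP/1.1" 200 404 "-" "curl/7.81.0"
192.0.2.33 - - [09/Jun/2022:10:00:05 +0000] "GET /admin/login HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

# failregex lines of the posted nginx-nokiddies filter, as they appear in the question.
LOOSE_FAILREGEX = [
    r'^<HOST> .*"GET .*w00tw00t',
    r'^<HOST> .*"GET .*admin.* 403',
    r'^<HOST> .*"GET .*admin.* 404',
    r'^<HOST> .*"GET .*install.* 404',
    r'^<HOST> .*"GET .*dbadmin.* 404',
    r'^<HOST> .*"GET .*myadmin.* 404',
    r'^<HOST> .*"GET .*MyAdmin.* 404',
    r'^<HOST> .*"GET .*mysql.* 404',
    r'^<HOST> .*"GET .*websql.* 404',
    r'^<HOST> .*"GET \/pma\/.* 404',
    r'^<HOST> .*"GET .*wp-content.* 404',
    r'^<HOST> .*"GET .*wp-login.* 404',
    r'^<HOST> .*"GET .*typo3.* 404',
    r'^<HOST> .*"HEAD .*manager.* 404',
    r'^<HOST> .*"HEAD .*blackcat.* 404',
    r'^<HOST> .*"HEAD .*sprawdza.php.* 404',
]

# Tightened variants (this example's own, not from the posted filter): the status code must
# directly follow the closing quote of the request field, so a body size of 404 cannot match.
STRICT_FAILREGEX = [
    r'^<HOST> .*"GET [^"]*w00tw00t',
    r'^<HOST> .*"GET [^"]*admin[^"]*" 40[34] ',
    r'^<HOST> .*"GET [^"]*(?:install|wp-content|wp-login|typo3)[^"]*" 404 ',
]

# Simplified stand-in for fail2ban's <HOST> substitution (assumption: IPv4 only; fail2ban's
# real pattern also accepts IPv6 addresses and hostnames).
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def compile_failregex(patterns):
    """Expand <HOST> the way a fail2ban filter does and compile each failregex line."""
    return [re.compile(p.replace('<HOST>', HOST_RE)) for p in patterns]


def scan(log_text, compiled):
    """Count failures per host: a line counts once, on the first failregex that matches it."""
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group('host')] += 1
                break
    return hits


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (the jail above uses maxretry = 1)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, patterns in (("posted filter", LOOSE_FAILREGEX),
                           ("tightened filter", STRICT_FAILREGEX)):
        hits = scan(SAMPLE_LOG, compile_failregex(patterns))
        print(f"{name}: hits={dict(hits)} ban={hosts_to_ban(hits, 1)}")
```

With the sample above the posted filter bans all three addresses, including the one that only fetched /admin/ successfully, while the tightened patterns ban just the two that received 403/404 responses. fail2ban-regex against the mounted file remains the authoritative check, since its <HOST> handling and date stripping differ from this stand-in. Matching is also only half of the Docker problem: the ban action must insert its rules where Docker-forwarded traffic is filtered (the DOCKER-USER chain, for example chain = DOCKER-USER in the jail) rather than only in INPUT, otherwise a rule on the host never sees the packets that Docker forwards to the container's published port.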