Fail2Ban is intrusion prevention software that shields your server against malicious activity by scanning log files and banning IPs that exhibit suspicious behaviour. Fail2Ban’s operation relies on three main components: Jails, Filters, and Actions.

So how do you set this up to protect a service running inside Docker?

Fail2Ban-with-Vaultwarden-and-Docker

First we need to understand Jails, Filters, and Actions.

Jails: A jail is essentially an instance of Fail2Ban that applies to a specific service or application. Each jail utilizes a filter to scan specified logs for suspicious activity and an action to execute when such behavior is detected.

Filters: These are sets of rules that Fail2Ban uses to scan logs for malicious patterns. The filter determines what Fail2Ban perceives as an attack. For instance, repeated failed login attempts within a specified timeframe could be seen as a potential threat.

Actions: Once Fail2Ban identifies a threat based on the filter, it executes a specified action. Typically, this action involves banning the offending IP for a specific period, hence mitigating the threat.

Now, let’s apply this knowledge in creating a custom setup for Vaultwarden logs using Fail2Ban.

Step 1: Create a Custom Action

First, you need to create an action. An action defines the commands or applications that Fail2Ban should run in response to a detected threat. For this setup, you will create an action that modifies the iptables firewall rules.

Important Note on Docker Networking: When a service runs in a Docker container, we use the FORWARD chain instead of the traditional INPUT chain. Docker publishes container ports with NAT (DNAT) rules, so a packet destined for the container is not delivered to a local process on the host; it is forwarded to the container’s network namespace and therefore traverses the FORWARD chain, never INPUT. For non-Docker setups (services running directly on the host), you would use the INPUT chain instead.

Here’s how you can create the file /etc/fail2ban/action.d/iptables-forward.conf for your action:

[INCLUDES]
before = iptables-common.conf

[Definition]
# Create the f2b-<name> chain (f2b-vaultwarden for this jail) and hook it into the
# <chain> chain (FORWARD, set in [Init] below). New bans are inserted at the top of
# the chain; unmatched packets fall through to <returntype> (RETURN).
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -j f2b-<name>

# Unhook the f2b-<name> chain from <chain>, flush its rules and delete it
actionstop = <iptables> -D <chain> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Verify that the jump to f2b-<name> is still present in <chain>
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Ban: insert a rule at position 1 of f2b-<name> that drops/rejects (<blocktype>) the IP
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Unban: delete that rule again
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
# Variables used in the action
# The default chain in iptables-common.conf is INPUT, but we use FORWARD for Docker
# because Docker manages container networking through the FORWARD chain via NAT
# For non-Docker setups, you would change this to: chain = INPUT
chain = FORWARD

Step 2: Set Up a Jail File

Next, you need to set up a jail file, /etc/fail2ban/jail.d/vaultwarden.local, which specifies the filter and action to use, the log file to monitor, and other configurations.

[vaultwarden]
enabled = true
filter = vaultwarden
banaction = %(banaction_forward)s
logpath = /path/to/log-file/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

Step 3: Add the Ban Action to jail.local

Add the ban action to the [DEFAULT] section of your jail.local file. This step tells Fail2Ban to use your custom action for the Vaultwarden jail:

banaction_forward = iptables-forward

Step 4: Create a Custom Filter

Now, create a custom filter that parses the Vaultwarden log for failed logins. The filter matches the log line Vaultwarden writes for an incorrect username or password and captures the offending IP with the <ADDR> tag.

Create the file /etc/fail2ban/filter.d/vaultwarden.conf with these contents:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
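To see what the jail in Step 2 and the filter above actually do before you restart Fail2Ban, here is an added Python example (not part of the original post and not Fail2Ban’s own code) that applies the same failregex and the jail’s maxretry/findtime rule to a few constructed Vaultwarden log lines. The expansion of the <ADDR> tag is a simplified IPv4/IPv6 pattern assumed for the example; Fail2Ban’s real expansion is broader. The log line format (a bracketed timestamp followed by module and level) is Vaultwarden’s usual layout, but the lines themselves are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2Ban's <ADDR> expansion (IPv4 or IPv6 literal).
# Assumption for this example; Fail2Ban's real pattern also handles hostnames etc.
ADDR_PATTERN = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)"

# failregex from /etc/fail2ban/filter.d/vaultwarden.conf, exactly as on the page
FAILREGEX = r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"

# Vaultwarden prefixes each line with "[YYYY-MM-DD HH:MM:SS.mmm]"; used to order failures
TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\]")


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute the <ADDR> tag, as Fail2Ban does, and compile the result."""
    return re.compile(failregex.replace("<ADDR>", ADDR_PATTERN))


FAIL_RE = compile_failregex(FAILREGEX)


def parse_failure(line: str):
    """Return (timestamp, ip) for a line the filter counts as a failure, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = TIMESTAMP_RE.match(line)
    if not ts:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("addr")


def find_bans(lines, maxretry=3, findtime=14400):
    """Apply the jail rule: ban an IP once it has `maxretry` failures inside any
    `findtime`-second window (defaults match the jail on the page). Returns {ip: ban time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue  # already banned; further lines from it are irrelevant here
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample log: 203.0.113.7 fails three times in three minutes (banned),
# 198.51.100.22 fails three times spread over five hours (never three inside 4 h),
# one unrelated INFO line, and one IPv6 client with a single failure.
SAMPLE_LOG = """\
[2024-03-01 10:00:05.101][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-03-01 10:00:09.440][request][INFO] (login) POST /identity/connect/token
[2024-03-01 10:01:12.002][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: alice@example.com.
[2024-03-01 10:02:44.870][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: admin@example.com.
[2024-03-01 11:00:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.22. Username: bob@example.com.
[2024-03-01 13:30:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.22. Username: bob@example.com.
[2024-03-01 16:00:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.22. Username: bob@example.com.
[2024-03-01 16:05:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::1. Username: carol@example.com.
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

The second client shows why findtime matters: three failures spread over five hours never put three inside the 14400-second window, so it is not banned unless findtime is raised. Against a real log you would run the equivalent check with fail2ban-regex /path/to/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.conf, which reports how many lines the filter matched.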

Step 5: Restart Your Fail2Ban Service

Finally, restart your Fail2Ban service to apply all these changes:

sudo systemctl restart fail2ban

Additional Considerations

  • Docker Compose Networks: If you’re using Docker Compose with custom networks, ensure your iptables rules account for the specific network interfaces Docker creates.
  • Log Rotation: Ensure your Vaultwarden logs are properly rotated to prevent disk space issues.
  • Testing: After setup, test your configuration by intentionally triggering failed login attempts from a test IP to verify the banning works correctly.

Troubleshooting

If bans aren’t working as expected, check:

  • sudo fail2ban-client status vaultwarden to see jail status
  • sudo iptables -L f2b-vaultwarden -v -n to verify rules are being added
  • Ensure the log path in your jail configuration matches your actual Vaultwarden log location

That’s it! Your Fail2Ban service is now all set to monitor and protect your Vaultwarden service from potential threats. Remember, the strength of Fail2Ban lies in its flexibility to cater to any service, and this Docker-specific configuration ensures proper integration with containerized environments.
