How to implement fail2ban with Traefik

docker traefik fail2ban
Seffyroff picture Seffyroff · Sep 1, 2018 · Viewed 10.5k times · Source

I'm interested in setting up fail2ban with my Traefik deployment. I found a gist that has some snippets in it, but I'm not clear on how to use them. Can anyone fill in the blanks please? Or, is there a better way to implement fail2ban style security with Traefik?

Answer

Devin B. picture Devin B. · Oct 12, 2018

I was able to accomplish this starting with the gist you posted. This is under the assumptions you have Traefik already working, want to block IPs that have HTTP Basic Auth failures, and ban them with iptables. There's a couple of pieces so let me start with the container configurations:

Traefik docker-compose.yaml

version: '2'
services:
  traefik:
    image: traefik:alpine
    volumes:
    - /apps/docker/traefik/traefik.toml:/traefik.toml:ro
    - /apps/docker/traefik/acme:/etc/traefik/acme
    - /var/log/traefik:/var/log
    ports:
    - 8080:8080/tcp
    - 80:80/tcp
    - 443:443/tcp
    command:
    - --web
    - --accessLog.filePath=/var/log/access.log
    - --accessLog.filters.statusCodes=400-499

You can see here I am writing the log file to /var/log/access.log and only getting access codes to 400-499. I am then mounting that file to my host /var/log/traefik:/var/log

Now for the fail2ban part, I am using a fail2ban docker container rather than installing on my host, but you could technically do it there too.

Fail2ban docker-compose.yaml

version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    network_mode: "host"
    cap_add:
    - NET_ADMIN
    - NET_RAW
    volumes:
    - /var/log:/var/log:ro
    - /apps/docker/fail2ban/data:/data

You can see I mount the /var/log directory into the fail2ban container as read only.

Fail2ban configuration

The /apps/docker/fail2ban/data/jail.d/traefik.conf file contains:

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

The /apps/docker/fail2ban/data/filter.d/traefik-auth.conf file contains:

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =

Extra

The default ban action is to ban via iptables. If you want to change that you can change the default banaction in the traefik.conf, for example:

[DEFAULT]
banaction = cloudflare

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

Actions are here: https://github.com/fail2ban/fail2ban/tree/0.11/config/action.d

If you need to modify one, copy the file to the /apps/docker/fail2ban/data/action.d directory and restart the container.

Related questions

How to redirect http to https with Traefik 2.0 and Docker Compose labels?

Please note that it is a Traefik V2 question. I had a solution on V1 but V2 is a total rewamp. This above is supposed to redirect http://whoami.mysite.com to https://whoami.mysite.com. The https is working …

Read More
Traefik Bad Gateway

I've got some strange issue. I have following setup: one docker-host running traefik as LB serving multiple sites. sites are most php/apache. HTTPS is managed by traefik. Each site is started using a docker-compose YAML containing the following: version: …

Read More
Traefik > "Bad gateway" (error 502) for some containers

I meet some problems using traefik with docker and I don't know why. With some containers, it's works like a charm and for other ones, I have an error when I try to access to these ones : Bad gateway (error 502). …

Read More