Secure server with Fail2ban and Docker

logging docker fail2ban
chadyred picture chadyred · Jun 23, 2016 · Viewed 9.2k times · Source

I use nginx in a docker container and I can easily share my log file on my nginx docker container with host. The log are on it and work on /var/log/nginx folder.

I have install fail2ban on host to check logs files, particulary access.log.

I test a simple filter 

# Fail2Ban configuration file
# Author: Miniwark

[Definition]
failregex = ^<HOST> .*"GET .*w00tw00t
# try to access to admin directory
            ^<HOST> .*"GET .*admin.* 403
            ^<HOST> .*"GET .*admin.* 404
# try to access to install directory
            ^<HOST> .*"GET .*install.* 404
# try to access to phpmyadmin
            ^<HOST> .*"GET .*dbadmin.* 404
            ^<HOST> .*"GET .*myadmin.* 404
            ^<HOST> .*"GET .*MyAdmin.* 404
            ^<HOST> .*"GET .*mysql.* 404
            ^<HOST> .*"GET .*websql.* 404
            ^<HOST> .*"GET \/pma\/.* 404
# try to access to wordpress (we use another CMS)
            ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404
# try to access to typo3 (we use another CMS)
            ^<HOST> .*"GET .*typo3.* 404
# try to access to tomcat (we do not use it)      
            ^<HOST> .*"HEAD .*manager.* 404
# try to access various strange scripts and malwares
            ^<HOST> .*"HEAD .*blackcat.* 404
            ^<HOST> .*"HEAD .*sprawdza.php.* 404

ignoreregex =

And I active it easily in /etc/fail2ban/jail.local

[nginx-nokiddies]
# ban script kiddies
enabled  = true
port     = http,https
filter   = nginx-nokiddies
logpath  = /var/log/nginx*/*access.log
maxretry = 1

I restart/stop/start/reload fail2ban service. Then I test this regex with 

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nokiddies.conf

It match thousands of line, especially with any admin request.

The main problem is fail2ban not working automatically, so doesn't send mail as before. Indeed, it works perfectly when I use an nginx install directly on host.

The log are in the basic format, call 'combined' formats like this : 

log_format combined '$remote_addr - $remote_user [$time_local]  '
            '"$request" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent"';

No permissions problem because my nginx container and its children are full permissions (777) to be sure, I change it after of course !

Why fail2ban process not ban ip and not match anything with docker ?

Answer

uLan picture uLan · Aug 29, 2017

You could install fail2ban on the host then map the access log file from the nginx container to your host. Something like docker run -v /path/in/host:/var/log/nginx/access.log nginx. Then in fail2ban just reference that file.

Related questions

Where is the Docker daemon log?

Where is the Docker daemon log? Oddly cannot find an answer to this via man, StackOverflow or Docker Docs. Note I am not asking for the docker container STDOUT, but the daemon log for troubleshooting communications between the client and …

Read More
How to redirect docker container logs to a single file?

I want to redirect all the logs of my docker container to single log file to analyse them. I tried docker logs container > /tmp/stdout.log 2>/tmp/stderr.log but this gives log in two different file. I …

Read More
Redirecting command output in docker

I want to do some simple logging for my server which is a small Flask app running in a Docker container. Here is the Dockerfile # Dockerfile FROM dreen/flask MAINTAINER dreen WORKDIR /srv # Get source RUN mkdir -p /srv COPY …

Read More