RancherOS support? #25

Closed
vitobotta opened this issue Jun 15, 2019 · 3 comments

Comments

@vitobotta

Hi! This is not really a bug report so I hope it's OK if I ask a question here. I am looking to use RancherOS both for the Rancher management platform and for my Kubernetes hosts. Since everything in RancherOS runs as a container - including system services - I was looking for how to use fail2ban as a container, and found this repo. Has anyone tried docker-fail2ban with RancherOS? Does it work?

Thanks a lot in advance for your help!

@cryptoDevTrader

I was able to get it working for sshd on RancherOS using the following `docker-compose.yml`. Note the `F2B_LOG_LEVEL` env is optional.

```yaml
version: '3'
services:
  fail2ban:
    image: crazymax/fail2ban
    restart: always
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      F2B_LOG_LEVEL: DEBUG
    volumes:
      - ./data:/data
      - /var/log:/var/log:ro
```

The contents of `./data/jail.d/sshd.conf` are as follows. Note that the only thing changed from the example is `logpath`.

```ini
[sshd]
enabled = true
chain = INPUT
port = ssh
filter = sshd[mode=aggressive]
logpath = /var/log/messages
maxretry = 5
```

After IPs are banned, you should see some data when running `sudo iptables -L f2b-sshd` from the host, like so:

```
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  218.92.0.246         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  112.85.42.174        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
```

One thing I do find odd are DEBUG logs like these. It would be interesting to know if this is resolvable or if it has any negative impact.

```
2020-11-22 01:05:46,903 fail2ban.filterpyinotif [1]: DEBUG   Event queue size: 16
2020-11-22 01:05:46,904 fail2ban.filterpyinotif [1]: DEBUG   <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
```
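
An added example, not part of the comment above or of the docker-fail2ban project: a shell check for the `iptables` chain listing shown in that comment. It reads the listing from stdin, prints the banned sources, and confirms the chain is referenced, since a chain with 0 references is never traversed and its bans have no effect. The function names and the sample listing (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a fail2ban chain listing read from stdin.
# Real use on the host (-n avoids reverse-DNS lookups in the source column):
#   out=$(sudo iptables -n -L f2b-sshd)
#   printf '%s\n' "$out" | f2b_chain_referenced || echo "chain not hooked in"
#   printf '%s\n' "$out" | f2b_banned

# Print one banned source per line (REJECT or DROP rules only).
f2b_banned() {
    awk '
        $1 == "Chain" || $1 == "target" { next }   # title and column header
        ($1 == "REJECT" || $1 == "DROP") &&
            $4 != "anywhere" && $4 != "0.0.0.0/0" { print $4 }
    '
}

# Exit 0 only if the "Chain NAME (N references)" line reports N > 0,
# i.e. some rule (here one in INPUT, per "chain = INPUT") jumps to the chain.
f2b_chain_referenced() {
    awk '
        $1 == "Chain" {
            n = $3                      # looks like "(1"
            gsub(/[^0-9]/, "", n)
            found = 1
            refs = n + 0
        }
        END { exit ((found && refs > 0) ? 0 : 1) }
    '
}

# Constructed sample listing in the format of `iptables -n -L f2b-sshd`.
f2b_sample() {
    cat <<'EOF'
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Demo on the constructed sample.
f2b_sample | f2b_banned
```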

@vitobotta
Author

Hi @divThis, RancherOS is being deprecated and there won't be any further development according to Rancher, so I would recommend against using it. :)

@stale

stale bot commented Mar 16, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the status/stale label Mar 16, 2021
@stale stale bot closed this as completed Mar 24, 2021