Block IPs on all ports with fail2ban on a docker host

Mathias Stjernstrom — Thu, 29 Oct 2020 19:41:33 +0000

Playing around with fail2ban on a local docker host I found that when blocking a host, all docker containers with open ports where still accessible.

I tried several different ways of getting the IP block to really block everything.

This is some notes from the steps I took to solve the problem.

Update your package lists

apt update

Install fail2ban

apt install fail2ban

We do not edit the default jail.conf since it can be overwritten by updates. So we create a new config for fail2ban.

vim /etc/fail2ban/jail.local

For this simple demonstration we are going to block all failed attempt over SSH. And we want to block the remote IP for 600s, for all services and ports.

[sshd]
ignoreip = 127.0.0.1
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime  = 600
findtime = 600
action = iptables-allports[actname=sshd,name=sshd,protocol=all]
         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

The trick was to setup two actions. One for the normal chain/traffic and one for dockers CHAIN.

Doing this block sessions not only to the host but also all containers.

DEV Community: Mathias Stjernstrom

Block IPs on all ports with fail2ban on a docker host