When I set up fail2ban at the start of the year I never verified the result; I assumed that as long as the IP was banned that was enough, and so I silently endured another year of brute-force attempts. Taking SSH access as the example:
If the log that fail2ban analyses comes from the host itself, i.e. it has nothing to do with Docker and is not forwarded by Docker, use the INPUT chain.
```ini
[sshd]
enabled = true
chain = INPUT
```
If the log that fail2ban analyses comes from a container, i.e. the access is forwarded by Docker to the container, use the DOCKER-USER chain.
```ini
[x-ssh-access]
enabled = true
chain = DOCKER-USER
```
The reason the ban was ineffective is simple: it comes down to the relationship between INPUT and FORWARD. Traffic forwarded to a container traverses the FORWARD chain (where Docker inserts the jump to DOCKER-USER) and never reaches INPUT, so a ban rule hooked into INPUT is never hit by it:
```text
                               XXXXXXXXXXXXXXXXXX
                             XXX     Network    XXX
                               XXXXXXXXXXXXXXXXXX
                                       +
                                       |
                                       v
 +-------------+              +------------------+
 |table: filter| <---+        | table: nat       |
 |chain: INPUT |     |        | chain: PREROUTING|
 +-----+-------+     |        +--------+---------+
       |             |                 |
       v             |                 v
 [local process]     |           ****************          +--------------+
       |             +---------+ Routing decision +------> |table: filter |
       v                         ****************          |chain: FORWARD|
****************                                           +------+-------+
Routing decision                                                  |
****************                                                  |
       |                                                          |
       v                         ****************                 |
 +-------------+        +------> Routing decision <---------------+
 |table: nat   |        |        ****************
 |chain: OUTPUT|        |               +
 +-----+-------+        |               |
       |                |               v
       v                |      +-------------------+
 +--------------+       |      | table: nat        |
 |table: filter |  +----+      | chain: POSTROUTING|
 |chain: OUTPUT |              +--------+----------+
 +--------------+                       |
                                        v
                               XXXXXXXXXXXXXXXXXX
                             XXX     Network    XXX
                               XXXXXXXXXXXXXXXXXX
```
After reconfiguring fail2ban, the structure shown by `iptables -L` should look like this:
```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
// ...

Chain DOCKER-USER (1 references)
target     prot opt source               destination
f2b-http-error  tcp  --  anywhere             anywhere
f2b-x-ssh-access  tcp  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
```
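The lesson of the post is "verify where the rule actually landed". As an added example (my own code, not from the post or from fail2ban), this script compares the chain each enabled jail asks for in jail.local against the chain that really jumps to its `f2b-<jail>` chain in `iptables -L` output; `JAIL_LOCAL` and `IPTABLES_L` are constructed samples that reproduce the misplacement described above, and the function names are my own.

```python
import configparser
import re

# Constructed sample jail.local (not from the post): [sshd] guards the host's own
# sshd, [x-ssh-access] guards a containerised service reached via Docker forwarding.
JAIL_LOCAL = """\
[sshd]
enabled = true
chain = INPUT
[x-ssh-access]
enabled = true
chain = DOCKER-USER
"""

# Constructed `iptables -L` excerpt reproducing the mistake the post describes:
# f2b-x-ssh-access hangs off INPUT, which forwarded container traffic never traverses.
IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere
f2b-x-ssh-access  tcp  --  anywhere             anywhere
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

def expected_chains(jail_text):
    """Enabled jail -> chain named in its config (fail2ban's default is INPUT)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_text)
    return {j: cfg.get(j, "chain", fallback="INPUT")
            for j in cfg.sections() if cfg.getboolean(j, "enabled", fallback=False)}

def installed_chains(iptables_text):
    """Jail name -> set of chains that actually jump to its f2b-<jail> chain."""
    parents, current = {}, None
    for line in iptables_text.splitlines():
        head = re.match(r"Chain (\S+) ", line)
        if head:
            current = head.group(1)            # entering a new chain listing
        elif current and (rule := re.match(r"f2b-(\S+)\s", line)):
            parents.setdefault(rule.group(1), set()).add(current)
    return parents

def find_mismatches(jail_text, iptables_text):
    """(jail, expected chain, chains found) for jails whose rule is missing or misplaced."""
    found = installed_chains(iptables_text)
    return [(jail, want, sorted(found.get(jail, set())))
            for jail, want in expected_chains(jail_text).items()
            if found.get(jail) != {want}]
```

On a real host, feed `find_mismatches` the contents of your jail.local and the output of `iptables -L`; an empty list means every jail's ban chain hangs off the chain its config names.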
References:
https://github.com/crazy-max/docker-fail2ban#docker-user-and-input-chains
https://wiki.archlinux.org/title/Iptables
That's all.
小原渚
I'd suggest writing a year-end summary at the end of every year. See you again if fate allows; I hope I'll still come across your posts in the future.
Mosaic-C
Sure, that works; the main point is to signal that I'm still around, right? Hahaha~
jiyouzhan
This article explains things so simply and clearly that even a newbie like me understood it!