Fail2ban

Now it's time to secure your containers from DoS attacks and SSH brute-forcing; this is where Fail2ban comes into play. Fail2Ban is a security tool that helps protect servers from brute-force attacks and other malicious behavior. It works by monitoring log files for suspicious activity (such as repeated failed login attempts) and automatically updating firewall rules to block the offending IP addresses temporarily or permanently. Fail2Ban is highly configurable and supports a wide range of services like SSH, web servers, and email servers. It helps prevent unauthorized access by banning IPs that exhibit harmful patterns.
Requirements:
xcaddy
On AlmaLinux you can install it with:
yum install epel-release
yum install fail2ban
Next, create your SSH banning configuration.
Create the file /etc/fail2ban/jail.local:
[DEFAULT]
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
maxretry = 3
[sshd]
enabled = true
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
In this example we protect our SSH service and increase the ban time with each repeated failed login, up to the maximum bantime of 5 weeks. This file prevents us from getting SSH brute-forced.
Next we move on and secure our Docker containers.
Create the file /etc/fail2ban/action.d/docker.conf:
[Definition]
actioncheck = iptables -n -L DOCKER-USER | grep -q 'DOCKER-USER[ \t]'
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP
This configuration is used when Fail2Ban is deployed on a host that runs Docker. It helps block (ban) malicious or unwanted IP addresses from accessing containers by directly interacting with Docker's network rules through the DOCKER-USER chain in iptables.
Let's move on and create the file /etc/fail2ban/filter.d/caddy.conf:
[Definition]
failregex = "client_ip":"<HOST>"(.*)"status":(400|401|403|422|500)
datepattern = LongEpoch
ignoreregex =
This configuration file defines a Fail2Ban filter for use with the Caddy web server. It specifies the patterns to detect and act on suspicious HTTP responses in Caddy's logs.
Last, we need to create a third and final file, /etc/fail2ban/jail.d/caddy.conf:
[caddy]
enabled = true
port = http,https
filter = caddy
logpath = /opt/caddy/data/log/access.log
maxretry = 3
bantime = -1
banaction = docker
This jail ensures Fail2Ban monitors Caddy logs for malicious activity and bans offending IPs using Docker rules.
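To check the filter before enabling the jail, here is an added Python example (not part of the original post and not Fail2ban's own code) that applies the failregex from filter.d/caddy.conf to constructed Caddy JSON access-log lines and reports which client IPs would reach maxretry = 3. It assumes Caddy's default JSON access-log format, which is what the filter's "client_ip" key and LongEpoch date pattern are written for, and uses a simplified stand-in for Fail2ban's <HOST> expansion.

```python
import re
from collections import Counter

# Simplified stand-in for what Fail2ban substitutes for <HOST> (IPv4 or IPv6
# literal). This is an assumption for the example, not Fail2ban's exact pattern.
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{2,39})'

# failregex from /etc/fail2ban/filter.d/caddy.conf with <HOST> expanded
FAILREGEX = re.compile(
    r'"client_ip":"' + HOST_RE + r'"(.*)"status":(400|401|403|422|500)'
)

# Constructed, abbreviated Caddy JSON access-log lines (not real traffic):
# three 401s from one client, one 403 from another, a 404 and a 200.
SAMPLE_LOG = [
    '{"level":"info","ts":1716200000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","client_ip":"203.0.113.5","method":"POST","uri":"/login"},"status":401}',
    '{"level":"info","ts":1716200001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","client_ip":"203.0.113.5","method":"POST","uri":"/login"},"status":401}',
    '{"level":"info","ts":1716200002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.7","client_ip":"198.51.100.7","method":"GET","uri":"/admin"},"status":403}',
    '{"level":"info","ts":1716200003.4,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.9","client_ip":"192.0.2.9","method":"GET","uri":"/missing"},"status":404}',
    '{"level":"info","ts":1716200004.5,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"2001:db8::10","client_ip":"2001:db8::10","method":"GET","uri":"/"},"status":200}',
    '{"level":"info","ts":1716200005.6,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","client_ip":"203.0.113.5","method":"POST","uri":"/login"},"status":401}',
]


def failed_hosts(lines):
    """Count failregex matches per client_ip, as the Fail2ban filter would."""
    counts = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry=3):
    """Hosts that reached maxretry failures (jail.d/caddy.conf sets maxretry = 3).
    The findtime window is ignored here; all lines count as one window."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

On the host, `fail2ban-regex /opt/caddy/data/log/access.log /etc/fail2ban/filter.d/caddy.conf` performs the same check with Fail2ban's own regex engine against the real log.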
Perfect. Now you can adjust your Caddyfile. For Nextcloud it should look like this:
nextcloud.youredomain.io:443 {
    tls /certs/certificate.cer /certs/private_key.key # Optional
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
    log {
        format transform {common_log}
        output file /data/log/access.log {
            roll_size 10mb
            roll_keep 10
            roll_keep_for 36h
        }
    }
}
Then restart xcaddy:
docker restart xcaddy
Now we can start and enable fail2ban:
systemctl start fail2ban
systemctl enable fail2ban
Perfect, now your Docker platform is secured.