Fail2ban

Now it is time to secure your containers against DoS attacks and SSH brute-forcing; this is where Fail2ban comes into play. Fail2ban is a security tool that helps protect servers from brute-force attacks and other malicious behaviour. It works by monitoring log files for suspicious activity (such as repeated failed login attempts) and automatically updating firewall rules to block the offending IP addresses, temporarily or permanently. Fail2ban is highly configurable and supports a wide range of services such as SSH, web servers and mail servers. It helps prevent unauthorized access by banning IPs that exhibit harmful patterns.

Requirements:
xcaddy

On AlmaLinux you can install it with:

yum install epel-release
yum install fail2ban

Next you have to create your SSH banning configuration.

Create the file /etc/fail2ban/jail.local:

[DEFAULT]
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
maxretry = 3

[sshd]
enabled = true
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w

In this example we secure our SSH connection and increase the ban time with each further offence, up to the maximum ban time of 5 weeks. This file stops us from getting SSH brute-forced.

Next we move on and secure our Docker containers.

Create the file /etc/fail2ban/action.d/docker.conf:

[Definition]
actioncheck = iptables -n -L DOCKER-USER | grep -q 'DOCKER-USER[ \t]'
actionban = iptables -I DOCKER-USER -s <ip> -j DROP
actionunban = iptables -D DOCKER-USER -s <ip> -j DROP

This configuration is used when Fail2Ban is deployed on a host that runs Docker. It helps block (ban) malicious or unwanted IP addresses from accessing containers by directly interacting with Docker's network rules through the DOCKER-USER chain in iptables.

Let's move on and create the file /etc/fail2ban/filter.d/caddy.conf:

[Definition]

failregex = "client_ip":"<HOST>"(.*)"status":(400|401|403|422|500)

datepattern = LongEpoch

ignoreregex =

This configuration file defines a Fail2Ban filter for use with the Caddy web server. It specifies the patterns to detect and act on suspicious HTTP responses in Caddy's logs.

Finally, create the third and last file, /etc/fail2ban/jail.d/caddy.conf:

[caddy]
enabled = true
port = http,https
filter = caddy
logpath = /opt/caddy/data/log/access.log
maxretry = 3
bantime = -1
banaction = docker

This jail ensures Fail2Ban monitors Caddy logs for malicious activity and bans offending IPs using Docker rules.
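To see what the filter and the jail above actually do before deploying them, here is an added example (not part of the original page and not Fail2ban's own code) that applies the failregex from filter.d/caddy.conf to a few constructed, abbreviated Caddy JSON access-log lines and then applies the jail's maxretry threshold. The regex is copied verbatim from the filter; the IPv4/IPv6 pattern substituted for <HOST> is a simplification assumed by this example, since Fail2ban uses its own, stricter address pattern. The helper and function names are invented for the example, and findtime is ignored, so every sample line counts toward the same window.

```python
import re
from collections import Counter

# failregex copied verbatim from /etc/fail2ban/filter.d/caddy.conf
FAILREGEX = r'"client_ip":"<HOST>"(.*)"status":(400|401|403|422|500)'

# Fail2ban expands <HOST> to its own address pattern; this simplified IPv4/IPv6
# stand-in is an assumption of this example, not Fail2ban's exact regex.
HOST_RE = r'(?P<host>[0-9a-fA-F:.]+)'


def compile_failregex(failregex=FAILREGEX):
    """Turn a Fail2ban-style failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_hosts(lines, failregex=FAILREGEX):
    """Count matching (i.e. failed) log lines per client IP, like the filter does."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)          # Fail2ban also searches, it does not anchor
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=3, failregex=FAILREGEX):
    """IPs that reached the jail's maxretry; findtime is deliberately ignored here."""
    return sorted(ip for ip, n in failed_hosts(lines, failregex).items() if n >= maxretry)


def _line(ip, status, uri="/login", ts=1700000000.0):
    # Constructed, abbreviated Caddy JSON access-log line (real lines carry more fields).
    return ('{"level":"info","ts":%s,"logger":"http.log.access","msg":"handled request",'
            '"request":{"remote_ip":"%s","client_ip":"%s","method":"GET","uri":"%s"},'
            '"status":%d}' % (ts, ip, ip, uri, status))


# Constructed sample log using documentation address ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = [
    _line("203.0.113.7", 401),
    _line("203.0.113.7", 401),
    _line("192.0.2.5", 200, uri="/"),        # success: never counted
    _line("198.51.100.9", 403),
    _line("203.0.113.7", 401),               # third 401: reaches maxretry=3
    _line("2001:db8::1", 500),
    _line("198.51.100.9", 403),              # only two 403s: stays below maxretry
    _line("2001:db8::1", 400),
    _line("192.0.2.5", 404, uri="/missing"), # 404 is not in the status list
    _line("2001:db8::1", 422),               # third failure for the IPv6 client
]

if __name__ == "__main__":
    print("failures per IP:", dict(failed_hosts(SAMPLE_LOG)))
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

Because the regex keys on the JSON fields "client_ip" and "status", the access log Fail2ban reads must contain those fields for any line to match. The authoritative check is Fail2ban's own tester against the real log and filter, e.g. `fail2ban-regex /opt/caddy/data/log/access.log /etc/fail2ban/filter.d/caddy.conf`, which reports how many lines matched and whether the datepattern was recognised.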

Perfect. Now you can adjust your Caddyfile. For Nextcloud it should look like this:

nextcloud.youredomain.io:443 {
    tls /certs/certificate.cer /certs/private_key.key # Optional
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:11000
    log {
        format transform {common_log}

        output file /data/log/access.log {
            roll_size 10mb
            roll_keep 10
            roll_keep_for 36h
        }
    }
}

And then restart xcaddy:

docker restart xcaddy

Now we can start and enable fail2ban:

systemctl start fail2ban
systemctl enable fail2ban

Perfect, now your Docker platform is secured.