Playing around with fail2ban on a local Docker host, I found that when it banned a host, all Docker containers with published ports were still reachable from that banned host.
I tried several different ways of getting the IP ban to really block everything.
These are some notes from the steps I took to solve the problem.
- Update your package lists
- Install fail2ban:
    apt install fail2ban
- We do not edit the default jail.conf, since it can be overwritten by package updates, so we create a separate config for fail2ban instead.
For this simple demonstration we are going to ban on failed login attempts over SSH, and we want the remote IP banned for 600s, for all services and ports.
    [sshd]
    ignoreip = 127.0.0.1
    enabled = true
    port = 22
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 600
    findtime = 600
    action = iptables-allports[actname=sshd,name=sshd,protocol=all]
             iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
The trick was to set up two actions: one for the normal chain (traffic to the host itself) and one for Docker's chain.
With both in place, a ban blocks sessions not only to the host but also to all containers.
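A way to confirm that a ban really landed in both chains, as an added example that is not part of the original notes. It works on the text of `iptables -S`, so it can be run offline against the constructed samples below or fed the live output on the host. It assumes the jail above, whose two iptables-allports actions create the chains f2b-sshd and f2b-sshd-docker (fail2ban names its chains f2b-<name>); the chain names are parameters in case yours differ. The IP addresses are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original notes. Checks, from `iptables -S`
# text, that a banned IP is rejected both in the host chain and in the
# Docker chain. Assumes the chains f2b-sshd and f2b-sshd-docker created
# by the two iptables-allports actions in the jail above.

# Constructed sample 1: the situation described at the top of the notes.
# Only the host-side chain holds the ban; containers stay reachable.
RULES_HOST_ONLY='-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER
-N f2b-sshd
-A INPUT -j f2b-sshd
-A FORWARD -j DOCKER
-A f2b-sshd -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'

# Constructed sample 2: the same IP banned by the two-action jail.
RULES_BOTH="$RULES_HOST_ONLY
-N f2b-sshd-docker
-A DOCKER -j f2b-sshd-docker
-A f2b-sshd-docker -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd-docker -j RETURN"

# is_banned_in_chain CHAIN IP   (rules text on stdin)
# Exit 0 if CHAIN contains a REJECT or DROP rule with IP as source, else 1.
is_banned_in_chain() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -E "^-A $1 -s $ip_re(/32)? -j (REJECT|DROP)" >/dev/null
}

# check_ban IP RULES_TEXT [HOST_CHAIN] [DOCKER_CHAIN]
# Reports which chains block IP; succeeds only when both do.
check_ban() {
    ip=$1; rules=$2
    host_chain=${3:-f2b-sshd}; docker_chain=${4:-f2b-sshd-docker}
    rc=0
    for chain in "$host_chain" "$docker_chain"; do
        if printf '%s\n' "$rules" | is_banned_in_chain "$chain" "$ip"; then
            echo "$ip: blocked in $chain"
        else
            echo "$ip: NOT blocked in $chain"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration on the constructed samples. On the real host run:
#   check_ban 203.0.113.5 "$(iptables -S)"
check_ban 203.0.113.5 "$RULES_HOST_ONLY" || echo "-> containers still reachable"
check_ban 203.0.113.5 "$RULES_BOTH" && echo "-> host and containers both closed"
```

`fail2ban-client status sshd` tells you which IPs are banned but not which chains the ban reached, which is exactly what went wrong here; this check closes that gap. Docker's own documentation reserves the DOCKER-USER chain for user rules and warns against manipulating the DOCKER chain directly, so if bans disappear after a Docker restart, try chain=DOCKER-USER in the second action and pass the matching chain name as the fourth argument.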