- Ubuntu 22.04
- Portainer with Remote access
- apache2 as reverse proxy e.g. as described here
- fail2ban and e.g. iptables are installed
- Portainer is accesible via https://YourDomain/portainer/
User --> https --> Apache2 --> http(s) --> Portainer
| Usually it is a bad idea to make portainer accessible via internet as front end. It has a HUGE SECURITY RISK, please know what you are doing! |
|---|
Install fail2ban:
sudo apt update && sudo apt install fail2ban -yCreate the Portainer-filter:
sudo nano /etc/fail2ban/filter.d/apache-portainer.confPortainer will not write Host IP in authentication errors in logs, but you have chance to track it via apache2 access.log as 401 and 422 errors.
Paste the following lines in /etc/fail2ban/filter.d/apache-portainer.conf, this will cover GUI Failed login attempts:
[Definition]
failregex = ^<HOST>.+?\/portainer\/api\/.+? HTTP\/\d+(?:\.\d+)?\" 4(?:01|22)
ignoreregex =
[Init]
datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
Create a new jail:
sudo nano /etc/fail2ban/jail.d/apache-portainer.localPaste the following rows:
[apache_portainer]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = apache_portainer
# Number of retrys before to ban. Portainer produces from 2 to 5 log entries per request or failed login.
maxretry = 10
#time in seconds
bantime = 36000
findtime = 36000
# Log path, on Ubuntu usually is following
logpath = /var/log/apache2/access.log
Re-start the fail2ban-service:
sudo service fail2ban restartand enjoy your Portainer!
Not really, portainer itself do not log such kind of activities. But it will answer with correct http codes so you can catch it via reverse proxy.