Created
November 8, 2024 10:05
-
-
Save composite/6e6931d3be6f5f490f36ab6512382db9 to your computer and use it in GitHub Desktop.
fail2ban: BAN docker services for security (for Docker Host that installed fail2ban)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # INSERT fail2ban FORWARD for Docker host | |
| sudo iptables -I FORWARD -j f2b-postgres | |
| # DELETE fail2ban FORWARD for Docker host | |
| sudo iptables -D FORWARD -j f2b-postgres | |
| # Save | |
| sudo iptables-save |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/fail2ban/filter.d/postgres.conf | |
| [Definition] | |
| failregex = \{<HOST>\} .+? FATAL: password authentication failed for user .+$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/fail2ban/jail.d/postgres.conf | |
| [postgresql] | |
| enabled = true | |
| filter = postgres | |
| logpath = /path/to/docker/postgres/data/log/postgresql*.log | |
| banaction = iptables-allports # or iptables-multiport, nftables-*, etc... | |
| maxretry = 3 | |
| findtime = 1200 | |
| bantime = 86400 | |
| port = 5432 | |
| usedns = raw | |
| mode = aggressive | |
| backend = polling # fail2ban can't track docker generated files... | |
| ignoreip = 192.168.0.0/16 #for example |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| log_destination = 'stderr' | |
| logging_collector = on | |
| log_directory = 'log' | |
| log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' | |
| log_connections = on | |
| log_line_prefix = '%m {%h} [%p] ' | |
| log_timezone = 'Etc/UTC' # Do not change timezone or fail2ban will not collect failed data. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment