 

Secure server with Fail2ban and Docker

I use nginx in a Docker container and I can easily share the log file from my nginx Docker container with the host. The logs are there and live in the /var/log/nginx folder.

I have installed fail2ban on the host to check the log files, particularly access.log.

I tested a simple filter:

# Fail2Ban configuration file
# Author: Miniwark

[Definition]
failregex = ^<HOST> .*"GET .*w00tw00t
# try to access to admin directory
            ^<HOST> .*"GET .*admin.* 403
            ^<HOST> .*"GET .*admin.* 404
# try to access to install directory
            ^<HOST> .*"GET .*install.* 404
# try to access to phpmyadmin
            ^<HOST> .*"GET .*dbadmin.* 404
            ^<HOST> .*"GET .*myadmin.* 404
            ^<HOST> .*"GET .*MyAdmin.* 404
            ^<HOST> .*"GET .*mysql.* 404
            ^<HOST> .*"GET .*websql.* 404
            ^<HOST> .*"GET \/pma\/.* 404
# try to access to wordpress (we use another CMS)
            ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404
# try to access to typo3 (we use another CMS)
            ^<HOST> .*"GET .*typo3.* 404
# try to access to tomcat (we do not use it)
            ^<HOST> .*"HEAD .*manager.* 404
# try to access various strange scripts and malwares
            ^<HOST> .*"HEAD .*blackcat.* 404
            ^<HOST> .*"HEAD .*sprawdza.php.* 404

ignoreregex = 

And I activate it easily in /etc/fail2ban/jail.local:

[nginx-nokiddies]
# ban script kiddies
enabled  = true
port     = http,https
filter   = nginx-nokiddies
logpath  = /var/log/nginx*/*access.log
maxretry = 1

I restart/stop/start/reload the fail2ban service. Then I test this regex with

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-nokiddies.conf

It matches thousands of lines, especially any admin request.

The main problem is that fail2ban is not working automatically, so it doesn't send mail as before. Indeed, it works perfectly when I use an nginx installed directly on the host.

The logs are in the basic format, called the 'combined' format, like this:

log_format combined '$remote_addr - $remote_user [$time_local]  '
            '"$request" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent"';

No permission problems, because my nginx container and its children have full permissions (777) to be sure; I change it afterwards, of course!

Why does the fail2ban process not ban IPs and not match anything with Docker?

asked Jun 23 '16 15:06 by chadyred
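As an added example (not code from the question or from the answer below), the following Python script applies the question's failregex patterns to a few constructed nginx 'combined'-format log lines, roughly the way fail2ban-regex does, so the filter step can be checked offline without a running fail2ban. Assumptions: fail2ban's `<HOST>` tag is simplified to a bare IPv4/IPv6 literal, fail2ban's date pre-processing of each line is ignored, and the log lines are made up for this example.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the client
# address is a bare IPv4 or IPv6 literal, which is what nginx's $remote_addr logs).
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

# failregex lines copied from the nginx-nokiddies filter in the question.
FAILREGEX = [
    r'^<HOST> .*"GET .*w00tw00t',
    r'^<HOST> .*"GET .*admin.* 403',
    r'^<HOST> .*"GET .*admin.* 404',
    r'^<HOST> .*"GET .*install.* 404',
    r'^<HOST> .*"GET .*dbadmin.* 404',
    r'^<HOST> .*"GET .*myadmin.* 404',
    r'^<HOST> .*"GET .*MyAdmin.* 404',
    r'^<HOST> .*"GET .*mysql.* 404',
    r'^<HOST> .*"GET .*websql.* 404',
    r'^<HOST> .*"GET \/pma\/.* 404',
    r'^<HOST> .*"GET .*wp-content.* 404',
    r'^<HOST> .*"GET .*wp-login.* 404',
    r'^<HOST> .*"GET .*typo3.* 404',
    r'^<HOST> .*"HEAD .*manager.* 404',
    r'^<HOST> .*"HEAD .*blackcat.* 404',
    r'^<HOST> .*"HEAD .*sprawdza.php.* 404',
]

COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample lines in nginx 'combined' format (not real traffic).
# RFC 5737 / RFC 3849 documentation addresses are used as client IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2016:15:06:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2016:15:06:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jun/2016:15:06:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jun/2016:15:06:04 +0000] "GET /admin/ HTTP/1.1" 403 162 "-" "curl/7.47.0"
2001:db8::1 - - [23/Jun/2016:15:06:05 +0000] "HEAD /manager/html HTTP/1.1" 404 0 "-" "Java/1.8"
192.0.2.5 - - [23/Jun/2016:15:06:06 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def first_match(line):
    """Return the <host> of the first failregex that matches the line, or None.

    Like fail2ban, a line counts as at most one failure even if several
    patterns would match it.
    """
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(log_text):
    """Count failregex hits per client address over a block of log text."""
    hits = Counter()
    for line in log_text.splitlines():
        host = first_match(line)
        if host:
            hits[host] += 1
    return hits


def banned(hits, maxretry=1):
    """Addresses whose hit count reaches maxretry (the jail in the question uses 1)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{host}: {n} hit(s)")
    print("would be banned with maxretry=1:", banned(hits))
```

If the filter matches here and in fail2ban-regex but no ban or mail ever follows, the filter is not the component to debug; look at the action instead. fail2ban's stock iptables actions insert their rules into the INPUT chain, which only sees traffic addressed to the host itself. Traffic to a port published by Docker is forwarded to the container and traverses the FORWARD chain (the DOCKER-USER chain on current Docker releases) instead, so a rule in INPUT never sees it; the iptables actions take a `chain` parameter for exactly this case.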



1 Answer

You could install fail2ban on the host, then map the access log file from the nginx container to your host. Something like docker run -v /path/in/host:/var/log/nginx/access.log nginx. Then in fail2ban just reference that file.

answered Oct 26 '22 12:10 by uLan