Hello,
I run a VPS on which several Docker containers are running.
These containers are set up with Fail2ban, and Fail2ban is configured to use UFW.
So far everything works: Fail2ban detects failed authentications and UFW then creates firewall rules.
However, these rules don't take effect: when an IP is blocked via UFW, that IP can still access the container (HTTPS).
Here is an example.
Fail2ban
Code:
2023-03-27 08:04:01,172 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:01
2023-03-27 08:04:43,124 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:43
2023-03-27 08:04:45,828 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:45
2023-03-27 08:04:45,995 fail2ban.actions [680]: NOTICE [npm] Ban 82.113.99.92
If the IP accesses the web server again after the ban, Fail2ban logs the following:
Code:
2023-03-27 08:04:47,431 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:47
2023-03-27 08:04:49,435 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:49
2023-03-27 08:04:59,813 fail2ban.filter [680]: INFO [npm] Found 82.113.99.92 - 2023-03-27 08:04:59
2023-03-27 08:05:00,171 fail2ban.actions [680]: NOTICE [npm] 82.113.99.92 already banned
UFW
Code:
To                         Action      From
--                         ------      ----
Anywhere                   REJECT      82.113.99.92
Anywhere                   REJECT      102.214.191.138
Anywhere                   REJECT      43.136.27.80
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
10.0.0.2 80/tcp            ALLOW FWD   Anywhere
10.0.0.2 443/tcp           ALLOW FWD   Anywhere
iptables excerpt, chain ufw-user-input
Code:
Chain ufw-user-input (1 references)
target prot opt source destination
REJECT all -- 82.113.99.92 anywhere reject-with icmp-port-unreachable
REJECT all -- 102.214.191.138 anywhere reject-with icmp-port-unreachable
REJECT all -- 43.136.27.80 anywhere reject-with icmp-port-unreachable
iptables, complete listing
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.4 tcp dpt:9000
ACCEPT tcp -- anywhere 10.0.0.4 tcp dpt:8000
ACCEPT tcp -- anywhere 10.0.0.5 tcp dpt:3001
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:81
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- 10.0.0.0/8 anywhere
RETURN all -- 172.16.0.0/12 anywhere
RETURN all -- 192.168.0.0/16 anywhere
RETURN udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ufw-docker-logging-deny tcp -- anywhere 192.168.0.0/16 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp -- anywhere 10.0.0.0/8 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny tcp -- anywhere 172.16.0.0/12 tcp flags:FIN,SYN,RST,ACK/SYN
ufw-docker-logging-deny udp -- anywhere 192.168.0.0/16 udp dpts:0:32767
ufw-docker-logging-deny udp -- anywhere 10.0.0.0/8 udp dpts:0:32767
ufw-docker-logging-deny udp -- anywhere 172.16.0.0/12 udp dpts:0:32767
RETURN all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-docker-logging-deny (6 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW DOCKER BLOCK] "
DROP all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:https
Chain ufw-user-input (1 references)
target prot opt source destination
REJECT all -- 82.113.99.92 anywhere reject-with icmp-port-unreachable
REJECT all -- 102.214.191.138 anywhere reject-with icmp-port-unreachable
REJECT all -- 43.136.27.80 anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
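Added example, not part of the post above and not the poster's code. The dump in the post shows why the ban never bites: the REJECT rules that Fail2ban adds through UFW land in ufw-user-input, which is only reached from the INPUT chain. A connection to a port Docker publishes is DNATed to the container address 10.0.0.2 and therefore traverses FORWARD, where DOCKER-USER jumps to ufw-user-forward, and that chain holds nothing but the two ACCEPTs for 80 and 443. The script below parses a condensed, hand-written subset of the poster's `iptables -L` output, walks both paths for the banned IP, and then models a REJECT inserted at the top of DOCKER-USER (the effect of `iptables -I DOCKER-USER -s 82.113.99.92 -j REJECT`) to show that a ban has to live in the FORWARD path. The host address 203.0.113.10 and the service-name-to-port table are assumptions made for the example.

```python
"""Constructed example, not the poster's code: trace where a Fail2ban/UFW ban is enforced.
Parses a condensed, hand-written subset of the post's `iptables -L` dump. Interface-only rules
(`-i lo`, Docker bridge rules) are omitted because `iptables -L` without `-v` hides them."""
import ipaddress
import re
from collections import namedtuple

IPTABLES_DUMP = """\
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:https
Chain DOCKER-USER (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-input all -- anywhere anywhere
Chain ufw-user-forward (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:https
Chain ufw-user-input (1 references)
target prot opt source destination
REJECT all -- 82.113.99.92 anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
"""
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}  # assumed mapping for the names in the dump
Rule = namedtuple("Rule", "target proto src dst extra")
Packet = namedtuple("Packet", "src dst proto dport state", defaults=["NEW"])  # NEW: a fresh SYN

def parse_dump(text):
    """Return {chain: (policy or None, [Rule, ...])} from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        parts = line.split(None, 4)
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # blank line or column header
        dst, _, extra = parts[4].partition(" ")
        chains[current][1].append(Rule(parts[0], parts[1], parts[3], dst, extra.strip()))
    return chains

def addr_matches(rule_addr, ip):
    return rule_addr == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)

def rule_matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    port = re.search(r"\bdpt:(\S+)", rule.extra)
    if port:
        want = port.group(1)
        if (int(want) if want.isdigit() else SERVICE_PORTS.get(want)) != pkt.dport:
            return False
    state = re.search(r"ctstate (\S+)", rule.extra)  # RELATED,ESTABLISHED never matches a fresh SYN
    return not state or pkt.state in state.group(1).split(",")

def walk(chains, name, pkt):
    """Evaluate a chain top-down like the kernel does: the first matching terminal target wins."""
    policy, rules = chains[name]
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return policy  # user chain: None (back to the caller); built-in chain: its policy
        if rule.target in chains:  # jump into a user-defined chain; LOG etc. are non-terminal
            verdict = walk(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
    return policy

def ban_check(dump, ip):
    """Verdict per path for `ip`, before and after modelling
    `iptables -I DOCKER-USER -s <ip> -j REJECT`, i.e. a ban that sits in the FORWARD path."""
    chains = parse_dump(dump)
    probes = {"INPUT": Packet(ip, "203.0.113.10", "tcp", 22),  # SSH to the VPS (host IP assumed)
              "FORWARD": Packet(ip, "10.0.0.2", "tcp", 443)}   # HTTPS, DNATed to the npm container
    before = {chain: walk(chains, chain, pkt) for chain, pkt in probes.items()}
    chains["DOCKER-USER"][1].insert(0, Rule("REJECT", "all", ip, "anywhere", ""))
    return before, {chain: walk(chains, chain, pkt) for chain, pkt in probes.items()}

if __name__ == "__main__":
    print(ban_check(IPTABLES_DUMP, "82.113.99.92"))
```

Run stand-alone it prints `({'INPUT': 'REJECT', 'FORWARD': 'ACCEPT'}, {'INPUT': 'REJECT', 'FORWARD': 'REJECT'})`: the banned IP is rejected on the host path but accepted on the container path until a rule exists in DOCKER-USER. In practice that means pointing the jail at an action that bans in the FORWARD path instead of the `ufw` action, for example Fail2ban's stock iptables multiport action with `chain=DOCKER-USER`, and then confirming with `iptables -L DOCKER-USER -n -v` that the ban rule shows up there. Two caveats when reading a dump like the one in the post: `iptables -L` without `-v` hides interface matches, so the "ACCEPT all -- anywhere anywhere" lines in ufw-before-input and FORWARD are really `-i lo` and Docker bridge rules rather than blanket accepts, and without `-n` ports are resolved to service names (https, http, ssh), which the example maps back by hand.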