systemd, fail2ban

How should I customize a fail2ban filter for use in conjunction with an sshd that runs in a container and logs with systemd?


I'm running an SSH daemon in a container with Docker. As the latter is managed by systemd and the sshd logs to stdout, the relevant data to detect attackers appears in systemd's journal, but its entries have an extra prefix like this:

Feb 13 21:51:25 my.example.com dockerd[427]: Feb 13 18:51:25 sshd[555]: Invalid user ts3bot from 180.166.17.122 port 43474

The jail is configured with this snippet:

[sshd]
enabled = true
mode    = aggressive
filter  = sshd[mode=%(mode)s]
port    = ssh

It seems that this line from filters.d/sshd.conf contains what I want to change:

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

But I can't find any helpful documentation on journalmatch's configuration. I'm using fail2ban 0.10.

Can someone explain how the part on the right of the equal sign is to be interpreted?

When I hopefully figure out how to adjust that value, should I edit filters.d/sshd.conf directly (it's provided by an Arch package) or somewhere else?


Solution

  • To preserve the option of having an extra sshd jail for the host system itself, here's what I would do:

    1. Version – Use fail2ban version >= 0.9, which supports use of systemd as backend. (BTW: Version 0.11 is pretty new and might not be stable yet, but I like the new feature to automatically increase ban times for each new match from the same IP.)

    2. Jail – Create a separate jail jail.d/sshd-docker. Adopt settings from the original sshd jail as needed. Maybe start with low ban times for safety first and increase later. Add backend = systemd to that new sshd-docker jail. Could look like this:

       [sshd-docker]
       enabled  = true
       filter   = sshd-docker
       action   = iptables
       backend  = systemd
       maxretry = 5
       findtime = 1d
       bantime  = 2w

    3. Filter – I prefer to leave filter files and the original jail.conf file untouched so I can easily upgrade to newer fail2ban versions. Therefore I would suggest duplicating the filter file filter.d/sshd.conf to filter.d/sshd-docker.conf and referring to that new filter in your sshd-docker jail (as seen above).

    4. Filter/regex – Adapt the regex in filter.d/sshd-docker.conf to match your log entries. Could be as simple as changing this

       _daemon = sshd

       to

       _daemon = docker

       as the _daemon directive is used to construct the __prefix_line regex, as you can see in filter.d/common.conf.

    5. Filter/journalmatch – As far as I can see from the fail2ban-regex man page, the journalmatch directive overrides other filters. Therefore you might also need to change this line in your filter.d/sshd-docker.conf

       journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

       to

       journalmatch =

       (In fail2ban 0.11 you could also just remove this line. Not sure when prior versions stopped requiring a journalmatch = entry in a filter file.)

    6. Test – Reload fail2ban and check how it works.
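As an added example, not code from the question or from the answer above, the POSIX shell script below carries out steps 2 to 5 of the answer in one go: it copies the stock filter to a new sshd-docker filter, rewrites only the _daemon and journalmatch lines, writes the jail snippet, and checks the result before anything is put under /etc/fail2ban. The function names (make_sshd_docker_filter, make_sshd_docker_jail, check_filter, demo) are this example's own; the minimal sshd.conf the demo writes is constructed for the run and is not the Arch package's file; and the sed patterns assume the two directives sit at the start of a line, as they do in the stock filter. For the journalmatch value being cleared, the convention is the one journalctl uses: whitespace-separated field=value terms in a group are ANDed and + separates alternative groups that are ORed, which is why the stock value only ever selects entries owned by sshd.service or a process named sshd, never the dockerd-prefixed entries in the question.

```shell
#!/bin/sh
# Added example, not from the answer: generate the sshd-docker jail and filter
# from steps 2-5.  Paths are parameters so it can be dry-run in a scratch
# directory before touching /etc/fail2ban.
set -eu

# Create the sshd-docker filter from a copy of the stock sshd filter, changing
# only the _daemon line (step 4) and the journalmatch line (step 5).
#   $1 = path of the original sshd.conf   $2 = destination filter path
make_sshd_docker_filter() {
    src="$1"; dst="$2"
    sed -e 's/^_daemon[[:space:]]*=.*/_daemon = docker/' \
        -e 's/^journalmatch[[:space:]]*=.*/journalmatch =/' \
        "$src" > "$dst"
}

# Write the jail snippet with the settings from step 2.
#   $1 = destination jail path (e.g. jail.d/sshd-docker.conf)
make_sshd_docker_jail() {
    cat > "$1" <<'EOF'
[sshd-docker]
enabled  = true
filter   = sshd-docker
action   = iptables
backend  = systemd
maxretry = 5
findtime = 1d
bantime  = 2w
EOF
}

# Sanity check on the generated filter: both substitutions are present and the
# old sshd.service match is gone.  Returns 0 on success, non-zero otherwise.
check_filter() {
    grep -q '^_daemon = docker$' "$1" &&
    grep -q '^journalmatch =$' "$1" &&
    ! grep -q 'sshd.service' "$1"
}

# Stand-alone demo against a constructed, minimal sshd.conf (not the real
# distribution file) in a temporary directory, so /etc/fail2ban is untouched.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd.conf" <<'EOF'
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sInvalid user .* from <HOST>( port \d+)?$
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
EOF
    make_sshd_docker_filter "$tmp/sshd.conf" "$tmp/sshd-docker.conf"
    make_sshd_docker_jail "$tmp/sshd-docker.jail.conf"
    check_filter "$tmp/sshd-docker.conf"
    echo "generated filter and jail under $tmp"
}

demo
```

To apply it for real, call make_sshd_docker_filter with /etc/fail2ban/filter.d/sshd.conf and /etc/fail2ban/filter.d/sshd-docker.conf, and make_sshd_docker_jail with /etc/fail2ban/jail.d/sshd-docker.conf, then do step 6 with fail2ban-regex before reloading: fail2ban-regex accepts the literal word systemd-journal in place of a log file, so fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd-docker.conf shows whether the dockerd-prefixed lines from the question are now matched and which host addresses are extracted. After the first real ban, also confirm that the container's published port is actually blocked: the iptables action places its rules in the INPUT chain by default, whereas traffic to a published Docker port is forwarded (Docker's documented hook for user rules is the DOCKER-USER chain), so the action's chain parameter may need adjusting.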