Using Fail2ban Inside Docker with NET_ADMIN Capability

Fail2ban is a popular intrusion prevention tool designed to protect servers from brute-force attacks and other malicious activities by monitoring log files and taking proactive measures to block suspicious IP addresses. When running Fail2ban inside a Docker container, there are some additional considerations to ensure proper functionality. In this article, we will explore how to configure and run Fail2ban inside a Docker container, including the need for the NET_ADMIN capability.

Prerequisites

Before proceeding, ensure you have the following:

  1. Docker installed on your host machine.
  2. Basic knowledge of Docker and its concepts.

Docker Setup

To run Fail2ban inside a Docker container with the necessary NET_ADMIN capability, follow these steps:

1. Create the Fail2ban Configuration

Create a directory on your host machine to store the Fail2ban configuration files. Inside this directory, create the necessary configuration files, such as jail.local and jail.d/your-custom-jail.local to define your desired rules and actions.

Sample jail.local:

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

2. Create Dockerfile

Next, create a Dockerfile in the same directory as your Fail2ban configuration files. This file will be used to build the Fail2ban Docker image with the required configurations.

# Use an official Fail2ban base image
FROM fail2ban/fail2ban:latest

# Copy the Fail2ban configurations to the container
COPY jail.local /etc/fail2ban/
COPY jail.d/your-custom-jail.local /etc/fail2ban/jail.d/

3. Build the Docker Image

Open a terminal, navigate to the directory containing your Dockerfile, and build the Docker image using the following command:

docker build -t my_fail2ban_image .

4. Run the Fail2ban Container

Now that you have the Docker image, it’s time to run the Fail2ban container. When running Fail2ban inside Docker, we need to grant the container the NET_ADMIN capability. This capability allows the container to change network settings and to insert and remove iptables rules, which is how Fail2ban enforces its bans.

docker run -d \
  --name my_fail2ban_container \
  --cap-add=NET_ADMIN \
  -v /path/to/your/fail2ban/configs:/etc/fail2ban \
  my_fail2ban_image

  • The --name flag sets a custom name for the container (in this case, my_fail2ban_container).
  • The --cap-add=NET_ADMIN flag grants the NET_ADMIN capability to the container.
  • The -v flag mounts the host directory containing the Fail2ban configurations into the container at the appropriate path.

5. Verify Fail2ban Functionality

To verify that Fail2ban is running correctly inside the Docker container, you can check its logs:

docker logs my_fail2ban_container

Additionally, you can access the running container’s shell to interact with Fail2ban inside the container:

docker exec -it my_fail2ban_container /bin/bash
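Reading the logs tells you the service started, but not whether the capability from step 4 actually reached the process that needs it. The following script is an added example and is not part of the original article: it decodes the effective capability mask (CapEff) of PID 1 inside the container from /proc/1/status and checks bit 12, which is CAP_NET_ADMIN's number in linux/capability.h. It assumes the container name my_fail2ban_container from step 4; the two /proc/1/status excerpts embedded in it are constructed samples, not captured output (00000000a80425fb is Docker's default capability set, and 00000000a80435fb is that set with NET_ADMIN added).

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that PID 1 inside
# the running Fail2ban container actually holds CAP_NET_ADMIN by decoding the
# effective capability mask (CapEff) from /proc/1/status. Capability numbers
# come from linux/capability.h; CAP_NET_ADMIN is number 12, i.e. bit 12.
# The container name my_fail2ban_container is the one used in the article.

CAP_NET_ADMIN=12

# has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex mask.
# POSIX arithmetic expansion accepts C-style 0x constants and 64-bit values.
has_cap() {
  hc_mask=$1
  hc_num=$2
  [ $(( (0x$hc_mask >> hc_num) & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUS_TEXT: print the CapEff hex mask found in the
# text of a /proc/<pid>/status file (fields are tab-separated in the real
# file; `read` splits on tabs and spaces alike, so the samples use spaces).
cap_eff_from_status() {
  printf '%s\n' "$1" | while read -r ce_key ce_value; do
    if [ "$ce_key" = "CapEff:" ]; then
      printf '%s\n' "$ce_value"
      break
    fi
  done
}

# container_has_net_admin NAME: 0 if PID 1 in the named container has
# CAP_NET_ADMIN, 1 if not, 2 if the container could not be queried.
container_has_net_admin() {
  chn_status=$(docker exec "$1" cat /proc/1/status) || return 2
  chn_mask=$(cap_eff_from_status "$chn_status")
  [ -n "$chn_mask" ] || return 2
  has_cap "$chn_mask" "$CAP_NET_ADMIN"
}

# Constructed /proc/1/status excerpts (not captured from a real container).
# 00000000a80425fb is Docker's default capability set; bit 12 is clear.
SAMPLE_STATUS_DEFAULT='Name: fail2ban-server
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'
# The same set after --cap-add=NET_ADMIN: bit 12 set (0x1000 added).
SAMPLE_STATUS_NET_ADMIN='Name: fail2ban-server
CapPrm: 00000000a80435fb
CapEff: 00000000a80435fb
CapBnd: 00000000a80435fb'

# Stand-alone run: decode the constructed samples, then query a real container
# if its name is given on the command line (e.g. my_fail2ban_container).
for sample in "$SAMPLE_STATUS_DEFAULT" "$SAMPLE_STATUS_NET_ADMIN"; do
  mask=$(cap_eff_from_status "$sample")
  if has_cap "$mask" "$CAP_NET_ADMIN"; then
    echo "CapEff $mask: CAP_NET_ADMIN present"
  else
    echo "CapEff $mask: CAP_NET_ADMIN missing (Fail2ban cannot apply bans)"
  fi
done
if [ -n "${1:-}" ]; then
  container_has_net_admin "$1" \
    && echo "$1: CAP_NET_ADMIN present" \
    || echo "$1: CAP_NET_ADMIN missing or container not reachable"
fi
```

Run it as `sh check_net_admin.sh my_fail2ban_container` once the container from step 4 is up. Two things the capability alone does not settle: with Docker's default bridge networking the container has its own network namespace, so the iptables rules Fail2ban inserts there filter only that namespace, not traffic arriving at the host; sharing the host's network namespace (for example with --network host) is what makes the bans apply to the host's sshd. Likewise, logpath = %(sshd_log)s resolves to a path inside the container, so the host's authentication log has to be mounted (read-only is enough) at the path the jail expects, or the sshd jail will have nothing to read.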

Conclusion

By following the steps outlined in this article, you can effectively set up and run Fail2ban inside a Docker container with the necessary NET_ADMIN capability. This ensures that Fail2ban has the required permissions to monitor log files and manipulate network settings, providing an additional layer of security for your server.

Remember that Fail2ban is just one component of a comprehensive security strategy. Always keep your software and systems up to date, implement strong authentication measures, and regularly monitor and review your security configurations to maintain a robust and secure environment.
