Fail2Ban is an open-source intrusion prevention framework that helps protect Linux servers from various types of attacks. It works by monitoring log files for patterns that may indicate malicious activity, such as repeated failed login attempts, and then takes action to block the source of the suspicious activity.
In this example, I will show how to protect your SSH service.
Predefined filters
The fail2ban Docker image ships with predefined filters that can be used to parse logs and detect malicious behavior of common software such as sshd. They are located in the /etc/fail2ban/filter.d folder.
First, enable the sshd jail by creating the file data/jail.d/sshd.conf with the following content:
[sshd]
enabled = true
Since fail2ban watches logs to detect intrusive behavior, you will need to give the container access to the sshd log file /var/log/auth.log (the path may vary by distribution).
You can check the status of fail2ban using the command:
docker exec -it fail2ban fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd
You can also specify a jail:
docker exec -it fail2ban fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
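To make clear what the sshd jail is actually doing with /var/log/auth.log, here is an added Python example (not code from the fail2ban image or this page): it matches log lines against a simplified form of the sshd filter's failregex, counts failures per source address within a findtime window, and records a ban once maxretry is reached. The log lines, the year, and the regex are constructed assumptions; fail2ban's own defaults for sshd are maxretry=5 and findtime=10 minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 12:00:05 host sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 10 12:00:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 50131 ssh2
Mar 10 12:00:12 host sshd[2207]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
Mar 10 12:00:14 host sshd[2209]: Failed password for root from 203.0.113.7 port 50132 ssh2
Mar 10 12:00:20 host sshd[2211]: Failed password for root from 203.0.113.7 port 50133 ssh2
Mar 10 12:30:00 host sshd[2300]: Failed password for bob from 198.51.100.4 port 41010 ssh2
"""

# Simplified stand-in for one failregex of fail2ban's sshd filter (assumption, not the real pattern).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """auth.log timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600):
    """Return [(ip, time_of_ban)] for sources reaching maxretry failures within findtime seconds."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    banned, bans = set(), []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # non-matching lines (e.g. successful logins) never count
        ip, t = m.group("host"), parse_ts(m.group("ts"))
        if ip in banned:
            continue  # already banned; nothing further to do for this source
        q = failures[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures that fell out of the findtime window
        if len(q) >= maxretry:
            bans.append((ip, t))
            banned.add(ip)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")  # prints: ban 203.0.113.7 at 12:00:20
```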