
New Package Request: fail2ban for SSH protection against malicious servers on the internet

Open bignay2000 opened this issue 1 year ago • 5 comments

Package name and purpose: Fail2Ban actively looks for authentication errors across various logs and adds IP addresses to a deny list for the IPTables firewall. By having the firewall deny the IP, this prevents any further processing from the malicious server.

  • Package upstream repo: https://github.com/fail2ban/fail2ban
  • Gentoo ebuild: [ link to package’s Gentoo ebuild if exists ]

Impact of adding this package to the Flatcar OS image

The package improves on the following core values:

  • [ ] Secure by default: Currently there is no real alternative to prevent DDOS attacks against SSH or other ports for public facing smaller servers (1 vCPU, 512 MB RAM Digital Ocean droplet).
  • [ ] Always up to date
  • [ ] Improve container experience: Ability to firewall incoming traffic at the host. Decreases the possibility of memory and CPU usage caused by a malicious DDOS attack.
  • [ ] Operate at scale / automation / telemetry

The package will increase the image size by: [estimated] MBytes.

How might this package increase the attack surface: Built from Python

Benefits of adding this package Gain the ability to protect a publicly facing Flatcar server from bot attacks.

Additional information: IPTables by itself is not sufficient to protect against modern bots. It is too hard to figure out rules that would block these attacks while ensuring real users can still connect to the server - whether the rate limit causes them to be blocked OR the DDOS triggers a lot of CPU, memory and disk usage from SSH processing an invalid user.

jan 28 03:18:49 server.example.net sshd[3376]: Invalid user toma from 34.100.230.128 port 45440

Grabbing a random hour from yesterday shows 63 Invalid user attempts in an hour.

journalctl -x --since "10 hour ago" | grep "Invalid user" | wc -l

So these are happening slowly, so my current IPTables is not catching them. So I think Fail2Ban is really the only option...

bignay2000 · Jan 28 '24 16:01
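The counting that the fail2ban approach in the issue relies on, as an added example that is not part of the original thread or of fail2ban itself: it parses journal lines in the format quoted above and applies a per-source-IP findtime/maxretry window, which catches the slow, spread-out attempts that a per-second rate limit misses. The log excerpt, the 203.0.113.7 and 198.51.100.9 addresses and the maxretry/findtime values are constructed for the illustration; 34.100.230.128 is the address from the issue.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the journalctl line format quoted in the issue (no year in the timestamp).
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample journal excerpt; 34.100.230.128 is the address from the
# issue, 203.0.113.7 and 198.51.100.9 are documentation-range placeholders.
SAMPLE_LOG = """\
jan 28 03:18:49 server.example.net sshd[3376]: Invalid user toma from 34.100.230.128 port 45440
jan 28 03:25:12 server.example.net sshd[3390]: Invalid user admin from 34.100.230.128 port 45502
jan 28 03:31:07 server.example.net sshd[3402]: Invalid user test from 34.100.230.128 port 45577
jan 28 03:33:58 server.example.net sshd[3419]: Invalid user git from 203.0.113.7 port 51012
jan 28 03:40:44 server.example.net sshd[3433]: Accepted publickey for core from 198.51.100.9 port 60122
"""

def parse_failures(text):
    """Yield (timestamp, source_ip) for each 'Invalid user' line; skip everything else."""
    for line in text.splitlines():
        m = INVALID_USER.match(line)
        if m:
            # strptime's %b is case-insensitive, so the lowercase month parses fine.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_offenders(text, maxretry=3, findtime=3600):
    """Return {ip: timestamp} for IPs with >= maxretry failures inside any findtime-second window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts       # the moment fail2ban would fire its ban action
    return banned

if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG).items():
        print(f"{ts:%b %d %H:%M:%S}: ban {ip}")   # e.g. iptables -I INPUT -s <ip> -j DROP
    # Three attempts spread over 12 minutes slip through a 10-minute window:
    print("10-minute window catches:", list(find_offenders(SAMPLE_LOG, findtime=600)))
```

The same three failures are a ban with a one-hour window and nothing with a ten-minute one, which is the tuning trade-off the issue describes between catching slow bots and not locking out real users.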

https://hub.docker.com/r/linuxserver/fail2ban might be an option to run in a container

bignay2000 · Jan 29 '24 00:01

Hi @bignay2000. https://hub.docker.com/r/linuxserver/fail2ban seems like a good option to run fail2ban in a Linux container, since Flatcar is an immutable Linux distribution for running containers. There has been a lot of progress on the system extension front. Perhaps you could try bundling fail2ban into a systemd-sysext image and then use fail2ban that way.

krishjainx · Jan 29 '24 07:01

Hello @bignay2000, thanks for reaching out! As Krish mentioned, we're trying to keep Flatcar lean. I know of a few users who managed to get an alpine docker container of fail2ban working on Flatcar. Needs host networking (obviously) as well as bind-mounts of /var/log and probably other directories into the container for logfile parsing.

This might be a more straightforward (and faster) solution than trying to add fail2ban to the base OS.

t-lo · Jan 29 '24 13:01

Oh, and just as with #1333 if you manage to find a good way to run fail2ban in a container, feel free to add a how-to to our documentation: https://github.com/flatcar/flatcar-website

t-lo · Jan 29 '24 14:01

Note that Flatcar already sets up pam_faillock.

pothos · Jan 31 '24 10:01