[Users] CentOS 7 image, ModSecurity and Fail2Ban?

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 3 10:46:04 PDT 2016


Hi Jeff, Scott,

we did not check whether fail2ban works, but if fail2ban uses ipset, the following info may be useful for you:
https://bugs.openvz.org/browse/OVZ-5736

In brief:
* OpenVZ 6 (2.6.32-x kernels) does not allow using ipset inside Containers (it's just not virtualized)
* OpenVZ 7 (3.10.0-x kernels) does have ipset virtualized => it works inside Containers.

If you try fail2ban in OpenVZ 7, please post here the results. :)

Hope that helps.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 06/02/2016 03:19 AM, Scott Dowdle wrote:
> Greetings,
>
> ----- Original Message -----
>> Has anyone experienced any problems with OpenVZ, CentOS 7 and
>> fail2ban?
>
> I haven't done a lot with firewalls inside of containers... although I have started using firewalld lately on a few EL7 containers and it seems to work just fine even with live migration... making sure to "vzctl set {ctid} --netfilter {stateful | full}".  You have to ensure that any OpenVZ needed hostnode / container settings are configured properly.
>
> As you probably know fail2ban uses ipset... and I'm not sure ipset works in a container.  The only thing I've used fail2ban for is sshd brute force protection... and in most of my containers I either turn sshd off (and access it via the host node with vzctl enter) or I run sshd on a port other than 22 (eliminating most ssh brute force attacks)... so I haven't had the need to run fail2ban in a container.
>
> If ipset works with the netfilter set correctly (I haven't verified)... you also have to make sure to configure fail2ban (from EPEL) so it looks at the appropriate logs.  Are you using rsyslog?  Are you using journald in persistent storage mode without rsyslog?  And then there are also a handful of services (like apache / httpd) that do their own logging and use neither journald nor rsyslog.  The default fail2ban backend of "auto" has not always worked for me... even on physical hosts.
>
> Anyway, there are lots of moving pieces and I haven't given you a complete answer, but there are some of the pieces.
>
> TYL,
>
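As an added example (not part of this thread), a small POSIX shell check that classifies the running kernel the way Konstantin describes and then probes whether ipset actually works inside the Container, which is the first thing to verify before enabling fail2ban's ipset actions. The kernel-release patterns, the temporary set name and the documentation address used as a test entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenVZ thread: check ipset availability inside
# a Container. Assumes kernel releases look like 2.6.32-... (OpenVZ 6) or
# 3.10.0-... (OpenVZ 7); anything else is reported as "unknown".

# Pure classifier (no root, no ipset needed) so it can be tested offline.
ipset_expected() {
    case "$1" in
        2.6.32-*) echo "no" ;;       # OpenVZ 6: ipset not virtualized
        3.10.0-*) echo "yes" ;;      # OpenVZ 7: ipset virtualized
        *)        echo "unknown" ;;
    esac
}

# Live probe: create a throw-away set, add and test an entry, then destroy it.
# Needs root and the ipset tool. Prints "works", "fails" or "no-ipset-binary".
ipset_probe() {
    name="f2b_probe_$$"                       # assumed temporary set name
    if ! command -v ipset >/dev/null 2>&1; then
        echo "no-ipset-binary"; return 1
    fi
    if ipset create "$name" hash:ip timeout 60 >/dev/null 2>&1 &&
       ipset add "$name" 192.0.2.1 >/dev/null 2>&1 &&        # TEST-NET-1 address
       ipset test "$name" 192.0.2.1 >/dev/null 2>&1; then
        ipset destroy "$name" >/dev/null 2>&1
        echo "works"; return 0
    fi
    # A failure here on a 3.10.0 kernel usually means the CT's netfilter
    # setting is too restrictive (see the --netfilter hint in the thread).
    ipset destroy "$name" >/dev/null 2>&1 || true
    echo "fails"; return 1
}

main() {
    rel=$(uname -r)
    echo "kernel: $rel; ipset expected inside CT: $(ipset_expected "$rel")"
    echo "ipset probe: $(ipset_probe)"
}

main
```

Run it as root inside the Container; "works" means fail2ban's ipset-based actions have a chance, while "fails" on an OpenVZ 7 kernel points at the Container's netfilter setting rather than at fail2ban.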

