[Users] CentOS 7 image, ModSecurity and Fail2Ban?

Scott Dowdle dowdle at montanalinux.org
Wed Jun 1 17:19:41 PDT 2016


----- Original Message -----
> Has anyone experienced any problems with OpenVZ, CentOS 7 and
> fail2ban?

I haven't done a lot with firewalls inside of containers... although I have started using firewalld lately on a few EL7 containers and it seems to work just fine even with live migration... making sure to "vzctl set {ctid} --netfilter {stateful | full}".  You have to ensure that any OpenVZ needed hostnode / container settings are configured properly.

As you probably know fail2ban uses ipset... and I'm not sure ipset works in a container.  The only thing I've used fail2ban for is sshd brute force protection... and in most of my containers I either turn sshd off (and access it via the host node with vzctl enter) or I run sshd on a port other than 22 (eliminating most ssh brute force attacks)... so I haven't had the need to run fail2ban in a container.

If ipset works with the netfilter set correctly (I haven't verified)... you also have to make sure to configure fail2ban (from EPEL) so it looks at the appropriate logs.  Are you using rsyslog?  Are you using journald in persistent storage mode without rsyslog?  And then there are also a handful of services (like apache / httpd) that do their own logging and use neither journald nor rsyslog.  The default fail2ban backend of "auto" has not always worked for me... even on physical hosts.

Anyway, there are lots of moving pieces and I haven't given you a complete answer, but there are some of the pieces.

Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]

More information about the Users mailing list