How to implement fail2ban with Traefik


Question

I'm interested in setting up fail2ban with my Traefik deployment. I found a gist that has some snippets in it, but I'm not clear on how to use them. Can anyone fill in the blanks, please? Or is there a better way to implement fail2ban-style security with Traefik?

Answer

I was able to accomplish this starting with the gist you posted. This is under the assumption that you have Traefik already working, want to block IPs that have HTTP Basic Auth failures, and ban them with iptables. There are a couple of pieces, so let me start with the container configurations:

version: '2'
services:
  traefik:
    image: traefik:alpine
    volumes:
    - /apps/docker/traefik/traefik.toml:/traefik.toml:ro
    - /apps/docker/traefik/acme:/etc/traefik/acme
    - /var/log/traefik:/var/log
    ports:
    - 8080:8080/tcp
    - 80:80/tcp
    - 443:443/tcp
    command:
    - --web
    - --accessLog.filePath=/var/log/access.log
    - --accessLog.filters.statusCodes=400-499

You can see here that I am writing the log file to /var/log/access.log and only capturing status codes 400-499. I am then mounting that directory onto my host with /var/log/traefik:/var/log.

Now for the fail2ban part: I am using a fail2ban Docker container rather than installing it on my host, but you could technically do it there too.

version: '2'
services:
  fail2ban:
    image: crazymax/fail2ban:latest
    network_mode: "host"
    cap_add:
    - NET_ADMIN
    - NET_RAW
    volumes:
    - /var/log:/var/log:ro
    - /apps/docker/fail2ban/data:/data

You can see that I mount the /var/log directory into the fail2ban container read-only.

The /apps/docker/fail2ban/data/jail.d/traefik.conf file contains:

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

The /apps/docker/fail2ban/data/filter.d/traefik-auth.conf file contains:

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$
ignoreregex =

Extra

The default ban action is to ban via iptables. If you want to change that, you can change the default banaction in the traefik.conf, for example:

[DEFAULT]
banaction = cloudflare

[traefik-auth]
enabled = true
logpath = /var/log/traefik/access.log
port = http,https

The actions are here: https://github.com/fail2ban/fail2ban/tree/0.11/config/action.d

If you need to modify one, copy the file to the /apps/docker/fail2ban/data/action.d directory and restart the container.
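Before relying on the jail above, it is worth checking that the failregex really fires on Traefik's access-log lines. The following is an added Python example (not part of the answer, and not fail2ban's own code) that emulates two things fail2ban does before matching: it substitutes `<HOST>` with an address group and cuts the timestamp out of the line, which is why the filter expects the empty brackets `[]`. The log lines are constructed samples; the IPv4-only form of `<HOST>` and the `maxretry` value are simplifying assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Traefik's CLF access-log format (not a real capture).
# Host 203.0.113.7 fails Basic Auth twice, succeeds once, then fails again.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:15:01 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.64.0" 1 "frontend-admin" "http://10.0.0.5:8080" 2ms
203.0.113.7 - - [12/Mar/2019:10:15:02 +0000] "GET /admin HTTP/1.1" 401 17 "-" "curl/7.64.0" 2 "frontend-admin" "http://10.0.0.5:8080" 1ms
203.0.113.7 - alice [12/Mar/2019:10:15:03 +0000] "GET /admin HTTP/1.1" 200 512 "-" "curl/7.64.0" 3 "frontend-admin" "http://10.0.0.5:8080" 4ms
198.51.100.9 - - [12/Mar/2019:10:15:04 +0000] "POST /admin/login HTTP/1.1" 401 17 "-" "Mozilla/5.0" 4 "frontend-admin" "http://10.0.0.5:8080" 3ms
203.0.113.7 - - [12/Mar/2019:10:15:05 +0000] "HEAD /admin HTTP/1.1" 401 0 "-" "curl/7.64.0" 5 "frontend-admin" "http://10.0.0.5:8080" 1ms
"""

# The failregex exactly as written in filter.d/traefik-auth.conf.
FAILREGEX = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$'

# fail2ban replaces the <HOST> tag with a capturing group; IPv4-only here (assumption).
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))

# fail2ban removes the matched date text from the line before applying failregex.
# The brackets are not part of the date, so "[12/Mar/2019:10:15:01 +0000]" becomes "[]".
TIMESTAMP = re.compile(r'\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}')


def offending_host(line: str):
    """Return the client address if the line matches the filter, else None."""
    stripped = TIMESTAMP.sub('', line)
    match = PATTERN.search(stripped)
    return match.group('host') if match else None


def count_failures(log_text: str) -> Counter:
    """Count matching (401) lines per client address, like fail2ban's failure counter."""
    hits = Counter()
    for line in log_text.splitlines():
        host = offending_host(line)
        if host:
            hits[host] += 1
    return hits


def hosts_to_ban(log_text: str, maxretry: int = 3):
    """Addresses reaching the maxretry threshold (fail2ban's default is 5; 3 suits the sample)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)
```

Against the real log, `fail2ban-regex /var/log/traefik/access.log /apps/docker/fail2ban/data/filter.d/traefik-auth.conf` performs the same check with fail2ban's own date and host handling.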
