Merge #2216

2216: Add iptables+ipset as additional FAQ entry for fail2ban r=mergify[bot] a=tkaefer ## What type of PR? (Feature, enhancement, bug-fix, documentation) ## What does this PR do? ### Related issue(s) closes #2214 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Tobias Käfer <tobias@tkaefer.de>
2025-01-28 03:56:43 +02:00 · 2022-02-17 13:02:11 +00:00 · 2022-02-17 13:02:11 +00:00 · c83457a2fa
commit c83457a2fa
parent 6d348b1650 314145868c
2 changed files with 32 additions and 3 deletions
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -664,6 +664,8 @@ The above will block flagged IPs for a week, you can of course change it to you
 The above will block flagged IPs for a week, you can of course change it to you needs.

 7. Add the /etc/fail2ban/action.d/docker-action.conf
+  
+Option 1: Use plain iptables

 .. code-block:: bash

@ -671,9 +673,9 @@ The above will block flagged IPs for a week, you can of course change it to you
  
  actionstart = iptables -N f2b-bad-auth
                iptables -A f2b-bad-auth -j RETURN
-                iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+                iptables -I DOCKER-USER -j f2b-bad-auth
  
-  actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+  actionstop = iptables -D DOCKER-USER -j f2b-bad-auth
               iptables -F f2b-bad-auth
               iptables -X f2b-bad-auth
  
@ -685,7 +687,34 @@ The above will block flagged IPs for a week, you can of course change it to you

 Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/

-8. Configure and restart the Fail2Ban service
+Option 2:  Use ipset together with iptables
+IMPORTANT: You have to install ipset on the host system, eg. `apt-get install ipset` on a Debian/Ubuntu system.
+
+See ipset homepage for details on ipset, https://ipset.netfilter.org/.
+
+ipset and iptables provide one big advantage over just using iptables: This setup reduces the overall iptable rules.
+There is just one rule for the bad authentications and the IPs are within the ipset. 
+Specially in larger setups with a high amount of brute force attacks this comes in handy.
+Using iptables with ipset might reduce the system load in such attacks significantly.
+
+.. code-block:: bash
+
+  [Definition]
+
+  actionstart = actionstart = ipset --create f2b-bad-auth iphash
+                iptables -I DOCKER-USER -m set --match-set f2b-bad-auth src -j DROP
+
+  actionstop = iptables -D DOCKER-USER -m set --match-set f2b-bad-auth src -j DROP
+               ipset --destroy f2b-bad-auth
+
+
+  actionban = ipset add -exist f2b-bad-auth <ip>
+
+  actionunban = ipset del -exist f2b-bad-auth <ip>
+
+Using DOCKER-USER chain ensures that the blocked IPs are processed in the correct order with Docker. See more in: https://docs.docker.com/network/iptables/
+
+1. Configure and restart the Fail2Ban service

 Make sure Fail2Ban is started after the Docker service by adding a partial override which appends this to the existing configuration.

--- a/towncrier/newsfragments/2214.doc
+++ b/towncrier/newsfragments/2214.doc