Is putting fail2ban/ufw in front of Docker+Traefik v2 necessary? How do Docker+Traefik handle the same need?

If I were not running Docker, I would use UFW and Fail2Ban to manage open ports and intrusion prevention.

Docker, by default, modifies iptables itself, ignoring/bypassing UFW. I know you can change this behavior but my understanding is that it is not advised to set DOCKER_OPTS="--iptables=false" because Docker networking is fairly complex.

This means that Fail2Ban is useless. I could tell Fail2Ban where to look for container traffic logs but I don't know if it'll matter since Fail2Ban won't be able to ban those IPs -- since Docker bypasses UFW.

I'm new to Docker and Traefik. I'm just trying to wrap my head around what I should do vs. what I don't need to do. I'm only exposing one service on 80/443 using Traefik, but it is a sensitive service, so I still want things to be secure.

I mean, I opened 80/443 on my FW (pfSense) and just within 24 hours I was getting hits from random IPs. There weren't a lot so I don't think anyone was trying to get in, probably some scanners, but still.

Any advice/perspective/thoughts/experience is appreciated.

As you already have pfSense, I would recommend using that for your protection methods (I am assuming this is separate from your Docker host).

There is a plugin:

Yeah, I am using pfSense at the edge and even to limit traffic between VLANs but I still worry about a compromised device in my trusted VLAN.

And thanks for that link. I wish it was easier to integrate all these things with the OS installation of UFW and Fail2Ban so I can centrally manage everything.

It's almost like you're not trusting it.

I mean trust isn't blind, nor is it forever. Someone could unknowingly execute malicious code on the laptop that then tries to hit my server.

Did you find this project?
GitHub - crazy-max/docker-fail2ban: Fail2ban Docker image based on Alpine Linux
It includes a sample for using fail2ban with Traefik.

I have seen that. I already have Fail2Ban installed on my server, directly on the OS, so ideally I'd like to get it working in conjunction with Docker and Traefik. I'm still playing around with it.

Actually, we are using the fail2ban stand-alone version with Docker Swarm.
We found that for a rule that works with Docker, instead of using the INPUT chain we use INPUT+FORWARD, for example:
root@iguana:/etc/fail2ban/jail.d# more ../action.d/iptables-multiport-docker.conf

# Fail2Ban configuration file
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
actionstart = iptables -N fail2ban-in-<name>
              iptables -N fail2ban-fw-<name>
              iptables -A fail2ban-in-<name> -j RETURN
              iptables -A fail2ban-fw-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-in-<name>
              iptables -I FORWARD -p <protocol> -m multiport --dports <port> -j fail2ban-fw-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-in-<name>
             iptables -D FORWARD -p <protocol> -m multiport --dports <port> -j fail2ban-fw-<name>
             iptables -F fail2ban-in-<name>
             iptables -F fail2ban-fw-<name>
             iptables -X fail2ban-in-<name>
             iptables -X fail2ban-fw-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = iptables -n -L FORWARD | grep -q 'fail2ban-fw-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionban = iptables -I fail2ban-in-<name> 1 -s <ip> -j <blocktype>
            iptables -I fail2ban-fw-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
actionunban = iptables -D fail2ban-in-<name> -s <ip> -j <blocktype>
              iptables -D fail2ban-fw-<name> -s <ip> -j <blocktype>

[Init]

# Default name of the chain
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
protocol = tcp

# Option:  chain
# Notes.:  specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

This action is called from:

root@iguana:/etc/fail2ban/jail.d# cat customisation.local
[DEFAULT]
bantime = 24h
destemail =
sender =
action_m = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# jail name assumed
[sshd]
enabled = true
maxretry = 3
action = %(action_m)s

# jail name assumed
[dovecot-pop3imap]
enabled  = true
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
filter   = dovecot-pop3imap
action   = iptables-multiport-docker[name=dovecot-pop3imap, port="pop3,pop3s", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 6

# jail name assumed
[postfix-sasl]
enabled  = true
port     = smtp,submission
filter   = postfix-sasl
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
action   = iptables-multiport-docker[name=postfix, port="smtp,submission", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 6

HTH, Marcelo.

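An added audit helper (not code from this thread, fail2ban or Docker) that checks the point Marcelo's INPUT+FORWARD action addresses: Docker DNATs published ports before routing, so that traffic traverses FORWARD (where Docker also hooks its DOCKER-USER chain, a detail this thread does not mention) and never INPUT, which is why a ban chain hooked only from INPUT never blocks container traffic. It assumes you have saved the output of `iptables -S` to a file; the two dumps below and the address 203.0.113.7 are constructed sample data.

```shell
#!/bin/sh
# Added audit helper: does a fail2ban chain see Docker-published traffic?
# Docker DNATs published ports, so their packets hit FORWARD (and DOCKER-USER),
# never INPUT. A chain jumped to only from INPUT cannot ban that traffic.
# f2b_docker_coverage <chain> <file holding 'iptables -S' output>
# Returns 0 if <chain> is jumped to from FORWARD or DOCKER-USER, else 1.
f2b_docker_coverage() {
  chain="$1"; dump="$2"
  # Lines of the form "-A <parent> ... -j <chain>" are the hooks into <chain>.
  parents=$(awk -v c="$chain" '$1=="-A" && $(NF-1)=="-j" && $NF==c {print $2}' "$dump" | sort -u)
  fwd=0; inp=0
  for p in $parents; do
    case "$p" in
      FORWARD|DOCKER-USER) fwd=1 ;;
      INPUT) inp=1 ;;
    esac
  done
  if [ "$fwd" -eq 1 ]; then
    echo "$chain: reachable for Docker-forwarded traffic (hooked from: $(echo $parents))"
    return 0
  elif [ "$inp" -eq 1 ]; then
    echo "$chain: hooked only from INPUT; container traffic bypasses it"
    return 1
  fi
  echo "$chain: not hooked from any built-in chain"
  return 1
}

# Constructed, abridged 'iptables -S' dumps (sample data, not a real host).
# 1) stock iptables-multiport action: chain hooked from INPUT only.
INPUT_ONLY_DUMP=$(mktemp)
cat > "$INPUT_ONLY_DUMP" <<'EOF'
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A f2b-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
EOF
# 2) the INPUT+FORWARD action from the thread, used for a Traefik jail.
DOCKER_DUMP=$(mktemp)
cat > "$DOCKER_DUMP" <<'EOF'
-N DOCKER-USER
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-in-traefik
-A FORWARD -p tcp -m multiport --dports 80,443 -j fail2ban-fw-traefik
-A FORWARD -j DOCKER-USER
-A fail2ban-fw-traefik -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
EOF

f2b_docker_coverage f2b-sshd "$INPUT_ONLY_DUMP" || true   # INPUT only: warns
f2b_docker_coverage fail2ban-fw-traefik "$DOCKER_DUMP"     # FORWARD hook: ok
```

On a live host, run it against `iptables -S` saved to a file after fail2ban has started, once per jail chain.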

I don't know what your use case is; however, why open up any ports to the world? Just run something like OpenVPN or WireGuard on your pfSense and gain access to your network that way.

@marcelo-ochoa I will check this out. I am using ufw so hoping to get everything working together. Will have to do some more research I think.

@kevdog I'm trying to host a web site -- so VPN wouldn't make sense.

We have an HAProxy receiving all internet traffic to our Swarm cluster; it runs on three nodes (masters) and intercepts all public protocols (pop3, smtp, http, https, etc.).
To avoid DDNS attacks or brute-force password finding, a fail2ban standalone installation checks that traffic and blocks external IPs.