crazy-max/docker-fail2ban

IPv6 support with Ubuntu

Closed this issue · 1 comments

Behaviour

Tried to SSH in from an IPv6 host, which showed in the logs when the attempts failed. After the third try, fail2ban attempted to ban the IP address, which it managed to do in its database, but ip6tables failed. On a subsequent attempt, the same log lines appeared, and it seemed like I could try to log in again. After three attempts, a message appeared in the log stating that the IP is already banned.

Steps to reproduce this issue

  1. Start up the multi-container example with the sshd jail on the INPUT chain
  2. Make three failed login attempts from an IPv6 address
  3. Observe the error messages below in the logs

Expected behaviour

IP should be banned

Actual behaviour

IP is not banned, and the output shown under Logs below is observed.

Suggested fix

Install insmod via the kmod package. I did this in the running container, and on a subsequent attempt, the IP was successfully banned.

Configuration

  • Docker version (type docker --version) : 18.06.1-ce, build e68fc7a
  • Docker compose version if applicable (type docker-compose --version) : 1.19.0, build 9e633ef
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 18.04.2
  • Include all necessary configuration files : docker-compose.yml, .env, ...

Docker info

Containers: 9
 Running: 7
 Paused: 0
 Stopped: 2
Images: 33
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-36-generic
Operating System: Ubuntu 18.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.9GiB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Logs

2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- returned 3
2019-05-05 23:55:19,447 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '2a02:2121:343:a0d4:*something more*', 'fid': <function <lambda> at 0x7fe1bd8bb320>, 'family': 'inet6', 'raw-ticket': <function <lambda> at 0x7fe1bd8bb7d0>})': Error starting action Jail('sshd')/iptables-multiport
2019-05-05 23:56:47,178 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:46
2019-05-05 23:56:52,592 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:52
2019-05-05 23:56:54,614 fail2ban.filter         [1]: INFO    [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:54
2019-05-05 23:56:54,642 fail2ban.actions        [1]: WARNING [sshd] 2a02:2121:343:a0d4:*something more* already banned

Hi @oddsund !

Thanks for this report. You're right, kmod is the way to go as suggested in moby/moby#33605
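
A detection sketch for the failure mode in this thread, added here as an example and not code from the issue or from docker-fail2ban: it scans fail2ban log text for ban actions that failed and counts later activity from the same address, which is the sign that the ban exists in fail2ban's records but not in the firewall. The log sample and the name `unenforced_bans` are constructed for illustration.

```python
import re

# Constructed sample in the log format shown in the report above. The addresses
# come from the 2001:db8::/32 documentation prefix, not from the issue.
SAMPLE_LOG = """\
2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,444 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils          [1]: ERROR   7fe1bd8a4b58 -- returned 3
2019-05-05 23:55:19,447 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '2001:db8::10', 'family': 'inet6'})': Error starting action Jail('sshd')/iptables-multiport
2019-05-05 23:56:47,178 fail2ban.filter         [1]: INFO    [sshd] Found 2001:db8::10 - 2019-05-05 23:56:46
2019-05-05 23:56:50,001 fail2ban.filter         [1]: INFO    [sshd] Found 2001:db8::99 - 2019-05-05 23:56:49
2019-05-05 23:56:52,592 fail2ban.filter         [1]: INFO    [sshd] Found 2001:db8::10 - 2019-05-05 23:56:52
2019-05-05 23:56:54,642 fail2ban.actions        [1]: WARNING [sshd] 2001:db8::10 already banned
"""

STDERR = re.compile(r"fail2ban\.utils.* -- stderr: [\"'](?P<msg>.*)[\"']$")
FAILED = re.compile(r"Failed to execute ban jail '(?P<jail>[^']+)' action "
                    r"'(?P<action>[^']+)'.*?'ip': '(?P<ip>[^']+)'")
FOUND = re.compile(r"\[(?P<jail>[^\]]+)\] Found (?P<ip>.+?) - \d{4}-")
ALREADY = re.compile(r"\[(?P<jail>[^\]]+)\] (?P<ip>.+?) already banned")

def unenforced_bans(log_text):
    """Map (jail, ip) -> details for bans whose firewall action failed."""
    findings, stderr = {}, []
    for line in log_text.splitlines():
        if m := STDERR.search(line):
            if m["msg"] not in stderr:        # keep each distinct cause once
                stderr.append(m["msg"])
        elif m := FAILED.search(line):
            findings.setdefault((m["jail"], m["ip"]), {
                "action": m["action"], "failed_at": line[:23],
                "causes": stderr, "found_after": 0, "already_banned": 0})
            stderr = []                       # later stderr belongs to the next failure
        elif m := FOUND.search(line):
            hit = findings.get((m["jail"], m["ip"]))
            if hit:
                hit["found_after"] += 1       # source still reaches the service
        elif m := ALREADY.search(line):
            hit = findings.get((m["jail"], m["ip"]))
            if hit:
                hit["already_banned"] += 1    # ban list and firewall disagree
    return findings

if __name__ == "__main__":
    for (jail, ip), details in unenforced_bans(SAMPLE_LOG).items():
        print(jail, ip, details)
```

Any entry with a non-zero `found_after` or `already_banned` count is a ban that fail2ban recorded but the firewall never enforced; the `causes` list carries the stderr text that explains why.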