Ipv6 support with Ubuntu
Closed this issue · 1 comments
oddsund commented
Behaviour
Tried to ssh in from ipv6 host, which showed in the logs when the attempts failed. After the third try, fail2ban attempted to ban the ip address, which it managed to do in its database, but the ip6tables failed. On subsequent attempt, the same log lines appeared, and it seemed like I could try to log in again. After three attempts, a message appeared in the log stating that the ip is already banned.
Steps to reproduce this issue
- Start up multi-container example with sshd jail on INPUT chain
- Attempt three failed login attempts from ipv6 address
- Observe error message below in the logs
Expected behaviour
IP should be banned
Actual behaviour
IP is not banned, and the below is observed in the logs;
Suggested fix
Install insmod via the kmod package. I did this in the running container, and on subsequent attempt, the ip was successfully banned.
Configuration
- Docker version (type
docker --version
) : 18.06.1-ce, build e68fc7a - Docker compose version if applicable (type
docker-compose --version
) : 1.19.0, build 9e633ef - Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 18.04.2
- Include all necessary configuration files :
docker-compose.yml
,.env
, ...
Docker info
Containers: 9
Running: 7
Paused: 0
Stopped: 2
Images: 33
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-36-generic
Operating System: Ubuntu 18.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.9GiB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
Logs
2019-05-05 23:55:19,444 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,444 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: "ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2019-05-05 23:55:19,447 fail2ban.utils [1]: ERROR 7fe1bd8a4b58 -- returned 3
2019-05-05 23:55:19,447 fail2ban.actions [1]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '2a02:2121:343:a0d4:*something more*', 'fid': <function <lambda> at 0x7fe1bd8bb320>, 'family': 'inet6', 'raw-ticket': <function <lambda> at 0x7fe1bd8bb7d0>})': Error starting action Jail('sshd')/iptables-multiport
2019-05-05 23:56:47,178 fail2ban.filter [1]: INFO [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:46
2019-05-05 23:56:52,592 fail2ban.filter [1]: INFO [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:52
2019-05-05 23:56:54,614 fail2ban.filter [1]: INFO [sshd] Found 2a02:2121:343:a0d4:*something more* - 2019-05-05 23:56:54
2019-05-05 23:56:54,642 fail2ban.actions [1]: WARNING [sshd] 2a02:2121:343:a0d4:*something more* already banned
crazy-max commented
Hi @oddsund !
Thanks for this report. You right, kmod
is the way to go as suggested in moby/moby#33605