0

My situation at the moment: I'm setting up a mail server and just after getting it to work, the logs are flooded with authentication failed messages from a suspicious Iranian network trying to log in to random accounts.

After some googling I found out that fail2ban can stop those attacks, but there's one problem: how to use fail2ban in Kubernetes? My ideas:

  • I found this plugin for traefik, but it requires the traefik instance to be connected to their SaaS management service, which I don't need
  • Installing fail2ban on the host: As Kubernetes connects multiple nodes, fail2ban on node 1 only gets the logs from this node and cannot block traffic coming in on node 2.

Is there a solution to run fail2ban in Kubernetes, maybe linked to the ingress controller, as it is possible with traefik, but without any connection to a SaaS provider?

8bit
  • 528
  • 2
  • 6
  • 25

2 Answers

1

There isn't really a good way to do this. Both on the log access front, and more importantly on tweaking the iptables rules from inside a container. You could definitely use the core engine of fail2ban to build a tool around the k8s native APIs (pods/logs, NetworkPolicy) however I don't know any such project at time of writing.

coderanger
  • 52,400
  • 4
  • 52
  • 75
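A minimal sketch of the approach coderanger describes (the fail2ban idea rebuilt on Kubernetes-native objects), added here as an example and not code from either answer: it counts authentication failures per source IP from mail-server log lines (constructed samples in Dovecot/Postfix syslog style) and emits a NetworkPolicy whose ipBlock excludes the offenders. The pod label app=mail, the namespace and the maxretry threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Dovecot/Postfix syslog style (made up for this example,
# not taken from the question); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.7
Jan 10 12:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.7
Jan 10 12:00:04 mail postfix/smtpd[4242]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: generic failure
Jan 10 12:00:09 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=10.0.0.7
Jan 10 12:00:12 mail postfix/smtpd[4243]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: generic failure
"""

# Two "filters" in fail2ban's sense: each captures the remote IP of a failed login.
DOVECOT_FAIL = re.compile(r"auth failed.*?\brip=(\d{1,3}(?:\.\d{1,3}){3})")
POSTFIX_FAIL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")


def failed_logins(log_text):
    """Count authentication failures per source IP across all known filters."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in (DOVECOT_FAIL, POSTFIX_FAIL):
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break
    return counts


def offenders(counts, maxretry=3):
    """IPs at or above the threshold (fail2ban's maxretry), sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def network_policy(banned_ips, app_label="mail", namespace="mail"):
    """Admit all ingress to the app=mail pods except the banned /32s.
    Only effective when the CNI enforces NetworkPolicy and the pods see the real client
    address (hostNetwork, or a Service with externalTrafficPolicy: Local); otherwise the
    ipBlock only ever sees the node or ingress IP and nothing gets blocked."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "fail2ban-bans", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app_label}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": [f"{ip}/32" for ip in banned_ips],
            }}]}],
        },
    }
```

Running it against the sample lines bans 203.0.113.5 (three failures) and leaves 198.51.100.9 (one failure) alone; a real deployment would read the mail pod's log stream and apply the manifest with the Kubernetes API instead of printing it.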
0

In theory, you will need to run fail2ban with certain capabilities:

  {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "fail2ban"},
    "spec": {
      "hostNetwork": true,
      "containers": [{
        "name": "netadmin",
        "image": "<your-fail2ban-image>",
        "securityContext": {"capabilities": { "add": ["NET_ADMIN", "NET_RAW"] }}
      }]
    }
  }

See here:

Docker - modifying IPTABLES for host from container

and here:

relationship between K8S iptables and the one of a container inside a pod

You will also need to pass the correct logs to fail2ban inside the container.

oz123
  • 27,559
  • 27
  • 125
  • 187