
fail2ban is unable to execute iptables rules #3

Open
millermarkj opened this issue Jun 16, 2019 · 1 comment

Comments

@millermarkj

The container starts without errors. The fail2ban process starts but cannot execute any bans because it doesn't appear to have permissions to call iptables:

2019-06-15 14:03:07,667 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- stdout: b''
2019-06-15 14:03:07,668 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- stderr: b"iptables v1.6.0: can't initialize iptables
 table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\ngetsockopt failed strangely: Operation not permitted\n"
2019-06-15 14:03:07,668 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- returned 1
2019-06-15 14:03:07,668 fail2ban.actions        [171]: ERROR   Failed to start jail 'sshd' action 'iptables-multiport': Error starting action
2019-06-15 14:08:51,080 fail2ban.filter         [171]: INFO    [sshd] Found 123.456.789.123
2019-06-15 14:08:52,053 fail2ban.actions        [171]: NOTICE  [sshd] Ban 123.456.789.123
2019-06-15 14:08:52,156 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''
2019-06-15 14:08:52,156 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b"iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"
2019-06-15 14:08:52,157 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2019-06-15 14:08:52,157 fail2ban.CommandAction  [171]: ERROR   Invariant check failed. Trying to restore a sane environment
2019-06-15 14:08:52,259 fail2ban.action         [171]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2019-06-15 14:08:52,259 fail2ban.action         [171]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b"getsockopt failed strangely: Operation not permitted\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"

(I've redacted the IPs included here)

Any ideas?

@millermarkj
Author

millermarkj commented Jun 28, 2019

I was able to resolve this issue with multiple changes to the Dockerfile and other components:

  1. phusion/baseimage should not be using the latest tag! The "Getting started now" documentation on the main page recommends calling out a specific version. In the Dockerfile, I switched from:
    FROM phusion/baseimage:latest
    to
    FROM phusion/baseimage:0.11
    This has the benefit of updating to 18.04, however...

  2. Now syslog-ng won't start. You need to pull in your own syslog-ng.conf. I created a new syslog-ng directory under config, put a copy of syslog-ng.conf in there, and copied it in with
    COPY syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
    You'll need to update the version at the top, changing
    @version: 3.5
    to
    @version: 3.13
    Then you'll need to update line 56 to remove the backtick (`) from the comment. I replaced mine with a standard single-quote (') char.

  3. Now you need to grant the NET_ADMIN permissions to your container. It's possible this is the only part that's needed to change, but I wanted it running the 18.04 phusion/baseimage anyhow.
    I'm using docker-compose, so add the following to your docker-compose.yml:

    cap_add:
      - NET_ADMIN

If you're running directly from the prompt without making changes, you'd call it as:

docker run \
    -v /host/config/path:/config \
    -p 22:22 \
    --cap-add=NET_ADMIN \
    -d markusmcnugen/sftp \
    user:pass:::upload

I'll be submitting a change up to git as soon as I can figure out how.
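An added example, not part of this issue or of the markusmcnugen/sftp project: a small POSIX sh check that decodes the effective capability mask a process is running with and reports whether CAP_NET_ADMIN (capability bit 12 in the kernel's numbering) is present. Running it inside the container tells you whether cap_add: NET_ADMIN / --cap-add=NET_ADMIN actually took effect, which is the thing to confirm before digging into fail2ban or iptables itself. The two sample masks are constructed for the demonstration (the first matches the capability set Docker commonly grants by default, the second is the same set with bit 12 added); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: does this process hold CAP_NET_ADMIN? fail2ban's iptables
# actions need it, and a container without it fails exactly as in the log above
# ("can't initialize iptables table `filter': Permission denied").

# Kernel capability number for CAP_NET_ADMIN (see capabilities(7)).
CAP_NET_ADMIN_BIT=12

# Constructed sample masks, formatted as /proc/<pid>/status prints "CapEff:".
SAMPLE_DEFAULT_CAPEFF=00000000a80425fb    # typical Docker default set, bit 12 clear
SAMPLE_NET_ADMIN_CAPEFF=00000000a80435fb  # same set after --cap-add=NET_ADMIN

# cap_present HEXMASK BIT -> exit 0 if BIT is set in HEXMASK.
# Shell arithmetic is 64-bit on Linux, so the full mask fits.
cap_present() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# current_capeff -> the effective capability mask of this shell (Linux only).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# check_net_admin [HEXMASK] -> exit 0 if CAP_NET_ADMIN is held, 1 otherwise.
# With no argument the mask is read from /proc/self/status.
check_net_admin() {
    mask=${1:-$(current_capeff)}
    if cap_present "$mask" "$CAP_NET_ADMIN_BIT"; then
        echo "CapEff=$mask: CAP_NET_ADMIN present; iptables chains can be managed"
        return 0
    fi
    echo "CapEff=$mask: CAP_NET_ADMIN missing; add 'cap_add: [NET_ADMIN]' (compose) or --cap-add=NET_ADMIN (docker run)"
    return 1
}

# Demonstration on the constructed masks; exit status deliberately not propagated.
check_net_admin "$SAMPLE_DEFAULT_CAPEFF" || true
check_net_admin "$SAMPLE_NET_ADMIN_CAPEFF" || true
```

Inside a running container, `docker exec <container> sh -c 'check_net_admin'` (after copying the script in) or simply `check_net_admin` with no argument reads the real mask; a non-zero exit means the capability was not granted and the fail2ban errors will persist no matter which base image tag is used.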
