Linux – fail2ban on server with LXC Containers

debianfail2baniptableslinuxlxc

The issue is modprobe and iptables don't work inside an LXC Container.

LXC is the userspace control package for Linux Containers, a
lightweight virtual system mechanism sometimes described as “chroot on
steroids”.

iptables error inside the container is:

# iptables -I INPUT -s 122.129.126.194 -j DROP
> iptables v1.4.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I am guessing that it can't work because the LXC containers share one kernel, the main server kernel.

How do I do fail2ban in this case.
modprobe and iptables work in the main server so I could install it there and link to the logfiles somehow, my guess?

Any suggestions?

Best Answer

Maybe tcp wrappers works for you. fail2ban can manage /etc/hosts.allow and /etc/hosts.deny files

Related Solutions

Fail2Ban – How to Unban an IP Properly

With Fail2Ban before v0.8.8:

fail2ban-client get YOURJAILNAMEHERE actionunban IPADDRESSHERE

With Fail2Ban v0.8.8 and later:

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name...
...then use fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g' to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.

How to create a LXC container on LVM from an OpenVZ template

I do this all the time using LXC and the OpenVZ CentOS templates.

The two guides I followed initially are here and here.

I usually place my containers under /srv/ or /srv/lxc/. I don't bother with LVM, but if you want to, just mount your new LVM volume under /srv/lxc/container_name per-container. That makes sense, right?

In this example, I have a ZFS-on-Linux mount at the place where I want the container to reside under /srv:

[root@Lancaster_Mirror1 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/cciss/c0d0p2      12G  1.9G  9.4G  17% /
tmpfs                 7.8G     0  7.8G   0% /dev/shm
/dev/cciss/c0d0p1     291M   59M  218M  22% /boot
/dev/cciss/c0d0p7     2.0G  119M  1.8G   7% /tmp
/dev/cciss/c0d0p3     9.9G  1.9G  7.5G  20% /usr
/dev/cciss/c0d0p6     6.0G  321M  5.3G   6% /var
vol2/images            98G   43G   56G  44% /images
vol3/Lancaster_Test    98G   22G   77G  22% /srv/Lancaster_Test <<--container

As for the LXC installation, I take the prebuilt OpenVZ image and put it in the destination container directory, then unpack it - tar -ztvf centos-6-x86_64-devel.tar.gz. Nothing needs to be modified on the template to make this work.

  426  wget http://downloads.sourceforge.net/project/lxc/lxc/lxc-0.7.3/lxc-0.7.3.tar.gz
  427  rpmbuild -ta lxc-0.7.3.tar.gz
  429  rpmbuild -ta lxc-0.7.3.tar.gz
  434  yum --nogpg install lxc-0.7.3-1.x86_64.rpm libvirt
  437  lxc-create -f /etc/lxc/Lancaster_Test.conf -n Lancaster_Test
  438  lxc-checkconfig
  441  screen -dmS init-Lancaster_Test /usr/bin/lxc-start -n Lancaster_Test
  442  screen -dmS console-Lancaster_Test /usr/bin/lxc-console -n Lancaster_Test

Maybe I'm off, but I choose to use the containers directly on a filesystem. Are you doing something different?

I can provide excerpts of the lxc config files, but you don't seem to have an issue with that.

Best Answer

Related Solutions

Fail2Ban – How to Unban an IP Properly

How to create a LXC container on LVM from an OpenVZ template

Related Topic