MarkusMcNugen / docker-sftp

Fork of atmoz SFTP container built with Ubuntu and includes fail2ban
MIT License

fail2ban is unable to execute iptables rules #3

Open millermarkj opened 5 years ago

millermarkj commented 5 years ago

The container starts without errors. The fail2ban process starts but cannot execute any bans because it doesn't appear to have permissions to call iptables:

2019-06-15 14:03:07,667 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- stdout: b''
2019-06-15 14:03:07,668 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- stderr: b"iptables v1.6.0: can't initialize iptables
 table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\ngetsockopt failed strangely: Operation not permitted\n"
2019-06-15 14:03:07,668 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -- returned 1
2019-06-15 14:03:07,668 fail2ban.actions        [171]: ERROR   Failed to start jail 'sshd' action 'iptables-multiport': Error starting action
2019-06-15 14:08:51,080 fail2ban.filter         [171]: INFO    [sshd] Found 123.456.789.123
2019-06-15 14:08:52,053 fail2ban.actions        [171]: NOTICE  [sshd] Ban 123.456.789.123
2019-06-15 14:08:52,156 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''
2019-06-15 14:08:52,156 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b"iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"
2019-06-15 14:08:52,157 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2019-06-15 14:08:52,157 fail2ban.CommandAction  [171]: ERROR   Invariant check failed. Trying to restore a sane environment
2019-06-15 14:08:52,259 fail2ban.action         [171]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2019-06-15 14:08:52,259 fail2ban.action         [171]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b"getsockopt failed strangely: Operation not permitted\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"

(I've redacted the IPs included here)

Any ideas?

millermarkj commented 5 years ago

I was able to resolve this issue with multiple changes to the Dockerfile and other components:

  1. phusion/baseimage should not be using the latest tag! The "Getting started now" documentation on the main page recommends calling out a specific version. In the Dockerfile, I switched from FROM phusion/baseimage:latest to FROM phusion/baseimage:0.11. This has the benefit of updating to 18.04, however...

  2. Now syslog-ng won't start. You need to pull in your own syslog-ng.conf. I created a new syslog-ng directory under config, put a copy of syslog-ng.conf in there, and copied it in with COPY syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf. You'll need to update the version at the top, changing @version: 3.5 to @version: 3.13. Then you'll need to update line 56 to remove the backtick (`) from the comment. I replaced mine with a standard single-quote (') char.

  3. Now you need to grant the NET_ADMIN permissions to your container. It's possible this is the only part that's needed to change, but I wanted it running the 18.04 phusion/baseimage anyhow. I'm using docker-compose, so add the following to your docker-compose.yml:

    cap_add:
      - NET_ADMIN

    If you're running directly from the prompt without making changes, you'd call it as:

    # --cap-add must come before the image name: anything after the image
    # is passed to the container's entrypoint as an argument, not to docker
    docker run \
    --cap-add=NET_ADMIN \
    -v /host/config/path:/config \
    -p 22:22 -d markusmcnugen/sftp \
    user:pass:::upload

I'll be submitting a change up to git as soon as I can figure out how.
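The log in the first comment shows the part of this failure that matters operationally: fail2ban keeps emitting "NOTICE [sshd] Ban ..." even though every iptables call has failed, so anyone watching only the Ban lines would believe the container is enforcing bans when it is not. The following is an added example (not code from the docker-sftp project or from the issue author) with two defender-side checks: a capability test a container entrypoint could run before starting fail2ban, and a log audit that flags bans logged for a jail whose action never started. The function names, the sample log lines and the 192.0.2.x addresses are constructed for this example; the CapEff values in the usage are the full 64-bit set and the Docker default capability set (which has bit 12, CAP_NET_ADMIN, clear).

```shell
#!/bin/sh
# Added example, not part of the docker-sftp project or the issue author's code.
# Two checks for the failure mode in this issue: the container lacks CAP_NET_ADMIN,
# every iptables call fails, yet fail2ban still logs "NOTICE [sshd] Ban ..." as if
# the ban had been applied. Function names, sample log lines and addresses below
# are constructed for this example.

# 1) Does the effective capability set include CAP_NET_ADMIN (capability 12)?
#    Pass the hex CapEff value to test offline; with no argument it reads
#    /proc/self/status, which is what an entrypoint would do before launching
#    fail2ban. Returns 0 if the capability is present, 1 otherwise.
has_cap_net_admin() {
    capeff="$1"
    if [ -z "$capeff" ]; then
        capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    fi
    [ $(( 0x$capeff & (1 << 12) )) -ne 0 ]
}

# 2) Audit a fail2ban log for bans that were logged but never enforced.
#    Reports jails whose action failed to start, Ban notices for such jails,
#    and the number of iptables "Permission denied" errors. Prints one line
#    per finding and returns 1 if anything was found, 0 for a clean log.
f2b_audit_log() {
    awk '
        # fields: date time component [pid]: LEVEL message...
        $5 == "ERROR" && $6 == "Failed" && $9 == "jail" {
            jail = substr($10, 2, length($10) - 2)   # strip the quotes
            broken[jail] = 1
            print "action failed to start for jail " jail
            findings++
        }
        $5 == "NOTICE" && $7 == "Ban" {
            jail = substr($6, 2, length($6) - 2)     # strip the brackets
            if (jail in broken) {
                print "ban of " $NF " logged for jail " jail " but its action never started"
                findings++
            }
        }
        /Permission denied \(you must be root\)/ { perm++ }
        END {
            if (perm) {
                print perm " iptables permission errors (missing CAP_NET_ADMIN?)"
                findings++
            }
            exit (findings ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample logs in the format of the fail2ban output quoted above.
write_broken_sample() {
    cat > "$1" <<'EOF'
2019-06-15 14:03:07,668 fail2ban.action         [171]: ERROR   iptables -w -N f2b-sshd -- stderr: b"iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\n"
2019-06-15 14:03:07,668 fail2ban.actions        [171]: ERROR   Failed to start jail 'sshd' action 'iptables-multiport': Error starting action
2019-06-15 14:08:51,080 fail2ban.filter         [171]: INFO    [sshd] Found 192.0.2.10
2019-06-15 14:08:52,053 fail2ban.actions        [171]: NOTICE  [sshd] Ban 192.0.2.10
2019-06-15 14:08:52,156 fail2ban.action         [171]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b"iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)\n"
EOF
}

write_healthy_sample() {
    cat > "$1" <<'EOF'
2019-06-15 14:08:51,080 fail2ban.filter         [171]: INFO    [sshd] Found 192.0.2.10
2019-06-15 14:08:52,053 fail2ban.actions        [171]: NOTICE  [sshd] Ban 192.0.2.10
EOF
}

# Usage (constructed values):
#   has_cap_net_admin 0000003fffffffff && echo "NET_ADMIN present"
#   has_cap_net_admin 00000000a80425fb || echo "NET_ADMIN missing (Docker default set)"
#   write_broken_sample /tmp/f2b.log; f2b_audit_log /tmp/f2b.log; echo "exit $?"
```

The capability check is the one worth wiring into the container's startup: if it fails, refuse to start fail2ban (or exit loudly) rather than let it run in the state shown in the log above. The log audit is for the host side, where the same three findings can be turned into an alert on an existing fail2ban deployment.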