How to use Fail2ban under Kubernetes? [closed]
Until now I'm using Docker for a hand-made hosting solution on single VPCs, with fail2ban installed on the host and watching the Docker logs from the Nginx containers (each server can host multiple websites, served through an Nginx proxy).

I wonder how it would be possible to achieve the same feature with Kubernetes, especially blocking POST requests to /wp-admin after X attempts?

I thought about building a custom Docker image for the Nginx proxy (Ingress in K8s) including Fail2ban; but maybe there's a simpler solution: Network Policies?

Warlock answered 15/5, 2019 at 22:46 Comment(1)
Do you still have this problem? I wonder if ModSecurity can solve this case. – Shoemake
That's an old question, probably resolved by the author, but for other community members I decided to provide an answer with a few clarifications.

I have tried to find a fail2ban solution that can help with this case. Unfortunately, I did not find anything suitable and easy to use at the same time.
It may be reasonable to create a GitHub issue for fail2ban integration with Kubernetes.

Below are some other solutions that may help you:

ModSecurity

Using Kubernetes Ingress to expose HTTP and HTTPS routes from outside the cluster to services within the cluster may be a good starting point for you.

As we can see in the Kubernetes Ingress documentation:

You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect. You may need to deploy an Ingress controller such as ingress-nginx.

In the NGINX Ingress Controller you can use ModSecurity as a third-party addon:

ModSecurity is an OpenSource Web Application firewall. It can be enabled for a particular set of ingress locations. The ModSecurity module must first be enabled by enabling ModSecurity in the ConfigMap. Note this will enable ModSecurity for all paths, and each path must be disabled manually.

You can enable the OWASP Core Rule Set by setting the following annotation at the ingress level (more information can be found in the NGINX ModSecurity configuration documentation):

nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"

It seems possible to use ModSecurity as a Brute-Force Authentication Protection as described in this article: Defending WordPress Logins from Brute Force Attacks.

Additionally, it is worth mentioning that the NGINX Ingress Controller has many annotations that can be used to mitigate DDoS attacks, e.g.:

nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate-limiting. The value is a comma separated list of CIDRs.

nginx.ingress.kubernetes.io/limit-rps: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, the limit-req-status-code (default: 503) is returned.

nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.

WordPress Plugins

As you are using WordPress, you can use many WordPress plugins. For example, the Web Application Firewall plugin offers a Real Time IP Blocking feature.

Web Application Firewall (WAF)

Whether you use an on-prem or cloud environment, you can use a specialized firewall (WAF) and DDoS mitigation service such as Google Cloud Armor (see Cloud Armor for on-prem and cloud workloads).

Shoemake answered 15/5, 2019 at 22:46 Comment(0)
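As an added example (not part of Shoemake's answer), this is how the annotations above combine into Ingress objects for one WordPress host: the site Ingress enables ModSecurity with the OWASP CRS, and a second Ingress for /wp-login.php (where logins behind /wp-admin are posted) gets the strict per-IP rate limits plus a ModSecurity rule that counts POSTs per client IP and denies after five in ten minutes. Assumptions: ingress-nginx built with ModSecurity, snippet annotations allowed in the controller ConfigMap (allow-snippet-annotations), and the host, Service name and CIDR are placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: blog.example.com   # placeholder host (added example, not the answer's)
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wordpress  # placeholder Service name
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress-login
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    # Strict per-IP limits for the login endpoint only (burst = 2 * 5 = 10);
    # 203.0.113.0/24 is a documentation range standing in for an admin network.
    nginx.ingress.kubernetes.io/limit-whitelist: "203.0.113.0/24"
    nginx.ingress.kubernetes.io/limit-rps: "2"
    nginx.ingress.kubernetes.io/limit-connections: "5"
    # Count login POSTs per client IP; deny with 429 after 5 within 10 minutes.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAction "id:100000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
      SecRule REQUEST_METHOD "@streq POST" "id:100001,phase:1,pass,nolog,setvar:ip.wp_login=+1,expirevar:ip.wp_login=600"
      SecRule IP:WP_LOGIN "@gt 5" "id:100002,phase:1,deny,status:429,log,msg:'wp-login brute force'"
spec:
  ingressClassName: nginx
  rules:
  - host: blog.example.com
    http:
      paths:
      - path: /wp-login.php
        pathType: Exact
        backend:
          service:
            name: wordpress
            port:
              number: 80
```

Neither the ModSecurity ip collection (in-memory per libmodsecurity process) nor the limit-rps zone is shared across ingress-nginx replicas, so with N replicas the effective threshold is roughly N times the configured one.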
CrowdSec

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPv6-compatible and 60x faster (Go vs Python); it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected, you can remedy threats with various bouncers (firewall block, nginx HTTP 403, captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security.

CrowdSec on GitHub: https://github.com/crowdsecurity/crowdsec

Documentation: https://doc.crowdsec.net

Comparison to Fail2Ban: https://www.crowdsec.net/blog/crowdsec-not-your-typical-fail2ban-clone

Umbrella answered 5/6 at 10:11 Comment(0)
I think you're talking about monitoring requests; k8s cannot monitor traffic. Network policies can be used only for load balancing between nodes. You can monitor traffic using Istio, but it is connected with microservices.

You need to install Istio on your cluster. Then you have to visualize metrics with Grafana and follow the steps in the tutorial below: https://istio.io/docs/tasks/telemetry/metrics/using-istio-dashboard/ At the end, visualizing workload dashboards gives details about metrics for each workload.

Istio has many other advantages; you can also trace requests using Zipkin.

I hope this helps.

Merline answered 16/5, 2019 at 11:44 Comment(3)
Thanks for your answer. But as far as I understand, Istio/Zipkin have nothing to do with any kind of WAF. More than visualizing requests, I would like to be able to ban IPs matching custom filters. – Warlock
Yes, but Istio will help you to visualize requests and then, based on it, you can write your own script to block the requests you want to. There is no such feature in Kubernetes; you have to do it manually. – Merline
@MaggieO could you please describe the script? Like, after analysing logs I would like to block an IP, so what kind of request should the script send, and where, to block an IP? – Tacit
