Greetings,

----- Original Message -----
> Has anyone experienced any problems with OpenVZ, CentOS 7 and
> fail2ban?

I haven't done a lot with firewalls inside of containers... although I have 
started using firewalld lately on a few EL7 containers and it seems to work 
just fine even with live migration... making sure to "vzctl set {ctid} 
--netfilter {stateful | full}".  You have to ensure that any OpenVZ needed 
hostnode / container settings are configured properly.

As you probably know, fail2ban uses ipset... and I'm not sure ipset works in a 
container.  The only thing I've used fail2ban for is sshd brute force 
protection... and in most of my containers I either turn sshd off (and access 
it via the host node with vzctl enter) or I run sshd on a port other than 22 
(eliminating most ssh brute force attacks)... so I haven't had the need to run 
fail2ban in a container.

If ipset works with the netfilter set correctly (I haven't verified)... you 
also have to make sure to configure fail2ban (from EPEL) so it looks at the 
appropriate logs.  Are you using rsyslog?  Are you using journald in persistent 
storage mode without rsyslog?  And then there are also a handful of services 
(like apache / httpd) that do their own logging and use neither journald nor 
rsyslog.  The default fail2ban backend of "auto" has not always worked for 
me... even on physical hosts.

Anyway, there are lots of moving pieces and I haven't given you a complete 
answer, but there are some of the pieces.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
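The reply above boils down to three things that must be chosen explicitly inside a container rather than left to fail2ban's "auto" detection: which backend reads the sshd log (journald vs. rsyslog), whether an ipset-based ban action can even work, and where each service's log actually lives. The following POSIX shell script is an added example, not code from the post or from the fail2ban or OpenVZ projects. The probing heuristics are assumptions (persistent journald is inferred from `/var/log/journal`, rsyslog from `/etc/rsyslog.conf`, and ipset usability from whether `ipset list` succeeds); `systemd`, `polling`, `firewallcmd-ipset` and `iptables-multiport` are real fail2ban backend and action names, and `choose_backend` takes a root directory argument so it can be exercised against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original post): pick explicit fail2ban settings for an
# EL7 container instead of relying on "backend = auto". All probes are assumptions.

# choose_backend ROOT: decide which backend fail2ban should use for the sshd jail.
#   - persistent journald (ROOT/var/log/journal) and no rsyslog config -> "systemd"
#   - rsyslog writing the classic ROOT/var/log/secure               -> "polling"
#   - anything else is reported as "unknown" so a person decides, rather than
#     silently falling back to "auto"
choose_backend() {
    root=${1:-}
    if [ -d "$root/var/log/journal" ] && [ ! -f "$root/etc/rsyslog.conf" ]; then
        echo systemd
    elif [ -f "$root/var/log/secure" ]; then
        echo polling
    else
        echo unknown
    fi
}

# choose_banaction: ipset may be unavailable in a container (missing tool or no kernel
# support through the netfilter setting). "ipset list" is a side-effect-free probe;
# if it fails, fall back to the plain iptables multiport action.
choose_banaction() {
    if command -v ipset >/dev/null 2>&1 && ipset list >/dev/null 2>&1; then
        echo firewallcmd-ipset
    else
        echo iptables-multiport
    fi
}

# write_jail_local OUT BACKEND BANACTION LOGPATH: emit a jail.local in which every
# setting the post calls out is stated explicitly. With the systemd backend fail2ban
# reads the journal directly, so logpath is only written for file-based backends.
write_jail_local() {
    out=$1
    backend=$2
    banaction=$3
    logpath=$4
    {
        echo "[DEFAULT]"
        echo "banaction = $banaction"
        echo "backend = $backend"
        echo
        echo "[sshd]"
        echo "enabled = true"
        echo "port = ssh"   # change if sshd listens on a non-standard port
        if [ "$backend" != systemd ]; then
            echo "logpath = $logpath"
        fi
    } >"$out"
}

# Usage on a real container (writes to /etc/fail2ban/jail.local, needs root):
#   write_jail_local /etc/fail2ban/jail.local "$(choose_backend /)" \
#       "$(choose_banaction)" /var/log/secure
```

Services such as httpd that log on their own (neither journald nor rsyslog) need a separate jail stanza with its own `logpath` and a file-based backend; `choose_backend` deliberately answers `unknown` rather than guessing for them.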
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users