Fail2ban filter for a docker sshd container using syslog

We are trying to use Fail2ban against invalid login attempts on a Docker container running SSHD. We have moved the host SSH port to a higher number.

I currently have 2 jails in my jail.local file:

    #Filters
    [ssh-iptables-22]
    enabled = true
    filter = docker-sshd
    action = iptables[name=SSHCONTAINER, port=22, protocol=tcp]
    logpath = /var/log/messages

    [ssh-iptables-2222]
    enabled = true
    filter = sshd
    action = iptables[name=SSHHOST, port=2222, protocol=tcp]
    logpath = /var/log/secure

We use the "syslog" driver for container logging, which ends up in the /var/log/messages file.

The host is logging to AUTHPRIV, so those go to /var/log/secure.

The host check works fine: too many attempts on the host SSH on 2222 and you get banned.

However, the docker check in /var/log/messages is not catching anything.

Here is the output from host connection attempts in /var/log/secure (which are caught):

    Apr 7 01:14:58 ip-172-31-234-123 sshd[16458]: input_userauth_request: invalid user bobby [preauth]
    Apr 7 01:14:58 ip-172-31-234-123 sshd[16458]: Connection closed by 71.123.222.65 [preauth]
    Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: Invalid user bobby from 71.123.222.65
    Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: input_userauth_request: invalid user bobby [preauth]
    Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: Connection closed by 71.123.222.65 [preauth]
    Apr 7 01:15:00 ip-172-31-234-123 sshd[16505]: Invalid user bobby from 71.123.222.65
    Apr 7 01:15:00 ip-172-31-234-123 sshd[16505]: input_userauth_request: invalid user bobby [preauth]

Here is the output from container attempts in /var/log/messages (not caught):

    Apr 7 01:19:02 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Disconnected from 71.83.234.123 port 62890#015
    Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Invalid user apachetest.com from 71.83.234.123 port 62951#015
    Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: input_userauth_request: invalid user apachetest.com [preauth]#015
    Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Connection closed by 71.83.234.123 port 62951 [preauth]#015
    Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Received disconnect from 172.31.8.214 port 42421:11: [preauth]#015
    Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Disconnected from 172.31.8.214 port 42421 [preauth]#015
    Apr 7 01:19:09 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Invalid user apachetest.com from 71.83.234.123 port 62957#015

So, looking at the filter.d/sshd.conf file, it lists the daemon as "sshd". I copied this file to filter.d/docker-sshd.conf and tried changing the daemon regex to something like this, but it does not work:

    docker\/[a-z0-9]+

Does anyone have a clue how to correctly catch the SSHD output from the docker/fb68f48c8dd6-style daemon?

Thanks!
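An added example, not part of the question or of Fail2ban's own filter code: a small Python harness that runs a simplified Fail2ban-style failregex over the two log excerpts above, so the daemon pattern can be checked against real lines before a jail is reloaded. The prefix and failregex here are assumed, simplified versions of what Fail2ban's sshd filter and common.conf build (they are not copied from those files). One thing the harness makes visible is the trailing `#015` on every container line, which is rsyslog's escaped carriage return: a failregex that ends in `\s*$` cannot match past it, and the example shows the same docker daemon pattern failing with a strict end anchor and matching once that suffix is tolerated. Whether that is the actual cause in the asker's setup is an assumption; the harness is meant to let you test it.

```python
import re

# Constructed sample input: the two excerpts from the question, one line each.
HOST_LINES = [
    "Apr 7 01:14:58 ip-172-31-234-123 sshd[16458]: input_userauth_request: invalid user bobby [preauth]",
    "Apr 7 01:14:58 ip-172-31-234-123 sshd[16458]: Connection closed by 71.123.222.65 [preauth]",
    "Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: Invalid user bobby from 71.123.222.65",
    "Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: input_userauth_request: invalid user bobby [preauth]",
    "Apr 7 01:14:59 ip-172-31-234-123 sshd[16483]: Connection closed by 71.123.222.65 [preauth]",
    "Apr 7 01:15:00 ip-172-31-234-123 sshd[16505]: Invalid user bobby from 71.123.222.65",
    "Apr 7 01:15:00 ip-172-31-234-123 sshd[16505]: input_userauth_request: invalid user bobby [preauth]",
]

CONTAINER_LINES = [
    "Apr 7 01:19:02 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Disconnected from 71.83.234.123 port 62890#015",
    "Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Invalid user apachetest.com from 71.83.234.123 port 62951#015",
    "Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: input_userauth_request: invalid user apachetest.com [preauth]#015",
    "Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Connection closed by 71.83.234.123 port 62951 [preauth]#015",
    "Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Received disconnect from 172.31.8.214 port 42421:11: [preauth]#015",
    "Apr 7 01:19:07 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Disconnected from 172.31.8.214 port 42421 [preauth]#015",
    "Apr 7 01:19:09 ip-172-31-25-230 docker/fb68f48c8dd6[8371]: Invalid user apachetest.com from 71.83.234.123 port 62957#015",
]

# Assumed, simplified stand-in for Fail2ban's __prefix_line:
# "<Mon> <day> <hh:mm:ss> <hostname> <daemon>[<pid>]: ". The daemon part is
# parameterised so the same failregex can be tried with "sshd" and with the
# docker/<container-id> pattern from the question.
def build_prefix(daemon_pattern):
    return (r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
            r"(?:" + daemon_pattern + r")\[\d+\]: ")

# One failregex in Fail2ban's notation; <HOST> is substituted below the way
# Fail2ban does, with a named group that captures the remote IPv4 address.
FAILREGEX_TAIL = r"Invalid user \S+ from <HOST>(?: port \d+)?"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(daemon_pattern, allow_trailing_cr=False):
    """Build the full anchored regex. With allow_trailing_cr=True the optional
    '#015' (rsyslog's escaped carriage return) may precede the end of line."""
    tail = FAILREGEX_TAIL.replace("<HOST>", HOST_GROUP)
    end = r"(?:#015)?\s*$" if allow_trailing_cr else r"\s*$"
    return re.compile(build_prefix(daemon_pattern) + tail + end)

def matched_hosts(lines, regex):
    """Return the <HOST> captured from every line the failregex matches,
    in log order; this is what a jail would count toward maxretry."""
    return [m.group("host") for m in map(regex.match, lines) if m]

DOCKER_DAEMON = r"docker\/[a-z0-9]+"   # the daemon pattern tried in the question

if __name__ == "__main__":
    print("host log, daemon sshd:",
          matched_hosts(HOST_LINES, compile_failregex("sshd")))
    print("container log, docker daemon, strict end anchor:",
          matched_hosts(CONTAINER_LINES, compile_failregex(DOCKER_DAEMON)))
    print("container log, docker daemon, '#015' tolerated:",
          matched_hosts(CONTAINER_LINES, compile_failregex(DOCKER_DAEMON, allow_trailing_cr=True)))
```

Run it as a script to see which lines each variant would count; with the strict end anchor the docker daemon pattern matches nothing in the container excerpt, while tolerating the `#015` suffix yields the two "Invalid user" lines. Fail2ban ships its own tester, `fail2ban-regex <logfile> <filter>`, which gives the same kind of answer against the real filter file, and is the tool to confirm the fix once docker-sshd.conf has been adjusted.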