| 1 |
Rich Freeman <rich0@g.o> writes: |
| 2 |
|
| 3 |
> On Thu, Jan 15, 2015 at 3:32 PM, lee <lee@××××××××.de> wrote: |
| 4 |
>> Rich Freeman <rich0@g.o> writes: |
| 5 |
>> |
| 6 |
>>> 2. Run fail2ban in each container and have it monitor its own logs, |
| 7 |
>>> and then add host iptables rules to block connections. |
| 8 |
>> |
| 9 |
>> Containers must not be able to change the firewalling rules of the host. |
| 10 |
>> If they can do such things, what's the point of having containers? |
| 11 |
> |
| 12 |
> A "container" on linux is really a set of kernel namespaces. There |
| 13 |
> are six different namespaces in linux and a process can share any or |
| 14 |
> none of them with the host. |
| 15 |
> |
| 16 |
> In this case the network namespace determines whether a process can |
| 17 |
> see the host interfaces. There may also be capabilities that control |
| 18 |
> what the process can do with those interfaces (I'd have to read up on |
| 19 |
> that). A container may or may not have a separate network namespace. |
| 20 |
> If it does most likely you're going to have to set up a bridged |
| 21 |
> interface, DHCP/NAT, etc for the container. |
| 22 |
|
| 23 |
That's what I did. Until I learn more, I have to assume that the |
| 24 |
default settings are reasonably secure ... |
| 25 |
|
| 26 |
>>> 3. Run fail2ban in each container and have each container in its own |
| 27 |
>>> network namespace. Fail2ban can then add container iptables rules to |
| 28 |
>>> block connections. |
| 29 |
>> |
| 30 |
>> That would waste resources. |
| 31 |
> |
| 32 |
> Depends on how you run it, but yes, you might have multiple instances |
| 33 |
> of fail2ban running this way consuming additional RAM. If you were |
| 34 |
> really clever with your container setup they could share the same |
| 35 |
> binary and shared libraries, which means they'd share the same RAM. |
| 36 |
> However, it seems like nobody bothers running containers this way |
| 37 |
> (obviously way more work coordinating them). |
| 38 |
|
| 39 |
And they wouldn't be much separated anymore. |
| 40 |
|
| 41 |
> I doubt it would take more CPU - 1 process scanning 5 logs probably |
| 42 |
> doesn't use more CPU than 5 processes scanning 1 log each. |
| 43 |
|
| 44 |
Isn't there some sort of scheduling and/or other overhead involved when |
| 45 |
you run more processes? I mean the overhead of "just being there": A |
| 46 |
process scheduler that needs to consider 500 processes might require |
| 47 |
more CPU itself than a scheduler considering 150 processes. |
| 48 |
|
| 49 |
> You would get a security benefit from just running fail2ban on the |
| 50 |
> host, since a failure on one container would apply a block to all the |
| 51 |
> others. |
| 52 |
|
| 53 |
Plus when running fail2ban on the host, you can block connections from |
| 54 |
a particular IP for everyone. |
| 55 |
|
| 56 |
|
| 57 |
However, fail2ban didn't seem to do anything. It wrote into its |
| 58 |
logfile: |
| 59 |
|
| 60 |
|
| 61 |
,---- |
| 62 |
| INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1 |
| 63 |
| ERROR Unable to import fail2ban database module as sqlite is not available. |
| 64 |
`---- |
| 65 |
|
| 66 |
|
| 67 |
That was all for a couple days until I stopped it. If some squlite |
| 68 |
library or something is required, I would expect it to have been pulled |
| 69 |
in through dependencies. |
| 70 |
|
| 71 |
|
| 72 |
-- |
| 73 |
Again we must be afraid of speaking of daemons for fear that daemons |
| 74 |
might swallow us. Finally, this fear has become reasonable. |
Archives