1 |
Rich Freeman <rich0@g.o> writes: |
2 |
|
3 |
> On Thu, Jan 15, 2015 at 3:32 PM, lee <lee@××××××××.de> wrote: |
4 |
>> Rich Freeman <rich0@g.o> writes: |
5 |
>> |
6 |
>>> 2. Run fail2ban in each container and have it monitor its own logs, |
7 |
>>> and then add host iptables rules to block connections. |
8 |
>> |
9 |
>> Containers must not be able to change the firewalling rules of the host. |
10 |
>> If they can do such things, what's the point of having containers? |
11 |
> |
12 |
> A "container" on linux is really a set of kernel namespaces. There |
13 |
> are six different namespaces in linux and a process can share any or |
14 |
> none of them with the host. |
15 |
> |
16 |
> In this case the network namespace determines whether a process can |
17 |
> see the host interfaces. There may also be capabilities that control |
18 |
> what the process can do with those interfaces (I'd have to read up on |
19 |
> that). A container may or may not have a separate network namespace. |
20 |
> If it does most likely you're going to have to set up a bridged |
21 |
> interface, DHCP/NAT, etc for the container. |
22 |
|
23 |
That's what I did. Until I learn more, I have to assume that the |
24 |
default settings are reasonably secure ... |
25 |
|
26 |
>>> 3. Run fail2ban in each container and have each container in its own |
27 |
>>> network namespace. Fail2ban can then add container iptables rules to |
28 |
>>> block connections. |
29 |
>> |
30 |
>> That would waste resources. |
31 |
> |
32 |
> Depends on how you run it, but yes, you might have multiple instances |
33 |
> of fail2ban running this way consuming additional RAM. If you were |
34 |
> really clever with your container setup they could share the same |
35 |
> binary and shared libraries, which means they'd share the same RAM. |
36 |
> However, it seems like nobody bothers running containers this way |
37 |
> (obviously way more work coordinating them). |
38 |
|
39 |
And they wouldn't be much separated anymore. |
40 |
|
41 |
> I doubt it would take more CPU - 1 process scanning 5 logs probably |
42 |
> doesn't use more CPU than 5 processes scanning 1 log each. |
43 |
|
44 |
Isn't there some sort of scheduling and/or other overhead involved when |
45 |
you run more processes? I mean the overhead of "just being there": A |
46 |
process scheduler that needs to consider 500 processes might require |
47 |
more CPU itself than a scheduler considering 150 processes. |
48 |
|
49 |
> You would get a security benefit from just running fail2ban on the |
50 |
> host, since a failure on one container would apply a block to all the |
51 |
> others. |
52 |
|
53 |
Plus when running fail2ban on the host, you can block connections from |
54 |
a particular IP for everyone. |
55 |
|
56 |
|
57 |
However, fail2ban didn't seem to do anything. It wrote into its |
58 |
logfile: |
59 |
|
60 |
|
61 |
,---- |
62 |
| INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1 |
63 |
| ERROR Unable to import fail2ban database module as sqlite is not available. |
64 |
`---- |
65 |
|
66 |
|
67 |
That was all for a couple days until I stopped it. If some squlite |
68 |
library or something is required, I would expect it to have been pulled |
69 |
in through dependencies. |
70 |
|
71 |
|
72 |
-- |
73 |
Again we must be afraid of speaking of daemons for fear that daemons |
74 |
might swallow us. Finally, this fear has become reasonable. |