| 1 |
On Thu, Jan 15, 2015 at 3:32 PM, lee <lee@××××××××.de> wrote: |
| 2 |
> Rich Freeman <rich0@g.o> writes: |
| 3 |
> |
| 4 |
>> 2. Run fail2ban in each container and have it monitor its own logs, |
| 5 |
>> and then add host iptables rules to block connections. |
| 6 |
> |
| 7 |
> Containers must not be able to change the firewalling rules of the host. |
| 8 |
> If they can do such things, what's the point of having containers? |
| 9 |
|
| 10 |
A "container" on linux is really a set of kernel namespaces. There |
| 11 |
are six different namespaces in linux and a process can share any or |
| 12 |
none of them with the host. |
| 13 |
|
| 14 |
In this case the network namespace determines whether a process can |
| 15 |
see the host interfaces. There may also be capabilities that control |
| 16 |
what the process can do with those interfaces (I'd have to read up on |
| 17 |
that). A container may or may not have a separate network namespace. |
| 18 |
If it does most likely you're going to have to set up a bridged |
| 19 |
interface, DHCP/NAT, etc for the container. |
| 20 |
|
| 21 |
So, you can have it either way, which is why I offered three options. |
| 22 |
There are pros and cons to each. But, yes, if you do share the host |
| 23 |
interface then the amount of interaction is higher than if you don't. |
| 24 |
|
| 25 |
And, keep in mind that a container is not as compartmentalized as a VM |
| 26 |
in any case. |
| 27 |
|
| 28 |
> |
| 29 |
>> 3. Run fail2ban in each container and have each container in its own |
| 30 |
>> network namespace. Fail2ban can then add container iptables rules to |
| 31 |
>> block connections. |
| 32 |
> |
| 33 |
> That would waste resources. |
| 34 |
|
| 35 |
Depends on how you run it, but yes, you might have multiple instances |
| 36 |
of fail2ban running this way consuming additional RAM. If you were |
| 37 |
really clever with your container setup they could share the same |
| 38 |
binary and shared libraries, which means they'd share the same RAM. |
| 39 |
However, it seems like nobody bothers running containers this way |
| 40 |
(obviously way more work coordinating them). I doubt it would take |
| 41 |
more CPU - 1 process scanning 5 logs probably doesn't use more CPU |
| 42 |
than 5 processes scanning 1 log each. You would get a security |
| 43 |
benefit from just running fail2ban on the host, since a failure on one |
| 44 |
container would apply a block to all the others. |
| 45 |
|
| 46 |
-- |
| 47 |
Rich |
Archives