Fail2ban on container-mounted log files

Julian_Edwards · December 17, 2022, 11:50pm

I’ve got a container on my host running a service exposed to the Internet, currently via a lxc proxy (config device add foo proxy etc), and the log it generates is via a mounted file from the host so that I can use fail2ban on the host.

You may have spotted my problem already - all the IPs on the log for external access are the proxy’s 127.0.0.1 address, so fail2ban cannot work.

Can anyone suggest a way to set up my networking so that the original IPs appear in the log? (Hi @tomp !) I guess ideally I’d have a shared IP between host and container(s) with certain ports routed in to specific containers. Or perhaps I should just share the network? Or can proxying handle this natively? I see there’s a proxy_protocol setting, but the docs do not explain how to make this work.

Cheers.

Julian_Edwards · December 18, 2022, 12:42am

Ok I think I fixed this. With some judicious forum searching, I found Making sure that IP's "connected" to the containers gameserver proxy shows users real IP? - #5 by tomp and my Dovecot service is now showing the rip properly. This is some sort of black magic.

tomp · December 18, 2022, 5:38am

Glad to hear you got it working.

Did you use nat mode with the proxy?

Julian_Edwards · December 18, 2022, 5:50am

Yep, works like a charm. Cheers!

For some background, I am migrating some services off a very old Linode server (created 11 years ago) which is on 18.04 but 32-bit, which is preventing further dist-upgrades and crucially I cannot upgrade LXD any more either, so I have no migration options. I’ve rebuilt a few things but I just did a filthy hack by copying /var/lib/lxd into a new 18.04 64 bit instance and doing an lxd.migrate there. Phew.