From: <gi1...@gm...> - 2019-10-30 19:12:34
On Wed, Oct 30, 2019 at 11:14:04AM -0700, Kevin Zheng wrote:
> Thanks for the report. I think you're right in pointing out that the
> priority for SSHGuard is -10, but the priority for Docker is -100.
>
> Is someone on the list familiar with firewalls on Linux? Is the right
> fix here just to decrease the priority for SSHGuard?

From the nft man page:

    The priority parameter accepts a signed integer value which
    specifies the order in which chains with same hook value are
    traversed. The ordering is ascending, i.e. lower priority values
    have precedence over higher ones.

I just opened /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets. In fw_init()
sshguard does

    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 4
    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 6

I changed the priority to -200 (Docker had -100) and restarted sshguard.
There was no change in the behavior. I can still access containers from
blocked IPs.

Best,
GI

PS: If you're trying to reproduce it, it might be simpler to run a
vanilla nginx container instead of the gitolite container I
suggested in my last email.

    mkdir ./html
    # put static web content in ./html. Plain text files are fine.
    # Bind mounts need an absolute host path, hence $PWD.
    docker run --rm --name=nginx-test \
        -v "$PWD/html":/usr/share/nginx/html:ro -p 8080:80 -d nginx

This exposes port 8080 on the host. The exposed port stays
accessible from all sshguard-blocked attackers.

--
'Civilization' -- Going from shoeless toes to toeless shoes.
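An added check, not code from the email or from sshguard: a small Python parser over `nft list ruleset` text that groups base chains by hook and orders each group the way the quoted man page text says the kernel traverses them, ascending by priority. The sample ruleset is constructed; its sshguard chain copies the definition quoted in the email, while placing the -100 chain on the nat prerouting hook is an assumption, since the email gives only Docker's priority.

```python
import re
from collections import defaultdict

# Constructed sample in `nft list ruleset` syntax, not captured from a real host
# (rule bodies omitted). The sshguard chain copies the definition quoted in the
# email (type filter, hook input, priority -10). The email gives only Docker's
# priority (-100); putting that chain on the nat prerouting hook is an assumption.
SAMPLE_RULESET = """
table inet sshguard {
    chain blacklist {
        type filter hook input priority -10; policy accept;
    }
}
table ip nat {
    chain PREROUTING { type nat hook prerouting priority -100; policy accept; }
}
table ip filter {
    chain FORWARD { type filter hook forward priority 0; policy drop; }
}
"""

# nft also prints the standard symbolic priorities; map them to their integers.
SYMBOLIC = {"raw": -300, "mangle": -150, "dstnat": -100, "filter": 0, "security": 50, "srcnat": 100}
TYPE_RE = re.compile(r"type\s+\w+\s+hook\s+(?P<hook>\w+)\s+(?:device\s+\S+\s+)?"
                     r"priority\s+(?P<prio>-?\w+)\s*;")

def base_chains(ruleset):
    """Return (hook, priority, 'family table chain') for every base chain in the text."""
    found, table, chain = [], None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("table "):
            table = " ".join(line.split()[1:3])      # "family name"
        elif line.startswith("chain "):
            chain = line.split()[1]
        m = TYPE_RE.search(line)                      # only base chains carry a hook
        if m and chain:
            prio = m.group("prio")
            prio = int(prio) if re.fullmatch(r"-?\d+", prio) else SYMBOLIC[prio]
            found.append((m.group("hook"), prio, f"{table} {chain}"))
    return found

def traversal_order(ruleset):
    """Group base chains by hook; each list is in traversal order (ascending priority).
    Priority ranks only chains that share a hook, so an 'input' chain never competes
    with a 'prerouting' or 'forward' chain, whatever number it carries."""
    by_hook = defaultdict(list)
    for hook, prio, name in base_chains(ruleset):
        by_hook[hook].append((prio, name))
    return {hook: [name for _, name in sorted(entries)] for hook, entries in by_hook.items()}
```

Feeding real `nft list ruleset` output to `traversal_order()` shows which chains actually share a hook with sshguard's; a -10 versus -100 comparison is meaningful only for chains listed under the same hook.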