I've already asked the question on the Docker forums but so far no luck with a reply. I'm hoping I will have better fortune here.
I’m in the process of making an ssh bastion (with fail2ban for security) in a Docker container. The container will serve no other purpose than being an ssh bastion and will serve to access bound volumes via sshfs.
Currently, I’m using what I suspect is a very poor method. My Dockerfile:
- pulls the latest debian stable-slim image,
- installs ssh and fail2ban via apt,
- adds users, sshd_config and fail2ban jails,
- then specifies a wrapper bash script in which I unconditionally start ssh and fail2ban with custom configuration paths in /app
It works, with some caveats (no /var/log/auth.log for fail2ban to eat so quite a bit of configuration twisting there), but I feel I’m doing it wrong.
The problem is it’s super hard to find information regarding how to properly do what I’m trying to do. There are endless pages listing how to ssh into a container for debugging, backup etc. There are also some interesting pages about why you shouldn’t ssh into a container. But I haven’t found the holy grail page of “this is how you properly setup an ssh bastion with fail2ban in a Docker container”. Does it even exist? Or am I right to do it the way I am?
Thanks!
N.B. I know this is an older question, but it came up in a search engine. Writing my answer to help any who have the same question.
It's best practice to have as few services per container as possible.
This reduces the complexity in upgrading containers, and recovery should anything go wrong.
You should have two containers - an
SSH
container and aFail2Ban
container.For the
SSH
container, you map the appropriate log file to a directory on the host. Configure the container as per your needs.The
Fail2Ban
container will need permissions to edit theIPTables
firewall on the host. TheFail2Ban
container will also need to map to the sameSSH
log files (and even append with:ro
for "read-only" in the mapping as it should not need to write to the log files)