Mix and match Docker, UFW and SSHGuard
Purpose
The purpose of this post is to configure Docker, UFW (Uncomplicated Firewall) and SSHGuard to work together. A GNU/Linux machine/server will be required to follow this tutorial.
Configure Docker
By default Docker manipulates iptables directly, so any container port you publish becomes reachable from outside the host regardless of your firewall rules. To prevent this, once Docker is installed make sure the file /etc/docker/daemon.json exists and contains the following setting, which stops Docker from writing iptables rules:
{
    "iptables": false
}
Then restart the Docker daemon service:
$ sudo service docker restart
Once Docker is running again, make sure you can still access a published port locally:
$ docker run -it -p 8080:80 nginx
# You can access nginx locally:
$ curl localhost:8080
But you cannot access it externally:
$ curl [EXTERNAL_SERVER_IP]:8080
If that port does have to be reachable externally, open it explicitly with the following command (jump to the next section, Configure UFW, if you haven't installed UFW yet):
$ sudo ufw allow 8080
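The two checks above (the port answers locally, and only a UFW rule exposes it) are easy to script. The following is an added example, not code from the original post: it verifies that daemon.json really disables Docker's iptables management and that a given port is only open because of an explicit ufw allow rule. The daemon.json path is the one used in the post; the ufw status listing in the test is constructed. One caveat worth knowing at this step: with "iptables": false Docker also stops adding its NAT (MASQUERADE) rule for the bridge network, so containers lose outbound connectivity unless you add that rule yourself.

```shell
#!/bin/sh
# check_docker_ufw.sh (added example, not part of the original post).
# Usage: sh check_docker_ufw.sh [PORT]   (defaults to 8080, the post's example)

# Return 0 if the given daemon.json (default: the path from the post) disables
# Docker's iptables management. A regex is used rather than a JSON parser so the
# check works without jq or python; it expects the key "iptables" set to false.
docker_iptables_disabled() {
    file="${1:-/etc/docker/daemon.json}"
    [ -r "$file" ] || return 1
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$file"
}

# Return 0 if a `ufw status` listing (passed as text) contains an ALLOW rule for
# PORT, written as "8080" or "8080/tcp". Rules in the listing were added with
# `ufw allow`; with iptables disabled, Docker can no longer add its own.
ufw_allows_port() {
    status_text="$1"
    port="$2"
    printf '%s\n' "$status_text" | grep -Eq "^${port}(/tcp|/udp)?[[:space:]]+ALLOW"
}

# Return 0 if something (docker-proxy, for a published port) listens on PORT on
# the host. Docker's userland proxy keeps working with iptables disabled, which
# is why the local curl in the post still succeeds.
port_listening_locally() {
    ss -ltn 2>/dev/null | grep -Eq "[:.]$1[[:space:]]"
}

main() {
    port="${1:-8080}"
    if docker_iptables_disabled; then
        echo "ok: Docker iptables management is disabled"
    else
        echo "WARN: Docker still manages iptables; published ports bypass UFW"
    fi
    if port_listening_locally "$port"; then
        echo "ok: port $port is listening on the host"
    else
        echo "info: nothing listens on port $port (is the container running?)"
    fi
    if ufw_allows_port "$(sudo ufw status 2>/dev/null)" "$port"; then
        echo "ok: UFW explicitly allows port $port"
    else
        echo "info: no UFW rule for port $port; it should be unreachable externally"
    fi
}

# Only run the checks when executed as a script, not when sourced.
case "$0" in *check_docker_ufw.sh) main "$@" ;; esac
```

Run it after restarting Docker and, if you expect a port to be public, after the ufw allow command; an "ok" on the first line and "info" on the last means the port is local-only, which is the default you want.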
Configure UFW
UFW, aka Uncomplicated Firewall, is a wrapper built on top of iptables and designed to be easy to use.
Make sure UFW is installed and enabled; otherwise run:
$ sudo apt-get update -y
$ sudo apt-get install ufw -y
$ sudo ufw enable
Don't forget to allow inbound SSH access, otherwise you will not be able to SSH into this server anymore.
# ufw allow [SSH_PORT]
$ sudo ufw allow 22
Configure sshguard
To block SSH brute-force attempts you can install sshguard:
$ sudo apt-get install sshguard
# make sure the sshguard service is running
$ sudo service sshguard status
To check that sshguard is properly configured, open a new console and try to SSH to your server with a fake user (fake@[SERVER_IP]). On the first console, make sure sshguard automatically created an iptables rule for your current IP:
$ sudo iptables -S | grep [YOUR_IP]
(Optional) You can also add your IP to /etc/sshguard/whitelist so that sshguard never blocks you:
# Add your IP to the following file
$ vim /etc/sshguard/whitelist
# restart the service
$ sudo service sshguard restart
Cloud providers:
DigitalOcean offers affordable pricing for VMs and many other public cloud services. You can sign up for DigitalOcean and receive a $100 free credit using this referral link.