Run fail2ban service sidecar with sshd jail

Change-type: patch
Signed-off-by: Kyle Harding <kyle@balena.io>

docker-compose.yml

@@ -13,8 +13,25 @@ services:
       - home:/home
       - docker:/var/lib/docker
       - ssh:/etc/ssh
+      - shared:/shared
+
+  fail2ban:
+    build: fail2ban
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    volumes:
+      - fail2ban:/data
+      - shared:/shared:ro
+    environment:
+      F2B_LOG_TARGET: STDOUT
+      F2B_LOG_LEVEL: INFO
+      F2B_DB_PURGE_AGE: 1d
 
 volumes:
   home: {}
   docker: {}
   ssh: {}
+  shared: {}
+  fail2ban: {}

fail2ban/Dockerfile

@@ -0,0 +1,3 @@
+FROM crazymax/fail2ban:1.0.2
+
+COPY jail.d/ /data/jail.d/

fail2ban/jail.d/jail.local

@@ -0,0 +1,2 @@
+[DEFAULT]
+bantime = 1h

fail2ban/jail.d/sshd.conf

@@ -0,0 +1,7 @@
+[sshd]
+enabled = true
+chain = INPUT
+port = ssh
+filter = sshd[mode=aggressive]
+logpath = /shared/logs/sshd.log
+maxretry = 5

yocto-build-env/s6-overlay/s6-rc.d/sshd/run

@@ -5,10 +5,12 @@ set -euo pipefail
 [[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
 
 mkdir -p /run/sshd
+mkdir -p /shared/logs
 
 ssh-keygen -A
 
 # run sshd in the foreground
+# inject the date into the log output for fail2ban parsing
 /usr/sbin/sshd -De \
     -o "LogLevel=${SSHD_LOG_LEVEL:-INFO}" \
     -o PermitRootLogin=no \
@@ -17,4 +19,5 @@ ssh-keygen -A
     -o UsePAM=yes \
     -o AcceptEnv="LANG LC_*" \
     -o PrintMotd=no \
-    -o Banner=none
+    -o Banner=none \
+    2>&1 | while IFS= read -r line; do echo "$(date '+%b %d %H:%M:%S') $line"; done | tee /shared/logs/sshd.log