From 872e6de0065f655a0abf46528ff83fe1ac1fd809 Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Tue, 21 Nov 2023 10:45:35 -0500
Subject: [PATCH] Run fail2ban service sidecar with sshd jail

Change-type: patch
Signed-off-by: Kyle Harding
---
 docker-compose.yml | 17 +++++++++++++++++
 fail2ban/Dockerfile | 3 +++
 fail2ban/jail.d/sshd.conf | 9 +++++++++
 yocto-build-env/s6-overlay/s6-rc.d/sshd/run | 12 +++++++++---
 4 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 fail2ban/Dockerfile
 create mode 100644 fail2ban/jail.d/sshd.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 72c1f01..098f5c5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,8 +13,25 @@ services:
 - home:/home
 - docker:/var/lib/docker
 - ssh:/etc/ssh
+ - shared:/shared
+
+ fail2ban:
+ build: fail2ban
+ network_mode: host
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ volumes:
+ - fail2ban:/data
+ - shared:/shared:ro
+ environment:
+ F2B_LOG_TARGET: STDOUT
+ F2B_LOG_LEVEL: INFO
+ F2B_DB_PURGE_AGE: 1d

 volumes:
 home: {}
 docker: {}
 ssh: {}
+ shared: {}
+ fail2ban: {}
diff --git a/fail2ban/Dockerfile b/fail2ban/Dockerfile
new file mode 100644
index 0000000..266e5be
--- /dev/null
+++ b/fail2ban/Dockerfile
@@ -0,0 +1,3 @@
+FROM crazymax/fail2ban:1.0.2
+
+COPY jail.d/ /data/jail.d/
diff --git a/fail2ban/jail.d/sshd.conf b/fail2ban/jail.d/sshd.conf
new file mode 100644
index 0000000..59fa7ac
--- /dev/null
+++ b/fail2ban/jail.d/sshd.conf
@@ -0,0 +1,9 @@
+[sshd]
+enabled = true
+chain = INPUT
+port = ssh
+filter = sshd[mode=aggressive]
+logpath = /shared/logs/sshd.log
+# datepattern = ^+%b %d %H:%M:%S
+maxretry = 5
+bantime = 1h
diff --git a/yocto-build-env/s6-overlay/s6-rc.d/sshd/run b/yocto-build-env/s6-overlay/s6-rc.d/sshd/run
index 8e14f76..414c183 100644
--- a/yocto-build-env/s6-overlay/s6-rc.d/sshd/run
+++ b/yocto-build-env/s6-overlay/s6-rc.d/sshd/run
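Review bot: `chain = INPUT` in the new jail (the fail2ban/jail.d/sshd.conf hunk) only filters traffic addressed to the host itself; connections that Docker forwards into a bridge-networked container traverse FORWARD/DOCKER-USER and would not be stopped by the ban. The sshd service's own network settings start before line 13 of docker-compose.yml and are outside this hunk, so this needs confirming; if that service is bridge-networked with a published port, sshd would additionally log the bridge gateway address rather than the client's, and the ban would land on that address. Either run the sshd service with host networking as well or set `chain = DOCKER-USER`, and record the choice in a comment next to `network_mode: host`. The new service also carries no `restart:` policy, so a fail2ban exit silently removes the protection until someone notices.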
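Review bot: `COPY jail.d/ /data/jail.d/` is shadowed at runtime by the `fail2ban:/data` named volume declared in the docker-compose.yml hunk: Docker seeds an empty named volume from the image on first start, but once the volume exists a rebuilt image with an edited sshd.conf is never copied in, so later jail changes silently fail to apply until the volume is deleted. Mount the jail directory from the build context instead (e.g. `./fail2ban/jail.d:/data/jail.d:ro`) or keep configuration out of the persistent data path, and state the reason in a comment in the Dockerfile. `FROM crazymax/fail2ban:1.0.2` also pins only a mutable tag for an image that will hold NET_ADMIN on the host network; pin the digest as well, `FROM crazymax/fail2ban:1.0.2@sha256:<digest-from-registry>`, so a re-tagged upstream image cannot change what runs with those capabilities.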
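Review bot: `port = ssh` resolves to 22 from the fail2ban container's own /etc/services, so if the sshd service publishes a different host port the ban action only blocks a port nobody connects on; the published port is not visible in this patch, so confirm it and record the coupling, e.g. `port = ssh  # must match the host port the sshd service is reachable on`. `mode=aggressive` also matches pre-authentication disconnects, so with `maxretry = 5` and the default findtime a legitimate client whose agent offers several keys can trip the ban; if that is not intended, `mode=normal` is the safer starting point. The commented-out `datepattern` line is dead config; drop it, or turn it into a comment stating that the default date detection handles the `%b %d %H:%M:%S` prefix the sshd run script prepends.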
@@ -5,11 +5,13 @@ set -euo pipefail
 [[ ${VERBOSE:-,,} =~ true|yes|on|1 ]] && set -x
 mkdir -p /run/sshd
+mkdir -p /shared/logs
 ssh-keygen -A
-# run sshd in the foreground
-/usr/sbin/sshd -De \
+# run sshd in the foreground and format the logs such
+# that fail2ban can parse them
+exec /usr/sbin/sshd -De \
 -o "LogLevel=${SSHD_LOG_LEVEL:-INFO}" \
 -o PermitRootLogin=no \
 -o PasswordAuthentication=no \
@@ -17,4 +19,8 @@ ssh-keygen -A
 -o UsePAM=yes \
 -o AcceptEnv="LANG LC_*" \
 -o PrintMotd=no \
- -o Banner=none
+ -o Banner=none \
+ 2>&1 |
+ while IFS= read -r line; do
+ echo "$(date '+%b %d %H:%M:%S') $HOSTNAME sshd[$$]: $line"
+ done | tee /shared/logs/sshd.log
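Review bot: `exec /usr/sbin/sshd -De \` does not replace the shell, because the command continues as a pipeline in the next hunk (`2>&1 | while … | tee`) and `exec` then applies only to the first pipeline element, which bash runs in a subshell. The process s6 supervises is therefore still this script: a TERM from the supervisor reaches bash but is never delivered to sshd, which lingers until the container is torn down, and `$$` in the log prefix is the script's PID rather than sshd's. Feeding the formatter through a process substitution keeps `exec` effective, so sshd inherits the script's PID and signals while the loop still reads its output. The enclosing script starts before this hunk.
```shell
# … unchanged: exec /usr/sbin/sshd -De and the -o options …
  -o Banner=none \
  > >(while IFS= read -r line; do
        echo "$(date '+%b %d %H:%M:%S') $HOSTNAME sshd[$$]: $line"
      done | tee /shared/logs/sshd.log) 2>&1
```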
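Review bot: `done | tee /shared/logs/sshd.log` truncates the log on every (re)start of the service, discarding the record of earlier failed logins that an incident responder would want and that fail2ban's ban decisions were based on; `done | tee -a /shared/logs/sshd.log` preserves it, and since nothing in this patch rotates /shared/logs/sshd.log a size bound should be added or at least noted as a TODO. The `echo` line also defines a format contract consumed by the fail2ban sshd filter (timestamp, host, `sshd[pid]:`, message); a comment above the loop naming that contract, e.g. `# one syslog-style line per sshd message; the fail2ban sshd filter depends on this exact prefix`, would stop a later edit from breaking the jail silently.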