diff --git a/Dockerfile b/Dockerfile
index 761f355..d3800aa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,10 @@
-FROM debian:unstable-slim
+FROM debian:stable-slim
 RUN apt-get update \
- && apt-get install -y --no-install-recommends iptables sshguard systemd \
+ && apt-get install -y --no-install-recommends ipset iptables nftables sshguard systemd tini \
 && rm -rf /var/lib/apt/lists/*
+RUN echo > /etc/sshguard/sshguard.conf
 ADD start-sshguard.sh /
-ENTRYPOINT ["/start-sshguard.sh"]
+ENTRYPOINT ["tini", "--", "/start-sshguard.sh"]
diff --git a/README.md b/README.md
index 725ec76..0199948 100644
--- a/README.md
+++ b/README.md
@@ -3,13 +3,13 @@ Dockerised sshguard for CoreOS.
 Your iptable must already contain an sshguard chain.
-This will correctly log using as the sshguard unit.
+This will correctly log as the sshguard unit.
 # Installation
-Add the ``sshguard-docker.service`` or ``sshguard-rkt.service`` file to your CoreOS installation. You probably want to rename it to ``sshguard.service``.
+Add one of the ``sshguard-*.service`` files to your CoreOS installation as ``sshguard.service``.
-For instance:
+CoreOS:
 ```yaml
 coreos:
 units:
@@ -18,3 +18,19 @@ coreos:
 content: |
 ```
+
+Fedora CoreOS:
+```yaml
+systemd:
+ units:
+ - name: sshguard.service
+ enabled: true
+ contents: |
+
+```
+
+# Configuration
+
+All configuration variables are exposed as environment variables. Check out `start-sshguard.sh` for more information and the defaults.
+
+You can also mount /etc/sshguard/sshguard.conf into the container with your overrides.
diff --git a/sshguard-docker.service b/sshguard-docker.service
index 740fd62..6224206 100644
--- a/sshguard-docker.service
+++ b/sshguard-docker.service
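Review bot: `ADD start-sshguard.sh /` copies a plain local file, so it should be `COPY start-sshguard.sh /`; `ADD`'s extra URL-fetch and tar-extraction behaviour is not wanted for an entrypoint script. Moving off `unstable` is the right call, but `debian:stable-slim` still floats across Debian releases, so a rebuild can silently pick up a new major version of sshguard, iptables and nftables under the same tag; pin a codename such as `debian:bookworm-slim` and, for production images, a digest. `RUN echo > /etc/sshguard/sshguard.conf` is non-obvious on its own: presumably it blanks the distro config so the environment defaults set in `start-sshguard.sh` are not overridden by it, and a comment saying so, `# blank the distro config so the env vars exported by start-sshguard.sh take effect`, would stop it being removed later as an apparent no-op.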
@@ -5,10 +5,10 @@ Requires=network-online.target docker.service
 [Service]
 TimeoutStartSec=0
-ExecStartPre=/bin/sh -c 'docker ps -a -q --filter "name=%n" | xargs -0 --no-run-if-empty docker rm -f'
+ExecStartPre=/usr/bin/docker rm -f %n
 ExecStartPre=/usr/bin/docker run --rm -v /opt/bin:/opt/bin ibuildthecloud/systemd-docker:v0.2.1
-ExecStart=/opt/bin/systemd-docker run \
+ExecStart=/opt/bin/systemd-docker run --rm \
 --name=%n \
 --net=host \
 --cap-add=NET_ADMIN \
@@ -17,11 +17,11 @@ ExecStart=/opt/bin/systemd-docker run \
 -v /var/run/systemd/journal/socket:/var/run/systemd/journal/socket \
 -v /var/log/journal:/var/log/journal:ro \
 -v /var/db/sshguard/:/var/db/sshguard/ \
+ -v /run/xtables.lock:/run/xtables.lock \
 chillichef/coreos-sshguard:latest \
 -a 120 -b /var/db/sshguard/blacklist.db
 ExecStop=/usr/bin/docker stop %n
-ExecStop=/usr/bin/docker rm %n
 [Install]
 WantedBy=multi-user.target
diff --git a/sshguard-podman.service b/sshguard-podman.service
new file mode 100644
index 0000000..3dc5b10
--- /dev/null
+++ b/sshguard-podman.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=sshguard
+After=network-online.target iptables-restore.service
+Requires=network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStartPre=-/usr/bin/podman rm --force %n
+
+ExecStart=/opt/bin/podman run --rm \
+ --name=%n \
+ --net=host \
+ --cap-add=CAP_NET_ADMIN,CAP_NET_RAW \
+ --mount volume=dev-log,target=/dev/log --volume dev-log,kind=host,source=/dev/log,readOnly=true \
+ --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal,readOnly=true \
+ --mount volume=config,target=/var/db/sshguard --volume config,kind=host,source=/var/db/sshguard \
+ --mount volume=run-xtables,target=/run/xtables.lock --volume run-xtables,kind=host,source=/run/xtables.lock \
+ chillichef/coreos-sshguard:latest \
+ -a 120 -b /var/db/sshguard/blacklist.db
+
+ExecStop=/usr/bin/podman stop %n
+
+[Install]
+WantedBy=multi-user.target
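Review bot: `ExecStartPre=/usr/bin/docker rm -f %n` has no `-` prefix, so when no container named `%n` exists — which is now the normal case, since `run --rm` removes it on exit and the `ExecStop` removal was dropped — `docker rm -f` exits non-zero and the unit fails before `ExecStart` ever runs. The old `xargs --no-run-if-empty` pipeline tolerated the empty case, and the podman unit added in this same commit does too with `ExecStartPre=-/usr/bin/podman rm --force %n`. Make the docker unit match: `ExecStartPre=-/usr/bin/docker rm -f %n`.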
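Review bot: The mount flags in the new podman unit are rkt's syntax (`--mount volume=…,target=…` paired with `--volume …,kind=host,source=…,readOnly=true`), which podman does not accept — it expects `--mount type=bind,source=…,destination=…` or `-v src:dst[:ro]` — so as written the container should fail to start. `ExecStart` also invokes `/opt/bin/podman` while `ExecStartPre` and `ExecStop` use `/usr/bin/podman`; on Fedora CoreOS podman lives under `/usr/bin`, and `/opt/bin` looks carried over from the systemd-docker unit. Rewriting the run command with podman's native volume syntax fixes both:
```ini
ExecStart=/usr/bin/podman run --rm \
    --name=%n \
    --net=host \
    --cap-add=CAP_NET_ADMIN,CAP_NET_RAW \
    -v /dev/log:/dev/log:ro \
    -v /var/log/journal:/var/log/journal:ro \
    -v /var/db/sshguard:/var/db/sshguard \
    -v /run/xtables.lock:/run/xtables.lock \
    chillichef/coreos-sshguard:latest \
    -a 120 -b /var/db/sshguard/blacklist.db
```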
diff --git a/sshguard-rkt.service b/sshguard-rkt.service
index 72b473f..72e2c1a 100644
--- a/sshguard-rkt.service
+++ b/sshguard-rkt.service
@@ -8,8 +8,9 @@ ExecStart=/usr/bin/rkt --insecure-options=image run \
 --inherit-env \
 --net=host \
 --mount volume=dev-log,target=/dev/log --volume dev-log,kind=host,source=/dev/log,readOnly=true \
- --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal \
+ --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal,readOnly=true \
 --mount volume=config,target=/var/db/sshguard --volume config,kind=host,source=/var/db/sshguard \
+ --mount volume=run-xtables,target=/run/xtables.lock --volume run-xtables,kind=host,source=/run/xtables.lock \
 docker://chillichef/coreos-sshguard:latest \
 --name=%p-service \
 --caps-retain=CAP_NET_ADMIN,CAP_NET_RAW \
diff --git a/start-sshguard.sh b/start-sshguard.sh
index e629301..3f8ef98 100755
--- a/start-sshguard.sh
+++ b/start-sshguard.sh
@@ -1,3 +1,14 @@
 #!/bin/sh
-journalctl -D /var/log/journal --no-pager -n0 -xfq -t sshd | /usr/sbin/sshguard "$@"
+set -eu
+
+BACKEND=${BACKEND:-/usr/lib/x86_64-linux-gnu/sshg-fw-ipset}
+LOGREADER=${LOGREADER:-LANG=C /bin/journalctl -afb -p info -n1 -D /var/log/journal -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10}
+THRESHOLD=${THRESHOLD:-30}
+BLOCK_TIME=${BLOCK_TIME:-120}
+DETECTION_TIME=${DETECTION_TIME:-1800}
+WHITELIST_FILE=${WHITELIST_FILE:-/etc/sshguard/whitelist}
+
+export BACKEND LOGREADER THRESEHOLD BLOCK_TIME DETECTION_TIME WHITELIST_TIME
+
+exec /usr/sbin/sshguard "$@"
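Review bot: With the added `run-xtables` mount the container now shares the host's netfilter lock on top of CAP_NET_ADMIN in the host network namespace, yet the image it runs is `docker://chillichef/coreos-sshguard:latest`, a floating tag, and the `--insecure-options=image` visible in the hunk header disables rkt's image verification. Anyone who can push to that tag can replace the process that manages the host firewall. Pin the image by digest (`docker://chillichef/coreos-sshguard@sha256:<digest>`) so that at least the content is fixed while signature checking is off. The `ExecStart` line continues beyond this hunk.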
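Review bot: The `export` line misspells two of the variables it is meant to publish — `THRESEHOLD` for `THRESHOLD` and `WHITELIST_TIME` for `WHITELIST_FILE` — so the `THRESHOLD` and `WHITELIST_FILE` defaults set above it, and any operator override of them, never reach sshguard, contrary to the README's claim that every setting is exposed as an environment variable; it should read `export BACKEND LOGREADER THRESHOLD BLOCK_TIME DETECTION_TIME WHITELIST_FILE`. `set -eu` does not catch this because exporting an unset name is not a parameter expansion. Once fixed, check that sshguard tolerates a missing whitelist, since `/etc/sshguard/whitelist` is not shipped in the image, and note that the `BACKEND` default hard-codes `x86_64-linux-gnu`, so the image cannot run on arm64 hosts without an override.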