Purpose

The purpose of this post is to configure Docker, UFW (Uncomplicated Firewall) and sshguard to work together, so that ports published by containers are only reachable where the host firewall allows them and addresses that brute-force SSH are blocked automatically. A GNU/Linux machine/server is required to follow this tutorial; the commands below assume a Debian/Ubuntu system with apt.

Configure Docker

By default Docker writes its own iptables rules: a port published with -p is opened to the outside directly, ahead of (and bypassing) any UFW rules. To prevent this, once Docker is installed make sure the file /etc/docker/daemon.json exists and add the following setting so the daemon stops managing iptables:

{
  "iptables": false
}

Be aware that with this setting Docker also stops adding the MASQUERADE and FORWARD rules that give containers outbound network access; the Docker documentation warns that it will likely break container networking and suggests filtering in the DOCKER-USER chain as the alternative. Check that containers can still reach the network after the change and add those rules yourself if they cannot. Then restart the Docker daemon:

$ sudo systemctl restart docker

Once Docker is running again, publish a port and confirm it is reachable locally but not from outside. The second check only holds once UFW is enabled with its default deny-incoming policy (see Configure UFW below): without Docker's iptables rules the published port is an ordinary host listener (docker-proxy), so a host with no firewall still exposes it. Run the container detached so the same console can be used for curl:

$ docker run -d --rm --name nginx-test -p 8080:80 nginx

# You can access nginx locally:
$ curl localhost:8080

But you cannot access it from another host:

$ curl --max-time 5 [EXTERNAL_SERVER_IP]:8080

If the port has to be reachable externally, open it in UFW (jump to the next section, Configure UFW, if you have not installed UFW yet):

$ sudo ufw allow 8080/tcp
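The following script is an added example, not code from the original post: it checks that the daemon.json setting is in place and that no Docker DNAT rule exists for the published port (that DNAT rule is what -p creates while Docker still manages iptables), so access to the port is decided by the host firewall. The DAEMON_JSON path, the default port and the rule text in the comments are assumptions.

```shell
#!/bin/sh
# verify_docker_iptables.sh -- added example, not code from the original post.
# Confirms Docker has been told to leave iptables alone and that no Docker
# DNAT rule exists for a published port. DAEMON_JSON and the port are assumptions.
set -u

DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# daemon_json_disables_iptables FILE
# 0 if FILE contains "iptables": false (whitespace around the colon allowed).
daemon_json_disables_iptables() {
    [ -r "$1" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# docker_filter_chains_present RULES
# RULES is the text of `iptables -S`. 0 if Docker-managed chains are defined.
# A chain left over from a run before the change can survive a daemon restart,
# so reboot or flush the chains before treating a hit as "setting not applied".
docker_filter_chains_present() {
    printf '%s\n' "$1" | grep -Eq '^-N (DOCKER|DOCKER-USER|DOCKER-ISOLATION-STAGE-[12])$'
}

# docker_dnat_for_port RULES PORT
# RULES is the text of `iptables -t nat -S`. 0 if Docker installed the DNAT
# rule that `-p PORT:...` creates when it is still managing iptables.
docker_dnat_for_port() {
    printf '%s\n' "$1" | grep -Eq -- "^-A DOCKER .*--dport $2 .*-j DNAT"
}

# Live check against this host; needs root to read iptables.
check_host() {
    port="${1:-8080}"
    if daemon_json_disables_iptables "$DAEMON_JSON"; then
        echo "ok: $DAEMON_JSON sets \"iptables\": false"
    else
        echo "FAIL: $DAEMON_JSON does not set \"iptables\": false"
        return 1
    fi
    filter=$(iptables -S) || return 1
    nat=$(iptables -t nat -S) || return 1
    if docker_filter_chains_present "$filter"; then
        echo "warn: Docker chains still present in the filter table"
    fi
    if docker_dnat_for_port "$nat" "$port"; then
        echo "FAIL: Docker DNAT rule for port $port found; Docker still opens ports itself"
        return 1
    fi
    echo "ok: no Docker DNAT rule for port $port; access is governed by the host firewall"
}

# Usage: sudo sh verify_docker_iptables.sh --check [PORT]
case "${1:-}" in --check) check_host "${2:-8080}"; exit $? ;; esac
```

Run it as root after restarting the daemon; a DNAT hit means the daemon is still programming iptables and the setting did not take effect.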

Configure UFW

UFW, the Uncomplicated Firewall, is a front end built on top of iptables and designed to be easy to use.

Make sure UFW is installed; otherwise run:

$ sudo apt-get update -y
$ sudo apt-get install ufw -y

Before enabling it, allow SSH, otherwise you will not be able to SSH into this server anymore:

# sudo ufw allow [SSH_PORT]/tcp
$ sudo ufw allow 22/tcp

Then enable the firewall (default policy: deny incoming, allow outgoing) and confirm the SSH rule is active:

$ sudo ufw enable
$ sudo ufw status verbose
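The script below is an added example, not code from the original post: it records the SSH rule, proves it was recorded by parsing `ufw show added` (which lists rules even while the firewall is inactive), and only then enables UFW, so a mistyped rule cannot lock you out. It uses `ufw limit` for SSH, a rate-limited allow, instead of the plain `ufw allow` above; SSH_PORT, the Docker-published ports passed as arguments and the sample rule text are assumptions.

```shell
#!/bin/sh
# ufw_safe_enable.sh -- added example, not code from the original post.
# Adds the SSH rule first, checks it was recorded, then enables UFW.
# SSH_PORT and the extra ports passed on the command line are assumptions.
set -u

SSH_PORT="${SSH_PORT:-22}"

# added_rule_allows ADDED PORT
# ADDED is the text of `ufw show added`, which lists rules even while the
# firewall is inactive. 0 if an allow or limit rule for PORT is recorded.
added_rule_allows() {
    printf '%s\n' "$1" | grep -Eq "^ufw (allow|limit) $2(/tcp)?( |$)"
}

# status_allows STATUS PORT
# STATUS is the text of `ufw status` on an active firewall. 0 if PORT has an
# ALLOW or LIMIT entry (plain or verbose output, IPv4 or v6 line).
status_allows() {
    printf '%s\n' "$1" | grep -Eq "^$2(/tcp)?( \(v6\))?[[:space:]]+(ALLOW|LIMIT)([[:space:]]+IN)?[[:space:]]"
}

# ufw_active STATUS -> 0 if `ufw status` reports the firewall as active
ufw_active() { printf '%s\n' "$1" | grep -q '^Status: active'; }

# safe_enable [PORT ...]
# Sets the default policies, rate-limits SSH, opens each extra PORT over tcp,
# refuses to enable unless the SSH rule is recorded, then enables UFW.
safe_enable() {
    ufw default deny incoming >/dev/null
    ufw default allow outgoing >/dev/null
    ufw limit "${SSH_PORT}/tcp" >/dev/null
    for p in "$@"; do ufw allow "${p}/tcp" >/dev/null; done
    if ! added_rule_allows "$(ufw show added)" "$SSH_PORT"; then
        echo "refusing to enable: no rule for SSH port $SSH_PORT recorded" >&2
        return 1
    fi
    ufw_active "$(ufw status)" || ufw --force enable
    status=$(ufw status)
    status_allows "$status" "$SSH_PORT" || { echo "SSH rule missing after enable" >&2; return 1; }
    printf '%s\n' "$status"
}

# Usage: sudo sh ufw_safe_enable.sh --enable [PORT ...]   e.g. --enable 8080
case "${1:-}" in --enable) shift; safe_enable "$@"; exit $? ;; esac
```

Pass the ports you opened for Docker as arguments (for the nginx example above, `--enable 8080`); everything else stays closed under the deny-incoming default.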

Configure sshguard

To block addresses that brute-force SSH, install sshguard:

$ sudo apt-get install sshguard -y

# make sure the sshguard service is running
$ sudo service sshguard status

To check that sshguard is working, open a second console and make a few failed SSH logins to your server with a non-existent user (fake@[SERVER_IP]). sshguard blocks an address once its attack score reaches the THRESHOLD set in /etc/sshguard/sshguard.conf, which with the defaults takes a few failed attempts, and the block is temporary; do this from a host or address you can afford to lose access to for a while. On the first console check that sshguard has added an iptables rule for that IP (if sshguard.conf sets an nftables BACKEND, look in the output of sudo nft list ruleset instead):

$ sudo iptables -S | grep [YOUR_IP]

(Optional) Add the addresses you administer from to /etc/sshguard/whitelist (one IP, CIDR block or hostname per line) so they are never blocked by sshguard:

# Add your IP in the following file
$ sudo vim /etc/sshguard/whitelist

# restart service
$ sudo service sshguard restart
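As an added example (not code from the original post), the script below does the test above in the safe order: it whitelists the address you administer from, restarts sshguard, and then polls the ruleset until the throwaway address you attack from appears in the sshguard chain. The WHITELIST path, the chain name, the wait time and the sample rule text are assumptions; the iptables rule format matches sshguard's iptables backend, and the check must be adapted if sshguard.conf selects an nftables backend.

```shell
#!/bin/sh
# sshguard_check.sh -- added example, not code from the original post.
# Whitelists the admin address, then confirms a provoked block landed in the
# sshguard iptables chain. WHITELIST, chain name and wait time are assumptions.
set -u

WHITELIST="${WHITELIST:-/etc/sshguard/whitelist}"

# whitelist_has FILE ENTRY -> 0 if ENTRY (IP, CIDR or hostname) is listed,
# ignoring blank lines and '#' comments.
whitelist_has() {
    [ -r "$1" ] && grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Fxq "$2"
}

# whitelist_add FILE ENTRY -> appends ENTRY unless already present
whitelist_add() {
    whitelist_has "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

# sshguard_blocks RULES IP
# RULES is the text of `iptables -S` when sshguard uses its iptables backend
# (BACKEND in /etc/sshguard/sshguard.conf). 0 if the sshguard chain drops IP.
# With an nftables backend inspect `nft list ruleset` instead.
sshguard_blocks() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq -- "^-A sshguard -s ${ip_re}(/32)? -j DROP$"
}

# wait_for_block IP SECONDS -> polls the live ruleset until IP is blocked
wait_for_block() {
    n=0
    while [ "$n" -lt "$2" ]; do
        sshguard_blocks "$(iptables -S 2>/dev/null)" "$1" && return 0
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# Usage: sudo sh sshguard_check.sh ADMIN_IP TEST_IP
#   1. ADMIN_IP is whitelisted and sshguard restarted
#   2. from TEST_IP, attempt a few SSH logins as a non-existent user
#   3. the script reports when TEST_IP shows up in the sshguard chain
main() {
    whitelist_add "$WHITELIST" "$1" && echo "whitelisted $1 in $WHITELIST"
    service sshguard restart
    echo "now make failed SSH logins from $2; waiting up to 120s for the block"
    if wait_for_block "$2" 120; then
        echo "ok: $2 is dropped by the sshguard chain"
    else
        echo "FAIL: no sshguard rule for $2 within 120s" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    main "$@"
    exit $?
fi
```

Whitelisting first matters: a test from the same address you administer from would otherwise block your own session for the duration of the ban.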