Is there a recommended way to use fail2ban (or snort or the firewall) on FCOS?


Looking around, it seems that some users are happily running fail2ban in a container this way: https://github.com/crazy-max/docker-fail2ban

Hmm, I’m having the impression that Fedora wants to get away from docker in the long run. However, the docker-fail2ban solution looks like it could only work on docker (or is there any chance to get this working with podman in root mode? What about the --cap-add NET_ADMIN --cap-add NET_RAW stuff with podman?)

I guess installing fail2ban with rpm-ostree is rather discouraged and/or will not work?!?

Podman does support privileged mode and can add/drop specific capabilities for a container.

In general, installing packages directly on the host is discouraged and likely to break auto-upgrades. Consider using containerized services wherever possible.

For firewalls, there are the following (disabled) systemd units:

  • /usr/lib/systemd/system/nftables.service
  • /usr/lib/systemd/system/iptables.service
  • /usr/lib/systemd/system/ip6tables.service

Configuration could be placed in:

  • /etc/sysconfig/nftables.conf
  • /etc/sysconfig/iptables
  • /etc/sysconfig/iptables-config
  • /etc/sysconfig/ip6tables
  • /etc/sysconfig/ip6tables-config

Please be aware that ip(6)tables is the legacy version. To use nft and ip(6)tables in conjunction, you have to switch to the *-nft versions (see alternatives).

See this doc page for setting up alternatives on Fedora CoreOS: Setting alternatives :: Fedora Docs
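Putting the pieces of this answer together in one Butane config for FCOS, as an added example (not from the thread or from the fail2ban/crazy-max projects): it enables the otherwise disabled nftables.service with a minimal ruleset in /etc/sysconfig/nftables.conf and runs fail2ban as a rootful podman container with the NET_ADMIN and NET_RAW capabilities the question asks about. The image name docker.io/crazymax/fail2ban, the SSH port 22 and the data path /var/lib/fail2ban-data are assumptions; adjust them to your setup.

```yaml
variant: fcos
version: 1.4.0
storage:
  files:
    - path: /etc/sysconfig/nftables.conf
      mode: 0600
      contents:
        inline: |
          # Loaded by nftables.service. fail2ban keeps its bans in its own nft
          # table, so a reload of this file (flush ruleset) also clears them.
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              iif lo accept
              ct state established,related accept
              tcp dport 22 accept
              icmp type echo-request accept
              icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
            }
            chain forward { type filter hook forward priority 0; policy drop; }
            chain output  { type filter hook output priority 0; policy accept; }
          }
systemd:
  units:
    - name: nftables.service
      enabled: true
    - name: fail2ban.service
      enabled: true
      contents: |
        [Unit]
        Description=fail2ban in a rootful podman container (assumed image name)
        After=network-online.target nftables.service
        Wants=network-online.target

        [Service]
        ExecStartPre=-/usr/bin/podman rm -f fail2ban
        ExecStart=/usr/bin/podman run --rm --name fail2ban \
          --network host --cap-add NET_ADMIN --cap-add NET_RAW \
          -v /var/log:/var/log:ro \
          -v /var/lib/fail2ban-data:/data \
          docker.io/crazymax/fail2ban:latest
        ExecStop=/usr/bin/podman stop -t 10 fail2ban
        Restart=always

        [Install]
        WantedBy=multi-user.target
```

Compile it with `butane --pretty --strict config.bu > config.ign` and pass the result at first boot; note that FCOS logs to journald rather than to /var/log/secure, so each jail you enable needs a log source that is actually readable from inside the container.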