Docker Community Forums


Is putting fail2ban/ufw in front of Docker+Traefik v2 necessary? How do Docker+Traefik handle the same need?

If I were not running Docker, I would use UFW and Fail2Ban to manage open ports and intrusion prevention.

Docker, by default, modifies iptables itself, ignoring/bypassing UFW. I know you can change this behavior but my understanding is that it is not advised to set DOCKER_OPTS="--iptables=false" because Docker networking is fairly complex.

This means that Fail2Ban is useless. I could tell Fail2Ban where to look for container traffic logs but I don’t know if it’ll matter since Fail2Ban won’t be able to ban those IPs – since Docker bypasses UFW.

I’m new to Docker and Traefik. I’m just trying to wrap my head around what I should do vs. what I don’t need to do. I’m only exposing one service on 80/443 using Traefik, but it is a sensitive service so I still want things to be secure.

I mean, I opened 80/443 on my FW (pfSense) and just within 24 hours I was getting hits from random IPs. There weren’t a lot so I don’t think anyone was trying to get in, probably some scanners, but still.

Any advice/perspective/thoughts/experience is appreciated.
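Added example (not from the post or any reply): the reason UFW rules have no effect on published container ports is that traffic to containers is DNAT'ed and then forwarded, so it never hits the INPUT chain UFW manages. Docker does, however, insert a DOCKER-USER chain at the head of FORWARD and leaves its contents alone, so host-level filtering for containers belongs there. The script below generates the iptables commands for a simple "only 80/443 from the internet" policy in that chain, using `--ctorigdstport` so the match is on the port that was published on the host rather than the port inside the container (those can differ, and `--dport` in DOCKER-USER sees the post-DNAT container port). The interface name `eth0` and the allowed ports are assumptions for the example; it prints the rules instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the original post. Restrict traffic to
# published container ports via the DOCKER-USER chain, which Docker places
# ahead of its own DOCKER chain in FORWARD and does not overwrite. UFW's
# INPUT-chain rules are bypassed for this forwarded traffic, but rules
# placed here are honoured.
#
# Assumptions (hypothetical, adjust to your host): the internet-facing
# interface is eth0 and only TCP 80 and 443 should be reachable from it.

WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"

# Emit the iptables commands rather than executing them, so the policy can
# be inspected before it is applied with:  docker_user_rules | sudo sh
docker_user_rules() {
    # Start from an empty DOCKER-USER chain (Docker creates it on startup).
    echo "iptables -F DOCKER-USER"

    # Replies to connections that containers themselves initiated (package
    # downloads, upstream API calls) must keep flowing back in from the WAN.
    echo "iptables -A DOCKER-USER -i $WAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"

    # New connections from the WAN are allowed only to the published ports.
    # --ctorigdstport matches the destination port of the ORIGINAL direction
    # of the flow, i.e. the host-published port before Docker's DNAT, which is
    # what an operator thinks of as "port 80/443 on the server".
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A DOCKER-USER -i $WAN_IF -p tcp -m conntrack --ctstate NEW --ctorigdstport $p --ctdir ORIGINAL -j RETURN"
    done

    # Anything else arriving from the WAN towards a container is dropped,
    # even if a container happens to publish a port nobody meant to expose.
    echo "iptables -A DOCKER-USER -i $WAN_IF -j DROP"

    # Traffic from other interfaces (LAN, docker bridges) continues on to
    # Docker's own rules unchanged.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Number of rules the policy produces; used as a sanity check.
docker_user_rule_count() {
    docker_user_rules | wc -l | tr -d ' '
}

# Show the generated policy when the script is run directly.
docker_user_rules
```

Two notes on using this. First, the rules are not persistent: they need to be re-applied at boot after the Docker daemon has created the DOCKER-USER chain (for example from a systemd unit ordered after docker.service, or via the distribution's iptables persistence mechanism). Second, Fail2Ban's iptables actions take a `chain` parameter (the default is `INPUT`), so a jail that reads the Traefik access log and bans with `chain = DOCKER-USER` puts its DROP rules where forwarded container traffic is actually evaluated, which is what makes Fail2Ban useful again alongside Docker.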