Docker TLS authentication attack protection
I'm securing several Docker environments with TLS certificates (port 2376) and already use CrowdSec to block attacks on application level. Now I want to protect against Docker daemon TLS authentication attacks as well.
Current situation:
- Failed TLS authentication attempts are logged in journalctl -u docker
- No existing parsers or scenarios in CrowdSec Hub for Docker daemon TLS failures
- Looking to create custom parser for patterns like http: TLS handshake error from <IP> or similar authentication failures
Question:
Has anyone created a custom parser/scenario for Docker daemon TLS authentication failures? The logs show failed handshake attempts in journalctl, but there's no out-of-the-box solution to parse these and trigger bans.
Goal:
Detect and ban IPs attempting unauthorized Docker API access via failed TLS certificate authentication.
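A starting point for such a parser and scenario, added here as an illustration and not something from the CrowdSec Hub or from anyone in this thread. It assumes the dockerd journal line has the Go net/http form `http: TLS handshake error from 203.0.113.5:51234: remote error: tls: bad certificate` (the address is a constructed sample) and that journalctl acquisition with `type: syslog` has already filled `evt.Parsed.program` and `evt.Parsed.message` via the stock syslog parser.

```yaml
# --- acquisition, e.g. /etc/crowdsec/acquis.d/docker-tls.yaml ---
# Read the docker unit from the journal and hand it to the syslog parsers.
source: journalctl
journalctl_filter:
  - "-u"
  - "docker.service"
labels:
  type: syslog

---
# --- parser, e.g. /etc/crowdsec/parsers/s01-parse/docker-tls-logs.yaml ---
# Only look at dockerd lines; the syslog stage already set evt.Parsed.program.
onsuccess: next_stage
filter: "evt.Parsed.program == 'dockerd'"
name: custom/docker-tls-logs
description: "dockerd TLS handshake failures on the TLS API port (2376)"
pattern_syntax:
  # Go's net/http prints the client as host:port. IPv6 clients appear as
  # [addr]:port and would need a second pattern; this one covers IPv4.
  DOCKER_TLS_FAIL: 'http: TLS handshake error from %{IP:source_ip}:%{POSINT:source_port}: %{GREEDYDATA:reason}'
nodes:
  - grok:
      name: DOCKER_TLS_FAIL
      apply_on: message
      statics:
        - meta: log_type
          value: docker_tls_handshake_failed
        - meta: source_ip
          expression: evt.Parsed.source_ip
        - meta: reason
          expression: evt.Parsed.reason
statics:
  - meta: service
    value: docker

---
# --- scenario, e.g. /etc/crowdsec/scenarios/docker-tls-bf.yaml ---
# Leaky bucket per client IP: more than 5 failed handshakes within roughly
# 50 seconds overflows the bucket and produces a ban decision.
type: leaky
name: custom/docker-tls-bf
description: "Repeated TLS handshake failures against the Docker daemon API"
filter: "evt.Meta.log_type == 'docker_tls_handshake_failed'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 1m
labels:
  service: docker
  type: bruteforce
  remediation: true
```

Check the chain with `cscli explain --log '<journal line>' --type syslog` before enabling it; note that a legitimate client presenting an expired or wrong client certificate produces the same log line, so capacity and leakspeed trade false positives against reaction time.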
Good idea. AFAIK, no, there is no existing parser/scenario, but a dockerd parser would be a good idea as you want to ban people.
That's presuming the better solution of a "deny all", "allowlist some" approach is not usable for you?
Nope. Dynamic IPs.
Done ✅