Tuesday, 6 September 2016
How to add a network interface card (NIC) to a Docker container and bridge it with a physical NIC
- Create the Docker network
- # docker network create --driver=bridge [docker's network name]
- *Docker automatically creates the network bridge (a Linux bridge, visible with brctl) when this command runs on a Linux host.
- Bridge the created network with another interface
- # brctl addif [bridge name] [NIC's name]
- *brctl show (to look up the bridge name).
- **The interface has to be added to the bridge manually every time the host restarts.
- Create the Docker container
- Connect the container to the bridge
- # docker network connect [Network Name] [Container ID]
- *The container is connected to the network, and a new interface attached to that network is automatically created inside the container.
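The four steps above as one script (an added example, not code from the post): it looks up or creates the network, derives the bridge name from the network id, adds the NIC to the bridge only if it is not already a port, and connects the container only if it is not already attached. Because the brctl addif step is lost at every host restart, the script is written to be safe to re-run from a boot-time unit. The network name, NIC name and container name are placeholders you replace; bridge_name_for_id and attach_nic are names chosen here, and the br-<id prefix> naming assumes the network was created without a custom bridge name option. A container on this network is reachable at Layer 2 straight from the physical segment, so the host firewall rules should treat that bridge as an external-facing interface.

```shell
#!/bin/sh
# Added example, not from the post: the post's steps as one idempotent script.
# Assumes docker and brctl are installed and the caller is root.
set -eu

# Docker names the Linux bridge behind a user-defined bridge network
# "br-" followed by the first 12 characters of the network id
# (unless a custom bridge name option was given at creation).
bridge_name_for_id() {
    printf 'br-%s' "$(printf '%s' "$1" | cut -c1-12)"
}

# attach_nic NETWORK NIC CONTAINER_NAME: create the network if needed, add the
# physical NIC to its bridge once, and connect the container to the network.
attach_nic() {
    net=$1; nic=$2; container=$3
    # "docker network inspect" prints the full id if the network exists;
    # otherwise create it (docker network create prints the new id).
    id=$(docker network inspect -f '{{.Id}}' "$net" 2>/dev/null) \
        || id=$(docker network create --driver=bridge "$net")
    br=$(bridge_name_for_id "$id")
    # brctl show lists the bridge's ports; skip addif when the NIC is already one.
    # This is the step that must be repeated after every host restart.
    if ! brctl show "$br" | grep -qw "$nic"; then
        brctl addif "$br" "$nic"
    fi
    # Skip the connect when the container is already on the network.
    if ! docker network inspect -f '{{range $k, $v := .Containers}}{{$v.Name}} {{end}}' "$net" \
            | grep -qw "$container"; then
        docker network connect "$net" "$container"
    fi
}

# Usage: ./attach-nic.sh NETWORK NIC CONTAINER_NAME   (all three are placeholders)
if [ $# -eq 3 ]; then
    attach_nic "$1" "$2" "$3"
fi
```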
Thursday, 7 April 2016
Detection and Prevention SSH Brute Force Attacks with Logstash and iptables
This post describes an alternative way to detect and prevent SSH brute-force attacks
on a Linux server, using Logstash, ipset and iptables on CentOS 7.
First Step: Create the Preventive Mechanism
Create a preventive mechanism with iptables and ipset that blocks the source IP
addresses of brute-force attempts.
Install and configure ipset:
yum -y install ipset
ipset create block hash:ip timeout 86400
(The set is created with timeout support so that entries added later with their own timeout are accepted and expire automatically.)
Configure the iptables rule:
iptables -I INPUT -p tcp -m set --match-set block src -j DROP
(The rule is inserted at the top of the INPUT chain so that it is evaluated before any rule that accepts SSH. Neither the set nor the rule survives a reboot by itself; save them or recreate them at boot.)
Second Step: Create the Detection Mechanism
Install and configure Logstash to analyze the sshd log (/var/log/secure) and identify
the source IP addresses of SSH brute-force attempts.
Enable logstash on boot:
systemctl enable logstash
Configure Logstash: copy the configuration below into the file "/etc/logstash/conf.d/logstash", replacing its contents
input {
  file {
    path => ["/var/log/secure"]
  }
}

filter {
  # parse the pam_unix "authentication failure" lines written by sshd;
  # the day of month may be padded with a second space
  grok {
    match => ["message", "%{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{HOSTNAME} %{WORD:prog}\[%{DATA}: %{DATA:detail}(?: logname=(?:%{WORD:logname}|)|)(?: uid=(?:%{WORD:uid}|)|)(?: euid=(?:%{WORD:euid}|)|)(?: tty=(?:%{WORD:tty}|)|)(?: ruser=(?:%{WORD:ruser}|)|) rhost=%{IP:remoteIP}(?: +user=%{USERNAME:remoteUser})?"]
    remove_field => ["message"]
  }
  # drop the event if no remoteIP was extracted (the line is not an authentication failure).
  if ![remoteIP] {
    drop { }
  }
  # mark remoteIP for blocking after 3 authentication failures within 30 seconds.
  throttle {
    before_count => 0
    after_count => 3
    period => 30
    key => "%{remoteIP}"
    add_field => { "block" => "true" }
  }
  if [remoteIP] and [block] == "true" {
    ruby {
      # Logstash 2.x event API; on Logstash 5 and later use event.get('remoteIP')
      code => "
        `/usr/sbin/ipset add block #{event['remoteIP']} timeout 86400`
      "
    }
  }
}

output {
  # write every event to a file
  file { path => "/var/log/blacklist" }
  # stdout { codec => json_lines }
}
Restart the logstash service:
systemctl restart logstash
Note: on CentOS 7, /var/log/secure is readable only by root and ipset needs root privileges, so the user the logstash service runs as must be given read access to the log and a way to run the ipset command.
Optional: you can also send the event data from Logstash to Elasticsearch for long-term analysis.
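To check the detection rule without a running Logstash, here is a shell/awk re-implementation (an added example, not part of the post) of the same logic: it parses the pam_unix authentication-failure lines the grok pattern targets, counts failures per rhost within a 30-second window as the throttle filter does with after_count => 3, and prints the ipset command the post's ruby filter would run instead of executing it. The log lines are constructed samples in /var/log/secure format, offenders and block_cmds are names chosen here, and the fixed window that restarts after the period is an approximation of the throttle filter's timeslots.

```shell
#!/bin/sh
# Added example (not from the post): the post's detection rule as shell/awk,
# so it can be tested against sample log lines offline.
# Rule: the 4th authentication failure from one rhost within a 30-second window
# marks that host for blocking (after_count => 3, period => 30).

# Constructed sample lines in /var/log/secure format (not a real capture).
SAMPLE_LOG='Sep  6 10:00:01 host sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep  6 10:00:05 host sshd[1202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep  6 10:00:09 host sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
Sep  6 10:00:12 host sshd[1204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
Sep  6 10:00:20 host sshd[1205]: Accepted publickey for deploy from 203.0.113.9 port 50022 ssh2
Sep  6 10:01:00 host sshd[1206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Sep  6 10:02:00 host sshd[1207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Sep  6 10:03:00 host sshd[1208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Sep  6 10:04:00 host sshd[1209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root'

# offenders: read log lines on stdin, print each rhost once when it crosses the threshold.
offenders() {
    awk -v after_count=3 -v period=30 '
    # only authentication failures carrying an rhost= field are of interest
    /authentication failure/ && match($0, /rhost=[0-9.]+/) {
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight (same day assumed)
        # start a new window when the previous one has expired
        if (!(ip in start) || ts - start[ip] > period) { start[ip] = ts; n[ip] = 0 }
        n[ip]++
        # the throttle filter tags events beyond after_count; act on the first such event
        if (n[ip] == after_count + 1) print ip
    }'
}

# block_cmds: turn offender IPs into the ipset command the post runs (printed, not executed).
block_cmds() {
    offenders | while read -r ip; do
        printf '/usr/sbin/ipset add block %s timeout 86400\n' "$ip"
    done
}

# Usage: ./check-bruteforce.sh demo   (or pipe real log lines into block_cmds)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | block_cmds
fi
```

Running the demo prints a single command for 198.51.100.7, which failed four times in eleven seconds; 203.0.113.9 also failed four times but a minute apart, so each failure falls into a fresh window and it is never blocked, which is exactly the behaviour the period setting is meant to give.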