Question

DigitalOcean Firewall + fail2ban

I’m using the digitalocean firewall, I would like to know if is necessary to use fail2ban too?

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Security wise, allow only what is required and keep it high and tight! monitor everything.

Digital Ocean Firewall manages port and IP addreses allowed to access the droplettes associated with it as well as a droplettes allowed traffic out. This is done before the traffic reaches the droplette.

Fail2Ban provides intrusion and bruteforce prevention by monitoring the associated logs for a given service. This would require traffic reaches the server and accesses a particular service. This traffic would be behind the firewall.

For example SSH on port 22 is configured for your server on the Digital Ocean firewall. Attempts to connect would be allowed. A malicious user now attempts to connect to port ssh and initiates a brute force attack, repeatedly attempting a list of user names and passwords. This is where fail2Ban could detect this break-in attempt, and take action such as blocking the incoming IP.

Similarly, attacks on your web server (or any service allow through the firewall) could be monitored for by fail2ban by detecting known attempts - such as repeated auth failures malformed urls, code injection, sql injection, login/info pages etc.

Where as the Digital Ocean firewall could be used to restrict the allowed IP/subnets on a per-port basis. Similarly the firewall allows control of IP and port for both Inbound AND Outbound traffic.

Different complimentary tools providing different controls.

It is still highly recommended to use additional security controls in addition to active monitoring. IDS, Reverse Proxy,OS Firewall, VPN etc. as a non-exhaustive example. The Marketplace has many of these in 1-click deployments.

An effective tip is to consider the Digital Ocean firewall as a firewall ruleset (because, thats what it is!). Create different ‘rulesets’ (aka firewalls) for various services and droplett clusters.

So to answer you question, yes it would be advised to use both as they provided totally different functions, but additional or alternative controls fitting your unique deployment and use case would be necessary.

Hi @LargeLightCyanAxolotl,

Necessary, no but it’s always good to add more layers of security if you feel it’s needed. If I were in your shoes, I wouldn’t bother as DigitalOcean’s Firewall and your Droplet’s firewall should be enough to get you started.

Having said that, if you are experiencing some brute force attacks which you want to stop, there are two ways to go about it, once is a service like fail2ban the other is a CDN like cloudflare.

Hope this helps.

Hi LargeLightCyanAxolotl,

No is necessary, but if you need to use it you can check this document.

Hope that helps you,

Sergio Turpín