Getting Fail2Ban to work behind a proxy server

Dirtbag's Blog

Posts

[ 20191022211735 ]
Getting Fail2Ban to work behind a proxy server

[ 20190810215219 ]
Bad wifi performance with Intel wireless adapters on Arch Linux

[ 20190810212010 ]
Arch linux wont let me ssh in until user logs into the console

[ 20181204144314 ]
Wireguard VPN on Raspberry PI

[ 20180611200732 ]
TP-Link Archer T4U AC1200 on Fedora 28

[ 20170920211435 ]
Getting WingDing2 fonts working on fedora/centos

[ 20170920205029 ]
Why wont snmpget work anymore?!

[ 20141010153922 ]
Centos VM will not start on XENserver 6.2 after disabling selinux

[ 20140708205107 ]
Set system hostname on Centos 7

[ 20140627103441 ]
Change boot OS of a headless raspberrypi.

[ 20140511185046 ]
X11 Forwarding problem on smartos

[ 20140210104109 ]
LibreVPN between two linux boxes

[ 20130627091500 ]
Disabling visual ctrl-c "^C" in ssh sessions

[ 20100710201234 ]
Postfix and AT&Ts Uverse

[ 20100414190220 ]
X11 forwarding setup failed

[ 20100323214438 ]
vncserver wont start with 'fixed' font error

[ 20090930085525 ]
thunderbird wont open HTTP links with firefox

[ 20090723153406 ]
Solaris and the dreaded "couldn't set locale correctly" message

[ 20090522123520 ]
FAIL to mount cifs volume with return code = -13

[ 20090218205655 ]
Program failure (-25) of crm

[ 20081225004357 ]
getting Mailman and Postfix to play nice together on gentoo

[ 20081111115501 ]
Where the hell did my swap go?!

[ 20081030110717 ]
Enable tftp on slowaris 10

[ 20080617222744 ]
Getting smtp-auth to work on Gentoo with qmail

[ 20080606222212 ]
atheros AR5212 wireless on a Thinkpad T42

[ 20080226201837 ]
LOL Cats!

[ 20080217211812 ]
Installing mod_security on gentoo

[ 20080125213318 ]
getting qmail-scanner to emerge on gentoo

[ 20080120093607 ]
Using the perl MCPAN shell with wget behind a proxy

[ 20080111145948 ]
Getting Apache Tomcat 5.5.X to start/stop correctly

[ 20071228103211 ]
A VNC server is already running as :10, but it isn't

[ 20071211194258 ]
Problems compiling cyrus-sasl on solaris boxen

[ 20071210224851 ]
appropriate Inline DIRECTORY

[ 20071210194038 ]
Dirtbag's blog is launched!

Getting Fail2Ban to work behind a proxy server

[ link: fail2banproxy | tags: fail2ban proxy nginx | updated: Fri, 17 Apr 2020 12:03:23 -0400 ]

I have my webserver running roundcube behind an nginx proxy server and was having problems getting fail2ban to block repeat failed logins because of the way the remote addresses were showing up in the logs.

So to make a long story short, my roundcube "errors" log was showing remote ip addresses as

[04-Oct-2019 19:53:21 -0400]:  IMAP Error: Login failed for user from 127.0.0.1. AUTHENTICATE PLAIN:...

So, the first problem was that the real ip address of the client was not making it in from my nginx proxy. That's fixed easily
enough by adding the appropriate "proxy_set_header" lines in your nginx config. Google that, theres tons of info on it.
Now the "hard" part is getting fail2ban to correctly read the error log file and parse out the address that should look something
like this after you fix nginx to pass through the "real" ip address:

[22-Oct-2019 19:24:54 -0400]: IMAP Error: Login failed for user from 127.0.0.1(X-Forwarded-For: 29.220.116.34). AUTHENTICATE PLAIN: Authentication failed.

So what ended up working for me was the following in my /etc/fail2ban/jail.local file:

[roundcube-auth]
enabled = true
filter = roundcube
port     = http,https
logpath  = /var/log/roundcubemail/errors
maxretry = 4
bantime = 3600
findtime = 600

And the following in my /etc/fail2ban/filter.d/roundcube.conf file:

[INCLUDES]

before = common.conf

[Definition]
failregex = IMAP Error: Login failed for.*X-Forwarded-For: <HOST>
ignoreregex =

Restart fail2ban and it should pick up the new settings and work..

-db

Like this article? Buy me a beer!

Dirtbag's Blog

Tags

Posts

Getting Fail2Ban to work behind a proxy server

[ link: fail2banproxy | tags: fail2ban proxy nginx | updated: Fri, 17 Apr 2020 12:03:23 -0400 ]