Dirtbag's Blog

Getting Fail2Ban to work behind a proxy server

[ link: fail2banproxy | tags: fail2ban proxy nginx | updated: Fri, 17 Apr 2020 12:03:23 -0400 ]

I have my webserver running roundcube behind an nginx proxy server and was having problems getting fail2ban to block repeat failed logins because of the way the remote addresses were showing up in the logs.

So to make a long story short, my roundcube "errors" log was showing remote ip addresses as

[04-Oct-2019 19:53:21 -0400]:  IMAP Error: Login failed for user from 127.0.0.1. AUTHENTICATE PLAIN:...


So, the first problem was that the real IP address of the client was not making it in from my nginx proxy. That's fixed easily enough by adding the appropriate "proxy_set_header" lines in your nginx config. Google that, there's tons of info on it.

Now the "hard" part is getting fail2ban to correctly read the error log file and parse out the address, which should look something like this after you fix nginx to pass through the "real" IP address:

[22-Oct-2019 19:24:54 -0400]: IMAP Error: Login failed for user from 127.0.0.1(X-Forwarded-For: 29.220.116.34). AUTHENTICATE PLAIN: Authentication failed.


So what ended up working for me was the following in my /etc/fail2ban/jail.local file:

[roundcube-auth]
enabled = true
filter = roundcube
port     = http,https
logpath  = /var/log/roundcubemail/errors
maxretry = 4
bantime = 3600
findtime = 600 


And the following in my /etc/fail2ban/filter.d/roundcube.conf file:

[INCLUDES]

before = common.conf

[Definition]
failregex = IMAP Error: Login failed for.*X-Forwarded-For: <HOST>
ignoreregex = 


Restart fail2ban and it should pick up the new settings and work.

-db
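
To check the filter and jail settings above before relying on them, here is an added example (not part of the original post and not fail2ban's own code) that applies the same failregex and the maxretry/findtime values to constructed log lines. The HOST pattern is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and 203.0.113.7 is a made-up documentation address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the real
# tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"IMAP Error: Login failed for.*X-Forwarded-For: <HOST>".replace("<HOST>", HOST))
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")
MAXRETRY, FINDTIME = 4, 600  # values from the [roundcube-auth] jail


def failure(line):
    """Return (timestamp, host) for a failed-login line, or None if no match."""
    stamp, hit = STAMP.match(line), FAILREGEX.search(line)
    if not (stamp and hit):
        return None
    when = datetime.strptime(stamp.group("ts"), "%d-%b-%Y %H:%M:%S %z")
    return when, hit.group("host")


def hosts_to_ban(lines):
    """Hosts that reach MAXRETRY failures inside a FINDTIME-second window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        parsed = failure(line)
        if parsed is None:
            continue
        when, host = parsed
        window = recent[host]
        window.append(when)
        # Drop failures that have aged out of the findtime window.
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned


# Constructed sample lines in the two log formats shown in the post.
TAIL = "AUTHENTICATE PLAIN: Authentication failed."
BEFORE = f"[04-Oct-2019 19:53:21 -0400]:  IMAP Error: Login failed for user from 127.0.0.1. {TAIL}"
AFTER = [f"[22-Oct-2019 19:2{m}:54 -0400]: IMAP Error: Login failed for user from "
         f"127.0.0.1(X-Forwarded-For: 29.220.116.34). {TAIL}" for m in range(4)]
SLOW = [f"[22-Oct-2019 {h}:00:00 -0400]: IMAP Error: Login failed for user from "
        f"127.0.0.1(X-Forwarded-For: 203.0.113.7). {TAIL}" for h in (10, 11, 12, 13)]

if __name__ == "__main__":
    print(failure(BEFORE), hosts_to_ban([BEFORE] + AFTER + SLOW))
```

On the server itself, fail2ban-regex /var/log/roundcubemail/errors /etc/fail2ban/filter.d/roundcube.conf runs the real filter against the real log and reports how many lines matched.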
