Running Fail2ban behind a reverse proxy
Description of the situation - target
In my current network I have placed several web servers (e.g. Joomla! or Nextcloud) in the DMZ behind the firewall (OPNSense).
As the SSL certificates are managed by the OPNSense, I use "HAProxy" on the OPNSense as a reverse proxy to redirect the requests to the corresponding web server.
I would like to protect the web servers against brute force attacks and want to use "fail2ban" for this purpose.
Following problems / steps must be done:
the login job is done by the app (Joomla) and not by the web server
=> fail2ban must look after the logs of the webapp ans not after the logs of the web server
the web servers get requests only from the OPNSense.
In the stock configuration the logs of the servers only show the IP of the OPNSense for the incomming connection.
So fail2ban would block the HAProxy, it means all incomming connections. It is good for protection, but makes troubles for the "good" requests!!
=> As fail2ban runs on the web servers, we must find a way to transmit the real IP of the requesting machine (can bee the attacker too!) through the OPNSense to the servers
installation and configuration of fail2ban on the web servers
Make the web servers and OPNSense work together:
The logs of the web servers show now the IP of the requesting/attacking machine. It is good but this doen't allow fail2ban to block the incomming traffic from this machine because viewed for the iptables of the servers, the traffic is further comming from the OPNSense.
With other words, Apache kowns the "external IP" from the request, but the request continues to arrive from the OPNSense => so fail2ban will block over the iptables the traffic comming from the "external IP" as if the "external IP" would connect directely to the web servers. But as the traffic comes from the HAProxy, it is not blocked by the iptables => fail2ban would ban nothing in reality.
=> Therefore. the blocking action can't be done by the web servers, but it must be done "earlier", therefore by the OPNSense. The web servers must also be able to tell OPNSense "please be so kind and don't forward requests coming from "external IP", this is a mess maker".
Make it run
Please read my notes (currently in french!!) into the wiki for the different steps explained above - I'm too lazy to rewrite them here.
Even if it looks confusing, it makes sense (for me!) to configure the different machines in a different order than the above "logical" sequences.
- step one is the installation and the basic configuration of fail2ban on the web server
⇒ can be tested
# fail2ban-client set <one_of_the_enabled_jail> banip 192.168.1.1with for exemple
- step two forwards the IP of the requesting machine trough the OPNSense to the Joomla machine
⇒ the logs of the web server and of Joomla should show another IP than the one of the HAPRoxy
- step three concists into making a new jail looking after the logs of joomla giving the IP of the connecting machine and running a script for communication with the OPNSense
⇒ can be tested by taking a wrong password by trying to login into Joomla
- step four configures the OPNSense to block the IP given by fail2ban of the web server
- step five is communicating the IP to ban from the web server to the OPNSense
A lot of things, but all is logical and should do the job in a correct way.
- Catégorie : Informatique