Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way
Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing.
However, by default, it’s not without it’s drawbacks: Fail2Ban uses
iptables to manage it’s bans, inserting a
--reject-with icmp-port-unreachable rule for each banned host.
The thing with this is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and just general upper-layer routing.
Since it’s the proxy that’s accepting the client connections, the actual server host, even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, even if Fail2Ban puts that IP into the
iptables rules, since that’s not the connecting IP, it means nothing.
What I really need is some way for Fail2Ban to manage it’s ban list, effectively, remotely.
Luckily, it’s not that hard to change it to do something like that, with a little fiddling.