Tek's Domain

Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

2022-01-07 7 min read Programming Security Software Sysadmin stuff Tech Teknikal_Domain Unable to load comment count

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing. However, by default, it’s not without it’s drawbacks: Fail2Ban uses iptables to manage it’s bans, inserting a --reject-with icmp-port-unreachable rule for each banned host. The thing with this is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and just general upper-layer routing. Since it’s the proxy that’s accepting the client connections, the actual server host, even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, even if Fail2Ban puts that IP into the iptables rules, since that’s not the connecting IP, it means nothing. What I really need is some way for Fail2Ban to manage it’s ban list, effectively, remotely. Luckily, it’s not that hard to change it to do something like that, with a little fiddling.

Continue reading
Dovecot Email Fail2Ban iptables SSH

TDNET 2.0: the New Homelab (Part 2)

2021-02-11 24 min read Behind the scenes Homelab Maintenance Systems administration Teknikal_Domain Unable to load comment count
Part 2 of 2

Now, this is the second part of a two-part post, that one covered the tech and background, and this will be the tour. So, let’s begin, running this one front-to-back.

Continue reading
Amazon S3 Amazon AWS AWS Storage Gateway Bazarr BookStack BorgBackup Dendrite Docker Dovecot GitLab Graylog HAProxy Hypervisor Jellyfin Linux containers Lychee Matrix NAS Netatalk Nextcloud NFS PGP pfSense Pi-Hole Postfix Proxmox Radarr SaltStack Samba Sieve SKS Keyserver SLAPD Sonarr SpamAssassin Synapse Syncthing Time Capsule Transmission UnrealIRCd Zabbix
© 2023 Teknikal_Domain - rss
Modified fork of the Bilberry Hugo Theme