Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts against anything public facing. By default, though, it is not without its drawbacks: Fail2Ban uses iptables to manage its bans, inserting a REJECT rule (with --reject-with icmp-port-unreachable) for each banned host on the machine it runs on. The trouble is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and general upper-layer routing. Since it is the proxy that accepts the client connections, the actual server host only ever sees the proxy's address as its peer. Even if its logging understands what is happening (say, via the PROXY protocol) and records the real client's IP address, and even if Fail2Ban then puts that IP into the local iptables rules, the rule never matches anything, because that is not the address that connects to it. (And if the filter matches the proxy's address instead, one ban takes every client offline at once.) What I really need is some way for Fail2Ban to manage its ban list remotely, on the host that actually terminates the connections. Luckily, with a little fiddling, it is not that hard to make it do something like that.
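As an added example (not code from the post, and not the author's eventual solution), here is the shape a remote ban action can take: a small script that Fail2Ban calls as its actionban/actionunban, which in turn pushes the same REJECT rule onto the proxy over SSH. Everything named here is an assumption: the proxy hostname `proxy.example.internal`, the chain name `f2b-remote`, and an SSH key on the backend whose authorized_keys entry on the proxy is restricted to running iptables. The one check a practitioner should not skip is the address validation, since the `<ip>` tag comes out of a regex over attacker-influenced log data and would otherwise be handed to a remote shell. `DRY_RUN=1` (the default) prints the ssh command instead of executing it, so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the post: a Fail2Ban ban/unban helper that applies
# the rule on the reverse proxy (where the client connection actually arrives)
# rather than on the backend that runs Fail2Ban.
#
# Assumptions (hypothetical, not from the post):
#   - the proxy is reachable over SSH as PROXY_HOST, with a dedicated key whose
#     authorized_keys entry is restricted to running iptables;
#   - the proxy has a chain named CHAIN that INPUT jumps to (see setup_chain);
#   - DRY_RUN=1 prints the ssh command instead of running it, so this runs offline.

PROXY_HOST="${PROXY_HOST:-proxy.example.internal}"  # assumed hostname
CHAIN="${CHAIN:-f2b-remote}"                        # assumed chain name
DRY_RUN="${DRY_RUN:-1}"

# Accept only four dot-separated decimal octets in 0..255.
# Fail2Ban fills <ip> from regex captures over log data; never let an
# attacker-controlled string reach a remote shell without this check.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Build the iptables command for one address. $1 is -I (ban) or -D (unban).
# The REJECT target mirrors the rule Fail2Ban's default action inserts locally.
build_rule() {
  printf 'iptables %s %s -s %s -j REJECT --reject-with icmp-port-unreachable' \
    "$1" "$CHAIN" "$2"
}

# Run a command on the proxy, or print it in dry-run mode.
remote() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'ssh %s %s\n' "$PROXY_HOST" "$1"
  else
    ssh -o BatchMode=yes -- "$PROXY_HOST" "$1"
  fi
}

# actionstart equivalent: create the chain on the proxy and hook it into INPUT.
setup_chain() {
  remote "iptables -N $CHAIN; iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
}

# actionban / actionunban equivalents. Exit status 2 means the address was refused,
# which Fail2Ban reports as a failed action rather than silently running something.
ban_ip()   { valid_ipv4 "$1" || return 2; remote "$(build_rule -I "$1")"; }
unban_ip() { valid_ipv4 "$1" || return 2; remote "$(build_rule -D "$1")"; }

# Command-line entry point so the file can be used directly as an action script;
# with no arguments it only defines the functions above.
case "${1:-}" in
  setup) setup_chain ;;
  ban)   ban_ip "$2" ;;
  unban) unban_ip "$2" ;;
  "")    ;;
  *)     echo "usage: $0 setup|ban <ip>|unban <ip>" >&2; exit 64 ;;
esac
```

To wire it in, a custom action file under action.d would set `actionstart = /usr/local/bin/f2b-remote.sh setup`, `actionban = /usr/local/bin/f2b-remote.sh ban <ip>` and `actionunban = /usr/local/bin/f2b-remote.sh unban <ip>` (paths assumed), and the jail would use that action instead of iptables-multiport. Two caveats: the validator deliberately refuses IPv6 addresses, so an IPv6 ban fails loudly instead of being forwarded unchecked, and the script does nothing about the logging side; the backend's filter must still be matching the real client address (from the PROXY protocol or a forwarded header), or the proxy will end up banning itself.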


Moving From Sophos UTM 9 to pfSense

Updated May 4th, 2021

Yeah I figure why not, at the same time that I’m replacing another key piece of network infrastructure, I might as well just replace the (second) most important piece, right? So cue the music, because…

Now, this is a story, all about how my life network got flipped, turned upside down, and I’d like to take a minute, just sit right there, I’ll tell you how I became the prince of a town called Bel Air the owner of a… just… just cut the music. Let’s begin.
