Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing. By default, though, it’s not without its drawbacks: Fail2Ban uses iptables to manage its bans, inserting a --reject-with icmp-port-unreachable rule for each banned host. The thing is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and general upper-layer routing. Since it’s the proxy that accepts the client connections, the actual server host only ever sees the proxy’s address. Even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, and even if Fail2Ban puts that IP into the iptables rules, the rule does nothing, because that IP is not the connecting IP. What I really need is some way for Fail2Ban to manage its ban list, effectively, remotely. Luckily, it’s not that hard to change it to do something like that, with a little fiddling.


Publishing SSH Fingerprints in DNS

So here’s the thing about SSH: the first time you connect to a server, you have no real way of knowing whether its host key is legitimate, right? Well, you could compare the key fingerprint to the one the server admin gave you and make sure they match, but nobody does that.

Well… there is a way. Using everyone’s favorite always-broken service, DNS.


BorgBackup: (TODO: Insert Borg Joke Here)

I was really fighting with my inner self to have a straightforward title for this one, but alas, resistance is futile.

BorgBackup, or, for short, just “Borg”, is a relatively fast (more on that later), efficient, secure, and authenticated way of backing up multiple devices either on a single network, or even across networks (you’ll see, again, later). This is currently what I use for backing up my stuff, and, well, it’s just cool, and definitely something you should take a look at.


Adventures in HAProxy

For those of you who do not know, HAProxy is an amazing piece of kit that can proxy HTTP and arbitrary TCP connections. It’s also so customizable that I’m practically using it as my main entry point to my network, and I do indeed refer to it internally as the “border gateway.” With two exceptions (SSH and SMTP, more on that later), everything that comes into the TD-StorageBay network, and yes, that includes this site too, passes through that one process. However, HAProxy cannot do everything… and I feel that I’m pushing its limits. Not in the “sheer workload” sense, no, I am nowhere near that. I mean in the old Mythbusters style “using things in ways for which they were never intended” manner.
