### Tek's Domain

#<NTA:NnT:SSrgS:H6.6-198:W200-90.72:CBWg>

# Fail2Ban Behind a Reverse Proxy: The Almost-Correct Way

Fail2Ban is a wonderful tool for managing failed authentication or usage attempts for anything public facing. However, by default, it’s not without it’s drawbacks: Fail2Ban uses iptables to manage it’s bans, inserting a --reject-with icmp-port-unreachable rule for each banned host. The thing with this is that I use a fairly large amount of reverse-proxying on this network to handle things like TLS termination and just general upper-layer routing. Since it’s the proxy that’s accepting the client connections, the actual server host, even if its logging system understands what’s happening (say, with PROXY protocol) and logs the real client’s IP address, even if Fail2Ban puts that IP into the iptables rules, since that’s not the connecting IP, it means nothing. What I really need is some way for Fail2Ban to manage it’s ban list, effectively, remotely. Luckily, it’s not that hard to change it to do something like that, with a little fiddling.

# Publishing SSH Fingerprints in DNS

So here’s the thing about SSH: The first time you connect to a server, you have no real idea of if that’s legitimate or not, right? Well, you could compare the key fingerprint to the fingerprint that the server admin gave you and make sure they match, but nobody does that.

Well… there is a way. Using everyone’s favorite always-broken service, DNS.

# BorgBackup: (TODO: Insert Borg Joke Here)

I was really fighting with my inner self to have a straightforward title for this one, but alas, resistance is futile.

BorgBackup, or, for short, just “Borg”, is a relatively fast (more on that later), efficient, secure, and authenticated way of backing up multiple devices either on a single network, or even across networks (you’ll see, again, later). This is currently what I use for backing up my stuff, and, well, it’s just cool, and definitely something you should take a look at.