LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-18-2018, 05:05 AM   #1
taumeister
Member
 
Registered: Nov 2017
Location: Germany / Bonn
Distribution: Deepin Linux, Debian
Posts: 65

Rep: Reputation: 1
HAPROXY and fail2ban - block IPs


I want to block IP addresses that log on to a web server too often, i.e. call it too often (no wrong logon).
And I want to do that on HAPROXY itself.

I have the following constellation:
HAPROXY
Web server 1
Web server 2

Apparently I have the problem to create the regex construct correctly.
I see the IP addresses in /var/log/haproxy.log but fail2ban does not lock.
I have been working on this topic since the day before yesterday and my eyes are glowing from reading web pages.

What I see many times in /var/log/haproxy.log is my IP address trying to access the mail server, and I simply want to block myself when I try too often, no matter if I sign up wrong or not; the HAPROXY can't see this anyway.

/var/log/haproxy.log
Code:
Sep 18 09:30:03 haproxy haproxy[513]: 37.24.59.146:61844 [18/Sep/2018:09:30:00.890] www_frontend~ mail_cluster/mail 3051/0/0/1/3052 200 321 - - ---- 2/2/0/1/0 0/0 "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1"

1. iptables is configured to accept only 80,443.
2. fail2ban is configured as follows
I have tested many other configurations before..



/etc/fail2ban/jail.local
Code:
..
[haproxy]
# Check /var/log/haproxy.log, then block for 1200 Seconds addresses that made 3 requests in 20 Seconds
enabled  = true
bantime  = 1200
findtime = 10
maxretry = 3
filter   = haproxy
logpath  = /var/log/haproxy.log
port     = 80,443
banaction =  iptables-allports
action = iptables-multiport[name=haproxy,port="http,https", protocol=tcp]

/etc/fail2ban/filter.d/haproxy.conf
Code:
[Definition]

#failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.* "(GET |POST )/Login HTTP/1.1"$
failregex = ^<HOST> -.*"GET.*
ignoreregex =

But no matter how hard I demand the proxy, I'm simply not blocked.
Please do me a favor and help me with this, if you have another idea.

Already read:
https://github.com/fail2ban/fail2ban...nfig/jail.conf
https://github.com/fail2ban/fail2ban/issues/1307
https://raymii.org/s/snippets/haprox...addresses.html
https://security.stackexchange.com/q...ts-in-a-second

etc..etc.etc..

EDIT1:

Although I've tried so many configurations, fail2ban just doesn't seem to work.

I am slowly getting the feeling that this has to do with the fact that all the servers are in LXD containers and fail2ban just doesn't have permission to interfere with iptables.


EDIT2:
Ok, confirmed. fail2ban does not have the right to alter iptables in LXC containers. Phew.
Doesn't anyone work productively with it?
How is something like this properly secured?

Last edited by taumeister; 09-18-2018 at 11:22 AM.
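
Added example, not part of the original post or of fail2ban itself: a Python check of the posted failregex against the posted haproxy.log line, followed by a simplified findtime/maxretry window count. The IPv4-only stand-in for `<HOST>`, the `CANDIDATE` pattern and the repeated sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
POSTED = r'^<HOST> -.*"GET.*'                 # failregex from the post
CANDIDATE = r'haproxy\[\d+\]: <HOST>:\d+ \['  # hypothetical replacement
# Request timestamp HAProxy logs in brackets: 18/Sep/2018:09:30:00.890
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+\]")

def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST))

def find_host(pattern, line):
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None

def would_ban(lines, pattern, findtime, maxretry):
    """Hosts with >= maxretry matches inside a findtime-second window."""
    rx, recent, banned = compile_failregex(pattern), defaultdict(deque), set()
    for line in lines:
        m, ts = rx.search(line), STAMP.search(line)
        if not (m and ts):
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        hits = recent[m.group("host")]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()          # drop matches older than the window
        if len(hits) >= maxretry:
            banned.add(m.group("host"))
    return banned

# Log line from the post, then constructed repeats 2 seconds apart.
LINE = ('Sep 18 09:30:03 haproxy haproxy[513]: 37.24.59.146:61844 '
        '[18/Sep/2018:09:30:00.890] www_frontend~ mail_cluster/mail '
        '3051/0/0/1/3052 200 321 - - ---- 2/2/0/1/0 0/0 '
        '"POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1"')
SAMPLE = [LINE.replace("09:30:00.890", f"09:30:0{s}.890") for s in (0, 2, 4)]

if __name__ == "__main__":
    print("posted   :", find_host(POSTED, LINE))
    print("candidate:", find_host(CANDIDATE, LINE))
    print("banned   :", would_ban(SAMPLE, CANDIDATE, findtime=10, maxretry=3))
```

The posted pattern expects the line to begin with the client address and to contain a GET request, while the logged line begins with the syslog prefix and carries a POST. On a live system, `fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/haproxy.conf` reports how many lines a filter actually matches.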
 
Old 10-21-2018, 07:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by taumeister
Ok, confirmed. fail2ban does not have the right to alter iptables in LXC Containers.

Showing reproducible evidence of that may help fellow LQ members help you. Apart from that: any reason not to implement HAproxy's stick tables for rate limiting?
 
Old 10-22-2018, 10:42 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by taumeister
/etc/fail2ban/jail.local
Code:
..
[haproxy]
findtime = 10

Every 10 seconds is a little excessive.
If it takes f2b 11 seconds to scan a file, what do you think happens? f2b constantly running.

When in doubt, use default values. (60 in this case)

Just sayin'

Peace
John out.
 
  

