I want to block IP addresses that log on to a web server too often, i.e. call it too often (no wrong logon).
And I want to do that on HAPROXY itself.
I have the following constellation:
HAPROXY
Web server 1
Web server 2
Apparently I have a problem creating the regex construct correctly.
I see the IP addresses in /var/log/haproxy.log but fail2ban does not lock.
I have been working on this topic since the day before yesterday and my eyes are glowing from reading web pages.
What I see in /var/log/haproxy.log many times is my IP address trying to access the mail server, and I simply want to block myself when I try too often, no matter whether I sign in wrong or not; HAPROXY can't see this anyway.
/var/log/haproxy.log
Code:
Sep 18 09:30:03 haproxy haproxy[513]: 37.24.59.146:61844 [18/Sep/2018:09:30:00.890] www_frontend~ mail_cluster/mail 3051/0/0/1/3052 200 321 - - ---- 2/2/0/1/0 0/0 "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1"
1. iptables is configured to accept only 80,443.
2. fail2ban is configured as follows:
I have tested many other configurations before.
/etc/fail2ban/jail.local
Code:
..
[haproxy]
# Check /var/log/haproxy.log, then block for 1200 Seconds addresses that made 3 requests in 20 Seconds
enabled = true
bantime = 1200
findtime = 10
maxretry = 3
filter = haproxy
logpath = /var/log/haproxy.log
port = 80,443
banaction = iptables-allports
action = iptables-multiport[name=haproxy,port="http,https", protocol=tcp]
/etc/fail2ban/filter.d/haproxy.conf
Code:
[Definition]
#failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.* "(GET |POST )/Login HTTP/1.1"$
failregex = ^<HOST> -.*"GET.*
ignoreregex =
But no matter how hard I hammer the proxy, I'm simply not blocked.
Please do me a favor and help me with this, if you have another idea.
Already read:
https://github.com/fail2ban/fail2ban...nfig/jail.conf
https://github.com/fail2ban/fail2ban/issues/1307
https://raymii.org/s/snippets/haprox...addresses.html
https://security.stackexchange.com/q...ts-in-a-second
etc., etc.
EDIT1:
Although I've tried so many configurations, fail2ban just doesn't seem to work.
I'm slowly getting the feeling that this has to do with all the servers being in LXD containers, so fail2ban just doesn't have permission to interfere with iptables.
EDIT2:
OK, confirmed: fail2ban does not have the right to alter iptables in LXC containers. Phew.
Doesn't anyone work productively with it?
How is something like this properly secured?
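As an added example (not from the post and not fail2ban's own code), the Python below approximates how fail2ban applies a failregex to the HAProxy line quoted above: the syslog date is stripped, `<HOST>` is expanded to a named group, and hits per address are counted against findtime/maxretry. It shows that the posted failregex can never match this log format, and contrasts it with a proposed filter that does; the sample lines, the year and the proposed regex are constructed assumptions, so verify any filter with `fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/haproxy.conf` before relying on it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the HAProxy HTTP log format quoted above (times and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Sep 18 09:30:00 haproxy haproxy[513]: 203.0.113.7:61844 [18/Sep/2018:09:30:00.890] www_frontend~ mail_cluster/mail 3051/0/0/1/3052 200 321 - - ---- 2/2/0/1/0 0/0 "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1"
Sep 18 09:30:03 haproxy haproxy[513]: 203.0.113.7:61845 [18/Sep/2018:09:30:03.120] www_frontend~ mail_cluster/mail 12/0/0/1/13 200 321 - - ---- 2/2/0/1/0 0/0 "GET /webapp/ HTTP/1.1"
Sep 18 09:30:05 haproxy haproxy[513]: 198.51.100.9:40001 [18/Sep/2018:09:30:05.001] www_frontend~ mail_cluster/mail 10/0/0/1/11 200 321 - - ---- 2/2/0/1/0 0/0 "GET /webapp/ HTTP/1.1"
Sep 18 09:30:07 haproxy haproxy[513]: 203.0.113.7:61846 [18/Sep/2018:09:30:07.500] www_frontend~ mail_cluster/mail 9/0/0/1/10 200 321 - - ---- 2/2/0/1/0 0/0 "GET /webapp/ HTTP/1.1"
"""
SYSLOG_DATE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# fail2ban expands the <HOST> placeholder into a named group (the 0.9/0.10 expansion).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Filter from the post: it expects an Apache-style line that starts with the client IP.
POSTED_FAILREGEX = r'^<HOST> -.*"GET.*'
# Proposed filter (assumption): syslog host, "haproxy[pid]:", client IP:port, then any
# request method, since the goal is to ban on request volume rather than on failed logins.
PROPOSED_FAILREGEX = (r'^\S+ haproxy\[\d+\]: <HOST>:\d+ \[[^\]]+\] .* '
                      r'"(?:GET|POST|HEAD) \S+ HTTP/[\d.]+"$')

def matches(failregex, logtext, year=2018):
    """Return (timestamp, host) for each line the filter counts as a failure.
    As in fail2ban, the date is located and removed before failregex is applied."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits = []
    for line in logtext.splitlines():
        m = SYSLOG_DATE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog lacks the year
        fm = rx.search(line[m.end():])
        if fm:
            hits.append((ts, fm.group("host")))
    return hits

def hosts_to_ban(hits, findtime, maxretry):
    """Sliding window per host: ban once maxretry hits fall within findtime seconds."""
    recent, banned = defaultdict(deque), set()
    for ts, host in sorted(hits):
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned
```

This only fixes matching; the ban action still needs permission to change iptables where fail2ban runs, which EDIT2 identifies as the second problem.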