Imported Fail2ban IPs into Pfsense urltable alias. How would I also kill states for any newly found IPs?

  • I am running several VMs behind a reverse proxy. These VMs are all running fail2ban, with appropriate jails for whatever services they are running.

    Fail2ban correctly sees the users real ip thanks to forwarded header, however because they are actually connecting through the reverse proxy the IP ban does not actually work.

    On each VM I have created a script and cron job to export the fail2ban IPs into an accessible URL.

    I then created a few Alias URL tables on pfsense and pointed them to the lists on the VMs.

    I wanted the lists to get pulled in faster than once per day so I created a cron job in pfsense to pull them in every minute:

    *,*,*,*,*,root, /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate reverseproxy

    Pfsense within a minute or so gets the new offending IPs from the fail2ban running on the VMs

    However when a new IP gets added, they can continue to try brute forcing until the state expires.

    Was thinking an edit to /etc/rc.update_urltables to accept a 4th argument, killstates, would be great:

    *,*,*,*,*,root, /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate reverseproxy killstates

    With the last argument it would kill states for any newly found IPs.

    Does anyone have anything in place that would accomplish what I am trying to do?

  • Also I see that pfblockerNG has the ability to drop states. and I can create an IPv4 list there and point it to the fail2ban lists on the VMs there.

    The only think I am not sure of is how to force a urltables update for pfblocker in the same manner as I did for this one:

    *,*,*,*,*,root, /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate reverseproxy

  • One idea I had was to set the reverse proxy to also be a remote syslog server. Then on the VMs that are running services that get routed through the reverse proxy, have them send their logs to the reverse proxys log server, then the reverse proxy can perform the fail2bans instead of the individual VMs. This would allow the outside users IP to match what fail2ban is trying to block.

Log in to reply