ha proxy ssh add backend IP stops ssh connect

viragomann · Feb 22, 2023, 11:12 AM

@nopanic
You can do this on pfSense or in HAproxy as well.

nopanic · Feb 22, 2023, 11:38 AM

@viragomann okay. How? On the ssh server Im using an IDS for blocking and snort on pfsense. Are there other solutions?
thanks!
Stefan

viragomann · Feb 22, 2023, 1:02 PM

@nopanic
Do you want to simply block / allow certain IPs or do you need to inspect the traffic?
For inspection you can use snort or suricata, but I'm don't think that these tools can see much in an ssh traffic, since it's encrypted.

nopanic · Feb 22, 2023, 1:02 PM

@viragomann I want to inspect and in case ex. of bruteforcing block the client IP. With snort its running very well and on the the server I use ossec for blocking-

thanks
Stefan

nopanic · Feb 22, 2023, 1:52 PM

@nopanic courious: I disable the transparent mode and see on the server logs the client IP. Should it not be rewritten to the pfsense IP?

viragomann · Feb 22, 2023, 1:56 PM

@nopanic
I would expect to see the pfSense interface IP.
Maybe you forward the traffic to the backend by a NAT rule?

nopanic · Feb 22, 2023, 1:58 PM

@viragomann yes, the there is a forward nat rule

nopanic · Feb 22, 2023, 2:01 PM

@nopanic ahh okay , I disable those rules now I see the pfsense IP. But why I can not use the "opt" interface in transparent mode?

nopanic · Mar 7, 2023, 2:00 PM

@nopanic nat rule disabled, no connction, Trying now the opt interface in transparent.. its running!!

thanks for help!!

nopanic · Mar 7, 2023, 2:00 PM

@nopanic Hello all
I have to come back cause the traffic goes only from LAN to OPT. From WAN site I dont get a connection.
Courious: When I do tcp tranparent entries and wnat back to nat-forwarding I have to reboot the machine, so forwarding work again. I have to delete the entries and reboot. Disabling is not enough.

Can someone help?
Tia
Stefan