PfSense, HAProxy and Fail2ban



  • Hi Folks, I have an owncloud server behind a reverse proxy (HAProxy on PfSense). The owncloud server runs fail2ban, Owncloud logs to and fail2ban monitors the /var/log/owncloud.log file for auth errors.

    Fail2ban is blocking the reverse proxy server as opposed to the originating client IP as thats whats passed by default from HAproxy to the Owncloud server.

    So I turned on the 'X-Forwarded-For' option on HaProxy to forward the actual client IP to the Owncloud server. This presents the originating client IP to Fail2Ban and with a tweak of the RegEx i can get the firewall to block the client IP on the Owncloud server.

    Which i then learned is useless as the connection is coming from the Proxy server IP address and so whilst the client gets blocked it makes no difference to the connection.

    So i need to somehow tell PfSense's Firewall to block an ip that is logged by a different server.

    I thought of using SSH, but thats a bad idea as it could be compromised and i'd need to store my username/password. I then thought of some sort of cron job ran from the PfSense box which picks up a text file on that server that is updated by the fail2ban action but its getting complicated.

    Any suggestions?  Another thought was to use pfBlockerNG to periodically pick up a custom block file, the problem here is that it would be X time between pfBlockerNG / cron running to pick up the new block file before the attack is blocked.

    I've modified The Owncloud install for the time being to sleep for 10 seconds between incorrect attempts which will should help here it it will limit login attemps to 6 a minute and greatly slow down any brute force attempts but its not as clean a solution as i'd like.



  • Haproxy package has a option in the backend called "Transparent-client-ip". This would make it look like the connections to the backend come directly from the client-ip. And would allow firewall of the webserver to block the clientip.. There are some tricks (ipfw rules) needed to make it work though, so direct connections to the backend will no longer work passing through pfSense, and pfSense needs to be the default gateway.

    Sorry for waking this old thread, but as it was lacking an answer, i thought i should probably add one option that would work..





  • hi @ProxyMoron are you solve you problem? i'm looking for some similar now on 2019

    edited
    https://forums.freebsd.org/threads/fail2ban-behind-a-proxy.55041/


  • Rebel Alliance Moderator

    Besides that a HAproxy request, it reads as if it's a fail2ban problem, isn't it? If you receive the X-Forwarded-For header and hand that to fail2ban it should ban the correct IP otherwise one should have to rewrite the ban-action or do a custom one?

    Another possibility would be to change your Owncloud Webserver to actually log the X-Forwarded-For IP instead of the client IP (haproxy itself). Then your fail2ban should actually read the correct IP from the log.

    Third possibility is something we do for a few customers: we set up fail2ban on their servers for a couple of different web apps and run it on the apps logfiles. If some conditions are met (e.g. trying for SQL injections or requestion known PHP shell URLs), the IP gets "blacklisted" by Fail2Ban, but the ban action is actually a HTTP POST to a central server that reports the source server, project, URL, IP and reason that IP is "reported". That is written into a small database and a web server on top of it serves that data as simple URL blacklist with various options (show only banned IPs from certain projects etc.). So via this URL you can setup pfSense and pfBlockerNG to refresh one or more various blocklists to your liking and use them in filter rules. So we can filter out IPs for different project either depending on IPs getting blocked from their services only or by the "collective" of all customers reporting "shady things" ;)

    Greets



  • @JeGr
    it sounds great ... I had read about the latest solution ... fail2ban typing ip in a central database ... block it late from other servers well ..
    that's another challenge for me because I'll make it read the ip address of the central database and block it ...
    I need something simpler ... for example, fail2ban after detecting an incorrect IP session start, write ip in a txt and convert it to an http server and pfsense can load it, and block it more easily ... with pfblockeng for example ...
    sorry for my English


  • Rebel Alliance Moderator

    @luisenrique said in PfSense, HAProxy and Fail2ban:

    for example, fail2ban after detecting an incorrect IP session start, write ip in a txt and convert it to an http server and pfsense can load it, and block it more easily ... with pfblockeng for example ...

    If that's all you need and you don't have a problem of your system SSH'ing into the firewall, you can always use the pfSsh.php or easyrule.sh Skript to simply add an IP to the default easyrule block on WAN.

    Something like

    ssh root@pfsense easyrule block wan 1.2.3.4

    will add the IP 1.2.3.4/32 to the easyrule block alias on WAN and reload the filter - tadaa you've blocked the IP (almost) immediatly. Also can unblock the IP (custom unblock action of fail2ban could do that) with "unblock" or can even block an entire subnet with 1.2.3.4/29 for example.

    If you do the SSH'ing from an "API"-like central system, you can use it for blocking from multiple system without having them to ssh into your firewall but only sending an IP to the central system and that system blocking the IP for them. Should be simple to setup :)



  • @JeGr
    hi!
    I dont have trouble with ssh service because we are prohibited access to ssh on wan on all out system frontends... including webadmin(for example i cant connect from home to pfsense webadmin or terminal services, thats is part of our security policy) for example we are worried with imap, postfix and webmail there are the only services to internet space with authentication, maybe this is not a pfsense topic... thanks for u tips, i will go to read somes manual and man pages and look for somes examples and look on fail2ban mail-list to ask how i can make my own action ban and make it to block ip on somes pfsesen box using easyrule or pfssh.php script.. thanks! sorry my englis please.
    regards


Log in to reply