PfSense, HAProxy and Fail2ban

  • Hi Folks, I have an owncloud server behind a reverse proxy (HAProxy on PfSense). The owncloud server runs fail2ban, Owncloud logs to and fail2ban monitors the /var/log/owncloud.log file for auth errors.

    Fail2ban is blocking the reverse proxy server as opposed to the originating client IP as thats whats passed by default from HAproxy to the Owncloud server.

    So I turned on the 'X-Forwarded-For' option on HaProxy to forward the actual client IP to the Owncloud server. This presents the originating client IP to Fail2Ban and with a tweak of the RegEx i can get the firewall to block the client IP on the Owncloud server.

    Which i then learned is useless as the connection is coming from the Proxy server IP address and so whilst the client gets blocked it makes no difference to the connection.

    So i need to somehow tell PfSense's Firewall to block an ip that is logged by a different server.

    I thought of using SSH, but thats a bad idea as it could be compromised and i'd need to store my username/password. I then thought of some sort of cron job ran from the PfSense box which picks up a text file on that server that is updated by the fail2ban action but its getting complicated.

    Any suggestions?  Another thought was to use pfBlockerNG to periodically pick up a custom block file, the problem here is that it would be X time between pfBlockerNG / cron running to pick up the new block file before the attack is blocked.

    I've modified The Owncloud install for the time being to sleep for 10 seconds between incorrect attempts which will should help here it it will limit login attemps to 6 a minute and greatly slow down any brute force attempts but its not as clean a solution as i'd like.

  • Haproxy package has a option in the backend called "Transparent-client-ip". This would make it look like the connections to the backend come directly from the client-ip. And would allow firewall of the webserver to block the clientip.. There are some tricks (ipfw rules) needed to make it work though, so direct connections to the backend will no longer work passing through pfSense, and pfSense needs to be the default gateway.

    Sorry for waking this old thread, but as it was lacking an answer, i thought i should probably add one option that would work..