PfSense, HAProxy and Fail2ban



  • Hi Folks, I have an owncloud server behind a reverse proxy (HAProxy on PfSense). The owncloud server runs fail2ban; Owncloud logs to, and fail2ban monitors, the /var/log/owncloud.log file for auth errors.

    Fail2ban is blocking the reverse proxy server as opposed to the originating client IP, as that's what's passed by default from HAProxy to the Owncloud server.

    So I turned on the 'X-Forwarded-For' option on HAProxy to forward the actual client IP to the Owncloud server. This presents the originating client IP to Fail2Ban and with a tweak of the RegEx I can get the firewall to block the client IP on the Owncloud server.

    Which I then learned is useless, as the connection is coming from the Proxy server IP address and so whilst the client gets blocked it makes no difference to the connection.

    So I need to somehow tell PfSense's Firewall to block an IP that is logged by a different server.

    I thought of using SSH, but that's a bad idea as it could be compromised and I'd need to store my username/password. I then thought of some sort of cron job run from the PfSense box which picks up a text file on that server that is updated by the fail2ban action, but it's getting complicated.

    Any suggestions? Another thought was to use pfBlockerNG to periodically pick up a custom block file; the problem here is that it would be X time between pfBlockerNG / cron running to pick up the new block file before the attack is blocked.

    I've modified the Owncloud install for the time being to sleep for 10 seconds between incorrect attempts, which should help here as it will limit login attempts to 6 a minute and greatly slow down any brute force attempts, but it's not as clean a solution as I'd like.



  • The HAProxy package has an option in the backend called "Transparent-client-ip". This would make it look like the connections to the backend come directly from the client IP, and would allow the firewall of the webserver to block the client IP. There are some tricks (ipfw rules) needed to make it work though, so direct connections to the backend will no longer work passing through pfSense, and pfSense needs to be the default gateway.

    Sorry for waking this old thread, but as it was lacking an answer, I thought I should probably add one option that would work.





  • Hi @ProxyMoron, did you solve your problem? I'm looking for something similar now in 2019.

    https://forums.freebsd.org/threads/fail2ban-behind-a-proxy.55041/


  • LAYER 8 Moderator

    Besides that a HAproxy request, it reads as if it's a fail2ban problem, isn't it? If you receive the X-Forwarded-For header and hand that to fail2ban it should ban the correct IP otherwise one should have to rewrite the ban-action or do a custom one?

    Another possibility would be to change your Owncloud Webserver to actually log the X-Forwarded-For IP instead of the client IP (haproxy itself). Then your fail2ban should actually read the correct IP from the log.

    Third possibility is something we do for a few customers: we set up fail2ban on their servers for a couple of different web apps and run it on the apps' logfiles. If some conditions are met (e.g. trying for SQL injections or requesting known PHP shell URLs), the IP gets "blacklisted" by Fail2Ban, but the ban action is actually an HTTP POST to a central server that reports the source server, project, URL, IP and reason that IP is "reported". That is written into a small database and a web server on top of it serves that data as a simple URL blacklist with various options (show only banned IPs from certain projects etc.). So via this URL you can set up pfSense and pfBlockerNG to refresh one or more various blocklists to your liking and use them in filter rules. So we can filter out IPs for different projects either depending on IPs getting blocked from their services only or by the "collective" of all customers reporting "shady things" ;)

    Greets
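
An added example, not code from the poster or from any project named in this thread, of the central collector the post above describes: a fail2ban ban action POSTs a report and pfBlockerNG fetches the plain-text list. The `/report` and `/blocklist` paths, the JSON field names, `BAN_SECONDS` and the `NEVER_BLOCK` entry are assumptions, and reporters are assumed to reach the service only over an internal network.

```python
import ipaddress, json, time
from urllib.parse import parse_qs

BAN_SECONDS = 24 * 3600  # assumed ban lifetime
NEVER_BLOCK = [ipaddress.ip_network("9.9.9.9/32")]  # constructed: own proxy/office IPs

class BanStore:
    def __init__(self):
        self.bans = {}  # (project, ip) -> report details

    def report(self, source, project, url, ip, reason, now=None):
        """Record one ban report; return False if the address is refused."""
        now = time.time() if now is None else now
        try:
            addr = ipaddress.ip_address(str(ip).strip())
        except ValueError:
            return False  # not an IP: the value came from a request header
        if not addr.is_global or any(addr in net for net in NEVER_BLOCK):
            return False  # private, loopback, reserved or protected address
        self.bans[(str(project), str(addr))] = {
            "source": source, "url": url, "reason": reason, "expires": now + BAN_SECONDS}
        return True

    def blocklist(self, projects=None, now=None):
        """Unexpired IPs, one per line, optionally limited to some projects."""
        now = time.time() if now is None else now
        ips = {ipaddress.ip_address(ip) for (proj, ip), r in self.bans.items()
               if r["expires"] > now and (projects is None or proj in projects)}
        return "".join(f"{a}\n" for a in sorted(ips, key=lambda a: (a.version, int(a))))

STORE = BanStore()

def app(environ, start_response):
    """WSGI app: POST /report (JSON) records a ban, GET /blocklist serves the list."""
    path, method = environ.get("PATH_INFO", ""), environ["REQUEST_METHOD"]
    status, body = "404 Not Found", b""
    if method == "POST" and path == "/report":
        try:
            size = max(0, min(int(environ.get("CONTENT_LENGTH") or 0), 4096))
            r = json.loads(environ["wsgi.input"].read(size))
            ok = STORE.report(r["source"], r["project"], r["url"], r["ip"], r["reason"])
        except (ValueError, KeyError, TypeError):
            ok = False
        status, body = ("204 No Content", b"") if ok else ("400 Bad Request", b"rejected\n")
    elif method == "GET" and path == "/blocklist":
        wanted = parse_qs(environ.get("QUERY_STRING", "")).get("project")
        status, body = "200 OK", STORE.blocklist(wanted).encode()
    start_response(status, [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]
```

It can be served with `wsgiref.simple_server.make_server` for a trial; the list URL (for example `/blocklist?project=owncloud`) is what pfBlockerNG would be pointed at.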



  • @JeGr
    it sounds great ... I had read about the latest solution ... fail2ban typing ip in a central database ... block it late from other servers well ..
    that's another challenge for me because I'll make it read the ip address of the central database and block it ...
    I need something simpler ... for example, fail2ban after detecting an incorrect IP session start, write IP in a txt and convert it to an HTTP server and pfSense can load it, and block it more easily ... with pfBlockerNG for example ...
    sorry for my English


  • LAYER 8 Moderator

    @luisenrique said in PfSense, HAProxy and Fail2ban:

    for example, fail2ban after detecting an incorrect IP session start, write IP in a txt and convert it to an HTTP server and pfSense can load it, and block it more easily ... with pfBlockerNG for example ...

    If that's all you need and you don't have a problem with your system SSH'ing into the firewall, you can always use the pfSsh.php or easyrule.sh script to simply add an IP to the default easyrule block on WAN.

    Something like

    ssh root@pfsense easyrule block wan 1.2.3.4

    will add the IP 1.2.3.4/32 to the easyrule block alias on WAN and reload the filter - tadaa, you've blocked the IP (almost) immediately. You can also unblock the IP (a custom unblock action of fail2ban could do that) with "unblock", or can even block an entire subnet with 1.2.3.4/29 for example.

    If you do the SSH'ing from an "API"-like central system, you can use it for blocking from multiple systems without having them ssh into your firewall, but only sending an IP to the central system and that system blocking the IP for them. Should be simple to set up :)
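
An added example, not code from the poster or from pfSense, of the step such a central system would perform before running the `ssh root@pfsense easyrule block wan 1.2.3.4` command from the post above: the address originates in an X-Forwarded-For header, so it is validated before it gets anywhere near a command line. The `MIN_PREFIX` policy, the `PROTECTED` entry and the function names are assumptions.

```python
import ipaddress
import subprocess

PFSENSE = "root@pfsense"     # host as written in the post above
INTERFACE = "wan"
MIN_PREFIX = {4: 24, 6: 48}  # assumed policy: refuse anything broader than this
PROTECTED = [ipaddress.ip_network("9.9.9.9/32")]  # constructed: own addresses, never banned

def easyrule_argv(action, target):
    """Return the ssh argv for one easyrule call, or raise ValueError."""
    if action not in ("block", "unblock"):
        raise ValueError(f"unsupported action: {action!r}")
    # strict=False normalises 1.2.3.4/29 to 1.2.3.0/29; junk raises ValueError
    net = ipaddress.ip_network(str(target).strip(), strict=False)
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(f"prefix too broad: {net}")
    if not (net[0].is_global and net[-1].is_global):
        raise ValueError(f"not a public range: {net}")
    if any(net.overlaps(p) for p in PROTECTED):
        raise ValueError(f"protected address in {net}")
    single = net.prefixlen == net.max_prefixlen
    arg = str(net.network_address) if single else str(net)
    # ssh joins the remote arguments into one string for the remote shell, so
    # it is the validation above, not local quoting, that keeps this argument safe.
    return ["ssh", "-o", "BatchMode=yes", PFSENSE, "easyrule", action, INTERFACE, arg]

def run_easyrule(action, target, timeout=15):
    """Run the command without a local shell; True if ssh exited with status 0."""
    argv = easyrule_argv(action, target)
    return subprocess.run(argv, timeout=timeout, capture_output=True).returncode == 0
```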



  • @JeGr
    Hi!
    I don't have trouble with the SSH service because access to SSH on WAN is prohibited on all our system frontends... including webadmin (for example I can't connect from home to the pfSense webadmin or terminal services, that is part of our security policy). For example we are worried about IMAP, Postfix and webmail; they are the only services exposed to the internet with authentication. Maybe this is not a pfSense topic... Thanks for your tips, I will go and read some manuals and man pages, look for some examples, and ask on the fail2ban mailing list how I can make my own ban action and make it block an IP on some pfSense box using easyrule or the pfSsh.php script. Thanks! Sorry for my English, please.
    Regards



  • Dear All, Dear JeGr,

    My situation is similar to others above: pfSense with HAProxy for ssl offloading and load balancing. Two apache webservers in the LAN. X-Forwarded-For-Header passed on. Aim to block IPs via fail2ban, but on the pfSense level.

    However, I DO hesitate to let the webservers root ssh to pfSense. So far, I only permit few fully internal servers to root ssh to pfSense to (a) copy the config file nightly and (b) copy letsencrypt certificates to a mailserver and a matrix-server needing them internally within the LAN side.

    Could JeGr or others please share some insights how to simplify the setup of an API-like central system to do the SSH based blocking on behalf of the webservers?

    Regards,

    Michael Schefczyk


  • LAYER 8 Moderator

    You don't necessarily have to use SSH and the easyrule block. It's just one possibility. You could always take fail2ban, add a custom action and use it to push the IPs that try to hit your webservers to a central instance/vm/whatever and collect it there. Then use pfBlockerNG to fetch this list of IPs and block it from WAN. Only "problem" is that pfBNG isn't faster than "hourly", a thing that I tried to bring to the developers' attention so that you had the possibility to go down to, let's say, 5-10min to blacklist an IP. But besides that, that's totally possible (we're running something along those lines ourselves).

