Fail2Ban behind ReverseProxy -> Right IP is blocked but access is still possible

Hey guys
Nice plugin btw. I'm trying to get it running behind a reverse proxy. When I test it, after two login attempts I get all the entries, a mail and the iptables entry with "reject-with icmp-port-unreachable" - but I think the problem is here.

Via tcpdump I get the IP of the reverse proxy and not the real IP. I enabled the X-Forwarded-For header for Apache2 and activated the reverse proxy option in the plugin - but how can I do that with fail2ban?

Greetz
Ovrld

Welcome!

If you’ve got WPf2b configured correctly it’ll be passing the real IP address to iptables - that should be all that’s needed.

I don’t think I fully understood your question - could you expand please?

Hey wp-fail2ban!

I think it is configured correctly: in the Apache2 log I get the real IP (not the IP of the reverse proxy), and when fail2ban blocks the IP I have the correct IP in iptables (not the IP of the reverse proxy).

Correct IP = the WAN IP of the visitor

But the access is still possible and nothing is blocked.

If you're getting the correct IP in the logs via WPf2b, and fail2ban is adding the correct IP to iptables, but you can still connect to the server, there are only a couple of possibilities I can think of:

  1. iptables isn’t configured correctly,
  2. The proxy and Apache are on different servers, i.e. iptables is blocking on the Apache server instead of the proxy.

I don’t really have any other ideas at this point.
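The second possibility above is the one that quietly defeats the ban: on the Apache host the TCP peer of every connection is the proxy, so a REJECT rule for the visitor's WAN IP never matches a packet. The check below, added here as an illustration and not code from the thread or the plugin, compares a constructed `iptables -S` dump (with a fail2ban-style `f2b-wordpress` chain) against a constructed Apache log line whose last field is assumed to be `%{X-Forwarded-For}i`, and reports whether the local rule can actually match the packet source.

```python
import re

# Constructed sample of `iptables -S` on the Apache (backend) host after fail2ban
# banned the visitor's WAN IP 203.0.113.7 (chain name and layout are illustrative).
IPTABLES_RULES = """\
-P INPUT ACCEPT
-N f2b-wordpress
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-wordpress
-A f2b-wordpress -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-wordpress -j RETURN
"""

# Constructed backend access-log line: the TCP peer is the proxy (10.0.0.5); the
# real client appears only in the trailing X-Forwarded-For field (assumed log format).
LOG_LINE = ('10.0.0.5 - - [10/Oct/2023:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" '
            '200 1234 "-" "Mozilla/5.0" "203.0.113.7"')

# Matches a REJECT/DROP rule keyed on a single source address in any chain.
RULE_RE = re.compile(r"-A \S+ -s (\S+?)(?:/32)? -j (?:REJECT|DROP)")


def rejected_sources(rules: str) -> set:
    """Source IPs that this host's netfilter rules would reject or drop."""
    return {m.group(1) for m in RULE_RE.finditer(rules)}


def split_log(line: str) -> tuple:
    """Return (tcp_peer_ip, x_forwarded_for_ip) from a log line ending in the XFF field."""
    peer = line.split(" ", 1)[0]
    xff = line.rstrip().rsplit('"', 2)[1]
    return peer, xff


def diagnose(rules: str, line: str) -> str:
    """Explain whether the local firewall rule can match the connection in `line`."""
    peer, client = split_log(line)
    banned = rejected_sources(rules)
    if peer in banned:
        return "blocked: packet source matches a local REJECT/DROP rule"
    if client in banned:
        return (f"not blocked: {client} is rejected locally, but packets arrive from "
                f"proxy {peer}; the rule has to live on the proxy host")
    return "not blocked: no rule for this client"


if __name__ == "__main__":
    print(diagnose(IPTABLES_RULES, LOG_LINE))
```

Run against real data with `sudo iptables -S` and the tail of the backend access log; if the diagnosis names the proxy as the packet source, fail2ban needs to run (or push its bans) where the proxy terminates the connection.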