Fail2ban with reverse proxy and Nethsecurity

Hi,

I have set up Nethsecurity and am trying to set up NS7.
I noticed that fail2ban is not blocking IPs after failed logins.
It looks like this has to do with my using a reverse proxy in Nethsecurity.

I’ve tried it with Sogo and Nextcloud from an external IP

2024-09-11 20:24:45,120 fail2ban.actions        [1051]: NOTICE  [sogo-auth] Restore Ban 77.63.74.125
2024-09-11 20:24:45,882 fail2ban.actions        [1051]: NOTICE  [sogo-auth] Restore Ban 85.12.30.199
2024-09-11 20:26:15,452 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:26:20,061 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:26:24,271 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:26:44,508 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:27:22,587 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:27:49,241 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:28:32,561 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:29:42,709 fail2ban.filter         [1051]: INFO    [nextcloud-auth] Ignore 192.168.1.1 by ip
2024-09-11 20:32:02,066 fail2ban.filter         [1051]: INFO    [sogo-auth] Found 77.63.74.125 - 2024-09-11 20:32:01
2024-09-11 20:32:34,138 fail2ban.filter         [1051]: INFO    [sogo-auth] Found 77.63.74.125 - 2024-09-11 20:32:33
2024-09-11 20:32:40,760 fail2ban.filter         [1051]: INFO    [sogo-auth] Found 77.63.74.125 - 2024-09-11 20:32:40
2024-09-11 20:32:40,915 fail2ban.actions        [1051]: WARNING [sogo-auth] 77.63.74.125 already banned

Nextcloud even thinks I’m using my Nethserver IP.
I’ve tried this with my cell phone with Wi-Fi off.

Just curious, why NS7, as it is EOL?

Because I think NS8 is still buggy and too much in development.
So, first NS7 and then NS8 in the future.

When I google it, it looks like fail2ban will not work with a reverse proxy.

But is NS8 working with a reverse proxy?
And how do I set it up? I’ve a test server running now with NS8, but CrowdSec does not block when I log in wrongly a few times.

Hello MadPatrick!
Let me help figure out the setup you’re having issues with.

You have a Nethsecurity installation that does reverse proxy to a Nethserver 7, and fail2ban is installed on Nethserver 7, correct?

Hi

That would be wonderful.

I indeed have Nethsecurity with a reverse proxy to an NS7 (or NS8).
What I can see is that a port forward is working. I’ve a port forward for port 25 to my ClearOS server (which will be replaced by NS7). Only I need to double check whether fail2ban is indeed blocking the IP.

Let me know what info you need and I will provide it.

Well, SOGo appears to be logging the authentication attempts just fine, am I right? The issue might reside in the fact that Nextcloud might not honour the X-Forwarded-For header. What’s the actual log of Nextcloud when someone tries to access it?

Yes. The login is correct. And in fail2ban you also see the IP in the banlist, but it is not banned.
In my first post you can see the log of fail2ban.
Do you need other logs?

The Sogo log

Sep 14 08:53:09 sogod [1517]: SOGoRootPage Login from '192.168.1.228, 192.168.1.1' for user 'patrick' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 14 08:53:09 sogod [1517]: 192.168.1.228, 192.168.1.1 "POST /SOGo/connect HTTP/1.1" 403 33/84 0.020 - - 432K - 12
Sep 14 08:54:39 sogod [1517]: 77.63.47.187, 192.168.1.1 "GET /SOGo HTTP/1.1" 302 0/0 0.002 - - 0 - 12
Sep 14 08:54:39 sogod [1517]: 77.63.47.187, 192.168.1.1 "GET /SOGo/ HTTP/1.1" 200 10826/0 0.023 38855 72% 0 - 12
Sep 14 08:54:46 sogod [1517]: 77.63.47.187, 192.168.1.1 "POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0/36 0.003 - - 0 - 12
Sep 14 08:54:46 sogod [1517]: 77.63.47.187, 192.168.1.1 "POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0/36 0.002 - - 0 - 12
Sep 14 08:54:47 sogod [1517]: 77.63.47.187, 192.168.1.1 "POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0/36 0.002 - - 0 - 12
Sep 14 08:54:47 sogod [1517]: 77.63.47.187, 192.168.1.1 "POST /SOGo/so/passwordRecoveryEnabled HTTP/1.1" 403 0/36 0.001 - - 0 - 12
Sep 14 08:54:51 sogod [1517]: <0x0x55ebf251d580[LDAPSource]> <NSException: 0x55ebf250a430> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "uid=patrick,ou=people,dc=directory,dc=nh"; }
Sep 14 08:54:51 sogod [1517]: <0x0x55ebf251da10[LDAPSource]> <NSException: 0x55ebf2512bf0> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "cn=patrick,ou=groups,dc=directory,dc=nh"; }
Sep 14 08:54:51 sogod [1517]: SOGoRootPage Login from '77.63.47.187, 192.168.1.1' for user 'patrick' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Sep 14 08:54:51 sogod [1517]: 77.63.47.187, 192.168.1.1 "POST /SOGo/connect HTTP/1.1" 403 33/82 0.034 - - 0 - 12

Nextcloud log

{"reqId":"ZuUukd6-WR1yXsHQ5lsF7QAAAAA","level":2,"time":"2024-09-14T06:35:00+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUukd6-WR1yXsHQ5lsF7QAAAAA","level":2,"time":"2024-09-14T06:35:00+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":[]}
{"reqId":"ZuUwe2kfwQcl1qANIxIBpAAAAAM","level":2,"time":"2024-09-14T06:43:13+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUwe2kfwQcl1qANIxIBpAAAAAM","level":2,"time":"2024-09-14T06:43:13+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUwe2kfwQcl1qANIxIBpAAAAAM","level":2,"time":"2024-09-14T06:43:13+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":[]}
{"reqId":"ZuUwr8zMdg6AVQoE9bJ80QAAAAE","level":2,"time":"2024-09-14T06:44:12+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUwr8zMdg6AVQoE9bJ80QAAAAE","level":2,"time":"2024-09-14T06:44:12+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUwr8zMdg6AVQoE9bJ80QAAAAE","level":2,"time":"2024-09-14T06:44:12+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":[]}
{"reqId":"ZuUxJl6IhEXHaNZIKQkB8wAAAAI","level":2,"time":"2024-09-14T06:46:23+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUxJl6IhEXHaNZIKQkB8wAAAAI","level":2,"time":"2024-09-14T06:46:23+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUxJl6IhEXHaNZIKQkB8wAAAAI","level":2,"time":"2024-09-14T06:46:23+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36","version":"27.1.11.3","data":[]}
{"reqId":"ZuUxiKgcWIHy3x8P1qESqQAAAAQ","level":2,"time":"2024-09-14T06:48:01+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUxiKgcWIHy3x8P1qESqQAAAAQ","level":2,"time":"2024-09-14T06:48:01+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUxiKgcWIHy3x8P1qESqQAAAAQ","level":2,"time":"2024-09-14T06:48:01+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":[]}
{"reqId":"ZuUyWmrf0aroqBzTqM-mCwAAAAE","level":2,"time":"2024-09-14T06:51:31+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUyWmrf0aroqBzTqM-mCwAAAAE","level":2,"time":"2024-09-14T06:51:31+00:00","remoteAddr":"192.168.1.1","user":"--","app":"user_ldap","method":"POST","url":"/index.php/login","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":{"app":"user_ldap"}}
{"reqId":"ZuUyWmrf0aroqBzTqM-mCwAAAAE","level":2,"time":"2024-09-14T06:51:31+00:00","remoteAddr":"192.168.1.1","user":"--","app":"no app in context","method":"POST","url":"/index.php/login","message":"Login failed: patrick (Remote IP: 192.168.1.1)","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.6668.46 Mobile/15E148 Safari/604.1","version":"27.1.11.3","data":[]}

You can indeed see that the Nextcloud logs report only the firewall IP; fail2ban is being nice and won’t ban the firewall. I have, however, no knowledge on how to do that; probably something like this might help you: Reverse proxy — Nextcloud latest Administration Manual latest documentation

Hi Tommaso,

Isn’t this a Nethsecurity issue?
Within Nethsecurity the port forwarding is arranged, and Nextcloud is not the only application with this issue. Also SOGo or Kopano (on my ClearOS server).
I expect every reverse proxy.

It’s unlikely; probably the issue is in how the Nethserver 7 applications are being set up: the default configuration of the apps might not be ready for reverse proxying, and additional changes are needed.
I’m stating this because when you run a reverse proxy, the server behind it will always be contacted by the IP of the front machine (in this case 192.168.1.1), and you’ll need to rely on the X-Forwarded-For packet header to know what address actually reached you.

However, it appears that SOGo is reporting the correct IPs and fail2ban is actively banning the malicious attempts, so what do you expect from the NS7 machine? I ask you to be as complete as possible so we can get the issue solved :smiley:

I see the same result on my ClearOS server and on a test NS8 server.
The IP is reported but not blocked.

So fail2ban is reporting the IP and puts it on the banlist, but the IP is not blocked.
When this IP tries to access again it can approach the server, and fail2ban reports the IP again and says it is already on the ban list.

I hope this gives you the required information.

If it’s of any help to understand the problem:

When host 192.0.2.7 says “Hey, here’s a connection from 203.0.11.45”, the application knows that 203.0.11.45 is the client, and what it should log, but iptables isn’t seeing a connection from 203.0.11.45; it’s seeing a connection from 192.0.2.7 that’s passing it on.

So the solution to this is to put the iptables rules on 192.0.2.7 instead, since that’s the one taking the actual connections.
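As an added illustration of the two points above (Nextcloud logging only the firewall address, and a ban that only works where the TCP connection actually arrives), here is a small Python script, not from this thread or from fail2ban itself, that applies fail2ban-style counting to constructed SOGo and Nextcloud log lines. It assumes 192.168.1.1 is the only trusted proxy and uses a documentation-range address for the external client.

```python
import json
import re
from collections import Counter

# Constructed sample lines, modelled on the SOGo and Nextcloud records in this thread
# (the external address is from the RFC 5737 documentation range, not a real client).
TRUSTED_PROXIES = {"192.168.1.1"}   # the Nethsecurity reverse proxy seen in the thread
SOGO_LINE = ("Sep 14 08:54:51 sogod [1517]: SOGoRootPage Login from '203.0.113.45, 192.168.1.1' "
             "for user 'patrick' might not have worked - password policy: 65535  grace: -1")
NC_LINE = ('{"reqId":"constructed","level":2,"remoteAddr":"192.168.1.1","user":"--",'
           '"message":"Login failed: patrick (Remote IP: 192.168.1.1)"}')
SAMPLE = [SOGO_LINE] * 3 + [NC_LINE] * 3

SOGO_RE = re.compile(r"Login from '(?P<chain>[^']+)' for user '(?P<user>[^']+)' might not have worked")
NC_RE = re.compile(r"Login failed: (?P<user>\S+) \(Remote IP: (?P<chain>[^)]+)\)")


def client_ip(chain, trusted):
    """Resolve the client from an X-Forwarded-For style chain 'client, proxy, ...'.
    Walk from the right and skip trusted proxies; the first untrusted hop is the client.
    If every hop is trusted, the app never received (or never honoured) X-Forwarded-For."""
    hops = [h.strip() for h in chain.split(",")]
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return hops[-1]


def failed_logins(lines, trusted):
    """Yield (client_ip, user) for each failed login in SOGo text or Nextcloud JSON lines."""
    for line in lines:
        if line.startswith("{"):
            msg = json.loads(line).get("message", "")
            m = NC_RE.search(msg)
        else:
            m = SOGO_RE.search(line)
        if m:
            yield client_ip(m.group("chain"), trusted), m.group("user")


def ban_decisions(lines, trusted, maxretry=3):
    """Return (bannable, proxy_masked): addresses with >= maxretry failures, split by whether
    the log exposes a real client or only the proxy. Even a 'bannable' address must be blocked
    on the proxy host: the backend's packet filter only ever sees the proxy as its TCP peer."""
    counts = Counter(ip for ip, _ in failed_logins(lines, trusted))
    bannable = {ip: n for ip, n in counts.items() if n >= maxretry and ip not in trusted}
    masked = {ip: n for ip, n in counts.items() if n >= maxretry and ip in trusted}
    return bannable, masked
```

Running `ban_decisions(SAMPLE, TRUSTED_PROXIES)` shows the SOGo failures attributed to the real client while the Nextcloud failures collapse onto the proxy address, which is exactly what fail2ban's "Ignore 192.168.1.1 by ip" lines reflect.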

@dnutan to the rescue; I actually realized now that iptables never checks for proxy presence (or well, not its job) :grimacing:
Since there’s no possibility to tell NethSecurity what the IPs to ban are, it’s unlikely that the ban ever happens.

I have no roadmap yet for anything that resembles something like fail2ban. CrowdSec is an option, but it is not included by default in NethSecurity due to its great size and being completely untested so far.

Something neat could be the integration with NS8 CrowdSec, but it’s just personal speculation.

On Nethserver NG 7.9 try this configuration:


Thanks. This surely helped, but fail2ban is still not blocking the IP.

2024-09-20 19:14:51,210 fail2ban.filter         [1100]: INFO    [nextcloud-auth] Found 92.69.47.203 - 2024-09-20 19:14:51
2024-09-20 19:15:05,231 fail2ban.filter         [1100]: INFO    [nextcloud-auth] Found 92.69.47.203 - 2024-09-20 19:15:04
2024-09-20 19:15:25,458 fail2ban.filter         [1100]: INFO    [nextcloud-auth] Found 92.69.47.203 - 2024-09-20 19:15:25
2024-09-20 19:15:26,047 fail2ban.actions        [1100]: NOTICE  [nextcloud-auth] Ban 92.69.47.203
2024-09-20 19:15:26,237 fail2ban.filter         [1100]: INFO    [recidive] Found 92.69.47.203 - 2024-09-20 19:15:26
2024-09-20 19:15:27,465 fail2ban.filter         [1100]: INFO    [nextcloud-auth] Found 92.69.47.203 - 2024-09-20 19:15:27
2024-09-20 19:15:40,084 fail2ban.filter         [1100]: INFO    [nextcloud-auth] Found 92.69.47.203 - 2024-09-20 19:15:40

The IP is on the blocklist, but I can still access Nextcloud or SOGo.

Could it be a setting in NS7?
I’ve no firewall set up in NS7 because Nethsecurity is my firewall.