Whats the best way to implement fail2ban behind a NodeBalancer?
We are experiencing a high volume of attacks on our servers and want to implement fail2ban to shut these down. Can you give recommendations on the best way to implement fail2ban behind our NodeBalancer?
Thanks.
3 Replies
There are two options here, one that's an off-the-shelf solution, and another that's may take some fine tuning. The option you choose will depend on the amount of time you want to invest in setting up a solution and additional budget concerns.
With a NodeBalancer, there isn't a straight forward way to set up Fail2Ban. If you have HTTP/HTTPS mode set up between your NodeBalancer and the backend nodes, you can use the information included in the Apache X-Forwarded-For Header to identify the originating IP address. If you are in TCP mode, then the packets being sent from your NodeBalancer to the back end aren't altered at all.
With that information in the packets, you could follow this guide for setting up Fail2Ban behind a lode balancer:
A very important point to note is that NodeBalancers all have private IP addresses in the 192.168.255.0/24 range. While their public IP address is persistent, the private IP address will change. When configuring Fail2Ban, a firewall, or other network restriction on back-end Linodes, be sure to allow the entire 192.168.255.0/24 range and not a specific IP address.
If you go with this option, you'll need to maintain an additional service on your Linodes and verify that it's not affecting harmless traffic to your backend nodes.
The other option I'd recommend is a CDN service like Cloudflare. Not only do they provide DDoS protection, they also provide protection against bots.
As I mentioned, this will depend on the resources available to you if you can set up and maintain Fail2Ban on the backend nodes, or use a CDN service like Cloudflare to provide that service for you.
Thanks for the suggestions, @watrick. I've now got fail2ban running on both web servers that are behind our Node Balancer, but only blocking ssh connections. After reading the centos.tips article you linked above, I checked out the Apache Access Logs, and I see user's real IP addresses, not the private IP of the NodeBalancer. Does that mean the default settings for fail2ban's HTTP jail will/should work?
Thanks for your assistance.
@duncan_diamondl Awesome! I would recommend reviewing the settings to make sure they work for your set up. Our guide on setting up Fail2Ban can be helpful for this: