Fail2ban for Wordpress on containers

I’ve moved all of our Wordpress sites to containers, but now I can’t figure out how to implement fail2ban to ban excessive authentication attempts, because I’m using haproxy to handle the traffic to the containers. (As I’m writing this I just realized that this may not be the most appropriate forum, given I’m using haproxy, so feel free to direct me elsewhere.)

Because the container only sees haproxy’s IPv6 address, how does one configure fail2ban to manage auth attempts going to a container?

Thanks.
John

Hi!

You need to configure either HAProxy or LXD to pass on the real IP to the WordPress containers.

  1. If you use iptables for the port-forwarding to the HAProxy container, then use the HAProxy option forwardfor, and then set up REAL_IP in nginx.
  2. If you use LXD’s proxy device, then enable proxy_protocol. Also enable proxy_protocol in HAProxy.

Your WordPress container sees HAProxy’s IPv6 address because you have set up HAProxy to direct to the hostname of the WordPress container (such as mywordpress.lxd) instead of the IPv4 address (such as 10.1.2.3). Yeah, I know.

Thanks, simos.

I use iptables for port-forwarding to the HAProxy container, so I followed the option 1 suggestion. However, I use apache, so I used mod_rpaf. But . . . although all of this was very educational (thank you for that), I learned that all we needed to do was add the following to the Wordpress wp-config.php file:

define('WP_FAIL2BAN_PROXIES', '<IPv6_address_redacted>');

replacing <IPv6_address_redacted> with HAProxy’s IPv6 address. Now the fail2ban Wordpress plugin populates /var/log/auth.log with IPv4 addresses of the source, and blocking can ensue.

Thanks again.
John
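The point of the WP_FAIL2BAN_PROXIES setting above is that the X-Forwarded-For header is only believed when the request actually arrived from the listed proxy; otherwise any client could forge the header and get an arbitrary address written to auth.log and banned. The following is an added example that models that trust decision in Python (it is not the plugin's own code). The trusted IPv6 address and the request addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholders: HAProxy's address as the container sees it (the
# thread's real address is redacted) plus a private range, CIDR allowed.
TRUSTED_PROXIES = ["fd42:1234:5678::2", "10.0.0.0/8"]


def _networks(proxies):
    # Single addresses become /32 or /128 networks; CIDRs stay as given.
    return [ipaddress.ip_network(p, strict=False) for p in proxies]


def is_trusted_proxy(addr, proxies=TRUSTED_PROXIES):
    # Raises ValueError for malformed input; callers decide how to handle it.
    ip = ipaddress.ip_address(addr)
    # Mixed IPv4/IPv6 comparisons are simply False, so no version check needed.
    return any(ip in net for net in _networks(proxies))


def client_ip(remote_addr, x_forwarded_for=None, proxies=TRUSTED_PROXIES):
    """Return the address that should be logged (and later banned) for a request.

    remote_addr is the TCP peer (REMOTE_ADDR). X-Forwarded-For is honoured only
    when that peer is a listed proxy; the header is then walked from the right,
    skipping further trusted proxies, and the first untrusted hop is the client.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr, proxies):
        # Direct connection or unknown peer: the header is untrusted, ignore it.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, proxies):
                return hop
        except ValueError:
            # Malformed hop: never log attacker-controlled junk, use the peer.
            return remote_addr
    # Every hop was one of our own proxies; fall back to the peer address.
    return remote_addr
```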

Just a brief update to mention a solution to a problem (not previously mentioned) implementing fail2ban on LXD containers. The problem was that everything seemed to be set up properly for fail2ban (on the LXD server) to watch the auth.logs of my LXD containers, but no banning would take place.

It turned out that the times on the two systems (LXD server and container) were different because I had neglected to configure ntp on the container. Once the times were the same, banning ensued.

Also, I found this link very helpful regarding setting up fail2ban actions: https://hibern8.wordpress.com/2016/02/04/fail2ban-and-lxc-containers/

John

How is that possible? A container does not keep a separate time. It always has the same time as the server, but may have a different timezone.

So, the way to use fail2ban on an LXD system is to run it on the host?

Is there a way to run fail2ban in a client/server fashion, where a fail2ban client runs on a container, decides which ip addresses to block, and sends those ip addresses to the host for blocking (via a fail2ban server)?