I’ve moved all of our Wordpress sites to containers, but now I can’t figure out how to implement fail2ban to ban excessive authentication attemps, because I’m using haproxy to handle the traffic to the containers. (As I’m writing this I just realized that this may not be to most appropriate forum, given I’m using haproxy, so feel free to direct me elsewhere.)
Because the container only sees haproxy’s IPv6 address, how does one configure fail2ban to manage auth attempts going to a container.
You need to configure either HAProxy or LXD to pass on the real IP to the WordPress containers.
If you use iptables for the port-forwarding to the HAProxy container, then use the HAProxy option forwardfor option, and then setup REAL_IP in nginx.
If you use LXD’s proxy device, then enable proxy_protocol. Also enable proxy_protocol in HAProxy.
Your WordPress container sees HAProxy’s IPv6 address because you have setup HAProxy to direct to the hostname of the WordPress container (such as mywordpress.lxd) instead of the IPv4 address (such as 10.1.2.3). Yeah, I know.
I use iptables for port-forwarding to the HAProxy container, so I followed the option 1 suggestion. However, I use apache, so I used mod_rpaf. But . . . although all of this was very educational (thank you for that), I learned that all we needed to do was add the following to the Wordpress wp-config.php file:
replacing <IPv6_address_redacted> with the haproxy’s IPv6 address. Now the fail2ban Wordpress plugin populates /var/log/auth.log with IPv4 addresses of the source, and blocking can ensue.
Just a brief update to mention a solution to a problem (not previously mentioned) implementing fail2ban on LXD containers. The problem was that everything seemed to be set up properly for fail2ban (on the LXD server) to watch the auth.logs of my LXD containers, but no banning would take place.
It turned out that the times on the two systems (LXD server and container) were different because I had neglected to configure ntp on the container. Once the times were the same, banned ensued.
So, the way to use fail2ban on an LXD system is to run it on the host?
Is there a way to run fail2ban in a client/server fashion, where a fail2ban client runs on a container, decides which ip addresses to block, and sends those ip addresses to the host for blocking (via a fail2ban server)?