tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.arozos.com
GNU Affero General Public License v3.0
2.71k stars 160 forks

[ENHANCEMENTS] Fail2ban features #22

Open burjuyz opened 1 year ago

burjuyz commented 1 year ago

Please consider adding fail2ban for security reasons. As an example, you could check the SWAG solution.

ahmedabokandil commented 1 year ago

Yes, totally agreed, we need to integrate with fail2ban.

tobychui commented 1 year ago

Hi @ahmedabokandil, I am just wondering, why do you need fail2ban in the first place? It doesn't seem like it can stop DDOS, or improve security in web serving. If you need further security features regarding access to the management panel (e.g. 2FA or password-less login), you should be using another business grade reverse proxy before Zoraxy for managing authentication to the management panel.

ahmedabokandil commented 1 year ago

Hi @tobychui, thanks for your reply, but I will tell you why this is important: when we enable basic authentication to protect backend servers, if someone tries a brute-force attack to get the password, we can block it using fail2ban. What do you think?

tobychui commented 1 year ago

@ahmedabokandil thanks for your explanation. Fail2ban is an existing project that would alter the firewall rules of the host OS, which is way out of the scope of Zoraxy (as a reverse proxy server). Integrating another huge project into Zoraxy just doesn't make sense on its own.

But if what you mean is something like a maximum retry per preset time period (and the IP gets banned if it goes over that retry count) in the basic auth mechanism, I think it is a valid enhancement request.
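The "maximum retry per preset time period" idea from the comment above, as an added Go example (Zoraxy is written in Go); it is not code from this thread or from Zoraxy. `AuthLimiter`, its fields, the sample IP and the timestamps are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// AuthLimiter bans an IP after more than maxRetries failed basic-auth
// attempts inside a sliding window. Hypothetical type, not Zoraxy's code.
type AuthLimiter struct {
	mu              sync.Mutex
	maxRetries      int
	window, banTime time.Duration
	failures        map[string][]time.Time // failure timestamps per IP, oldest first
	bannedUntil     map[string]time.Time
}

// Banned reports whether ip must be rejected at time now.
func (l *AuthLimiter) Banned(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return now.Before(l.bannedUntil[ip]) // zero time for unknown IPs: not banned
}

// RecordFailure notes a failed login and returns true if it triggers a ban.
func (l *AuthLimiter) RecordFailure(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	recent := l.failures[ip]
	for len(recent) > 0 && now.Sub(recent[0]) >= l.window {
		recent = recent[1:] // drop failures that have aged out of the window
	}
	l.failures[ip] = append(recent, now)
	if len(l.failures[ip]) <= l.maxRetries {
		return false
	}
	l.bannedUntil[ip] = now.Add(l.banTime)
	delete(l.failures, ip) // start from a clean count once the ban expires
	return true
}

func main() {
	l := &AuthLimiter{maxRetries: 3, window: time.Minute, banTime: 10 * time.Minute,
		failures: map[string][]time.Time{}, bannedUntil: map[string]time.Time{}}
	for i := int64(0); i < 4; i++ { // constructed timeline: one failure per second
		fmt.Println(i+1, l.RecordFailure("203.0.113.7", time.Unix(i, 0)))
	}
}
```

A handler would call `Banned` before checking credentials and `RecordFailure` on each rejected attempt. The example keeps entries for every IP it has seen, so a long-running process would also need to prune stale ones.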

ahmedabokandil commented 1 year ago

@tobychui thanks for the reply, totally agree, it's a very great idea to get dynamic IP bans if over the retry count

> But if what you mean is something like a maximum retry per preset time period (and the IP gets banned if it goes over that retry count) in the basic auth mechanism, I think it is a valid enhancement request

LaurenceJJones commented 1 year ago

Hey, we @crowdsecurity also would like to add log parser / scenario support. The remediation, however, would be purely up to you: if you would like to implement it, we do have Golang libraries; if not, users can use the firewall remediation, but it would not be effective if they use something like CF.

barto95100 commented 10 months ago

Yes, great feature is implemented Crowdsec ;)

Aerics84 commented 4 months ago

Support for crowdsec would be nice.

Valdun commented 3 months ago

I just migrated from NPM to Zoraxy, as now we can have ACL per subdomain, and it's awesome.

I agree on crowdsec, it would be so useful.

Thanks again for that amazing project!