search

tomMoulard / fail2ban

Traefik plugin on fail2ban middleware
MIT License
200 stars 11 forks source link

Install Fail2Ban in Traefik K8S #129

Closed gioturmanidze closed 3 months ago

gioturmanidze commented 3 months ago

Hello. I try to install Fail2Ban plugin to my Traefik installation in K8S. I'm sorry, this is my first ever created issue whatsoever.

Traefik is installed via helm chart from traefik/traefik. Here is cli arguments it's installed with

  - "--accesslog.fields.headers.defaultmode=keep"
  - "--providers.file.filename=/data/files/config.yml"
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs="
  - "--entryPoints.web.forwardedHeaders.trustedIPs="
  - "--accesslog.bufferingsize=10"
  - "--experimental.plugins.fail2ban.modulename=github.com/tomMoulard/fail2ban"
  - "--experimental.plugins.fail2ban.version=v0.8.1"

This is my traefik configuration in /data/files/config.yml

http:
    routers:
        default-router:
            priority: 1
            rule: 'HostRegexp(`{host:.*}`)'
            service: default-service
            entryPoints:
                - web
            middlewares:
                - redirect-https
        default-router-tls:
            priority: 2
            rule: 'HostRegexp(`{host:.*}`)'
            service: default-service
            entryPoints:
                - websecure
            tls:
                certResolver: myresolver
    services:
        default-service:
            loadBalancer:
                passHostHeader: true
                servers:
                    - { url: 'http://server:8000' }
    middlewares:
        redirect-https:
            redirectScheme:
                scheme: https
                permanent: 'true'
        disable-host-forwarding:
            headers:
                customRequestHeaders:
                    X-Forwarded-Host: ''

This is my middleware configuration


apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: fail2ban
  namespace: server
spec:
  plugin:
    fail2ban:
      logLevel: DEBUG
      allowlist:
        ip:
          - "ip"
      denylist:
        ip:
          - "::1"
          - "127.0.0.1"
      findtime: "60s"
      maxretry: 4
      bantime: "2h"
      statuscode:
        - "400"
        - "403"
        - "401"
        - "405"
        - "499"

My ingressroutes configuration

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: server-https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`${INGRESS_DOMAIN}`) || Host(`${INGRESS_DOMAIN_DEFAULT}`)
      kind: Rule
      middlewares:
        - name: fail2ban
      services:
        - name: server
          port: 8000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: server-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`${INGRESS_DOMAIN}`) || Host(`${INGRESS_DOMAIN_DEFAULT}`)
      kind: Rule
      middlewares:
        - name: https-permanent
        - name: fail2ban
      services:
        - name: server
          port: 8000

and then i try to connect to my traefik with incorrect token to generate 401 Unauthenticated error more than 4 times in 60 seconds. But nothing happens, no ban.

My questions:

  1. How to ensure correct installation?
  2. What should i see in the traefik logs, when fail2ban bans ip?
  3. How to look for banned ips list?
  4. Is it true that Fail2Ban looks for listed statuscodes, and if there is more than 4 401,403 error in 60 second from one ip, it bans that ip?