warp-tech / warpgate

Smart SSH, HTTPS and MySQL bastion that requires no additional client-side software
Apache License 2.0
3.57k stars 110 forks

Fail2Ban or different DDOS protection? #877

Open nsauter opened 10 months ago

nsauter commented 10 months ago

Hi!

Thanks for this awesome piece of code. I tried some of the features and I really liked the way Warpgate works. But I have one question: since the idea is to have Warpgate exposed on the public network (internet), and I'm security paranoid, I would like to have something like fail2ban or other 'DDoS and brute force' protection already included. What do you think about this? Are there any best practices for that?

Thanks, Nico

Eugeny commented 10 months ago

Fail2ban should theoretically work fine, since it acts at the iptables level and can read any logs. You'd just need to design regexes to filter out the client IP from the Warpgate log.

WG also supports sending JSON logs to a socket (the logs.send_to config option), so you could couple that with Vector for actually resilient parsing instead of regexes.

sandroshu commented 4 months ago

I have added it like this to my fail2ban filters. It's not great, but works for now:

[Definition]

logtype = file
failregex = ^.*warpgate.*\{.*client_ip=<HOST>\}.*Target.*not authorized for.*$
            ^.*warpgate.*\{.*client_ip=<HOST>.*\}.*Selected user not found.*$

ignoreregex =
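
Added example, not code from Warpgate, fail2ban or either commenter: a Python reimplementation of fail2ban's maxretry/findtime decision, run over constructed Warpgate-style log lines, so that the regex approach Eugeny describes and the two failregex anchors in the filter above can be checked without a fail2ban install. The log line layout assumed here (an ISO timestamp, a module path containing "warpgate", a "{client_ip=...}" span, then the message) is inferred from that filter, not taken from Warpgate's own output, and every sample line is constructed.

```python
"""Sliding-window brute-force detector over Warpgate-style log lines.

Added example, not Warpgate or fail2ban code.  It reimplements fail2ban's
maxretry/findtime rule so the two failregex anchors from the filter above can
be exercised against sample input.  The line shape (ISO timestamp, a module
path containing "warpgate", a "{client_ip=...}" span, then the message) is an
assumption based on that filter, not on Warpgate's source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Same anchors as the fail2ban filter.  fail2ban's <HOST> placeholder also
# matches hostnames; here it is a named group limited to IPv4/IPv6 literals.
HOST = r"(?P<host>[0-9A-Fa-f.:]+)"
FAILREGEX = [
    re.compile(r"warpgate.*\{.*client_ip=" + HOST + r"\}.*Target.*not authorized for"),
    re.compile(r"warpgate.*\{.*client_ip=" + HOST + r".*\}.*Selected user not found"),
]
# Assumed timestamp prefix; adjust to whatever the real log emits.
TIMESTAMP = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def extract_failure(line):
    """Return (timestamp, client_ip) if the line is an auth failure, else None."""
    m_ts = TIMESTAMP.match(line)
    if m_ts is None:
        return None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m_ts.group("ts"), "%Y-%m-%dT%H:%M:%S")
            return ts, m.group("host")
    return None


def find_bans(lines, maxretry=5, findtime=600):
    """Mimic fail2ban: ban an IP once it has >= maxretry failures inside any
    findtime-second window.  Lines must be in chronological order.  Returns
    {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        hit = extract_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in bans:
            continue  # fail2ban stops counting while the ban is in force
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


# Constructed sample log in the assumed shape; these are not real Warpgate
# messages.  203.0.113.7 fails five times in under seven minutes, 198.51.100.4
# fails three times spread over hours, 2001:db8::1 fails once.
CONSTRUCTED_LOG = """\
2024-05-01T12:00:00Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Selected user not found
2024-05-01T12:00:20Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Selected user not found
2024-05-01T12:01:05Z  INFO warpgate::protocols::http: {client_ip=198.51.100.4} Target "db" not authorized for user admin
2024-05-01T12:02:30Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Target "prod" not authorized for user root
2024-05-01T12:03:00Z  INFO warpgate::protocols::ssh: {client_ip=2001:db8::1} Selected user not found
2024-05-01T12:03:10Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Selected user not found
2024-05-01T12:05:00Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Authenticated user alice
2024-05-01T12:06:40Z  INFO warpgate::protocols::ssh: {client_ip=203.0.113.7} Selected user not found
2024-05-01T13:30:00Z  INFO warpgate::protocols::http: {client_ip=198.51.100.4} Selected user not found
2024-05-01T14:50:00Z  INFO warpgate::protocols::http: {client_ip=198.51.100.4} Selected user not found
"""

if __name__ == "__main__":
    for ip, when in find_bans(CONSTRUCTED_LOG.splitlines()).items():
        print(f"ban {ip} (failure #5 at {when:%H:%M:%S})")
```

With the defaults only 203.0.113.7 is banned; lowering maxretry to 3 and widening findtime to three hours also catches the slow attempts from 198.51.100.4, which is the trade-off the two fail2ban knobs control. Against real Warpgate output, validate the actual filter with fail2ban's own tool, `fail2ban-regex <logfile> <filter file>`, which reports how many lines matched and which hosts were extracted; if the timestamp format differs from fail2ban's defaults, set `datepattern` in the filter so the findtime window is computed from the log time rather than the read time.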