Re: help needed preventing bruteforce behind a reverse proxy

[William Taylor <williamt@corp.sonic.net>]

On 7/1/2014 1:03 AM, Francesco Morosinotto wrote:
> Hi guys,
>
> I'm a young "system administrator" that works for a non profit organization.
> I've recently implemented owncloud on a local server running several
> virtual machines.
> Having only a static IP every service (running on different vms) is
> served through a reverse proxy (apache).
>
> I'm trying to secure my cloud installation in order to prevent
> bruteforce attack: I can log the attackers IP (using apache-mod-rpaf
> that reads the original ip from the x-forwarded-for header) and I was
> setting up fail2ban to add these ips to a blacklist and deny the access
> through iptables.
>
> But It seems that iptables is not able to understand where does the
> request come from and always log the internal proxy ip address.
>
> Is there a way to tell iptables to read the x-forwarded-for headers?
>
> can you suggest some other workaround?
>
> thank you guys
>
If you are logging the original source ip's with apache and having
fail2ban add them to a blacklist,
that should be all you need. Iptables should be able to block on those
ips you are feeding it unless
you aren't logging the correct ip. Even if there was an "easy" way for
iptables to reach into the packet
and read the x-forwarded-for address, it wouldn't do any good in this
case because when the packet
hits iptables it hasn't gone through your proxy yet (unless you are
trying to block it on the destination machine
and not the proxy machine). If you need more help post what your
iptables rules look like with an example
of what you are trying to block.

-william