fail2ban cloud loadbalancers

Cloud Load Balancers (LBaaS) can be used for numerous reasons, the most commonly that is for distrobuting traffic between multiple servers instead of using HAProxy or a dedicated Load Balancer, there are possitives and negatives to this however in my view load balancing as a service is a fantastic service, with some draw backs which I am sure I will detail in future posts.

Anywho on to the actural reason you are reading this


When using any form of Load Balancing you cannot simply block the IP address of the requests as this will be the Load Balancers IP address, all hope is not lost however as the stand is to send along an additional header such as X-Forwarded-For or X-Real-IP, I am not sure where the latter came from but the former is the most likely to be seen, using this additional header we can get the users IP address, this can be used within system logging or your application, in the situation that we are going to discuss we are relying on the system logging the IP address correctly.

Please be aware that I am not the author of this script so use with caution I do however plan to create a Python version

Required software

[ ] Fail2Ban

[ ] PHP

[ ] PHP Script

yum install php-cli fail2ban
wget -o $HOME/rackban.php
apt-get install php-cli fail2ban
wget -o $HOME/rackban.php
pacman -S php fail2ban
wget -o $HOME/rackban.php

Configure and Test it

Before continuing we need to update the script with your Rackspace Cloud details, I would also suggest testing the script to ensure that it working.

Update Config

private $accountId = "12345678";

// Your Rackspace username
private $username = "exampleuser";

// Your Rackspace API key
private $apiKey = "kh45kh345k34k345h3k45h";

// Your Rackspace load balancer ID
private $loadBalancer = "123456";

// Your Racspace region (ord, dfw, iad, lon, syd, hkg)
private $region = "lon";

Test script

php -f $HOME/rackban.php ban
php -f $HOME/rackban.php unban

Configure Fail2Ban

After you have tested that the script is working you can proceed to create the custom action for Fail2Ban, the configuration file /etc/fail2ban/action.d/rackban.conf

Replace {PATH_TO_PHP} with the full path to PHP e.g. /usr/bin/php

Replace {PATH} with the path to rackban.php e.g. /home/trozz

actionstart =
actionstop =
actioncheck =
actionban = {PATH_TO_PHP} -f {PATH}/rackban.php ban <ip>
actionunban = {PATH_TO_PHP} -f {PATH}/rackban.php unban <ip>

Finally you would need to update the action that is performed for your Fail2Ban jail.

enabled = true
port     = http,https
logpath  = %(apache_error_log)s
action = rackban

And there you have it with this setup you will now automatically ban people that connect through your Cloud Load Balancer