    Fail2ban on load balancer

    IT Discussion, 25 Posts, 7 Posters, 1.2k Views
    • IRJ

      Anybody using fail2ban on a nginx load balancer? I've been using it on nginx on my personal server, and it's been jailing bots quite well.

      I'm thinking about trying it on load balancers in a test environment for AWS.

      • JaredBusch @IRJ

        @IRJ said in Fail2ban on load balancer:

        Anybody using fail2ban on a nginx load balancer? I've been using it on nginx on my personal server, and it's been jailing bots quite well.

        I'm thinking about trying it on load balancers in a test environment for AWS.

        No, only because I have never taken the time to learn how to set it up well.

        • IRJ @JaredBusch

          @JaredBusch said in Fail2ban on load balancer:

          @IRJ said in Fail2ban on load balancer:

          Anybody using fail2ban on a nginx load balancer? I've been using it on nginx on my personal server, and it's been jailing bots quite well.

          I'm thinking about trying it on load balancers in a test environment for AWS.

          No, only because I have never taken the time to learn how to set it up well.

          This is how I have done it on my web server and it works well. I am constantly banning not only ssh, but also scripting, bots, etc.

          https://hostpresto.com/community/tutorials/how-to-secure-nginx-using-fail2ban-on-centos-7/

          It seems to work on a single, low traffic web server. I am not sure how well it would handle significant traffic and create a possible bottleneck on a load balancer that is handling many requests.

          It looks like it is possible to host behind a load balancer as well.

          https://github.com/fail2ban/fail2ban/issues/2258

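          The mechanism behind the jails discussed above, as an added example that is not from this thread, the linked tutorial or the fail2ban project: a small Python replay of fail2ban's maxretry/findtime/bantime counting over constructed nginx access-log lines, with the two details that decide whether it is safe on a load balancer: the `ignoreip` allowlist, and which address gets counted when a request arrives through a proxy. The log format (combined plus `$http_x_forwarded_for`), the 10.0.0.0/8 proxy range, the script-probe filter and every address are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed nginx access-log lines (not from the thread). Assumed log_format: the
# "combined" format with "$http_x_forwarded_for" appended as a final quoted field.
# 10.0.0.5 plays the load balancer; 192.0.2.44 is a direct client sending a forged header.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.22" "-"
203.0.113.10 - - [10/Jan/2020:12:00:03 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "python-requests/2.22" "-"
198.51.100.20 - - [10/Jan/2020:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [10/Jan/2020:12:00:05 +0000] "GET /setup.php HTTP/1.1" 404 162 "-" "python-requests/2.22" "-"
10.0.0.5 - - [10/Jan/2020:12:00:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/7.64" "198.51.100.7"
10.0.0.5 - - [10/Jan/2020:12:00:11 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "curl/7.64" "198.51.100.7"
10.0.0.5 - - [10/Jan/2020:12:00:12 +0000] "GET /phpinfo.php HTTP/1.1" 403 162 "-" "curl/7.64" "198.51.100.7"
192.0.2.44 - - [10/Jan/2020:12:00:20 +0000] "GET /a.php HTTP/1.1" 404 162 "-" "-" "127.0.0.1"
192.0.2.44 - - [10/Jan/2020:12:00:21 +0000] "GET /b.php HTTP/1.1" 404 162 "-" "-" "127.0.0.1"
192.0.2.44 - - [10/Jan/2020:12:00:22 +0000] "GET /c.php HTTP/1.1" 404 162 "-" "-" "127.0.0.1"
192.168.1.20 - - [10/Jan/2020:12:00:30 +0000] "GET /test.php HTTP/1.1" 404 162 "-" "-" "-"
192.168.1.20 - - [10/Jan/2020:12:00:31 +0000] "GET /test.php HTTP/1.1" 404 162 "-" "-" "-"
192.168.1.20 - - [10/Jan/2020:12:00:32 +0000] "GET /test.php HTTP/1.1" 404 162 "-" "-" "-"
203.0.113.99 - - [10/Jan/2020:12:00:40 +0000] "GET /x.php HTTP/1.1" 404 162 "-" "-" "-"
203.0.113.99 - - [10/Jan/2020:12:00:41 +0000] "GET /y.php HTTP/1.1" 404 162 "-" "-" "-"
203.0.113.99 - - [10/Jan/2020:12:30:00 +0000] "GET /z.php HTTP/1.1" 404 162 "-" "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
# Stand-in for a fail2ban failregex (assumed): a 403/404 answer to a request for a
# script path, the kind of probe the nginx jails mentioned in the thread catch.
SCRIPT_RE = re.compile(r'\.(php|asp|aspx|cgi|jsp)$', re.IGNORECASE)
# Assumed address range of our own load balancer; X-Forwarded-For is trusted only from here.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip(remote, xff):
    """Decide which address a log line is counted against."""
    remote_ip = ip_address(remote)
    if xff and xff != "-" and any(remote_ip in net for net in TRUSTED_PROXIES):
        # Only the right-most entry was appended by our own proxy; anything to its
        # left came from the client and can be forged.
        return ip_address(xff.split(",")[-1].strip())
    # A direct client: its X-Forwarded-For header is client-controlled, so ignore it.
    return remote_ip


class Jail:
    """fail2ban-style counter: maxretry failures inside findtime seconds -> ban for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)   # ip -> failure times inside the window
        self.bans = {}                       # ip -> expiry of the ban

    def is_ignored(self, ip):
        return any(ip in net for net in self.ignoreip)

    def is_banned(self, ip, now):
        until = self.bans.get(ip)
        if until is not None and now >= until:
            del self.bans[ip]                # ban expired, forget it
            until = None
        return until is not None

    def failure(self, ip, when):
        """Record one matching log line; return True if it triggered a new ban."""
        if self.is_ignored(ip) or self.is_banned(ip, when):
            return False
        window = self.failures[ip]
        window.append(when)
        while window and when - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = when + self.bantime
            window.clear()
            return True
        return False


def banned_ips(log_text, ignoreip=("127.0.0.0/8", "192.168.1.0/24")):
    """Replay an access log through the jail; return the banned addresses in order."""
    jail = Jail(ignoreip=ignoreip)
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("403", "404") or not SCRIPT_RE.search(m["path"]):
            continue                         # not a failure for this filter
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        ip = client_ip(m["remote"], m["xff"])
        if jail.failure(ip, when):
            banned.append(str(ip))
    return banned


if __name__ == "__main__":
    for ip in banned_ips(SAMPLE_LOG):
        print("ban", ip)
```

          Replaying the sample bans 203.0.113.10, 198.51.100.7 and 192.0.2.44. The 192.0.2.44 lines show why the proxy check matters: the forged `127.0.0.1` header would have put the client inside `ignoreip` if the header were trusted from anyone. 203.0.113.99 is not banned because its third probe falls outside the 600-second window. The load-balancer caveat is the mirror image: with fail2ban on the balancer itself `$remote_addr` is the real client, but on a backend behind it the remote address is the balancer's, and a jail keyed on that address would ban the balancer and take the whole site down. Real fail2ban applies the ban through a firewall action; this replay only makes the decision.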
            • IRJ

            Fail2ban is pretty powerful. I find these could be useful in addition to the 6 nginx jails above.

            Geo-Blocking (I can hear @scottalanmiller moaning)

            https://thecustomizewindows.com/2016/11/fail2ban-geoip-action-script-block-ssh-country/

            SQL Injection and Shellshock blocking

            https://www.booleanworld.com/blocking-bad-bots-fail2ban/

            Wordpress specific blocking

            https://www.linode.com/docs/security/using-fail2ban-for-security/

              • wrx7m @IRJ

              @IRJ said in Fail2ban on load balancer:

              Geo-Blocking

              I get why/how this can be circumvented, but I don't know why you wouldn't just do it. Looking at a new WP site we just set up, I see in Wordfence that it has been hit hundreds of times from Russia in the last week.

                • IRJ

                Oh, this is really cool. Block IPs based on community reputation using fail2ban. You can also contribute to the community as well.

                https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/

                  • IRJ @wrx7m

                  @wrx7m said in Fail2ban on load balancer:

                  @IRJ said in Fail2ban on load balancer:

                  Geo-Blocking

                  I get why/how this can be circumvented, but I don't know why you wouldn't just do it. Looking at a new WP site we just set up, I see in Wordfence that it has been hit hundreds of times from Russia in the last week.

                  Yeah. I have a situation where it is a requirement, but it does seem that a majority of the script kiddies overseas don't change their IPs.

                    • DustinB3403 @IRJ

                    @IRJ said in Fail2ban on load balancer:

                    Yeah. I have a situation where it is a requirement, but it does seem that a majority of the script kiddies overseas don't change their IPs.

                    The world is running out of IPv4 and IPv6 is a pain in the ass 😛

                      • scottalanmiller @wrx7m

                      @wrx7m said in Fail2ban on load balancer:

                      @IRJ said in Fail2ban on load balancer:

                      Geo-Blocking

                      I get why/how this can be circumvented, but I don't know why you wouldn't just do it. Looking at a new WP site we just set up, I see in Wordfence that it has been hit hundreds of times from Russia in the last week.

                      Because it blocks lots of legitimate traffic, too. WordFence is a great example: businesses often lose customers who think that their website is down because their geo-blocking blocked them. It can be because your customers are traveling, work from hosted machines, or just get mis-identified. About 50% of the time when I am in Dallas (no VPNs, no remote, just using my local desktop normally) I am identified as being in Alberta, Canada. Thousands of miles away in a different region, in a different country. When I worked in NYC, I was always showing up as Frankfurt, Germany to detection devices.

                      So there are extremely good reasons why you don't want to geo-block by default. You have to remember that "geo-blocking" means "blocking IP ranges", not "blocking people by country." Those IP ranges have tendencies to be associated with certain countries, but nothing more. It's not that people doing nefarious things can easily get around it that is the problem; that's a red herring. The real issue is presenting your services as being down, randomly, to some small subset of your potential or current customers. I've literally mistaken businesses as having gone out of business and switched vendors for this reason before; lots of people probably do all of the time. It's rare that I take the time to understand and look into "outages" and sometimes figure out that it was geo-blocking and not a full outage causing the site to appear as offline indefinitely.

                        • scottalanmiller @IRJ

                        @IRJ said in Fail2ban on load balancer:

                        Oh, this is really cool. Block IPs based on community reputation using fail2ban. You can also contribute to the community as well.

                        https://www.howtoforge.com/tutorial/protect-your-server-computer-with-badips-and-fail2ban/

                        That's pretty cool.

                          • scottalanmiller @wrx7m

                          @wrx7m So the real question for geo-blocking is...

                          Pro: Blocks attacks from script kiddies and other annoying but essentially non-threatening entities.
                          Con: Blocks a small number of potential customers, likely causing them to not do business with you (because they don't know that they can.)

                          So put a dollar value on each, or ask your CFO/CEO to do so. How much is the value of the annoyance versus how much is the value of the lost revenue?

                          Both numbers are small. For me, I can't even imagine the second number, it's got to be tiny, but I can't estimate it. The first number I can estimate, approaching zero. Script kiddie attacks, those that can't change their IPs and aren't targeted, don't pose a real threat. They use a trivial amount of bandwidth, fill up some logs, but that's it. They don't impact me. So while I can't put a number on the "con", I know that there is one even if it is $5. But I can put a value on the "pro", and it is essentially zero. So for me, that's a crystal clear "don't take this risk without another factor" answer.

                            • wirestyle22 @wrx7m

                            @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                              • IRJ @wirestyle22

                              @wirestyle22 said in Fail2ban on load balancer:

                              @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                              That's not what's being talked about here. We are talking about doing it on a load balancer for a specific service. In this case, https traffic to a specific application.

                                • wirestyle22 @IRJ

                                @IRJ said in Fail2ban on load balancer:

                                @wirestyle22 said in Fail2ban on load balancer:

                                @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                                That's not what's being talked about here. We are talking about doing it on a load balancer for a specific service. In this case, https traffic to a specific application.

                                I was talking specifically about potential problems with geo-location. I understand what is being discussed.

                                  • IRJ @wirestyle22

                                  @wirestyle22 said in Fail2ban on load balancer:

                                  @IRJ said in Fail2ban on load balancer:

                                  @wirestyle22 said in Fail2ban on load balancer:

                                  @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                                  That's not what's being talked about here. We are talking about doing it on a load balancer for a specific service. In this case, https traffic to a specific application.

                                  I was talking specifically about potential problems with geo-location. I understand what is being discussed.

                                  If you do geo-blocking then it becomes part of the process of installing new software and services to add a whitelist of IPs for that service. Any cloud hosting provider has something similar to this.

                                  https://help.logmein.com/articles/en_US/FAQ/Whitelisting-and-LogMeIn

                                    • IRJ @scottalanmiller

                                    @scottalanmiller said in Fail2ban on load balancer:

                                    @wrx7m So the real question for geo-blocking is...

                                    Pro: Blocks attacks from script kiddies and other annoying but essentially non-threatening entities.
                                    Con: Blocks a small number of potential customers, likely causing them to not do business with you (because they don't know that they can.)

                                    So put a dollar value on each, or ask your CFO/CEO to do so. How much is the value of the annoyance versus how much is the value of the lost revenue?

                                    Both numbers are small. For me, I can't even imagine the second number, it's got to be tiny, but I can't estimate it. The first number I can estimate, approaching zero. Script kiddie attacks, those that can't change their IPs and aren't targeted, don't pose a real threat. They use a trivial amount of bandwidth, fill up some logs, but that's it. They don't impact me. So while I can't put a number on the "con", I know that there is one even if it is $5. But I can put a value on the "pro", and it is essentially zero. So for me, that's a crystal clear "don't take this risk without another factor" answer.

                                    I agree with @scottalanmiller that it is hard to take someone as a serious threat when they don't even bother to change their IP address. On the flip side, it is something that IT management generally expects for whatever reason. I think a big part of it comes down to the due diligence factor. It is easy for a CEO to say "yeah, we block China and Russia as part of our security." It sounds good on a high level, which is where IT management lives.

                                    I can see the requirement from their point of view, though. If you are breached and by chance it happens to be from a Russian IP, what is the first thing any security firm is going to ask? Why weren't you blocking IPs from high risk locations? In this case, I think for IT management it has value. Losing .001% of sales will likely never be noticed and is definitely not something where the IT team will receive credit.

                                      • pmoncho @IRJ

                                      @IRJ said in Fail2ban on load balancer:

                                      @scottalanmiller said in Fail2ban on load balancer:

                                      @wrx7m So the real question for geo-blocking is...

                                      Pro: Blocks attacks from script kiddies and other annoying but essentially non-threatening entities.
                                      Con: Blocks a small number of potential customers, likely causing them to not do business with you (because they don't know that they can.)

                                      So put a dollar value on each, or ask your CFO/CEO to do so. How much is the value of the annoyance versus how much is the value of the lost revenue?

                                      Both numbers are small. For me, I can't even imagine the second number, it's got to be tiny, but I can't estimate it. The first number I can estimate, approaching zero. Script kiddie attacks, those that can't change their IPs and aren't targeted, don't pose a real threat. They use a trivial amount of bandwidth, fill up some logs, but that's it. They don't impact me. So while I can't put a number on the "con", I know that there is one even if it is $5. But I can put a value on the "pro", and it is essentially zero. So for me, that's a crystal clear "don't take this risk without another factor" answer.

                                      I can see the requirement from their point of view, though. If you are breached and by chance it happens to be from a Russian IP, what is the first thing any security firm is going to ask? Why weren't you blocking IPs from high risk locations?

                                      It's become a CYA product and that's about it.

                                        • wirestyle22 @IRJ

                                        @IRJ said in Fail2ban on load balancer:

                                        @wirestyle22 said in Fail2ban on load balancer:

                                        @IRJ said in Fail2ban on load balancer:

                                        @wirestyle22 said in Fail2ban on load balancer:

                                        @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                                        That's not what's being talked about here. We are talking about doing it on a load balancer for a specific service. In this case, https traffic to a specific application.

                                        I was talking specifically about potential problems with geo-location. I understand what is being discussed.

                                        If you do geo-blocking then it becomes part of the process of installing new software and services to add a whitelist of IPs for that service. Any cloud hosting provider has something similar to this.

                                        https://help.logmein.com/articles/en_US/FAQ/Whitelisting-and-LogMeIn

                                        For what real benefit, though? That is kind of my point. It's a PITA but also doesn't really benefit you.

                                          • scottalanmiller @wirestyle22

                                          @wirestyle22 said in Fail2ban on load balancer:

                                          @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                                          That's not a false positive, that's intentionally blocking those services. If they are really in Canada, geo-blocking Canada is because you don't want those services, no matter how "legit" they are.

                                            • scottalanmiller @IRJ

                                            @IRJ said in Fail2ban on load balancer:

                                            @wirestyle22 said in Fail2ban on load balancer:

                                            @IRJ said in Fail2ban on load balancer:

                                            @wirestyle22 said in Fail2ban on load balancer:

                                            @wrx7m False positives too. If I blocked all Canada traffic as an example, LogMeIn will intermittently not work because they have data centers in Canada. There is essentially no benefit to it and a few, mostly small downsides. It just aids sales because it sounds cool.

                                            That's not what's being talked about here. We are talking about doing it on a load balancer for a specific service. In this case, https traffic to a specific application.

                                            I was talking specifically about potential problems with geo-location. I understand what is being discussed.

                                            If you do geo-blocking then it becomes part of the process of installing new software and services to add a whitelist of IPs for that service. Any cloud hosting provider has something similar to this.

                                            https://help.logmein.com/articles/en_US/FAQ/Whitelisting-and-LogMeIn

                                            In that case, and I know there are places where the middle ground could make sense, does it make sense to geo-block but leave the main attack networks open? Rather than just block universally, and whitelist only what is wanted?
