-1

My server lives behind an nginx reverse proxy, but the client IP in the Apache access log looks normal, like this; there is no X-Forwarded-For entry in the log.

103.221.234.206 - - [28/Feb/2024:14:37:29 +0800] "GET /styles/pke/?mejiku=zeus138 HTTP/1.1" 404 3888 "https://x.y.z.a/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
65.109.34.52 - - [28/Feb/2024:14:37:29 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9568 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"
103.221.234.206 - - [28/Feb/2024:14:37:31 +0800] "GET / HTTP/1.1" 200 8561 "https://x.y.z.a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68"
194.32.229.95 - - [28/Feb/2024:14:37:32 +0800] "GET /index.php/index/user/register HTTP/1.1" 200 9487 "https://x.y.z.a/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36"

Next: the fail2ban config is good, but iptables cannot block public IPs. My iptables rules are shown below. It only works when banning a local IP.

Chain INPUT (policy DROP 22909 packets, 8800K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 691K   72M f2b-apache-noscript  tcp  --  any    any     anywhere             anywhere             multiport dports http,https
 690K   85M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   76  4560 ACCEPT     all  --  lo     any     anywhere             anywhere            
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere            
    1    64 ACCEPT     tcp  --  any    any     10.0.0.0/8           anywhere             tcp dpt:ssh
  807 42768 ACCEPT     tcp  --  any    any     10.0.0.0/8           anywhere             tcp dpt:webmin
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
34019 2040K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 720K packets, 2306M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain f2b-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  any    any     77.111.244.49        anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     103.151.140.101      anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     20.125.101.243       anywhere             reject-with icmp-port-unreachable

My iptables rules cannot catch the traffic from the specific IPs that were banned.

What should I do to make fail2ban work without changing the network topology, where my server is behind the reverse proxy?

Network topology

6
  • You haven't described your network topology.
    – AlexD
    Commented Feb 28 at 11:12
  • Network topology: I only have full access to the web server where fail2ban is installed, and no access to configure the reverse proxy.
    – Riska K A
    Commented Feb 28 at 12:57
  • 2
    If you have a reverse proxy, then the packets originate from the reverse proxy. That proxy adds a header telling who originally sent the packet, which your web server uses. iptables, however, doesn't inspect HTTP headers, and doesn't match. You have to re-think your approach.
    – vidarlo
    Commented Feb 28 at 13:58
  • What would you suggest if the topology cannot be changed? Should I use another app?
    – Riska K A
    Commented Mar 8 at 8:35
  • 1
    ServerFault is not a forum, and changing the question to include "solved" or similar statements is not how things are done. Please post an answer and accept it. In that answer, include that link and preferably a short summary in case the link dies.
    – HBruijn
    Commented Mar 8 at 9:49
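A worked example of the approach vidarlo's comment points at, added here and not part of the original question or any answer: since every packet arrives from the proxy, a netfilter ban on the forwarded client address never matches (which is exactly why the f2b-apache-noscript rules above show 0 packets), so the ban has to be enforced in the layer that sees the forwarded address, i.e. Apache itself. The script below is a fail2ban action helper that keeps a plain list of banned client IPs and renders it into an Apache include file built on `Require not ip`, which mod_authz_host evaluates against the client address after mod_remoteip has substituted it from X-Forwarded-For. All paths, the proxy range 10.0.0.0/8 (taken from the ssh/webmin rules in the question) and the action.d file name are assumptions for illustration; nothing in the original post confirms them. The security caveat that matters: `RemoteIPInternalProxy` must list only the real proxy, otherwise any direct client can forge X-Forwarded-For to get an arbitrary address banned or to walk around its own ban.

```shell
#!/bin/sh
# Added example (not from the original post or from fail2ban/Apache): enforce
# fail2ban bans in Apache instead of iptables for a server behind a reverse
# proxy. Assumed Apache configuration (hypothetical paths):
#
#   RemoteIPHeader X-Forwarded-For
#   RemoteIPInternalProxy 10.0.0.0/8        # trust the header from the proxy only
#   LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
#   <Location "/">
#       Include /etc/apache2/f2b-deny.conf
#   </Location>
#
# Assumed fail2ban action file, /etc/fail2ban/action.d/apache-deny.conf,
# selected with "banaction = apache-deny" in the jail:
#
#   [Definition]
#   actionstart = /usr/local/sbin/f2b-apache-deny init
#   actionban   = /usr/local/sbin/f2b-apache-deny ban <ip>
#   actionunban = /usr/local/sbin/f2b-apache-deny unban <ip>

BAN_LIST="${BAN_LIST:-/var/lib/fail2ban/apache-banned.txt}"   # one IP per line
DENY_CONF="${DENY_CONF:-/etc/apache2/f2b-deny.conf}"           # rendered for Apache
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"                  # word-split on purpose

# Accept only characters that can occur in an IPv4/IPv6 literal, so a malformed
# <ip> can never smuggle an Apache directive into the include file.
valid_ip() {
    case "$1" in
        ""|*[!0-9a-fA-F.:]*) return 1 ;;
    esac
    return 0
}

is_banned() {
    [ -f "$BAN_LIST" ] && grep -qxF "$1" "$BAN_LIST"
}

# Rewrite the include from the ban list and reload Apache. The temp file + mv
# keeps Apache from ever reading a half-written fragment during a reload.
render_conf() {
    tmp="$DENY_CONF.tmp.$$"
    {
        echo '<RequireAll>'
        echo '    Require all granted'
        if [ -f "$BAN_LIST" ]; then
            sed 's/^/    Require not ip /' "$BAN_LIST"
        fi
        echo '</RequireAll>'
    } > "$tmp" && mv "$tmp" "$DENY_CONF" && $RELOAD_CMD
}

init_action() {
    [ -f "$BAN_LIST" ] || : > "$BAN_LIST"
    render_conf
}

ban_ip() {
    valid_ip "$1" || return 2
    if is_banned "$1"; then return 0; fi      # idempotent: fail2ban may retry
    printf '%s\n' "$1" >> "$BAN_LIST" && render_conf
}

unban_ip() {
    valid_ip "$1" || return 2
    is_banned "$1" || return 0
    tmp="$BAN_LIST.tmp.$$"
    grep -vxF "$1" "$BAN_LIST" > "$tmp" || :  # grep exits 1 when nothing is left
    mv "$tmp" "$BAN_LIST" && render_conf
}

# Dispatch when invoked by fail2ban; does nothing when sourced without arguments.
case "$1" in
    init)  init_action ;;
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
esac
```

With mod_remoteip in place, `%a` in the LogFormat logs the forwarded client address (which is what the log lines in the question already show) while `%{c}a` would log the proxy's connection address; fail2ban keeps parsing the log exactly as before, only the ban action changes. A ban that fires against an address inside `RemoteIPInternalProxy` would still be wrong, so it is worth adding the proxy range to `ignoreip` in the jail as well.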

1 Answer 1

0

Similar case, perfectly solved here: link

2
  • 1
    Please include the gist of the solution into your answer. The answer becomes useless when that link dies. Commented Mar 8 at 16:29
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – djdomi
    Commented Mar 13 at 9:30
