OC with fail2ban behind a reverse proxy


#1

Hello All,

The issue I am having is not caused by OC, but it is related to the security of my server.

Regarding the setup, I have a CentOS 7 server running OC 10 with HTTPS and fail2ban installed. I also have another CentOS 7 server acting as an (Apache) reverse proxy (once again with HTTPS). On my reverse proxy, I have enabled IP forwarding, so that the client's public IP is visible to the OC server.
If I don't forward the client's public IP, in case of bad password attempts fail2ban will ban the proxy's local IP (as expected), leading to a general "black out", since no one from the outside world will be able to access the OC server.

Here's the tricky part. Even though fail2ban detects the public IP after a few bad password attempts (and even though the public IP will appear as banned), for some reason it will continue to have access to the OC server, so the client will be able to try as many passwords as he desires...
If I bypass the reverse proxy and port forward the traffic to my OC server, then fail2ban will successfully block any IP that makes several bad password attempts. But if the traffic is routed through the reverse proxy, then fail2ban will not operate as it should.

To sum things up, even though the reverse proxy is forwarding the client's public IP and even though fail2ban detects it, for some reason the IP ban does not work.
Any suggestions on the above?


#2

As far as I understand, it is about fail2ban, not ownCloud. You can ask the fail2ban community; it can be better. By the way, we have a security app to block brute force login attempts. You can take a look. https://marketplace.owncloud.com/apps/security


#3

Hello @karakayasemi and thanks for your reply.

Fail2ban does block the public IP, but since the traffic is passed from the reverse proxy to the owncloud server, just blocking the client's public IP is not enough. I will definitely try your app and will revert in case the issue is resolved.


#4

@karakayasemi, I installed your app and it works like a charm! Thank you so much for your work on this!
My understanding is that it locks the user (his/her username) from logging in, correct?


#5

Glad to hear that. It blocks the IP after a determined number of failed login attempts; the blocking policy is IP based, not user based. In the next version, it will block the ip+uid combination instead of only the ip.
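The two mechanisms discussed in this thread behave differently for a reason worth seeing concretely: a fail2ban firewall rule matches the TCP source address of the packets, which behind a reverse proxy is always the proxy's own address, whereas the marketplace app counts failures inside the application, where the forwarded client IP is known. The following is an added illustration, not code from ownCloud, fail2ban or the security app: it models both enforcement points over constructed login attempts (the proxy subnet `10.0.0.0/24`, proxy `10.0.0.5`, client `203.0.113.7` and the `MAX_FAILURES` threshold are all assumed values). It also shows the check any application-layer blocker needs: honouring `X-Forwarded-For` only when the direct peer is a trusted proxy, since otherwise any client could forge the header and have an arbitrary address locked out.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: the reverse proxy's internal subnet and the failure threshold.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
MAX_FAILURES = 5


def client_ip(peer_ip, xff_header):
    """Attribute a request to a client address.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy.
    The proxy appends the address it saw to the end of the header, so the
    rightmost entry is the one added by the trusted hop (assumed single-proxy
    setup, as in the thread).
    """
    peer = ip_address(peer_ip)
    if xff_header and any(peer in net for net in TRUSTED_PROXIES):
        return xff_header.split(",")[-1].strip()
    return peer_ip


class FirewallBan:
    """A fail2ban-style ban: applied at the packet level, so it matches the TCP peer."""

    def __init__(self):
        self.banned = set()

    def ban(self, ip):
        self.banned.add(ip)

    def allows(self, peer_ip):
        return peer_ip not in self.banned


class AppLayerBan:
    """An application-level blocker: counts failures per attributed client IP."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.failures = defaultdict(int)
        self.max_failures = max_failures

    def allows(self, ip):
        return self.failures[ip] < self.max_failures

    def record_failure(self, ip):
        self.failures[ip] += 1


def run_firewall_enforcement(attempts):
    """Replay (peer_ip, xff) failed-login attempts with only a firewall ban.

    Returns how many attempts reached the password check. The ban is keyed on
    the IP written to the application log (the forwarded client IP), but the
    packets keep arriving from the proxy, so the rule never matches.
    """
    fw = FirewallBan()
    failures = defaultdict(int)
    reached = 0
    for peer, xff in attempts:
        if not fw.allows(peer):
            continue
        reached += 1
        logged_ip = client_ip(peer, xff)  # what fail2ban reads from the log
        failures[logged_ip] += 1
        if failures[logged_ip] >= MAX_FAILURES:
            fw.ban(logged_ip)
    return reached


def run_app_enforcement(attempts):
    """Replay the same attempts with an application-layer IP blocker."""
    app = AppLayerBan()
    reached = 0
    for peer, xff in attempts:
        ip = client_ip(peer, xff)
        if not app.allows(ip):
            continue
        reached += 1
        app.record_failure(ip)
    return reached


# Constructed scenarios: eight wrong-password attempts from one client,
# once routed through the proxy and once port-forwarded directly.
PROXIED = [("10.0.0.5", "203.0.113.7")] * 8
DIRECT = [("203.0.113.7", None)] * 8

if __name__ == "__main__":
    print("firewall ban, via proxy :", run_firewall_enforcement(PROXIED), "of 8 reached login")
    print("firewall ban, direct    :", run_firewall_enforcement(DIRECT), "of 8 reached login")
    print("app-layer ban, via proxy:", run_app_enforcement(PROXIED), "of 8 reached login")
```

Run as a script, the proxied firewall case lets all eight attempts through while the direct case and the application-layer case both stop at the threshold, which is exactly the behaviour described in posts #1 and #3. The practical consequence for a deployment like this one is that an IP-based ban has to be enforced at a point that still sees the real client address: either in the application (as the app does) or on the proxy host itself.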