Using fail2ban from behind a Rackspace Cloud LoadBalancer

If your fail2ban host sits behind a Rackspace Cloud LoadBalancer, you’ll want to block the offending IP addresses in the LoadBalancer itself rather than on the host. If the LB acts as a reverse proxy you have no choice: the host only ever sees connections coming from the LB, so a host-level ban of the client’s address blocks nothing (and banning the LB’s own address would cut off your legitimate traffic). Blocking in the LB also protects every other node behind it and offloads the work from your web servers.

If you’re running WordPress, you might want to read Using fail2ban to block WordPress login attacks first.

I’m assuming you have fail2ban installed and up and running. If not, go fix that first (apt-get install fail2ban on Ubuntu).

Before we start, you need the following, available from your Rackspace control panel:

  • Your Rackspace cloud account ID
  • Your Rackspace username
  • Your Rackspace API key
  • Your Rackspace load balancer ID

Download the API wrapper

At the heart of the operation is the rackban script from Oliver Northam available on GitHub.

This script simply uses the Rackspace API to talk to the LoadBalancer and change its access list. The change is not instant; it takes a few seconds to apply, which is usually not a problem.

Download the script to a safe place. Once edited it will contain your API key, so keep it somewhere only root can read:

$ mkdir /root/bin
$ cd /root/bin
$ wget https://raw.githubusercontent.com/sidgtl/rackban/master/scripts/rackban.php

Now edit the file and fill in the account ID, username, API key and load balancer ID from your control panel.

To test it, issue the following command:

$ php -f /root/bin/rackban.php ban 192.168.1.1

The control panel should show the LB as updating, and within a few seconds 192.168.1.1 DENY should appear in your access list. Test with an address you do not depend on, as here; never with the address you are connecting from.

To remove it again, simply issue:

$ php -f /root/bin/rackban.php unban 192.168.1.1

The IP should soon be removed from the access list again.
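To show what a ban and an unban actually do at the API level, here is an added example (my own code, not the rackban.php script from the post). It reconstructs the calls such a script has to make, based on my recollection of the Rackspace Cloud Load Balancers API v1.0 and Identity v2.0: the endpoint paths, the payload shapes and the environment variable names are assumptions and should be checked against the docs before use. The 100-rule limit is the value reported in the comments on this post.

```python
"""Ban/unban a client address in a Rackspace Cloud Load Balancer access list.

Added example, not the rackban.php script from the post. Endpoint paths and
payload shapes are assumptions based on the Rackspace Cloud Load Balancers
API v1.0 and Identity v2.0; verify them against the docs. Credentials and
ids come from the environment instead of being edited into the file.
"""
import ipaddress
import json
import os
import sys
import urllib.request

IDENTITY_URL = "https://identity.api.rackspacecloud.com/v2.0/tokens"  # assumed
LB_API = "https://ord.loadbalancers.api.rackspacecloud.com/v1.0"      # assumed (ORD region)
ACCESS_LIST_LIMIT = 100  # per-LB rule limit as reported in the comments on this post


def auth_payload(username, api_key):
    """Identity v2.0 API-key credentials body (assumed shape)."""
    return {"auth": {"RAX-KSKEY:apiKeyCredentials":
                     {"username": username, "apiKey": api_key}}}


def deny_payload(ip):
    """Body that appends one DENY rule to the access list (assumed shape)."""
    return {"accessList": [{"address": ip, "type": "DENY"}]}


def plan_ban(access_list, ip, limit=ACCESS_LIST_LIMIT):
    """Decide what 'ban ip' should do given the current access list.

    Returns ("add", body), ("skip", None) if the address is already denied,
    or ("full", None) if there is no free slot. Parsing the address first
    keeps a malformed tag from ever reaching the API.
    """
    ip = str(ipaddress.ip_address(ip))
    if any(e.get("address") == ip and e.get("type") == "DENY" for e in access_list):
        return ("skip", None)
    if len(access_list) >= limit:
        return ("full", None)
    return ("add", deny_payload(ip))


def plan_unban(access_list, ip):
    """Decide what 'unban ip' should do.

    Entries are deleted by their network item id, not by address, so the
    current list must be read first. Returns ("delete", id) or ("absent", None).
    """
    ip = str(ipaddress.ip_address(ip))
    for e in access_list:
        if e.get("address") == ip and e.get("type") == "DENY":
            return ("delete", e["id"])
    return ("absent", None)


def api(method, url, token=None, body=None):
    """One JSON request; DELETE and 202 responses may carry an empty body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def run(command, ip, account, lb_id, username, api_key):
    """Authenticate, read the current list, then apply the planned change."""
    token = api("POST", IDENTITY_URL, body=auth_payload(username, api_key))["access"]["token"]["id"]
    base = f"{LB_API}/{account}/loadbalancers/{lb_id}/accesslist"
    current = api("GET", base, token).get("accessList", [])
    if command == "ban":
        action, body = plan_ban(current, ip)
        if action == "add":
            api("POST", base, token, body=body)
    elif command == "unban":
        action, item_id = plan_unban(current, ip)
        if action == "delete":
            api("DELETE", f"{base}/{item_id}", token)
    else:
        raise SystemExit(f"usage: {sys.argv[0]} ban|unban <ip>")
    return action


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit(f"usage: {sys.argv[0]} ban|unban <ip>")
    env = os.environ  # RAX_ACCOUNT, RAX_LB_ID, RAX_USERNAME, RAX_API_KEY (assumed names)
    result = run(sys.argv[1], sys.argv[2], env["RAX_ACCOUNT"], env["RAX_LB_ID"],
                 env["RAX_USERNAME"], env["RAX_API_KEY"])
    print(result)
    # fail2ban logs an error when an action exits non-zero, so surface a full list that way
    sys.exit(0 if result in ("add", "skip", "delete", "absent") else 1)
```

The two planning functions are kept free of network code so the decision logic (already-banned, list full, address-to-id lookup for unban) can be checked without an account. A full access list exits non-zero rather than silently dropping the ban, which is how the situation described in the comments becomes visible in the fail2ban log.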

Set up the fail2ban action

Create the rackspace action by entering the following into /etc/fail2ban/action.d/rackspace.conf:

[Definition]
# Nothing to set up or tear down: the LB access list persists on its own.
actionstart =
actionstop =
actioncheck =
# fail2ban substitutes the address to ban or release for <ip>.
actionban = php -f /root/bin/rackban.php ban <ip>
actionunban = php -f /root/bin/rackban.php unban <ip>

Now you can set action = rackspace in a jail, and fail2ban will call the script for every ban and for every unban when the bantime expires.
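A jail that uses the action, as an added example rather than part of the original post; the jail name, the filter name and the log path are assumptions (the filter itself would be the one from the linked WordPress post):

```ini
# /etc/fail2ban/jail.local  (added example; names and paths are assumptions)
[wordpress-lb]
enabled  = true
# filter matching failed wp-login.php attempts, e.g. from the linked post
filter   = wordpress
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
# keep bantime finite: the unban call is what frees a slot in the LB access list
bantime  = 3600
action   = rackspace
```

Two things to check before enabling it. Because the LB proxies the request, the backend’s log line must carry the client’s real address (the X-Forwarded-For header the LB adds) and the filter’s regex must match that field; otherwise every match points at the LB’s own address. And since the access list holds a limited number of rules, a finite bantime matters: it is the unban that removes entries, so permanent bans would fill the list for good.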

4 Comments

  1. Hi Bjorn,
    I realize this post is a couple years old, but I haven’t seen better implementations for fail2ban at the load balancer level. It’s worked well for us at Rackspace.
    However, I notice that the load balancer’s access rules are maxed out at 100. So with our servers getting slammed at times trying to hit WordPress logins, I see the access rules get up to 100, and eventually stay there since there’s no time to unban them. I wonder if you have any thoughts about that limitation?
    Also, I notice that when it bans/unbans, in the Rackspace control panel, it shows the LB is “updating” for a few seconds each time. I wonder if that causes any connection issues when a LB is being updated? (maybe a question for Rackspace).
    Thanks for this contribution.

    1. Thanks for your comment, Rich.

      I can’t recall that I’ve ever reached 100 bans in Rackspace. But considering how easy it is to reach that number, I think we (i.e. you 😉) should make a Request for Rackspace to increase the number.

      I’ve never seen any connectivity issues while the server is applying the IP blacklist and has the “Updating” status.

  2. Thanks for the quick reply. I did check with RS and of course, they can’t simply up the number of access rules. They pointed me to a more comprehensive firewall solution (Rackconnect) which would be a massive migration effort on the servers and even pointing IPs. So no thanks.
    Still I think it’s a good solution when we’re not getting slammed by attempts on our servers. And for the most part it stays under 100.
