Install Fail2Ban in Traefik K8S #130

gioturmanidze · 2024-06-19T08:43:00Z

gioturmanidze
Jun 19, 2024

Hello. I try to install Fail2Ban plugin to my Traefik installation in K8S. I'm sorry, this is my first ever created issue whatsoever.

Traefik is installed via helm chart from traefik/traefik. Here is cli arguments it's installed with

  - "--accesslog.fields.headers.defaultmode=keep"
  - "--providers.file.filename=/data/files/config.yml"
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs="
  - "--entryPoints.web.forwardedHeaders.trustedIPs="
  - "--accesslog.bufferingsize=10"
  - "--experimental.plugins.fail2ban.modulename=github.com/tomMoulard/fail2ban"
  - "--experimental.plugins.fail2ban.version=v0.8.1"

This is my traefik configuration in /data/files/config.yml

http:
    routers:
        default-router:
            priority: 1
            rule: 'HostRegexp(`{host:.*}`)'
            service: default-service
            entryPoints:
                - web
            middlewares:
                - redirect-https
        default-router-tls:
            priority: 2
            rule: 'HostRegexp(`{host:.*}`)'
            service: default-service
            entryPoints:
                - websecure
            tls:
                certResolver: myresolver
    services:
        default-service:
            loadBalancer:
                passHostHeader: true
                servers:
                    - { url: 'http://server:8000' }
    middlewares:
        redirect-https:
            redirectScheme:
                scheme: https
                permanent: 'true'
        disable-host-forwarding:
            headers:
                customRequestHeaders:
                    X-Forwarded-Host: ''

This is my middleware configuration

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: fail2ban
  namespace: server
spec:
  plugin:
    fail2ban:
      logLevel: DEBUG
      allowlist:
        ip:
          - "ip"
      denylist:
        ip:
          - "::1"
          - "127.0.0.1"
      findtime: "60s"
      maxretry: 4
      bantime: "2h"
      statuscode:
        - "400"
        - "403"
        - "401"
        - "405"
        - "499"

My ingressroutes configuration

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: server-https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`${INGRESS_DOMAIN}`) || Host(`${INGRESS_DOMAIN_DEFAULT}`)
      kind: Rule
      middlewares:
        - name: fail2ban
      services:
        - name: server
          port: 8000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: server-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`${INGRESS_DOMAIN}`) || Host(`${INGRESS_DOMAIN_DEFAULT}`)
      kind: Rule
      middlewares:
        - name: https-permanent
        - name: fail2ban
      services:
        - name: server
          port: 8000

and then i try to connect to my traefik with incorrect token to generate 401 Unauthenticated error more than 4 times in 60 seconds. But nothing happens, no ban.

My questions:

How to ensure correct installation?
What should i see in the traefik logs, when fail2ban bans ip?
How to look for banned ips list?
Is it true that Fail2Ban looks for listed statuscodes, and if there is more than 4 401,403 error in 60 second from one ip, it bans that ip?

Answered by tomMoulard

Jun 23, 2024

Hello @gioturmanidze,

Thanks for your interest in this traefik plugin !

To answer your questions:

There should be a log in traefik that contains 2024/06/23 12:00:00 Plugin: FailToBan is up and running
The plugin does not show logs of its usage. The plugin logs are currently only for the configuration part.
Currently, there is no mechanism to export the banned IP list.
Indeed, it looks for status codes in the response. If the algorithm detects a bad behavior, the user will not have the response, and will get ad 403.

FYI, here is a very small example on how to use the plugin on the traefik dashboard

# Makefile
all: stop start def traefik

start:
	k3d cluster create mycluster \
		-p 80:80…

View full answer

tomMoulard · 2024-06-23T12:48:29Z

tomMoulard
Jun 23, 2024
Maintainer

Hello @gioturmanidze,

Thanks for your interest in this traefik plugin !

To answer your questions:

There should be a log in traefik that contains 2024/06/23 12:00:00 Plugin: FailToBan is up and running
The plugin does not show logs of its usage. The plugin logs are currently only for the configuration part.
Currently, there is no mechanism to export the banned IP list.
Indeed, it looks for status codes in the response. If the algorithm detects a bad behavior, the user will not have the response, and will get ad 403.

FYI, here is a very small example on how to use the plugin on the traefik dashboard

# Makefile
all: stop start def traefik

start:
	k3d cluster create mycluster \
		-p 80:80@loadbalancer \
		--k3s-arg '--no-deploy=traefik@server:0' \
		-i rancher/k3s:v1.21.7-k3s1
	k3d image import traefik:v3.0 -c mycluster

def:
	kubectl apply \
		-f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml \
		-f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

traefik:
	kubectl apply -f ./traefik.yml

stop:
	k3d cluster delete mycluster

# traefik.yml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: default

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: default
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v3.0
          imagePullPolicy: IfNotPresent
          args:
            - --api.dashboard
            - --entrypoints.web.Address=:80
            - --global.checknewversion=false
            - --global.sendanonymoususage=false
            - --log.level=DEBUG
            - --providers.kubernetescrd
            - --experimental.plugins.fail2ban.modulename=github.com/tomMoulard/fail2ban
            - --experimental.plugins.fail2ban.version=v0.8.1
            - --entrypoints.web.http.middlewares=default-fail2ban@kubernetescrd
          ports:
            - name: web
              containerPort: 80
          tty: true

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: default

spec:
  type: LoadBalancer
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: traefik

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: fail2ban
spec:
  plugin:
    fail2ban:
      findtime: "60s"
      maxretry: 400
      bantime: "2h"
      statuscode:
        - "400-500"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  routes:
  - match: Host(`traefik.localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    kind: Rule
    services:
      - name: api@internal
        kind: TraefikService
    middlewares:
      - name: fail2ban

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Install Fail2Ban in Traefik K8S #130

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Install Fail2Ban in Traefik K8S #130

gioturmanidze Jun 19, 2024

Replies: 1 comment

tomMoulard Jun 23, 2024 Maintainer

gioturmanidze
Jun 19, 2024

tomMoulard
Jun 23, 2024
Maintainer