If your fail2ban is on a host behind a Rackspace Cloud LoadBalancer, you’ll want to block the offending IP addresses directly in your LoadBalancer. If your LB is acting as a reverse proxy, you’ll HAVE to block in the LB, because the nodes only see connections arriving from the LB itself. Blocking there also protects all the other nodes behind the LB and offloads the lifting.

If you’re running WordPress, you might want to read Using fail2ban to block WordPress login attacks first.

I’m assuming you have fail2ban installed and up and running. If not, go fix that first (apt-get install fail2ban on Ubuntu).

Before we start, you need the following, available from your Rackspace control panel:

  • Your Rackspace cloud account ID
  • Your Rackspace username
  • Your Rackspace API key
  • Your Rackspace load balancer ID

Download the API wrapper

At the heart of the operation is the rackban script from Oliver Northam available on GitHub.

This script simply uses the Rackspace API to communicate with the LoadBalancer and change its access list. The change isn’t instant; it takes a few seconds. That is usually not an issue.

Download the script to a safe place. It will contain confidential information:

$ mkdir -p /root/bin
$ cd /root/bin
$ wget https://raw.githubusercontent.com/sidgtl/rackban/master/scripts/rackban.php

Now edit the file, entering the info from your control panel.

To test it, issue the following command:

$ php -f /root/bin/rackban.php ban 192.168.1.1

You should now see that the LB is updating in the control panel and within a few seconds, 192.168.1.1 DENY should show up in your access list.

To remove it again, simply issue:

$ php -f /root/bin/rackban.php unban 192.168.1.1

The IP should soon be removed from the access list again.

Set up the fail2ban action

Create the rackspace action by entering the following into /etc/fail2ban/action.d/rackspace.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = php -f /root/bin/rackban.php ban <ip>
actionunban = php -f /root/bin/rackban.php unban <ip>

Now you can use action = rackspace in your jail.
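Because each access-list change takes a few seconds and the action runs as root with whatever fail2ban extracted from a log line, a small guard script between fail2ban and rackban.php is useful. The following is an added example, not part of rackban or of the original post: it validates the address, refuses to ban addresses you list as protected, serialises calls with a lock, and retries. It assumes rackban.php exits non-zero when the API call fails and handles IPv4 only; the RACKBAN_* variable names are made up for this sketch.

```shell
#!/bin/sh
# Added example: guarded wrapper around the page's rackban.php calls.
# Assumptions: rackban.php exits non-zero when the API call fails, and
# IPv4 only. All RACKBAN_* variables are hypothetical names for this sketch.

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Return 0 if the address is listed in RACKBAN_NEVER_BAN (space separated).
is_protected() {
  for p in ${RACKBAN_NEVER_BAN:-}; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# rackban_safe ban|unban IP
# Exit codes: 0 ok, 1 API call kept failing, 2 bad input, 3 protected, 4 lock timeout.
rackban_safe() {
  action=$1; ip=$2
  case "$action" in ban|unban) ;; *) return 2 ;; esac
  valid_ipv4 "$ip" || return 2
  if [ "$action" = ban ] && is_protected "$ip"; then return 3; fi
  (
    # One access-list change at a time: the LB needs a few seconds per update.
    flock -w 60 9 || exit 4
    n=0
    while [ "$n" -lt "${RACKBAN_TRIES:-5}" ]; do
      ${RACKBAN_CMD:-php -f /root/bin/rackban.php} "$action" "$ip" && exit 0
      n=$((n + 1))
      sleep "${RACKBAN_DELAY:-5}"
    done
    exit 1
  ) 9>"${RACKBAN_LOCK:-/run/lock/rackban.lock}"
}

# Run only when called with arguments, e.g. from actionban/actionunban.
[ "$#" -eq 0 ] || rackban_safe "$@"
```

To use it, save it next to rackban.php and point actionban and actionunban at this script (with the same ban <ip> and unban <ip> arguments) instead of calling php directly.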