Skip to content

juitde/traefik-plugin-fail2ban

Repository files navigation

Fail2Ban middleware plugin for traefik reverse proxy

Continuous Integration Status

This plugin is a small but growing implementation of a fail2ban instance as a middleware plugin for traefik. It is inspired by other implementations similar in the goal but is tailored to our needs.

Inspirations taken from:

Installation

Installation instructions are provided via the traefik Plugin Catalog.

CAUTION: Breaking Changes

Version 0.2.0

  • traefik v2.10+ is required due to now having a vendored dependency which results in go routine panics in previous traefik versions.

Configuration

All configuration options may be specified either in config files or as CLI parameters.

Always allowing or blocking certain IPs(/IP-ranges)

There can be configured certain ip addresses or ranges which are either always allowed or always denied access. Blocking always takes precedence before allowing access and allowing access takes precedence before executing other fail2ban rules.

testData:
    alwaysAllowed:
        ip: "::1,127.0.0.1"
    alwaysDenied:
        ip: "192.168.0.0/24"

Restricting logging messages

In order to help managing the use of this plugin the level of logged messages can be adjusted.

testData:
    logLevel: "INFO"

Fail2Ban rules

The ultimate goal is to support any rule matcher fail2ban supports themselves but implementation follows the direct needs of our projects.

Currently the implemented settings consist of:

testData:
    rules:
        banTime: "3h"
        findTime: "10m"
        maxRetries: 4
        response:
            statusCodes: "400,401,403-499"

Processing requests

Prior to executing the defined rules if the Remote IP is in the alwaysDenied-list the request will be immediately denied. This applies for the alwaysAllowed-list accordingly.

In the first request from an unknown IP address they are added to the pool starting the findTime timer:

In every subsequent request (while the findTime is not exceeded) the IP address counter in the pool is incremented and the rules are checked.

How to develop in this project

  • First clean install vendor dependencies: make clean vendor