Hi folks,
Could anyone explain to me why fail2ban does not seem to understand what to do with remoteip?
I mean: if you activate fail2ban while using Cloudflare, you’re going to ban Cloudflare’s rotating IPs… so after a while nobody will be able to visit your website.
So, in order to get correct URLs in my logs and ban them, you can activate Apache’s mod: remoteip
BUT: fail2ban does not work anymore.
Why? While your logs are still OK (the only difference is the IPs, which are private this time):
123.123.123.123 - - [28/Mar/2022:17:56:27 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3699 "https://site.com/wp-admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"
… the iptables rules generated are not, because instead of:
123.123.123.123 - -
you get things like:
123-123-123-123.provider.tld - -
It changes the . into - and it adds the domains! How could it ban, acting like this?
While the attacker 123.123.123.123 has been banned using 123.123.123.123.someblsh1t.com, he’s still attacking with 123.123.123.123 till the end of time.
I checked fail2ban’s action.d/iptables.conf, and nothing seems able to do that magically.
So if someone uses remoteip and fail2ban successfully, please help. I still want to do it this way, not by using Cloudflare’s API and interacting with the WAF.
Thanks so much