• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Fail2ban not correctly banning IPs from users passing through Cloudflare even if real visitor's IPs are blocked by Fail2ban.

raykai

Basic Pleskian
Hi,
I'm having a problem where Fail2ban is banning IPs of real bad visitors but as the bad users are coming in by Cloudflare proxy they can still hit my server on ports 80 and 443 even if I have Fail2ban blocking the IPs for all ports.

I restore the IPs from real visitors following this guide: https://support.plesk.com/hc/en-us/...behind-load-balancer-or-reverse-forward-proxy
I used the Server-wide solution with Nginx enabled option.

So in my logs do show the real IPs and not the IPs of Cloudflare. Fail2ban is listing and blocking the real visitor IPs but they can still connect to my server when I have Cloudflare proxy on.

I tested with having Cloudflare proxy off and it is blocking IPs correctly. But if I turn the Cloudflare proxy on I can hit my server even if the IP I'm using (VPN) is banned in Fail2ban.

Here is my Fail2Ban Filter:
Snipaste_2021-10-16_07-56-44.png

This is my Fail2Ban Jail:
Snipaste_2021-10-16_07-57-18.png
(note the max retry # is low just for testing.)

How can I get Fail2Ban to work correctly with Cloudflare?
 
You cannot. Fail2ban IP/port bans operate at a network level, and use iptables to drop incoming connections. The incoming connection still comes from a Cloudflare IP and is simply rewritten to a different IP by Apache at an application level. You cannot rewrite the TCP SRC IP to the real IP like you can with Apache, so you cannot properly block users.

You can consider blocking them with a 403 access code or at Cloudflare.
 
You cannot. Fail2ban IP/port bans operate at a network level, and use iptables to drop incoming connections. The incoming connection still comes from a Cloudflare IP and is simply rewritten to a different IP by Apache at an application level. You cannot rewrite the TCP SRC IP to the real IP like you can with Apache, so you cannot properly block users.

You can consider blocking them with a 403 access code or at Cloudflare.
how would I make it block from Cloudflare?
 
Back
Top