rowingpeter_s
New Pleskian
ModSecurity and Fail2Ban are working well; however, we have one Plesk subscription that sits behind a separate proxy server, so the Real-IP that is recorded in modsec_audit.log is the IP address of the proxy server. As a result, it is the proxy server [rather than the requesting client] that is being banned when ModSecurity rules are triggered.
The ModSecurity log contains both
X-Real-IP: 31.3.246.xxx
X-Forwarded-For: 41.13.216.yyy
We really want to configure so requests are blocked when the "X-Forwarded-For: 41.13.216.yyy" header is present.
It looks as though this could be quite a simple adjustment to the default filters/jails that are provided with Plesk Onyx. Looking for help with how to achieve this.
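One way to choose the address to act on from a ModSecurity audit entry, as an added example that is not part of the original post or of the filters shipped with Plesk: X-Forwarded-For is believed only when the connection itself comes from the known proxy. The proxy address, the log entries and the function names are constructed assumptions.

```python
import ipaddress
import re

# Assumption: address of the reverse proxy in front of the subscription.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}

# Constructed entries in ModSecurity's serial audit-log layout (parts A, B, Z).
SAMPLE_LOG = """--aaaa0001-A--
[10/Oct/2018:13:55:36 +0000] W7xAAAAA 192.0.2.10 40112 198.51.100.5 443
--aaaa0001-B--
GET /wp-login.php HTTP/1.1
X-Real-IP: 192.0.2.10
X-Forwarded-For: 203.0.113.20
--aaaa0001-Z--
--aaaa0002-A--
[10/Oct/2018:13:56:02 +0000] W7xBBBBB 203.0.113.77 51000 198.51.100.5 443
--aaaa0002-B--
GET /?id=1 HTTP/1.1
X-Forwarded-For: 10.9.9.9
--aaaa0002-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
XFF = re.compile(r"^X-Forwarded-For:\s*(.+)$", re.IGNORECASE)

def pick(peer, forwarded, trusted):
    if peer not in trusted:
        return str(peer)  # direct connection: ignore the client-supplied header
    for hop in reversed(forwarded):  # right to left, skipping our own proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: no address we can rely on
        if addr not in trusted:
            return str(addr)
    return None  # no usable client address; never fall back to the proxy

def offender_ips(log_text, trusted=TRUSTED_PROXIES):  # one address per usable entry
    found, section, peer, forwarded = [], None, None, []
    for line in log_text.splitlines():
        if m := BOUNDARY.match(line):
            section = m.group(1)
            if section == "Z" and peer is not None:
                found.append(pick(peer, forwarded, trusted))
                peer = None
        elif section == "A" and line.startswith("["):
            peer, forwarded = ipaddress.ip_address(line.split("] ", 1)[1].split()[1]), []
        elif section == "B" and (m := XFF.match(line)):
            forwarded += [p.strip() for p in m.group(1).split(",")]
    return [ip for ip in found if ip]
```

A firewall ban for the extracted address on the backend does not stop requests that still arrive from the proxy's address, so the block has to be enforced on the proxy or at the web-server layer.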