Using fail2ban from behind a Rackspace Cloud LoadBalancer

If your fail2ban is on a host behind a Rackspace Cloud LoadBalancer, you’ll want to block the offending IP addresses directly in your LoadBalancer rather than only in the node’s own firewall. If your LB is acting as a reverse proxy, you’ll HAVE to block in the LB: every connection then reaches the node from the LB’s own address, so a local iptables rule for the attacker’s address matches nothing, and a rule for the LB’s address blocks every visitor. Even when that is not the case, a ban in the LB protects all other nodes behind it and offloads the work of dropping the traffic.

If you’re running WordPress, you might want to read Using fail2ban to block WordPress login attacks first.

I’m assuming you have fail2ban installed and up and running. If not, go fix that first (apt-get install fail2ban on Ubuntu).

Before we start, you need the following, available from your Rackspace control panel:

  • Your Rackspace cloud account ID
  • Your Rackspace username
  • Your Rackspace API key
  • Your Rackspace load balancer ID

Download the API wrapper

At the heart of the operation is the rackban script from Oliver Northam available on GitHub.

This script simply uses the Rackspace API to talk to the LoadBalancer and change its access list. The change isn’t instant; it takes a few seconds to apply, which is usually not an issue.
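To show what such a wrapper actually has to do, here is an added example of a minimal client for the load balancer access list. It is my own code, not the rackban script: the endpoint paths, JSON shapes and the X-Auth-Token header follow my recollection of the Rackspace Cloud Load Balancers v1.0 and Identity v2.0 APIs and should be treated as assumptions; the region "lon", the account and LB IDs and the credentials in demo() are placeholders; and FakeRackspaceAPI is a constructed in-memory stand-in for the service so the example runs offline.

```python
"""Added example: ban/unban an address in a Rackspace Cloud LB access list.

API paths and JSON shapes are assumptions from memory, not taken from rackban.
"""
import ipaddress
import json
import urllib.request

IDENTITY_URL = "https://identity.api.rackspacecloud.com/v2.0/tokens"  # assumed


def lb_access_list_url(region, account_id, lb_id):
    """Access-list endpoint for one load balancer (assumed URL layout)."""
    return (f"https://{region}.loadbalancers.api.rackspacecloud.com"
            f"/v1.0/{account_id}/loadbalancers/{lb_id}/accesslist")


def auth_body(username, api_key):
    """Identity v2.0 API-key credential body (assumed shape)."""
    return {"auth": {"RAX-KSKEY:apiKeyCredentials":
                     {"username": username, "apiKey": api_key}}}


def deny_body(ip):
    """Access-list POST body. ipaddress.ip_address() raises ValueError on anything
    that is not a literal address, so a malformed <ip> from a jail never reaches
    the API (the address ends up in a URL/JSON body, so never trust it blindly)."""
    return {"accessList": [{"address": str(ipaddress.ip_address(ip)), "type": "DENY"}]}


def find_item_id(access_list, ip):
    """Network-item id of the DENY entry for ip, or None if there is none."""
    for item in access_list:
        if item.get("address") == ip and item.get("type") == "DENY":
            return item["id"]
    return None


def http_json(method, url, body=None, token=None):
    """Real transport: JSON over HTTPS, token in the X-Auth-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}   # 202 Accepted comes back empty


class AccessListClient:
    def __init__(self, region, account_id, lb_id, username, api_key, send=http_json):
        self.url = lb_access_list_url(region, account_id, lb_id)
        self.username, self.api_key = username, api_key
        self.send = send        # injectable transport; the fake below uses it
        self.token = None

    def _token(self):
        """Authenticate once and cache the token for later calls."""
        if self.token is None:
            resp = self.send("POST", IDENTITY_URL, auth_body(self.username, self.api_key))
            self.token = resp["access"]["token"]["id"]
        return self.token

    def ban(self, ip):
        self.send("POST", self.url, deny_body(ip), self._token())

    def unban(self, ip):
        """Remove only the entry for ip; other DENY entries stay untouched."""
        items = self.send("GET", self.url, None, self._token())["accessList"]
        item_id = find_item_id(items, ip)
        if item_id is None:
            return False        # unbanning an unknown address is not an error
        self.send("DELETE", f"{self.url}/{item_id}", None, self._token())
        return True


class FakeRackspaceAPI:
    """Constructed stand-in for the service, just enough to exercise the client."""
    def __init__(self):
        self.items, self.next_id, self.calls = [], 100, []

    def __call__(self, method, url, body=None, token=None):
        self.calls.append(method)
        if url == IDENTITY_URL:
            return {"access": {"token": {"id": "fake-token"}}}
        assert token == "fake-token", "every LB call must carry X-Auth-Token"
        if method == "POST":
            for entry in body["accessList"]:
                self.items.append({"id": self.next_id, **entry})
                self.next_id += 1
        elif method == "DELETE":
            item_id = int(url.rsplit("/", 1)[1])
            self.items = [i for i in self.items if i["id"] != item_id]
        return {"accessList": list(self.items)}


def demo():
    """Ban then unban 192.168.1.1 against the fake; returns what happened."""
    api = FakeRackspaceAPI()
    client = AccessListClient("lon", "123456", "987654", "user", "apikey", send=api)
    client.ban("192.168.1.1")
    after_ban = [i["address"] for i in api.items]
    removed = client.unban("192.168.1.1")
    return after_ban, removed, api.items, api.calls


if __name__ == "__main__":
    print(demo())
```

With the real transport, ban() is a POST to the access list and unban() is a GET to look up the entry’s id followed by a DELETE of that one entry, which is why the page says the change takes a few seconds rather than being instant.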

Download the script to a safe place and make it readable only by root (chmod 600), since it will contain your API key:

Now edit the file, entering the info from your control panel:

To test it, issue the following command:

You should now see that the LB is updating in the control panel and, within a few seconds, 192.168.1.1 DENY should show up in your access list. 192.168.1.1 is a private address, so this test blocks no real visitor.

To remove it again, simply issue:

The IP should soon be removed from the access list again.

Set up the fail2ban action

Create the rackspace action by entering the following into /etc/fail2ban/action.d/rackspace.conf:

Now you can use action = rackspace in your jail and reload fail2ban.
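Since the action file itself is not reproduced on this page, here is an added example of what a rackspace.conf in this shape looks like, together with a jail entry that uses it. It is my own, not the author’s: the path /usr/local/sbin/rackban and the add/remove argument convention are assumptions about how the wrapper is invoked, as are the jail and filter names, so substitute whatever your copy of the script and your filter expect. Before enabling it, confirm that the address your filter extracts from the log is the real client address and not the LB’s own (when the LB proxies, that means matching the X-Forwarded-For value), or you will end up denying the LB’s address instead of the attacker’s.

```ini
# /etc/fail2ban/action.d/rackspace.conf  (added example; rackban arguments assumed)
[Definition]

# Nothing to set up or tear down: the access list lives in the LB, not on this host.
actionstart =
actionstop =

# Run before each ban/unban; a non-zero exit would make fail2ban re-run actionstart.
actioncheck =

# <ip> is substituted by fail2ban. The script takes a few seconds to apply the change.
actionban   = /usr/local/sbin/rackban add <ip>
actionunban = /usr/local/sbin/rackban remove <ip>

[Init]


# /etc/fail2ban/jail.local (excerpt): a jail using the action above; names assumed
[wordpress]
enabled  = true
filter   = wordpress
logpath  = /var/log/apache2/access.log
action   = rackspace
maxretry = 5
bantime  = 3600
```

Keep bantime finite: every DENY entry stays in the LB access list until actionunban removes it, so a permanent ban on a shared or dynamic address silently locks out later, innocent users of that address across all nodes.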
