Fail2ban Sidecar in Kubernetes

I’m trying to get fail2ban to work with bitwarden_rs as a sidecar in Kubernetes. I have been able to get fail2ban to see the bitwarden logs and successfully ‘ban’ an IP, but nothing actually happens. I don’t actually get banned and can still connect to the site.

I’m using k3s with Traefik 1.X as a reverse proxy for bitwarden_rs.

I’m not sure on how this should work.
Do you have fail2ban running in the Traefik container? Or in another, separate container? Because fail2ban will probably run the iptables command within its own container, which will not block anything.

But I have no idea how Traefik and fail2ban communicate with each other.

Because fail2ban is a sidecar for bitwarden_rs, they share the same network space. I would think that if properly configured, fail2ban could block the incoming connections on the port that bitwarden_rs is using. I’m just not sure how to do that.

Well, I think there is an issue with the proxying here. The proxy receives the actual client IP, but bitwarden and the sidecar will probably receive only the IP from the proxy, and thus cannot and will not block the original source/client IP.

Yeah, it’s definitely doing that. I imagine there is a way to configure it to pass the original IP. However, why wouldn’t it be able to block the proxy’s IP?

At this point it’s just easier to have 2FA configured (and better anyway). Now it’s just me wondering how to solve this problem.

You need to make fail2ban a sidecar of the reverse proxy, and share the volume where the bitwarden logs are written.

That should solve it.
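The layout suggested in the last reply, written out as a Kubernetes manifest. This is an added example, not configuration from the thread or from the bitwarden_rs or Traefik projects. It assumes a ReadWriteMany PVC named `bitwarden-logs` that the bitwarden_rs pod writes its log file into, a ConfigMap `fail2ban-config` holding the jail and filter the poster already has working, the `crazymax/fail2ban` image and its `/data` config layout, and placeholder image tags.

```yaml
# Added example (not from the thread). Names, image tags, paths and the
# crazymax/fail2ban /data layout are assumptions; adjust to your cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      containers:
        - name: traefik
          image: traefik:1.7            # assumption: Traefik 1.x as in the thread
          ports:
            - containerPort: 80
            - containerPort: 443
        # fail2ban runs in the SAME pod as Traefik, so it shares Traefik's
        # network namespace: iptables rules it installs apply to the socket
        # that actually receives the client connection, not to the sidecar
        # of bitwarden_rs, which only ever sees the proxy's IP.
        - name: fail2ban
          image: crazymax/fail2ban:latest   # assumption
          securityContext:
            capabilities:
              add: ["NET_ADMIN", "NET_RAW"]  # needed to run iptables in the pod netns
          volumeMounts:
            - name: bitwarden-logs
              mountPath: /var/log/bitwarden  # jail logpath must point inside here
              readOnly: true
            - name: fail2ban-config
              mountPath: /data/jail.d        # assumption: image's jail directory
      volumes:
        # Log volume shared with the bitwarden_rs pod; must be mountable by
        # both pods (RWX storage, or hostPath on a single-node k3s).
        - name: bitwarden-logs
          persistentVolumeClaim:
            claimName: bitwarden-logs
        - name: fail2ban-config
          configMap:
            name: fail2ban-config
```

For the ban to match the real client, the Traefik Service must preserve the source IP (for a LoadBalancer or NodePort Service, `externalTrafficPolicy: Local`); otherwise fail2ban would only ever see and block a node or service IP.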