fail2ban on Pexip Reverse Reverse Proxy

Inspired by: Ben Hockley

It is really cool how Pexip can provide a way to offer browser based video conferencing to users that are located outside of an organisation. A common way to architect this functionality is to install a reverse proxy and TURN server at the organisations network edge.

One of the risks in providing this service is that the reverse proxy is exposed to the big bad Internet, making it more susceptible to individuals with malicious intent aiming brute force attacks at the platform to try to crack conference pins.

To mitigate this risk, it may be wise to implement a feature called fail2ban. fail2ban is a method to ban the source IP address from further communications with the system when it fails to enter the correct conference pin more than x times over a period of y time. It provides a way to stall or deter these brute force attacks intending to hack conference pins.

Here are some instructions to help you implement this fail2ban feature on the Pexip reverse proxy:

Installing fail2ban

If you don’t already have it, you can download the Pexip RP/TURN server here: and follow the documentation on the Pexip docs site (

I would highly recommend that you follow Andreas’ instructions to bring the RP up to scratch with OS versions, security patches and config modifications. Here it is:

ssh into the RP and run the following:

sudo bash
apt-get update
apt-get install fail2ban

Install some custom fail2ban rules and config:

sudo touch /etc/fail2ban/filter.d/pexiprp.conf
sudo touch /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/filter.d/pexiprp.conf

Now paste in the below config:

# Block PIN brute forcing attempts
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# To test this file do:
# fail2ban-regex /var/log/nginx/pexapp.access.log /etc/fail2ban/filter.d/pexiprppinbruteforce.conf
# Need a fail2ban rule that follows /var/log/nginx/pexapp.access.log  and matches:
# - - [24/Apr/2016:12:39:32 +0000]  "POST /api/client/v2/conferences/pextestpin/request_token HTTP/1.1" 403 56 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.13.0-83-generic" "" "403" "4.016"
failregex = ^ - - .*  "POST /api/client/v2/conferences/.*/request_token HTTP/.*" 403 .* "-" ".*" ".*" "403" ".*"$
ignoreregex =


Open the jail config file:

sudo nano /etc/fail2ban/jail.local

Paste in the below config:

# Fail2Ban configuration file.
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
# Comments: use '#' for comment lines and ';' for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.


# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip =

# "bantime" is the number of seconds that a host is banned.
bantime  = 300

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Name of the sender for mta actions
sendername = Fail2Ban


# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
# enabled = true
# in /etc/fail2ban/jail.local.
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 2

enabled  = true
filter   = pexiprp
logpath  = /var/log/nginx/pexapp.access.log
maxretry = 3
protocol = tcp
# and enable the new protection
/etc/init.d/fail2ban restart

# Now check the status:
fail2ban-client status pexiprp


What does it do?

This fail2ban config works on the RP logs – and can detect failed PIN entry attempts by scanning the nginx access logs for suspicious activity – and blocking the source IP responsible for that activity.

By default, it will block access for 300 (bantime) seconds if more than 5 (maxretry) attempts occur from the same host in 300 (findtime) seconds.
The blocking occurs at the iptables level – so the attacker is unable to connect to the RP server from the banned host IP for the duration of the ban.

Tuning behaviour

If you want to change the lock-out behaviour to make it more or less strict, you can simply edit jail.local and modify the “bantime = 300”, “maxretry = 5” or “findtime = 300” lines as appropriate (and restart fail2ban to pick up the changes).
I found this to be a good source to learn more:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s