Apache CloudStack does not have a built-in mechanism to rate-limit failed authentication attempts on the API. This potentially allows an attacker to brute-force credentials and gain access.
The api.allowed.source.cidr.list configuration option in CloudStack can be used, globally or per account, to limit the source IPs from which the API accepts requests. This is always good to do (if possible), but it does not cover every use case.
Sometimes you just want to keep malicious traffic outside the door, and fail2ban can help there.
Nginx proxy in front of CloudStack
A common use case is that the Management Server of Apache CloudStack is not directly connected to the network, but is placed behind a reverse proxy like Nginx or something similar.
This proxy can then also handle SSL termination.
In this example we’re using Nginx as a proxy.
Using fail2ban we can scan the access logs of Nginx and block IP addresses that are abusing our API. In this case we filter on two HTTP status codes: 401 and 531.
This means we create the following files, a jail definition and a filter definition:
Jail:

[nginx-401]
enabled = true
port = http,https
filter = nginx-401
action = iptables-allports
logpath = %(nginx_access_log)s
bantime = 3600
findtime = 600
maxretry = 25
ignoreip = 127.0.0.1/8

Filter (fail2ban replaces the <HOST> placeholder with its own pattern for the client address):

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 401
Change 401 to 531 where needed to also block HTTP code 531.
The action taken by fail2ban is iptables-allports, which causes iptables to block all traffic from the offending source IP for the duration of the ban.
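To check that the filter above matches the lines you expect before enabling the jail, here is an added Python example (not from the original post) that expands fail2ban's <HOST> placeholder into a capture group, runs the 401 and 531 variants of the failregex over constructed Nginx access-log lines and tallies failures per source IP the way the jail's maxretry does. The sample log lines and the simplified placeholder expansion are assumptions; real fail2ban also strips the timestamp before matching and only counts failures inside findtime.

```python
import re
from collections import Counter

# failregex exactly as written in the fail2ban filter above, with the HTTP
# status code parameterised so one function serves both the 401 and 531 filters.
FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" {code}'


def compile_failregex(code: int) -> re.Pattern:
    """Expand fail2ban's <HOST> placeholder into a named group and compile.
    Simplified (assumption): fail2ban's own <HOST> pattern is more specific."""
    pattern = FAILREGEX.format(code=code).replace("<HOST>", r"(?P<host>\S+)")
    return re.compile(pattern)


# Constructed sample Nginx access-log lines (combined format) for a proxy in
# front of the CloudStack API; addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /client/api?command=listVirtualMachines HTTP/1.1" 401 84 "-" "curl/8.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "POST /client/api HTTP/1.1" 401 84 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /client/api?command=listZones HTTP/1.1" 200 1532 "-" "cloudmonkey"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "POST /client/api HTTP/1.1" 531 84 "-" "python-requests/2.31"
203.0.113.10 - - [10/May/2024:12:00:05 +0000] "HEAD /client/api HTTP/1.1" 531 0 "-" "curl/8.0"
"""


def count_failures(log_text: str, codes=(401, 531)) -> Counter:
    """Count matching lines per source IP, as fail2ban tallies failures."""
    regexes = [compile_failregex(c) for c in codes]
    hits = Counter()
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line even if several filters match
    return hits


def hosts_to_ban(log_text: str, maxretry: int, codes=(401, 531)) -> list:
    """IPs that reached maxretry failures (the jail above uses 25); this
    offline check ignores the findtime window and counts every line."""
    return sorted(h for h, n in count_failures(log_text, codes).items()
                  if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Lines with a 200 status are ignored even though they come from the same client, so normal API usage mixed with a few failures does not get a host banned.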