I have several services running at home. I have a VPS running NGINX Proxy Manager and Tailscale, also some of my services get proxied through Cloudflare Tunnels. Both of these prevent my servers from seeing the actual IP address that is connecting to them.
The situation is:
- My servers can see the failed login attempts, but they can't see the real client IP address.
- The VPS can see the real client IP, but it's unaware of the failed login attempts.
So the idea I had was to have some way of parsing the connection logs on my servers, when there is more than "X" failed login attempts the log entry of each failed login can be sent to the VPS. On the VPS there would be some way to compare the time from the server logs, with the time of the connection logs of the VPS. With this info the VPS could then make a fairly safe guess at which IP the attack is coming from and block that IP at the VPS.
Does anything that can do this already exist?
To add more details:
On the VPS I already have several well known block lists, along with Crowdsec, which has significantly reduced the failed login attempts on my servers, but I would like to be able to use more specific Crowdsec bouncers, or Fail2Ban, to stop the specific IPs.
The use of Tailscale and Cloudflare was by choice. I previously used a Wireguard tunnel and everything went through the VPS; this setup DID allow my servers to see the actual IP addresses. The reason for the change was that it was simply too much of a pain to manage, and I am too busy lately to properly manage it. By making the changes I did, I greatly simplified managing everything and increased the reliability, and using Cloudflare has significantly increased the performance of several services.
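The timestamp-correlation idea from the post, as an added example that is not part of the original post: each backend failed login is credited to the single nearest login request in the VPS proxy log, and an IP is flagged once it collects enough credits. Both log formats are constructed for illustration, and it assumes the backend and the VPS share a synced UTC clock.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed backend auth log: it only sees the proxy's address, so no client IP.
BACKEND_LOG = """\
2024-05-01T10:00:01Z auth: failed login for user admin
2024-05-01T10:00:03Z auth: failed login for user admin
2024-05-01T10:00:05Z auth: failed login for user root
2024-05-01T10:02:00Z auth: login ok for user alice
2024-05-01T10:05:00Z auth: failed login for user bob
"""

# Constructed VPS proxy access log: real client IP, but no login outcome.
PROXY_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 POST /login
2024-05-01T10:00:02Z 198.51.100.9 GET /
2024-05-01T10:00:03Z 203.0.113.7 POST /login
2024-05-01T10:00:05Z 203.0.113.7 POST /login
2024-05-01T10:02:00Z 198.51.100.9 POST /login
"""

FAILED_RE = re.compile(r"^(\S+) auth: failed login")
PROXY_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+)")

def parse_ts(text):
    # Both hosts must share one clock (UTC, NTP-synced) or the match drifts.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def failed_login_times(log):
    return [parse_ts(m.group(1)) for m in map(FAILED_RE.match, log.splitlines()) if m]

def login_requests(log, path="/login"):
    # Only requests to the login endpoint can explain a failed login.
    out = []
    for m in map(PROXY_RE.match, log.splitlines()):
        if m and m.group(3) == path:
            out.append((parse_ts(m.group(1)), m.group(2)))
    return out

def suspect_ips(backend_log, proxy_log, window_s=2, threshold=3):
    """Credit each failure to the nearest login request within window_s; return IPs with >= threshold credits."""
    reqs = login_requests(proxy_log)
    window = timedelta(seconds=window_s)
    hits = Counter()
    for t in failed_login_times(backend_log):
        best = min(reqs, key=lambda r: abs(r[0] - t), default=None)
        if best and abs(best[0] - t) <= window:  # unmatched failures are not attributed
            hits[best[1]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

The flagged dictionary is what a Fail2Ban action or CrowdSec decision on the VPS would consume; the 10:05:00 failure has no proxy request near it and is deliberately left unattributed rather than guessed.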
Is there any way to configure Cloudflare to send an additional header with the original IP in it? Then you could run fail2ban on that data.