Fail2ban and DMZ

Hello, I do have a question implementing fail2ban (or similar) for a vaultwarden server (in GREEN) that serves requests via reverse proxy. That proxy is in ORANGE (my DMZ) and reachable on port 443 only. I did create 2 pinholes to the vaultwarden server. It works quite good. (By the way the ipfire setup for DMZ is quite easy to work with. Thank you very much! )
But here comes the tricky part:
Vaultwarden recommends fail2ban to hinder brute force attacks. The reverse proxy sends the real ip for the connections so fail2ban could act on the right ip. The problem though - I need to block on the firewall or the dmz proxy. Blocking in the LAN does nothing as far as I understand it. So is there a way to report the attempts to ipfire and let it block (mailicious) ips at least temporary? Or am I missing something here?

Hi, blocking on the vaultwarden host at least ensures that malicious requests no longer reach the application software directly. I think my approach would be to log vaultwarden’s status codes (e.g. 403) at the proxy and block with fail2ban there.


Good idea with the proxy there! I haven‘t considered that it knows of the failed login too. Blocking at the vaultwarden instance isn‘t possible as far as I understand it. The connection comes from the proxy so iptables mustn‘t block that.