This article explains how to add an action on fail2ban to block offender IPs on a netscaler load balancer using the netsclaer NITRO API Fail2ban is a useaful tool for linux server which periodically scan your applications logs and identify brute force attacks (ie. attampts to hack you user/pass). The details of how fail2ban does this is out of the scope of this article, but in a nutshell it uses regex query to identify failed login attempts, if you want to know more how it works please visit the site. Fail2ban is quite modular and has different actions that can be taken when it encounters an attack. The default action on a linux server is to block the attacker IP using iptables, this becomes a problem when your application is behind a reverse proxy appliance such as the Citrix Netscaler since the IP fail2ban will see is that of the reverse proxy appliance and not of the user itself.
"It's important to note the issue only occure when the Netscaler is deployed as one-armed or if it's deployed inline but USIP is disabbled."
This article assumes you already have fail2ban configured on your server and we only looking to change the action on your configuration to block using a Netscaler appliance instead of iptables.
"All Netsclaer actions will be done using the CLI"
The first thing we have to do it create an account on the netscaler, for security reaons we will only grant the permissions to add/remove IPs to our black-list to that account.
<p>add system cmdPolicy f2ban_policy ALLOW "^bind.policy.dataset.*$|^unbind.policy.dataset.*$"</p>
<p>add system user f2ban MySecretPassword</p>
<p>bind system user f2ban f2ban_policy 100</p>
Hellow world again nice isn't it   i'm doing it  
Hello world 1   this is the first