Iptables
Fail2ban 重定向
I have just set up fail2ban on my CentOS reverse proxy server. I am able to have it block all requests when a certain (very simple) criterion is met.
However, I now want to redirect offending users instead of blocking them. I know a custom action file can be used for this, but I can't seem to get it working properly. I want to redirect either to another port on the same server (possibly running Apache with a custom page explaining why they were redirected) or to another website entirely.
Any ideas? Here is my attempt at redirecting to another port (the aim is to send offending users to port 8080 on the same server). The action is called firewall-redirect and is derived from firewallcmd-ipset.
```
# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you may need to patch in external
# modules.

[INCLUDES]

before = iptables-common.conf

[Definition]

actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src

actionstop = firewall-cmd --remove-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>

actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist

actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]

# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct

# Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600
bantime = 600

# DEV NOTES:
#
# Author: Edgar Hoch and Daniel Black
# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness
```
Also, here is a snippet of the errors I see in the fail2ban.log file. I understand what is wrong with it, I just don't know how to fix it properly. :-)
```
2015-06-01 09:49:05,548 fail2ban.action [11334]: ERROR ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600 firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stdout: ''
2015-06-01 09:49:05,548 fail2ban.action [11334]: ERROR ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600 firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stderr: 'usage: see firewall-cmd man page\nfirewall-cmd: error: unrecognized arguments: -m set --match-set fail2ban-apache-gpd_flood src\n'
2015-06-01 09:49:05,549 fail2ban.action [11334]: ERROR ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600 firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- returned 2
2015-06-01 09:49:05,549 fail2ban.actions [11334]: ERROR Failed to start jail 'apache-gpd_flood' action 'firewallcmd-redirect': Error starting action
```
Thanks in advance!
I'm not sure, but here are my suggestions:

1. ipset is not always installed together with fail2ban. Can you check whether you actually have ipset installed?
2. The answer at https://serverfault.com/a/671839/118677 suggests using iptables instead of firewalld. If you do that, you can rewrite `actionban` as:
   ```
   iptables -t nat -A PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080
   ```
   and `actionunban` as:
   ```
   iptables -t nat -D PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080
   ```
   (see here).
3. Your bantime (3600) currently does not match the bantime in the Init section of the configuration. See "Dueling fail2ban and ipset timeouts".
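Putting points 2 and 3 together, here is a complete action file that keeps the ipset from the question but installs the redirect with the iptables nat table, so no iptables match arguments are ever handed to firewall-cmd. This is an added example, not code from the question, the answer or the fail2ban project; it assumes fail2ban 0.9 action syntax (the `<iptables>`, `<name>`, `<ip>` and `<bantime>` tags supplied via iptables-common.conf), HTTPS on port 443, the explanatory page on port 8080 and eth0 as the ingress interface.

```ini
# Added example: ipset + iptables nat REDIRECT action for fail2ban.
# Assumptions: fail2ban 0.9 tags from iptables-common.conf, 443 -> 8080, eth0.
[INCLUDES]

before = iptables-common.conf

[Definition]

# One nat rule for the whole set: traffic from any address in the set that
# arrives on 443 is redirected to 8080 before routing. The set itself
# expires entries after <bantime> seconds.
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              <iptables> -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -m set --match-set fail2ban-<name> src -j REDIRECT --to-ports 8080

# Remove the rule first so nothing still references the set when it is destroyed.
actionstop = <iptables> -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -m set --match-set fail2ban-<name> src -j REDIRECT --to-ports 8080
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>

# Ban and unban only touch the set, never the iptables rule.
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist

actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]

# Option: bantime
# Notes: ipset entry lifetime in seconds. fail2ban's unban timer uses the
#        jail's bantime, so keep the two equal by overriding this per jail,
#        e.g. action = firewall-redirect[name=%(__name__)s, bantime=3600]
#        (action name is the one from the question, used here as a placeholder).
# Values: [ NUM ] Default: 600
bantime = 600
```

After reloading, `ipset list fail2ban-<name>` should show banned addresses with their remaining timeout, and `iptables -t nat -L PREROUTING -n` should show exactly one REDIRECT rule referencing the set.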