Iptables

Fail2ban redirect

  • August 14, 2016

I have just set up fail2ban on my CentOS reverse proxy server. I was able to get it to block all requests if a certain (very simple) criterion is met.

However, I now want to redirect offending users instead of blocking them. I know a custom action file can be used, but I can't seem to get it working. I would like to redirect to another port on the server (possibly running Apache with a custom page explaining why they were redirected), or to another website entirely.

Any ideas? Here is my attempt at redirecting to another port (the intent is to redirect offending users to port 8080 on the same server). The action is called firewall-redirect and is derived from firewallcmd-ipset.

# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.

[INCLUDES]

before = iptables-common.conf

[Definition]

actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
             firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src

actionstop = firewall-cmd --remove-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src
            ipset flush fail2ban-<name>
            ipset destroy fail2ban-<name>

actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist

actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  [ STRING ]
#
chain = INPUT_direct

# Option: bantime
# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values:  [ NUM ]  Default: 600

bantime = 600

# DEV NOTES:
#
# Author: Edgar Hoch and Daniel Black
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness

Also, here is the snippet of errors I see in the fail2ban.log file. I understand what is wrong with it, I just don't know how to fix it properly. :-)

2015-06-01 09:49:05,548 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stdout: ''
2015-06-01 09:49:05,548 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stderr: 'usage: see firewall-cmd man page\nfirewall-cmd: error: unrecognized arguments: -m set --match-set fail2ban-apache-gpd_flood src\n'
2015-06-01 09:49:05,549 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- returned 2
2015-06-01 09:49:05,549 fail2ban.actions        [11334]: ERROR   Failed to start jail 'apache-gpd_flood' action 'firewallcmd-redirect': Error starting action

Thanks in advance!

I'm not sure, but here are my suggestions:

  1. ipset is not always installed together with fail2ban. Can you check whether you have ipset installed?
  2. The answer at https://serverfault.com/a/671839/118677 suggests using iptables instead of firewalld. If you do that, you can rewrite actionban as:

iptables -t nat -A PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080

and actionunban as:

iptables -t nat -D PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080

(see here).
  3. Your bantime (3600) currently does not match the bantime in the Init section of the configuration. See "Dueling fail2ban and ipset timeouts".
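The following is an added example, not code from the question or the answer above: a complete fail2ban 0.9 action file that combines the two suggestions (ipset for the per-address timeout, iptables nat REDIRECT instead of firewall-cmd). One static nat rule matches the set, so actionban/actionunban only add and remove set entries, exactly as the stock firewallcmd-ipset action does. The file name, the set name f2b-<name>, and the ports 443 and 8080 are assumptions taken from the question.

```ini
# /etc/fail2ban/action.d/iptables-redirect.conf   (assumed path and file name)
#
# Added example: redirect banned clients' port-443 traffic to local port 8080
# instead of dropping it. Requires the ipset and iptables packages; fail2ban
# runs these commands as root.

[Definition]

# Create the set (timeout applied per entry), then insert one REDIRECT rule in
# the nat table that fires for any source address currently in the set.
# REDIRECT is a DNAT to the local host, so only the destination port changes;
# the client still believes it is talking to :443.
actionstart = ipset create <ipmset> hash:ip timeout <bantime> -exist
              iptables -t nat -I PREROUTING -p tcp --dport <port> -m set --match-set <ipmset> src -j REDIRECT --to-ports <toport>

# Remove the rule before destroying the set: the rule holds a reference to it
# and "ipset destroy" fails while that reference exists.
actionstop = iptables -t nat -D PREROUTING -p tcp --dport <port> -m set --match-set <ipmset> src -j REDIRECT --to-ports <toport>
             ipset flush <ipmset>
             ipset destroy <ipmset>

# fail2ban runs this before every ban; if it fails, actionstart is re-run,
# which recreates the rule after something like "iptables -t nat -F".
actioncheck = iptables -t nat -n -L PREROUTING | grep -q 'match-set <ipmset> src'

# Ban/unban touch only the set. -exist keeps a repeated ban from erroring out.
actionban = ipset add <ipmset> <ip> timeout <bantime> -exist

actionunban = ipset del <ipmset> <ip> -exist

[Init]

# Port the clients hit, and the local port they are redirected to (assumed).
port = 443
toport = 8080

# Per-entry ipset timeout in seconds. The stock jail.conf of fail2ban 0.9 passes
# the jail's bantime to the action, which is why the log above shows 3600 even
# though the [Init] default was 600; this default only applies if the jail
# passes none.
bantime = 600

# Set name. <name> is the jail name, as in the stock firewallcmd-ipset action.
ipmset = f2b-<name>
```

Enable it with `banaction = iptables-redirect` in the jail, then check the result with `ipset list f2b-<jail>` and `iptables -t nat -nL PREROUTING`. Two caveats: port 443 carries TLS, so the listener on 8080 must also speak TLS with the same certificate or clients will see a handshake error rather than the explanation page (redirecting port 80 avoids this); and PREROUTING only sees traffic arriving on an interface, so tests from the proxy host itself are not redirected. On a host that keeps firewalld, the same nat rule can be installed through its direct interface (`firewall-cmd --direct --add-rule ipv4 nat PREROUTING 0 -p tcp --dport 443 -m set --match-set f2b-<name> src -j REDIRECT --to-ports 8080`); the `--add-forward-port` option used in the question takes no iptables match arguments, which is what the "unrecognized arguments" error in the log is reporting.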

Quoted from: https://serverfault.com/questions/695850