I've just finished setting up fail2ban on my CentOS reverse proxy server. I was able to get it to block all requests if a certain criterion was met (pretty straightforward).

However, I'd now like to redirect the offending users instead of blocking them. I know it's possible using a custom action file, but I just can't seem to get it to work correctly. I'd like to redirect to either another port on the server (maybe running Apache with a custom webpage saying why they were redirected) or to another website entirely.

Any thoughts? Here's my attempt at redirecting to another port (the intention was to redirect offending users to port 8080 on the same server). The action is called firewall-redirect, and it was derived from firewallcmd-ipset.

# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.

[INCLUDES]

before = iptables-common.conf

[Definition]

actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src

actionstop = firewall-cmd --remove-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-<name> src
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>

actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist

actionunban = ipset del fail2ban-<name> <ip> -exist

[Init]

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  [ STRING ]
#
chain = INPUT_direct

# Option: bantime
# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values:  [ NUM ]  Default: 600

bantime = 600

# DEV NOTES:
#
# Author: Edgar Hoch and Daniel Black
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness

Also, here's a snippet of the error I'm seeing in the fail2ban.log file. I understand what it's erroring on, I just don't know how to properly fix it. :-)

2015-06-01 09:49:05,548 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stdout: ''
2015-06-01 09:49:05,548 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- stderr: 'usage: see firewall-cmd man page\nfirewall-cmd: error: unrecognized arguments: -m set --match-set fail2ban-apache-gpd_flood src\n'
2015-06-01 09:49:05,549 fail2ban.action         [11334]: ERROR   ipset create fail2ban-apache-gpd_flood hash:ip timeout 3600
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080 -m set --match-set fail2ban-apache-gpd_flood src -- returned 2
2015-06-01 09:49:05,549 fail2ban.actions        [11334]: ERROR   Failed to start jail 'apache-gpd_flood' action 'firewallcmd-redirect': Error starting action

Thanks in advance!

JoeInVT

1 Answer

I'm not sure, but here are my suggestions:

  1. Here it says that ipset is not always installed together with fail2ban. Could you please check if you have ipset installed?

  2. The answer at https://serverfault.com/a/671839/118677 suggests using iptables instead of firewalld. If you do this, you could rewrite actionban as (`<ip>` is the placeholder fail2ban substitutes with the banned address):

    iptables -t nat -A PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080

    and actionunban as:

    iptables -t nat -D PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080

    (see here).

  3. Your bantime (3600) currently does not match the bantime in the Init section of your config. See Dueling fail2ban and ipset timeouts.

Andrey Sapegin
  • Thanks @Andrey Sapegin! #2 was what I needed. Here are the final actions I used: `actionban = iptables -t nat -A PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080` and `actionunban = iptables -t nat -D PREROUTING -i eth0 -p tcp -s <ip> --dport 443 -j REDIRECT --to-port 8080`. Thanks again! – JoeInVT Jun 03 '15 at 13:19
  • If you have a strict iptables ruleset you have to add a rule in the INPUT chain as well, because PREROUTING takes action before INPUT! I extend the command (2.) as follows: `actionban = [your-PREROUTING-here] + iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT` and the `actionunban` accordingly with `iptables -D INPUT...` – Michael P Jun 21 '19 at 19:17
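Putting the answer's iptables approach (point 2) and Michael P's INPUT-chain note together, here is a complete action file. It is an added example written for this page, not the original poster's file and not one shipped with fail2ban. It assumes plain `iptables` works on the host (no firewalld, or firewalld on the iptables backend without reloads that flush direct rules), that the jail passes `port` and `toport` as action parameters, and it uses a dedicated nat chain `f2b-<name>` (a name chosen here, in the style of fail2ban's own `f2b-` chains) rather than appending to PREROUTING directly, so a jail restart or duplicate ban cannot leave stray rules behind.

```ini
# Fail2Ban action: send a banned client's port-443 traffic to port 8080
# instead of dropping it. Added example, not from the original thread.
#
# Assumes: iptables is usable directly, and a web server on <toport>
# serves the "why you were redirected" page.
#
# Usage (jail.local):
#   [apache-gpd_flood]
#   enabled = true
#   action  = iptables-redirect[name=apache-gpd_flood, port=443, toport=8080]

[Definition]

# Create a per-jail nat chain and hook it into PREROUTING, and accept
# the redirected traffic on <toport>: REDIRECT happens in PREROUTING,
# before the INPUT chain ever sees the packet (Michael P's point).
actionstart = iptables -t nat -N f2b-<name>
              iptables -t nat -I PREROUTING -p tcp --dport <port> -j f2b-<name>
              iptables -I INPUT -p tcp --dport <toport> -j ACCEPT

# Unhook, flush, then delete the chain (deleting a non-empty chain fails).
actionstop = iptables -t nat -D PREROUTING -p tcp --dport <port> -j f2b-<name>
             iptables -t nat -F f2b-<name>
             iptables -t nat -X f2b-<name>
             iptables -D INPUT -p tcp --dport <toport> -j ACCEPT

# fail2ban runs this before each ban; a non-zero exit triggers actionstart
# again, which repairs the hook after something else flushed the tables.
actioncheck = iptables -t nat -n -L PREROUTING | grep -q 'f2b-<name>[ \t]'

# -C checks for an identical existing rule, so a repeated ban for the same
# address does not stack duplicates that a single -D on unban would miss.
actionban = iptables -t nat -C f2b-<name> -s <ip> -j REDIRECT --to-ports <toport> || iptables -t nat -A f2b-<name> -s <ip> -j REDIRECT --to-ports <toport>

actionunban = iptables -t nat -D f2b-<name> -s <ip> -j REDIRECT --to-ports <toport>

[Init]

# Port the offender was hitting (what the reverse proxy listens on).
port = 443

# Local port serving the explanation page.
toport = 8080

# No bantime here on purpose: with iptables the jail's own bantime drives
# actionunban, so the ipset/jail timeout mismatch from point 3 cannot occur.
```

Two caveats worth checking before relying on this. First, REDIRECT only rewrites the destination port; the client still thinks it is talking to port 443, so whatever listens on 8080 must speak TLS with a certificate valid for the proxy's hostname, or the offender sees a browser error instead of the explanation page. Second, this file covers IPv4 only; clients banned on IPv6 addresses need the same rules through `ip6tables`, and the original answer's `-i eth0` was dropped here so the redirect applies on every interface.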