Fail2ban: Redirecting banned HTTP users to another webserver

Created on 12 Jul 2015 · 31 Comments · Source: fail2ban/fail2ban

Would you merge a "_Friendly WAF_" action?

actionban = iptables -t nat -A PREROUTING -i <interface> -p tcp -s <ip> --dport <webport> -j REDIRECT --to-port <wafport>

interface = eth0
webport = 80
wafport = 8080

And users _banned_ from HTTP will see only one HTML page (with dependencies on an external host/CDN).

Could you suggest a light webserver for 1 static HTML page?

All 31 comments

Python httpserver module.
On 11 Jul 2015 8:26 pm, "Viktor Szépe" wrote:

> Would you merge a Friendly WAF PR?
>
> actionban = iptables -t nat -D PREROUTING -i <interface> -p tcp -s <ip> --dport <webport> -j REDIRECT --to-port <wafport>
>
> interface = eth0
> webport = 80
> wafport = 8080
>
> And _banned_ users will see only one HTML page with external
> (dependencies on an external host/CDN).
>
> Could you suggest a light webserver for 1 static HTML page?

I don't like the idea of fail2ban being exposed directly to external users, especially seeing as it runs as root.

Having fail2ban manage an iptables rule to REDIRECT makes sense though, is that what you're asking about?

If you're just asking about a webserver recommendation, this isn't the place. Feel free to reopen if you have a question regarding fail2ban (or better yet, ask the mailing list).

Where does fail2ban get exposed here? It will not provide webserver, just a new action to redirect. IMHO worthwhile addition

On July 12, 2015 8:30:47 AM EDT, Lee Clemens wrote:

> I don't like the idea of fail2ban being exposed directly to external
> users, especially seeing as it runs as root.
>
> Having fail2ban manage an iptables rule to REDIRECT makes sense though,
> is that what you're asking about?
>
> If you're just asking about a webserver recommendation, this isn't the
> place. Feel free to reopen if you have a question regarding fail2ban
> (or better yet, ask the mailing list).

> Having fail2ban manage an iptables rule to REDIRECT makes sense though, is that what you're asking about?

Having fail2ban act as that webserver in any way would expose it. I read the initial post as being related to fail2ban, beyond having fail2ban create the REDIRECT in iptables (see above).

I understood that Viktor was asking for a way to REDIRECT web users to
another port, (action), and was also asking for a suggestion on a very
low-resource-usage http server. I think 'friendly waf' is useful to have in
f2b, and think like Yaroslav on this one.

On Sun, Jul 12, 2015 at 11:52 AM, Lee Clemens wrote:

> > Having fail2ban manage an iptables rule to REDIRECT makes sense though, is
> > that what you're asking about?
>
> Having fail2ban act as that webserver in any way would expose it. I read
> the initial post as being related to fail2ban, beyond having fail2ban
> create the REDIRECT in iptables (see above).

Maybe the three of you can help me understand the term "Friendly WAF". I don't think general questions for web server recommendations are directly appropriate as a fail2ban Issue, and I'd hate to see fail2ban try to become one in any way (read: exposing fail2ban).

@yarikoptic To explain further and without trying it out myself, I think there are enough variables already to accomplish the REDIRECT approach (between <chain> and <blocktype>) but we'd probably have to add -t nat (as a variable, obviously). Then it would fit in nicely without sprawl. Why create a new specific action for one case?

@buanzo I too agree with fail2ban having the ability to REDIRECT...so I think we're all on the same page.

A friendly WAF tells you that you are banned. See CloudFlare's "blocked" page.
Now a banned HTTP user gets a connection failed browser message, or something like that.

ok, I stand by my initial response that fail2ban should not serve a "friendly waf" page, as that would require fail2ban to accept and respond to http requests from external sources.

I am sorry for writing such a short issue. Of course fail2ban should only REDIRECT.
I am experimenting with lighttpd2 as the webserver on <wafport>; it must be able to serve many virtual hosts and TLS as well.

> Could you suggest a light webserver for 1 static HTML page?

This question is there only because I don't know any lightweight webserver.
I am sorry to mislead you.

I think you could accomplish the same goal using Apache, or whatever http server you use, and that the discussion of a webserver recommendation isn't really relevant to fail2ban's Issue forum (I used "direct" before intentionally). That being said...it seems you just want fail2ban to create the REDIRECT iptables rule, right? If so, seems we can circle back to https://github.com/fail2ban/fail2ban/issues/1113#issuecomment-120730933

Yes. I'd like to make fail2ban + lighttpd2 a friendly WAF displaying a "banned" message to users.

@leeclemens Please suggest a name for the new action.
I don't dare to call it [friendly-waf] as it is not technical and not at all descriptive.
Maybe [ban-page]?

But I would be glad if you all agree on the name [friendly-waf].

@szepeviktor As I mentioned, I don't think this needs a new action, as it should be able to be accomplished using the existing iptables-multiport action with the addition of -t <table>. Sprawl is bad.

It is beyond my capabilities to get this
iptables -t nat -I <chain> -i <interface> -p <protocol> -s <ip> --dport <webport> -j REDIRECT --to-port <wafport>
from the existing action:
start: iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
ban: iptables -I f2b-<name> 1 -s <ip> -j <blocktype>

My diff is -t nat, -i <interface>, --to-port <wafport>.
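A worked version of the action sketched above, written here as an added example rather than anything from the fail2ban project or this thread: a standalone action.d file (assumed name ban-page.conf, after the [ban-page] name floated above) that keeps a dedicated nat-table chain so that bans and unbans stay single rule insertions, the way iptables-multiport does in the filter table. The <interface>, <webport> and <wafport> variables are the ones from the original post; the f2b-<name> chain name follows fail2ban's convention.

```ini
# /etc/fail2ban/action.d/ban-page.conf (assumed file name; added example)
# Sends HTTP from banned IPs to the "you are banned" page listening on <wafport>.
[Definition]

# Create a nat chain, let non-banned traffic fall through, and hook the chain
# into PREROUTING for new connections arriving on <webport>.
actionstart = iptables -t nat -N f2b-<name>
              iptables -t nat -A f2b-<name> -j RETURN
              iptables -t nat -I PREROUTING -i <interface> -p <protocol> --dport <webport> -j f2b-<name>

# Unhook and delete the chain (must be empty before -X).
actionstop = iptables -t nat -D PREROUTING -i <interface> -p <protocol> --dport <webport> -j f2b-<name>
             iptables -t nat -F f2b-<name>
             iptables -t nat -X f2b-<name>

# fail2ban runs this before each ban; the trailing [ \t] avoids matching f2b-<name>2.
actioncheck = iptables -t nat -n -L PREROUTING | grep -q 'f2b-<name>[ \t]'

# Ban: insert at position 1 so it precedes the RETURN; unban: delete the same rule.
actionban = iptables -t nat -I f2b-<name> 1 -s <ip> -p <protocol> -j REDIRECT --to-port <wafport>
actionunban = iptables -t nat -D f2b-<name> -s <ip> -p <protocol> -j REDIRECT --to-port <wafport>

[Init]
name = default
interface = eth0
protocol = tcp
webport = 80
wafport = 8080
```

Only the first packet of a connection traverses the nat PREROUTING chain, so a client with an already-established connection keeps it until it reconnects; redirecting 443 this way also only works if the server on <wafport> can present a certificate for the hosts the banned client was visiting.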

I think nobody suggested that, Lee.
On 12 Jul 2015 1:31 pm, "Lee Clemens" wrote:

> ok, I stand by my initial response that fail2ban should not serve a
> "friendly waf" page, as that would require fail2ban to accept and respond
> to http requests from external sources.

@buanzo thanks...please check the definition of "addition". If you disagree with my statement that it shouldn't be a new action, please respond. If not, I'm not sure what value you think your last comment has.

@szepeviktor If that's the case, fine. You initially asked

> Would you merge [...]

All of my responses are consistent with that. Moving on, to use iptables-multiport for this new application shouldn't be too difficult. You already have a PR making changes to iptables actions and adding the variable <returntype>. I think we just need another -t <tablename> default to filter, so you can change it to nat. <blocktype> is already a variable...you'd just need to override it to -j REDIRECT --to-port 8080 for your custom application/whatever. Maybe a variable for redirectport for icing on the cake. You've already made changes to iptables configs, I'm just trying to point you in the right direction in order to implement this new enhancement

You are very kind.

I did not comment on this thread.
On 12 Jul 2015 3:13 pm, "Lee Clemens" wrote:

> @buanzo thanks...please check the definition
> of "addition". If you disagree with my statement that it shouldn't be a new
> action, please respond. If not, I'm not sure what value you think your
> last comment has.
>
> @szepeviktor If that's the case, fine.
> You initially asked
>
> > Would you merge [...]
>
> All of my responses are consistent with that. Moving on, to use
> iptables-multiport for this new application shouldn't be too difficult. You
> already have a PR making changes to iptables actions and adding the
> variable <returntype>. I think we just need another -t <tablename>
> default to filter, so you can change it to nat. <blocktype> is already a
> variable...you'd just need to override it to -j REDIRECT --to-port 8080
> for your custom application/whatever. Maybe a variable for redirectport
> for icing on the cake. You've already made changes to iptables configs, I'm
> just trying to point you in the right direction in order to implement this
> new enhancement

@buanzo Please elaborate on what you meant by "that" in https://github.com/fail2ban/fail2ban/issues/1113#issuecomment-120751135?

Indeed! Maybe it could already be achieved by modifying the blocktype variable and adding -t nat to it? Then we would just need a jail spec for this feature.

On July 12, 2015 11:34:22 AM EDT, Lee Clemens wrote:

> Maybe the three of you can help me understand the term "Friendly WAF". I don't think
> general questions for web server recommendations are directly
> appropriate as a fail2ban Issue, and I'd hate to see fail2ban try to
> become one in any way (read: exposing fail2ban).
>
> @yarikoptic To explain further and without trying it out myself, I
> think there are enough variables already to accomplish the REDIRECT
> approach (between <chain> and <blocktype>) but we'd probably have
> to add -t nat (as a variable, obviously). Then it would fit in nicely
> without sprawl. Why create a new specific action for one case?

Need to add -t whatever to iptables-multiport, defaults to filter, not nat, as we need it for the REDIRECT. I've probably spent more time discussing how to implement this better (imho) than it would have taken to implement it myself :(

Technical discussions polish the end product! :-)

On July 12, 2015 3:36:04 PM EDT, Lee Clemens wrote:

> Need to add -t whatever to iptables-multiport, defaults to filter,
> not nat, as we need it for the REDIRECT. I've probably spent more
> time discussing how to implement this better (imho) than it would have
> taken to implement it myself :(

Agreed..."Update iptables-multiport to specify table" or something, and implemented hours ago :) Also "Would you merge" implies a forthcoming PR, not a feature request (and the Issue should stay open until a PR is created).

this appears merged in https://github.com/fail2ban/fail2ban/pull/1112, should be closed.


Excuse me! This is also an issue opened by me.
But there is no -j REDIRECT in #1112.
Please reopen this. I'll send the PR later.

right -- sorry, my bad... we are yet to cook up the full solution for this one.

> Please reopen this. I'll send the PR later.

Still interested?

I was planning to mimic CloudFlare where suspicious traffic gets a "You are blocked!" page and the chance to unblock itself.
Or at least some info about what to do now, whom to contact etc.
