On 4/26/19 3:50 AM, Gary Stainburn wrote:
I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.
This is my process for fail2ban:
1: "yum install fail2ban" This installs fail2ban and fail2ban-firewalld.
2: install /etc/fail2ban/jail.local. This file enables the matching rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.
[sshd] enabled = true maxretry = 10
3: install /etc/fail2ban/action.d/firewallcmd-ipset.local. This file overrides the default action defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in /etc/fail2ban/jail.d/00-firewalld.conf. The new definition blocks the source address from *all* TCP ports rather than just the ports defined for the jail (in /etc/fail2ban/jail.conf). You might also choose to remove the "-p <protocol>" spec to block all access instead of just TCP access.
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype> ipset flush fail2ban-<name> ipset destroy fail2ban-<name>
4: systemctl enable fail2ban
That's one approach. I believe that you could modify fewer files by setting "port = 0:65535" in your definition in "jail.local" and not install firewallcmd-ipset.local.