[CentOS] Fail2Ban Centos 7 is there a trick to making it work?

Tue Mar 10 13:43:36 UTC 2015
Andrea Dell'Amico <adellam-lists at sevenseas.org>

> On 10 Mar 2015, at 14:30, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> 
> 
> On Mon, March 9, 2015 13:11, John Plemons wrote:
>> Been working on fail2ban, and trying to make it work with plain Jane
>> install of Centos 7
>> 
>> Machine is a HP running 2 Quad core Xeons, 16 gig or ram and 1 plus TB
>> of disk space. Very generic and vanilla.
>> 
>> Current available epel repo version is fail2ban-0.9.1
>> 
>> Looking at the log file, fail2ban starts and stops fine, there isn't
>> output though showing any login attempts being restricted.
>> 
>> 2015-03-09 12:54:37,930 fail2ban.server         [14805]: INFO
>> Stopping all jails
>> 2015-03-09 12:54:37,931 fail2ban.server         [14805]: INFO
>> Exiting Fail2ban
>> 2015-03-09 12:54:38,338 fail2ban.server         [16678]: INFO
>> Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
>> 2015-03-09 12:54:38,341 fail2ban.database       [16678]: INFO
>> Connected to fail2ban persistent database
>> '/var/lib/fail2ban/fail2ban.sqlite3'
>> 
>> I copied jail.conf and added the edited jail.local to the directory
>> /etc/fail2ban/
>> 
>> This is about as far as I have gotten with searches on how to
>> configure
>> with Centos 7.
>> 
>> Any help would be welcome. What am I missing?
>> 
>> john
>> 
> 
> This is what I have for ssh in jail.conf
> 
> [ssh-iptables]
> 
> enabled  = true
> filter   = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>        sendmail-whois[name=SSH, dest=x at harte-lyne.ca,
> sender=x at harte-lyne.ca, sendername=Fail2Ban]
> logpath  = /var/log/secure
> maxretry = 5
> 

I’m using fail2ban with the -firewalld and -systemd modules, and I had to setup some SELinux rules to make it working right. This is the policy I add to the CentOS 7 machines:

module fail2ban-journal-sepol-new 1.0;

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        type fail2ban_t;
        type syslogd_var_run_t;
        class dir read;
        class file { ioctl read execute execute_no_trans open getattr };
}

#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:dir read;

#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:file { read getattr open };

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute execute_no_trans open };


What’s the best way to report the selinux problems in EPEL packages, btw?

> HTH
> 
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3

Ciao,
andrea
--
Andrea Dell'Amico
http://adellam.sevenseas.org/



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.centos.org/pipermail/centos/attachments/20150310/1c95a6dc/attachment-0004.sig>