On 4/26/19 3:50 AM, Gary Stainburn wrote: > I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed. This is my process for fail2ban: 1: "yum install fail2ban" This installs fail2ban and fail2ban-firewalld. 2: install /etc/fail2ban/jail.local. This file enables the matching rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures. [sshd] enabled = true maxretry = 10 3: install /etc/fail2ban/action.d/firewallcmd-ipset.local. This file overrides the default action defined in /etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in /etc/fail2ban/jail.d/00-firewalld.conf. The new definition blocks the source address from *all* TCP ports rather than just the ports defined for the jail (in /etc/fail2ban/jail.conf). You might also choose to remove the "-p <protocol>" spec to block all access instead of just TCP access. [Definition] actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype> actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j <blocktype> ipset flush fail2ban-<name> ipset destroy fail2ban-<name> 4: systemctl enable fail2ban That's one approach. I believe that you could modify fewer files by setting "port = 0:65535" in your definition in "jail.local" and not install firewallcmd-ipset.local.