[CentOS] faI2ban detecting and banning but nothing happens

Mon Apr 29 01:21:05 UTC 2019
Gordon Messmer <gordon.messmer at gmail.com>

On 4/26/19 3:50 AM, Gary Stainburn wrote:
> I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.

This is my process for fail2ban:

1: "yum install fail2ban"  This installs fail2ban and fail2ban-firewalld.

2: install /etc/fail2ban/jail.local.  This file enables the matching 
rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.

     enabled = true
     maxretry = 10

3: install /etc/fail2ban/action.d/firewallcmd-ipset.local.  This file 
overrides the default action defined in 
/etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in 
/etc/fail2ban/jail.d/00-firewalld.conf.  The new definition blocks the 
source address from *all* TCP ports rather than just the ports defined 
for the jail (in /etc/fail2ban/jail.conf).  You might also choose to 
remove the "-p <protocol>" spec to block all access instead of just TCP 


     actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
               firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p 
<protocol> -m set --match-set fail2ban-<name> src -j <blocktype>

     actionstop = firewall-cmd --direct --remove-rule ipv4 filter 
<chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j 
              ipset flush fail2ban-<name>
              ipset destroy fail2ban-<name>

4: systemctl enable fail2ban

That's one approach.  I believe that you could modify fewer files by 
setting "port = 0:65535" in your definition in "jail.local" and not 
install firewallcmd-ipset.local.