[CentOS] faI2ban detecting and banning but nothing happens
Gordon Messmer
gordon.messmer at gmail.com
Mon Apr 29 01:21:05 UTC 2019
On 4/26/19 3:50 AM, Gary Stainburn wrote:
> I can't remember the other one. I have removed all of the manual amendments so am now basically set up as initially installed.
This is my process for fail2ban:
1: "yum install fail2ban" This installs fail2ban and fail2ban-firewalld.
2: install /etc/fail2ban/jail.local. This file enables the matching
rules in /etc/fail2ban/filter.d/sshd.conf, and allows up to 10 failures.
[sshd]
enabled = true
maxretry = 10
3: install /etc/fail2ban/action.d/firewallcmd-ipset.local. This file
overrides the default action defined in
/etc/fail2ban/action.d/firewallcmd-ipset.conf and selected in
/etc/fail2ban/jail.d/00-firewalld.conf. The new definition blocks the
source address from *all* TCP ports rather than just the ports defined
for the jail (in /etc/fail2ban/jail.conf). You might also choose to
remove the "-p <protocol>" spec to block all access instead of just TCP
access.
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p
<protocol> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter
<chain> 0 -p <protocol> -m set --match-set fail2ban-<name> src -j
<blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
4: systemctl enable fail2ban
That's one approach. I believe that you could modify fewer files by
setting "port = 0:65535" in your definition in "jail.local" and not
install firewallcmd-ipset.local.
More information about the CentOS
mailing list