Active 22 days ago
I'm running CentOS 7, all fully updated, and am trying to get Fail2Ban to work, but I'm running into problems.

Specifically, I'm trying to block brute-force SSH attacks. I'm pretty sure I've set up everything right – enabled the sshd jail in jail.local, using firewallcmd-ipset as the ban action, definitely using Firewalld, not using SELinux.
But when I start Fail2Ban, here's what's in /var/log/fail2ban.log:

As you'll note, everything runs smoothly until firewall-cmd is tried. The commands it's trying to run are:

ipset create fail2ban-sshd hash:ip timeout 86400

followed by

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

If I try to run those myself, the ipset command works fine, but the firewall-cmd one returns with Error: COMMAND_FAILED. So, I'm guessing it's a problem with the command that Fail2Ban is trying to send to firewall-cmd – but I don't know enough about Firewalld to fix it.

(Oh, SSH is on port 44 because I've found that it massively reduces drive-by attacks, so let's not get into the pros and cons of that! Also, systemctl status fail2ban shows everything to be running smoothly, no problems reported there. I only noticed this when I logged in and saw that there'd been a bunch of failed login attempts, which is rare what with the port change and all. Finally, uname -r returns 3.10.0-229.14.1.el7.centos.plus.x86_64, so I'm fairly sure it's not the OpenVZ problem which I've seen as a cause of this elsewhere.)

JoLoCo
1 Answer
From faqforge.com: https://www.faqforge.com/linux/how-to-use-iptables-on-centos-7/
Centos 7 replaced the traditional IPTables Linux Kernel Firewall with the Firewalld service. There are still a lot of scripts available that require the use of IPTables. A common example is the software Fail2ban.
So try stopping firewalld (systemctl stop firewalld), install iptables (yum install iptables-services) and then systemctl start iptables. Then set the banaction in jail.local like this:

and then restart.

Luis Díaz
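The two commands quoted in the question, rebuilt from the jail parameters the way fail2ban's firewallcmd-ipset action assembles them, as an added example that is not part of the question or the answer. The ipset and firewall-cmd strings are the ones shown above; the jail values (name sshd, port 44, bantime 86400), the jail.local fragment for the answer's iptables-services route, and the protocol check are my assumptions for this example. The check encodes one property of iptables itself, stated here as my own note and not as anything the page says: the multiport match only accepts an explicit transport protocol (tcp, udp, udplite, sctp or dccp), so a rule built with -p all -m multiport is rejected by iptables, and firewalld reports a rule it could not insert as COMMAND_FAILED.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build the commands that
# fail2ban's firewallcmd-ipset action runs, from a jail's name, port and
# protocol, and refuse a protocol that the iptables multiport match cannot use.
# Nothing here touches a live firewall; the functions only print command lines.

# Protocols accepted by "-m multiport". This list is a property of iptables,
# stated as the example author's note, not something the page says.
multiport_accepts() {
  case "$1" in
    tcp|udp|udplite|sctp|dccp) return 0 ;;
    *) return 1 ;;
  esac
}

# The ipset that the action creates when the jail starts (name and bantime
# are assumed jail values; the question shows sshd and 86400).
render_ipset_create() {
  name=$1; bantime=$2
  printf 'ipset create fail2ban-%s hash:ip timeout %s\n' "$name" "$bantime"
}

# The firewalld direct rule from the question, with the jail values filled in.
# Returns 1 and prints nothing on stdout when the protocol would make iptables
# reject the rule (the case firewalld surfaces as COMMAND_FAILED).
render_ban_rule() {
  name=$1; port=$2; proto=$3
  if ! multiport_accepts "$proto"; then
    echo "refusing: '-p $proto -m multiport' is not a rule iptables accepts; set protocol = tcp in the jail" >&2
    return 1
  fi
  printf 'firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p %s -m multiport --dports %s -m set --match-set fail2ban-%s src -j REJECT --reject-with icmp-port-unreachable\n' \
    "$proto" "$port" "$name"
}

# jail.local fragment for the answer's route (iptables-services instead of
# firewalld). iptables-multiport is fail2ban's stock iptables ban action; the
# other values are assumptions for this example.
render_jail_local() {
  port=$1; proto=$2
  cat <<EOF
[sshd]
enabled   = true
port      = $port
protocol  = $proto
banaction = iptables-multiport
EOF
}

# Dry run with the question's values: the firewalld rule with protocol "all"
# is refused, the same rule with tcp is printed, then the jail.local fragment.
render_ipset_create sshd 86400
render_ban_rule sshd 44 all || echo "(rule with -p all refused, as expected)"
render_ban_rule sshd 44 tcp
render_jail_local 44 tcp
```

Run it as a plain shell script; it prints the commands rather than executing them, so it is safe on any host. Comparing the printed firewall-cmd line with the one in the question makes the difference a single token (-p tcp versus -p all), which is the first thing to check in the jail's protocol setting before switching the whole firewall backend.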