In the previous post I wrote about the minor configuration changes needed to get fail2ban to actually do something.

I have been working primarily with CentOS 7 and have been using iptables instead of firewalld. Normally, fail2ban works with iptables by default. However, installing fail2ban on CentOS 7 also installs fail2ban-firewalld, which changes that default. Even with a properly configured fail2ban jail, you will not see the expected results: fail2ban will log events as expected, but no traffic will actually be banned.

The fail2ban-firewalld package places a file at /etc/fail2ban/jail.d/00-firewalld.conf. It overrides the default banaction (iptables) and sets it to firewallcmd-ipset.

The top of the 00-firewalld.conf file says:
You can remove this package (along with the empty fail2ban meta-package) if you do not use firewalld
When I tried removing fail2ban-firewalld, it removed fail2ban as a dependency. I have a feeling the referenced fail2ban meta-package may have something to do with that.

I have not yet investigated the meta-package and de-coupling fail2ban-firewalld from fail2ban (see Update below). My solution, for now, has been to move 00-firewalld.conf aside and restart fail2ban:
$ sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled
$ sudo systemctl restart fail2ban
The default banaction defined in jail.conf is no longer overridden and performs as expected:
banaction = iptables-multiport
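To see which file actually wins, here is an added example (not from the post or the fail2ban project) that reads the jail configuration in the order fail2ban does (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and reports the effective [DEFAULT] banaction and the file that set it. It builds a constructed copy of the CentOS 7 layout in a temp directory so it runs without fail2ban installed; point it at /etc/fail2ban on a real host. Per-jail banaction overrides inside [sshd]-style sections are ignored, so it only answers the question this post raises.

```shell
#!/bin/sh
# Added example: report the effective [DEFAULT] banaction for fail2ban.
# Assumption: fail2ban reads jail.conf, then jail.d/*.conf, then jail.local,
# then jail.d/*.local, and a later file silently overrides an earlier one.
# That is exactly how 00-firewalld.conf replaces iptables-multiport.

# Print "<banaction>\t<file that set it>" for the fail2ban config dir given.
effective_banaction() {
    dir="$1"
    value=""
    source=""
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        # Last banaction line inside the [DEFAULT] section of this file.
        v=$(awk '/^[[:space:]]*\[/ { sect = $0 }
                 sect == "[DEFAULT]" && /^[[:space:]]*banaction[[:space:]]*=/ {
                     sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
                 END { print val }' "$f")
        if [ -n "$v" ]; then
            value="$v"
            source="$f"
        fi
    done
    printf '%s\t%s\n' "$value" "$source"
}

# Build a constructed stand-in for /etc/fail2ban that mirrors the CentOS 7
# situation from the post, and print its path. All contents are made up here.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/jail.d"
    printf '[DEFAULT]\nbanaction = iptables-multiport\n\n[sshd]\nenabled = true\n' > "$d/jail.conf"
    printf '[DEFAULT]\nbanaction = firewallcmd-ipset\n' > "$d/jail.d/00-firewalld.conf"
    echo "$d"
}

# Usage: `sh check-banaction.sh demo` shows the override, then the effect of
# moving the file aside as the post does.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    effective_banaction "$d"        # firewallcmd-ipset   .../jail.d/00-firewalld.conf
    mv "$d/jail.d/00-firewalld.conf" "$d/jail.d/00-firewalld.disabled"
    effective_banaction "$d"        # iptables-multiport  .../jail.conf
    rm -r "$d"
fi
```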
Update
According to Fail2ban with FirewallD, the fail2ban package itself is a meta-package that contains several other packages, including fail2ban-firewalld and fail2ban-server. Removing the meta-package will not remove fail2ban-server.

If you've already moved 00-firewalld.conf to 00-firewalld.disabled, you'll get a warning when the package is removed:
warning: file /etc/fail2ban/jail.d/00-firewalld.conf: remove failed: No such file or directory
You can ignore the warning, or remove 00-firewalld.disabled.
Hello,
Thanks for this idea. To watch for ssh attempts I need to install fail2ban-server only. Thanks again!
a.
It’s worth noting that just installing fail2ban-server will result in some missing default fail2ban configs being made, such as /etc/fail2ban/action.d/sendmail-common.conf
Thanks a lot, works like a charm.
Hi!
While I have found a lot of articles on using iptables with fail2ban to achieve banning, there is little or no information on using firewalld with fail2ban and on related configuration issues.
It would be great if you could shed some light on this newer method, such as what configuration changes need to be made in a custom conf file to achieve correct banning.
Thanks
yum remove --noautoremove fail2ban-firewalld.noarch
This seemed to just remove the firewalld package and the metapackage without touching other installed fail2ban packages.
dnf remove fail2ban-firewalld --noautoremove
And don't be scared that it will remove the "fail2ban" package along with it, because it is just a dummy package. The main package, "fail2ban-server", will still stay installed.
Watch out for the above comments saying to use the `noautoremove` switch to `dnf remove`: this blog shows a single hyphen `-` character, but you need two. Also, Kyo posts above with the `–noautoremove` on the end of the command line, but this gives me an error:
No match for argument: –-noautoremove
You need a command line like:
dnf remove --noautoremove fail2ban-firewalld fail2ban
with a double hyphen before `noautoremove`. This should remove only the two packages named.
It is unwise to simply move the /etc/fail2ban/jail.d/00-firewalld.conf file somewhere else instead of removing the fail2ban-firewalld package that supplies it, because if your OS maintainer touches the package and your system automatically upgrades to the newer version, the file will reappear on your filesystem, and at some later time when you restart the fail2ban service or reboot the machine it will pick up the config and your fail2ban will stop working again 🙂