In the previous post I wrote about the minor configuration changes needed to get fail2ban to actually do something.
I have been working primarily with CentOS 7 and have been using iptables instead of firewalld. Normally, fail2ban works with iptables by default. However, installing fail2ban on CentOS 7 also installs fail2ban-firewalld, which changes that default. Even with a properly configured fail2ban jail, you will not see the expected results: fail2ban will log events as expected, but no traffic will actually be banned.
The fail2ban-firewalld package places a file in /etc/fail2ban/jail.d/00-firewalld.conf. It overrides the default banaction (iptables) and sets it to firewallcmd-ipset.
The top of the 00-firewalld.conf file says:
You can remove this package (along with the empty fail2ban meta-package) if you do not use firewalld
When I tried removing fail2ban-firewalld, it removed fail2ban as a dependency. I have a feeling the referenced fail2ban meta-package may have something to do with that.
I have not yet investigated the meta-package and de-coupling fail2ban-firewalld from fail2ban (see Update below). My solution, for now, has been to move 00-firewalld.conf and restart fail2ban:
$ sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.disabled
$ sudo systemctl restart fail2ban
The default banaction defined in jail.conf is no longer overridden and performs as expected:
banaction = iptables-multiport
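Because fail2ban loads jail.conf, then jail.local, then jail.d/*.conf in sorted order, with later files overriding earlier ones, the easiest way to see why bans are not happening is to compute the effective banaction the same way. The script below is an added example, not part of the original post or the fail2ban project: it builds a constructed copy of the CentOS 7 layout in a temp directory (the file contents are an approximation of the real ones), reports the winning banaction, applies the rename from the post, and reports it again. The function names and the temp-dir layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: work out which banaction fail2ban
# will actually use. Load order is jail.conf, jail.local, then jail.d/*.conf in
# sorted order; a later file overrides an earlier one, which is how
# 00-firewalld.conf silently replaces iptables-multiport.

# Print the effective banaction for a fail2ban config dir ($1, default /etc/fail2ban).
effective_banaction() {
    confdir="${1:-/etc/fail2ban}"
    value=""
    for f in "$confdir/jail.conf" "$confdir/jail.local" "$confdir"/jail.d/*.conf; do
        [ -f "$f" ] || continue
        # The last uncommented "banaction = X" line in this file wins;
        # banaction_allports is deliberately not matched.
        v=$(sed -n 's/^[[:space:]]*banaction[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Constructed sample (hypothetical contents, not copied from the real package):
# the CentOS 7 layout described in the post, built in a temp dir so the check
# runs without touching /etc/fail2ban.
make_sample_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/jail.d"
    cat > "$d/jail.conf" <<'EOF'
[DEFAULT]
# banaction = commented-out-value
banaction = iptables-multiport
banaction_allports = iptables-allports

[sshd]
enabled = true
EOF
    cat > "$d/jail.d/00-firewalld.conf" <<'EOF'
# You can remove this package (along with the empty fail2ban meta-package)
# if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-ipset
EOF
    printf '%s\n' "$d"
}

# The post's workaround: rename the override so it no longer ends in .conf
# and therefore is no longer read from jail.d.
disable_firewalld_override() {
    mv "$1/jail.d/00-firewalld.conf" "$1/jail.d/00-firewalld.disabled"
}

sample=$(make_sample_confdir)
echo "with override:     $(effective_banaction "$sample")"   # firewallcmd-ipset
disable_firewalld_override "$sample"
echo "override disabled: $(effective_banaction "$sample")"   # iptables-multiport
rm -rf "$sample"
```

Run against a live box with `effective_banaction /etc/fail2ban` (no temp dir needed). As a second check after restarting the service, `fail2ban-client get sshd actions` lists the actions the running server has attached to the jail, which should match what the file scan reports.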
Update
According to Fail2ban with FirewallD, the fail2ban package itself is a meta-package that contains several other packages, including fail2ban-firewalld and fail2ban-server. Removing the meta-package will not remove fail2ban-server.
If you’ve already moved 00-firewalld.conf to 00-firewalld.disabled, you’ll get a warning:
warning: file /etc/fail2ban/jail.d/00-firewalld.conf: remove failed: No such file or directory
You can ignore the warning, or remove 00-firewalld.disabled.
Hello,
Thanks for this idea. To watch for SSH attempts I need to install fail2ban-server only. Thanks again!
a.
It’s worth noting that just installing fail2ban-server will result in some default fail2ban configs being missing, such as /etc/fail2ban/action.d/sendmail-common.conf.
Thanks a lot, works like a charm.
Hi!
While I have found a lot of articles on using iptables with fail2ban to achieve banning, there is little or no information on using firewalld with fail2ban and on related configuration issues.
It would be great if you could shed some light on this newer method, such as what configuration changes need to be made in some custom conf file to achieve the correct banning.
Thanks
yum remove --noautoremove fail2ban-firewalld.noarch
Seemed to just remove the firewalld package and the metapackage without touching other installed fail2ban packages.
dnf remove fail2ban-firewalld --noautoremove
And don’t be scared that it will remove the “fail2ban” package along with it, because it is just a dummy package. The main package, “fail2ban-server”, will still stay installed.