{"id":1974,"date":"2017-08-29T18:37:30","date_gmt":"2017-08-29T23:37:30","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=1974"},"modified":"2017-08-30T09:16:49","modified_gmt":"2017-08-30T14:16:49","slug":"using-fail2ban-with-iptables-instead-of-firewalld","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2017\/08\/using-fail2ban-with-iptables-instead-of-firewalld\/","title":{"rendered":"Using fail2ban with iptables instead of firewalld"},"content":{"rendered":"<p>In the <a href=\"https:\/\/osric.com\/chris\/accidental-developer\/2017\/08\/fail2ban-fails-to-ban-ssh-login-failures\/\">previous post<\/a> I wrote about the minor configuration changes needed to get <code>fail2ban<\/code> to actually do something.<\/p>\n<p>I have been working primarily with CentOS 7 and have been using <code>iptables<\/code> instead of <code>firewalld<\/code>. Normally, <code>fail2ban<\/code> works with <code>iptables<\/code> by default. However, installing <code>fail2ban<\/code> on CentOS 7 also installs <code>fail2ban-firewalld<\/code> &#8212; which changes that default. Even with a properly configured <code>fail2ban<\/code> jail, you will not see the expected results. <code>fail2ban<\/code> will log events as expected, but no traffic will actually be banned.<\/p>\n<p>The <code>fail2ban-firewalld<\/code> package places a file in <code>\/etc\/fail2ban\/jail.d\/00-firewalld.conf<\/code>. It overrides the default <code>banaction<\/code> (iptables) and sets it to <code>firewallcmd-ipset<\/code>.<\/p>\n<p>The top of the <code>00-firewalld.conf<\/code> file says:<\/p>\n<blockquote><p>You can remove this package (along with the empty fail2ban meta-package) if you do not use firewalld<\/p><\/blockquote>\n<p>When I tried removing <code>fail2ban-firewalld<\/code>, it removed <code>fail2ban<\/code> as a dependency. 
I have a feeling the referenced <code>fail2ban<\/code> meta-package may have something to do with that.<\/p>\n<p>I have not yet investigated the meta-package and de-coupling <code>fail2ban-firewalld<\/code> from <code>fail2ban<\/code> (see <strong>Update<\/strong> below). My solution, for now, has been to move <code>00-firewalld.conf<\/code> and restart <code>fail2ban<\/code>:<\/p>\n<p><code>$ sudo mv \/etc\/fail2ban\/jail.d\/00-firewalld.conf \/etc\/fail2ban\/jail.d\/00-firewalld.disabled<br \/>\n$ sudo systemctl restart fail2ban<\/code><\/p>\n<p>The default <code>banaction<\/code> defined in <code>jail.conf<\/code> is no longer overridden and performs as expected:<br \/>\n<code>banaction = iptables-multiport<\/code><\/p>\n<p><strong>Update<\/strong><br \/>\nAccording to <a href=\"https:\/\/fedoraproject.org\/wiki\/Fail2ban_with_FirewallD\">Fail2ban with FirewallD<\/a>, the <code>fail2ban<\/code> package itself is a meta-package that contains several other packages, including <code>fail2ban-firewalld<\/code> and <code>fail2ban-server<\/code>. Removing the meta-package will not remove <code>fail2ban-server<\/code>.<\/p>\n<p>If you&#8217;ve already moved <code>00-firewalld.conf<\/code> to <code>00-firewalld.disabled<\/code>, you&#8217;ll get a warning:<br \/>\n<code>warning: file \/etc\/fail2ban\/jail.d\/00-firewalld.conf: remove failed: No such file or directory<\/code><\/p>\n<p>You can ignore the warning, or remove <code>00-firewalld.disabled<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post I wrote about the minor configuration changes needed to get fail2ban to actually do something. I have been working primarily with CentOS 7 and have been using iptables instead of firewalld. Normally, fail2ban works with iptables by default. 
However, installing fail2ban on CentOS 7 also installs fail2ban-firewalld &#8212; which changes that &hellip; <a href=\"https:\/\/osric.com\/chris\/accidental-developer\/2017\/08\/using-fail2ban-with-iptables-instead-of-firewalld\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Using fail2ban with iptables instead of firewalld<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[415,452,453,408],"class_list":["post-1974","post","type-post","status-publish","format-standard","hentry","category-security","tag-centos-7","tag-fail2ban","tag-firewalld","tag-iptables"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1974","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=1974"}],"version-history":[{"count":5,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1974\/revisions"}],"predecessor-version":[{"id":1991,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1974\/revisions\/1991"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=1974"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=1974"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?
post=1974"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}