HowTo test EFAv5

General eFa discussion
User avatar
shawniverson
Posts: 3733
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: HowTo test EFAv5

Post by shawniverson »

iptables is disabled on EL9 derivatives by default...

My firewalld is showing things getting blocked by fail2ban. Keep in mind that just because there is an entry in the sqlite3 database it may not be active in the firewall ruleset because the entries do expire. I have a long list of IPs in the jail but only two at the moment that are actively being rejected.

Code: Select all

  rich rules: 
        rule family="ipv4" source address="47.236.91.134" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
tesme33
Posts: 75
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: HowTo test EFAv5

Post by tesme33 »

Hi
thanks for the hint.

As your "firewall-cmd --list-all" shows rich-rules and mine not i would assume something is wrong on my side.

Can you check the following ?

Code: Select all

[root@derb ~]# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-rich-rules
and perhaps

Code: Select all

[root@derb log]#  firewall-cmd --get-active-zones
public
  interfaces: eth0
Looks like something is strange here.

eth0 is my only interface but i see the following.

Code: Select all

[root@derb log]# more firewalld
2024-05-30 14:33:32 WARNING: ALREADY_ENABLED: ssh
2024-05-30 14:48:36 WARNING: ALREADY_ENABLED: 443:tcp
2024-05-30 14:50:02 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="3.87.125.17" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
2024-05-30 17:31:32 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
User avatar
shawniverson
Posts: 3733
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: HowTo test EFAv5

Post by shawniverson »

Mine shows the same. I have a few of the warnings in my log as well but they are old.

Do you have a client you can connect to ssh from that you don't mind getting blocked that you can test your fail2ban?
tesme33
Posts: 75
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: HowTo test EFAv5

Post by tesme33 »

Hi
i believe i found the issue.
I had under /etc/fail2ban/jail.d
2 .local files. And in the efa.local didnt have any maxretry,findtime,bantime in.
By adding these and renaming jail.local to jail.local.tmp it started working.

Now my question is which files should be in the directory and what would be the correct content.
Can anybody help and look in his/her installation.

Many thanks !

Content of directory

Code: Select all

[root@derb jail.d]# pwd
/etc/fail2ban/jail.d
[root@derb jail.d]# ls
00-firewalld.conf  efa.local  jail.local
[root@derb jail.d]#    
Original file:

Code: Select all

[root@derb jail.d]# more efa.local
[sshd]
enabled = true

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]

[mailwatch]
enabled = true
port    = http,https
logpath = /var/log/php-fpm/www-error.log
User avatar
shawniverson
Posts: 3733
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: HowTo test EFAv5

Post by shawniverson »

Can you share your config that is working? I believe the jail.local and efa.local are indeed duplicates with one that needs removed.
tesme33
Posts: 75
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: HowTo test EFAv5

Post by tesme33 »

Hi
below the information requested.
I currently assum that adding a .tmp to the jail.local prevents loading, but im not sure.


[root@derb ~]# fail2ban-client get sshd banned
['157.245.76.66', '82.197.58.234', '5.196.224.183', '43.154.162.100', '42.176.205.222', '80.94.95.81', '118.31.51.38']
[root@derb jail.d]# fail2ban-client get postfix-sasl banned
['80.94.95.242']
[root@derb jail.d]# fail2ban-client get mailwatch banned
[]


[root@derb ~]# cd /etc/fail2ban/jail.d/
[root@derb jail.d]# ls -l
insgesamt 12
-rw-r--r--. 1 root root 319 23. Feb 21:51 00-firewalld.conf
-rw-r--r--. 1 root root 215 9. Jul 18:01 efa.local
-rw-r--r--. 1 root root 183 31. Mai 16:53 jail.local.tmp

[root@derb jail.d]# more efa.local
[sshd]
enabled = true
maxretry = 4
findtime = 300
bantime = 3600

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]


[mailwatch]
enabled = true
port = http,https
logpath = /var/log/php-fpm/www-error.log
[root@derb jail.d]#
Post Reply