HowTo test EFAv5

[shawniverson]

iptables is disabled on EL9 derivatives by default...

My firewalld is showing things getting blocked by fail2ban. Keep in mind that just because there is an entry in the sqlite3 database it may not be active in the firewall ruleset because the entries do expire. I have a long list of IPs in the jail but only two at the moment that are actively being rejected.

Code: Select all

  rich rules: 
        rule family="ipv4" source address="47.236.91.134" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
        rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

[tesme33]

Hi
thanks for the hint.

As your "firewall-cmd --list-all" shows rich-rules and mine not i would assume something is wrong on my side.

Can you check the following ?

Code: Select all

[root@derb ~]# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-rich-rules

and perhaps

Code: Select all

[root@derb log]#  firewall-cmd --get-active-zones
public
  interfaces: eth0

Looks like something is strange here.

eth0 is my only interface but i see the following.

Code: Select all

[root@derb log]# more firewalld
2024-05-30 14:33:32 WARNING: ALREADY_ENABLED: ssh
2024-05-30 14:48:36 WARNING: ALREADY_ENABLED: 443:tcp
2024-05-30 14:50:02 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="3.87.125.17" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
2024-05-30 17:31:32 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'

[shawniverson]

Mine shows the same. I have a few of the warnings in my log as well but they are old.

Do you have a client you can connect to ssh from that you don't mind getting blocked that you can test your fail2ban?

[tesme33]

Hi
i believe i found the issue.
I had under /etc/fail2ban/jail.d
2 .local files. And in the efa.local didnt have any maxretry,findtime,bantime in.
By adding these and renaming jail.local to jail.local.tmp it started working.

Now my question is which files should be in the directory and what would be the correct content.
Can anybody help and look in his/her installation.

Many thanks !

Content of directory

Code: Select all

[root@derb jail.d]# pwd
/etc/fail2ban/jail.d
[root@derb jail.d]# ls
00-firewalld.conf  efa.local  jail.local
[root@derb jail.d]#    

Original file:

Code: Select all

[root@derb jail.d]# more efa.local
[sshd]
enabled = true

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]

[mailwatch]
enabled = true
port    = http,https
logpath = /var/log/php-fpm/www-error.log

[shawniverson]

Can you share your config that is working? I believe the jail.local and efa.local are indeed duplicates with one that needs removed.

[tesme33]

Hi
below the information requested.
I currently assum that adding a .tmp to the jail.local prevents loading, but im not sure.

[root@derb ~]# fail2ban-client get sshd banned
['157.245.76.66', '82.197.58.234', '5.196.224.183', '43.154.162.100', '42.176.205.222', '80.94.95.81', '118.31.51.38']
[root@derb jail.d]# fail2ban-client get postfix-sasl banned
['80.94.95.242']
[root@derb jail.d]# fail2ban-client get mailwatch banned
[]


[root@derb ~]# cd /etc/fail2ban/jail.d/
[root@derb jail.d]# ls -l
insgesamt 12
-rw-r--r--. 1 root root 319 23. Feb 21:51 00-firewalld.conf
-rw-r--r--. 1 root root 215 9. Jul 18:01 efa.local
-rw-r--r--. 1 root root 183 31. Mai 16:53 jail.local.tmp

[root@derb jail.d]# more efa.local
[sshd]
enabled = true
maxretry = 4
findtime = 300
bantime = 3600

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]


[mailwatch]
enabled = true
port = http,https
logpath = /var/log/php-fpm/www-error.log
[root@derb jail.d]#

[tesme33]

HI
as im now running this config for some weeks i would like to confirm that this seems to solve the issue.

Code: Select all

[root@derb ~]# fail2ban-client  get sshd banned
['1.64.15.64', '167.71.205.80', '183.81.169.238']

Yours

[shawniverson]

HI
as im now running this config for some weeks i would like to confirm that this seems to solve the issue.

I pushed out an update to get rid of the duplicate configurations. Thanks for the help!