Re: HowTo test EFAv5
Posted: 08 Jun 2024 16:17
by shawniverson
iptables is disabled on EL9 derivatives by default...
My firewalld is showing things getting blocked by fail2ban. Keep in mind that just because there is an entry in the sqlite3 database, it may not be active in the firewall ruleset, because the entries do expire. I have a long list of IPs in the jail but only two at the moment that are actively being rejected.
rich rules:
rule family="ipv4" source address="47.236.91.134" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
Re: HowTo test EFAv5
Posted: 08 Jun 2024 17:57
by tesme33
Hi
Thanks for the hint.
As your "firewall-cmd --list-all" shows rich rules and mine does not, I would assume something is wrong on my side.
Can you check the following?
[root@derb ~]# fail2ban-client get sshd actions
The jail sshd has the following actions:
firewallcmd-rich-rules
and perhaps
[root@derb log]# firewall-cmd --get-active-zones
public
interfaces: eth0
Looks like something is strange here.
eth0 is my only interface, but I see the following.
[root@derb log]# more firewalld
2024-05-30 14:33:32 WARNING: ALREADY_ENABLED: ssh
2024-05-30 14:48:36 WARNING: ALREADY_ENABLED: 443:tcp
2024-05-30 14:50:02 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="3.87.125.17" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
2024-05-30 17:31:32 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="183.81.169.238" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
Re: HowTo test EFAv5
Posted: 08 Jun 2024 22:02
by shawniverson
Mine shows the same. I have a few of the warnings in my log as well but they are old.
Do you have a client you can connect to ssh from, one that you don't mind getting blocked, so you can test your fail2ban?
Re: HowTo test EFAv5
Posted: 09 Jul 2024 15:46
by tesme33
Hi
I believe I found the issue.
I had 2 .local files under /etc/fail2ban/jail.d, and efa.local didn't have any maxretry, findtime or bantime in it.
By adding these and renaming jail.local to jail.local.tmp, it started working.
Now my question is which files should be in the directory and what the correct content would be.
Can anybody help and look in his/her installation?
Many thanks!
Content of directory
[root@derb jail.d]# pwd
/etc/fail2ban/jail.d
[root@derb jail.d]# ls
00-firewalld.conf efa.local jail.local
[root@derb jail.d]#
Original file:
[root@derb jail.d]# more efa.local
[sshd]
enabled = true
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
[mailwatch]
enabled = true
port = http,https
logpath = /var/log/php-fpm/www-error.log
Re: HowTo test EFAv5
Posted: 11 Jul 2024 20:17
by shawniverson
Can you share your config that is working? I believe the jail.local and efa.local are indeed duplicates, one of which needs to be removed.
Re: HowTo test EFAv5
Posted: 12 Jul 2024 14:34
by tesme33
Hi
Below is the information requested.
I currently assume that adding a .tmp to jail.local prevents it from loading, but I'm not sure.
[root@derb ~]# fail2ban-client get sshd banned
['157.245.76.66', '82.197.58.234', '5.196.224.183', '43.154.162.100', '42.176.205.222', '80.94.95.81', '118.31.51.38']
[root@derb jail.d]# fail2ban-client get postfix-sasl banned
['80.94.95.242']
[root@derb jail.d]# fail2ban-client get mailwatch banned
[]
[root@derb ~]# cd /etc/fail2ban/jail.d/
[root@derb jail.d]# ls -l
insgesamt 12
-rw-r--r--. 1 root root 319 23. Feb 21:51 00-firewalld.conf
-rw-r--r--. 1 root root 215 9. Jul 18:01 efa.local
-rw-r--r--. 1 root root 183 31. Mai 16:53 jail.local.tmp
[root@derb jail.d]# more efa.local
[sshd]
enabled = true
maxretry = 4
findtime = 300
bantime = 3600
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
[mailwatch]
enabled = true
port = http,https
logpath = /var/log/php-fpm/www-error.log
[root@derb jail.d]#
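A small audit of the jail.d directory discussed in this thread, as an added example (not EFA's or fail2ban's own code): it applies fail2ban's load order (jail.d/*.conf sorted, then jail.d/*.local sorted; any other suffix is skipped) to constructed file contents, showing which file wins for each key of a jail defined twice and that a renamed .tmp file is simply never read. The bodies of 00-firewalld.conf, jail.local and jail.local.tmp are assumptions; the efa.local body follows the file posted above.

```python
import configparser
from collections import defaultdict

# Constructed jail.d contents modelled on the file names in the thread.
# The 00-firewalld.conf, jail.local and .tmp bodies are assumptions.
JAIL_D = {
    "00-firewalld.conf": "[DEFAULT]\nbanaction = firewallcmd-rich-rules\n",
    "efa.local": (
        "[sshd]\nenabled = true\n"
        "[postfix-sasl]\nenabled = true\nfilter = postfix[mode=auth]\n"
    ),
    "jail.local": "[sshd]\nenabled = true\nmaxretry = 4\nfindtime = 300\nbantime = 3600\n",
    "jail.local.tmp": "[sshd]\nenabled = true\nmaxretry = 99\n",
}

def load_order(names):
    """fail2ban reads jail.d/*.conf (sorted), then jail.d/*.local (sorted);
    any other suffix, such as .tmp, is never read."""
    confs = sorted(n for n in names if n.endswith(".conf"))
    locs = sorted(n for n in names if n.endswith(".local"))
    return confs + locs

def audit(files):
    """Return (ignored, duplicates, effective) for a dict name -> file text:
    names fail2ban will not load; jail -> files defining it (more than one);
    jail -> {key: (value, file that last set it)} after merging in order."""
    order = load_order(files)
    ignored = sorted(set(files) - set(order))
    defined_in = defaultdict(list)
    effective = defaultdict(dict)
    for name in order:
        # Treat [DEFAULT] as an ordinary section so its keys are not
        # copied into every jail while we track which file set what.
        part = configparser.RawConfigParser(default_section="__none__")
        part.read_string(files[name])
        for jail in part.sections():
            defined_in[jail].append(name)
            for key, value in part.items(jail):
                effective[jail][key] = (value, name)
    duplicates = {j: f for j, f in defined_in.items() if len(f) > 1}
    return ignored, duplicates, dict(effective)

if __name__ == "__main__":
    ignored, duplicates, effective = audit(JAIL_D)
    print("not loaded:", ignored)
    for jail, files in duplicates.items():
        print(f"{jail} is defined in {len(files)} files: {', '.join(files)}")
    for key, (value, src) in effective["sshd"].items():
        print(f"sshd {key} = {value}  (from {src})")
```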
Re: HowTo test EFAv5
Posted: 25 Jul 2024 20:09
by tesme33
Hi
As I'm now running this config for some weeks, I would like to confirm that this seems to solve the issue.
[root@derb ~]# fail2ban-client get sshd banned
['1.64.15.64', '167.71.205.80', '183.81.169.238']
Yours
Re: HowTo test EFAv5
Posted: 27 Jul 2024 12:09
by shawniverson
tesme33 wrote: 25 Jul 2024 20:09
Hi
As I'm now running this config for some weeks, I would like to confirm that this seems to solve the issue.
I pushed out an update to get rid of the duplicate configurations. Thanks for the help!