Configure fail2ban in Fedora 20 to use firewall-cmd and ipset

Note (October 20 2014): This post is outdated; please refer to the post fail2ban 0.9 for more up-to-date information.

fail2ban is a handy daemon that monitors log files to identify failed connection attempts and other kinds of attacks, and bans the offending IPs for a certain period of time.

Currently, fail2ban upstream is adding support for firewalld and for the use of ipset, so some modifications to the stock configuration are needed.

First of all, install the needed packages. I add rsyslog because it is not included in the default Fedora 20 installation and it is needed to generate /var/log/secure, which is the file the sshd jail reads. I hope fail2ban will some day support querying the journal directly.

# yum install ipset fail2ban rsyslog
# systemctl start rsyslog

We need to download the files firewallcmd-ipset.conf and firewallcmd-new.conf from upstream and put them in /etc/fail2ban/action.d

Next, we configure the service, enabling, for example, the sshd jail. We create the file /etc/fail2ban/jail.local with:

[sshd]
enabled = true
action = firewallcmd-ipset

There is a problem with the SELinux policy that blocks the execution of ipset by fail2ban (bug #1069640), so we fix the file context of the ipset binary manually:

# semanage fcontext -a -t iptables_exec_t '/usr/sbin/ipset'
# restorecon -F -v /usr/sbin/ipset

Lastly, enable and run the service:

# systemctl enable fail2ban
# systemctl start fail2ban
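As an added example (not code from the original post), here is the whole procedure above as one script, with a verification step at the end. It writes the jail.local from the post plus the settings a practitioner normally adds before enabling a jail: an ignoreip list so the host you administer from can never be banned, and explicit bantime/findtime/maxretry instead of the shipped defaults (600 s ban, 600 s window, 5 retries, as the journal output further down shows). The function names, the ADMIN_NET variable and the --apply switch are assumptions of this example; the yum, semanage, restorecon and systemctl commands are the ones from the post.

```sh
#!/bin/sh
# Added example, not code from the original post: the Fedora 20 procedure
# above as one script, with a verification step at the end.
# Paths are the ones used in the post; ADMIN_NET and the --apply switch are
# assumptions of this example.

JAIL_LOCAL=${JAIL_LOCAL:-/etc/fail2ban/jail.local}
ACTION_DIR=${ACTION_DIR:-/etc/fail2ban/action.d}

# Write jail.local: the two lines from the post plus a [DEFAULT] section.
# ignoreip keeps the addresses you administer from out of the ban set (the
# filter matches your own typos too); bantime/findtime/maxretry are set
# explicitly instead of relying on the defaults visible in the journal
# output (600 s ban, 600 s window, 5 retries).
#   $1 = destination file, $2 = space-separated ignoreip list
render_jail_local() {
    dest=$1
    ignore=${2:-127.0.0.1/8}
    cat > "$dest" <<EOF
[DEFAULT]
# addresses that are never banned (ASSUMED: replace with your own networks)
ignoreip = $ignore
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
action  = firewallcmd-ipset
EOF
}

# Refuse to restart the daemon on a jail.local that would silently do
# nothing: the sshd jail must be enabled and must name the ipset action.
check_jail_local() {
    f=$1
    grep -q '^\[sshd]' "$f" &&
    grep -q '^enabled *= *true' "$f" &&
    grep -q '^action *= *firewallcmd-ipset' "$f"
}

# The privileged steps from the post; run only with --apply, as root.
apply() {
    yum -y install ipset fail2ban rsyslog
    systemctl start rsyslog
    # the two upstream action files have to be in place before fail2ban starts
    for a in firewallcmd-ipset.conf firewallcmd-new.conf; do
        [ -f "$ACTION_DIR/$a" ] || {
            echo "missing $ACTION_DIR/$a; download it from upstream first" >&2
            return 1
        }
    done
    render_jail_local "$JAIL_LOCAL" "127.0.0.1/8 ${ADMIN_NET:-}"
    check_jail_local "$JAIL_LOCAL" || return 1
    # SELinux: allow fail2ban to execute ipset (bug #1069640)
    semanage fcontext -a -t iptables_exec_t '/usr/sbin/ipset'
    restorecon -F -v /usr/sbin/ipset
    systemctl enable fail2ban
    systemctl restart fail2ban
    # verify: the jail is running, the ipset exists, firewalld has the direct rule
    fail2ban-client status sshd
    ipset list
    firewall-cmd --direct --get-all-rules
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Without --apply the script only defines the functions, so you can source it and call render_jail_local on a scratch path to review the result first. Note that semanage fcontext -a fails if the mapping already exists; on a second run check with semanage fcontext -l | grep ipset before adding it again.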

We can monitor how it is working:

# journalctl -a -f -n1000 -u fail2ban

feb 27 11:24:47 localhost systemd[1]: Starting Fail2ban Service...
feb 27 11:24:47 localhost fail2ban-client[15797]: WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
feb 27 11:24:48 localhost fail2ban-client[15797]: 2014-02-27 11:24:48,076 fail2ban.server.server: INFO   Starting Fail2ban v0.9.0a1
feb 27 11:24:48 localhost fail2ban-client[15797]: 2014-02-27 11:24:48,076 fail2ban.server.server: INFO   Starting in daemon mode
feb 27 11:24:48 localhost fail2ban.server.server[15800]: INFO   Changed logging target to SYSLOG for Fail2ban v0.9.0a1
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO   Creating new jail 'sshd'
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO   Jail 'sshd' uses pyinotify
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Set jail log file encoding to UTF-8
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO   Initiated 'pyinotify' backend
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Added logfile = /var/log/secure
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Set maxRetry = 5
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Set jail log file encoding to UTF-8
feb 27 11:24:48 localhost fail2ban.server.actions[15800]: INFO   Set banTime = 600
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Set findtime = 600
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO   Set maxlines = 10
feb 27 11:24:48 localhost fail2ban.server.server[15800]: INFO   Jail sshd is not a JournalFilter instance
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO   Jail 'sshd' started
feb 27 11:24:48 localhost systemd[1]: Started Fail2ban Service.
feb 27 11:51:49 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
feb 27 12:01:50 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 133.242.12.50
feb 27 12:17:10 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 222.186.62.66
feb 27 12:27:11 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 222.186.62.66
feb 27 13:14:59 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
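To make sense of the Ban/Unban lines above, here is an added example (not from the original post) that summarises them per address: how many times each IP was banned and whether its last event was a ban, i.e. whether it should still be in the ipset. The sample input is the five Ban/Unban lines from the journal output above; the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise the Ban/Unban
# lines fail2ban writes to the journal. Function names are assumptions of
# this example; the log format is the one shown above.

# Sample input: the five Ban/Unban lines from the journal output in the post.
SAMPLE='feb 27 11:51:49 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
feb 27 12:01:50 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 133.242.12.50
feb 27 12:17:10 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 222.186.62.66
feb 27 12:27:11 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 222.186.62.66
feb 27 13:14:59 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50'

# ban_summary: journal lines on stdin -> one line per (jail, ip):
#   <jail> <ip> <ban count> <banned|unbanned>
# Only the last three fields are inspected ("[sshd] Ban 1.2.3.4"), so the
# syslog/journal prefix in front of them does not matter. Sorted by ban
# count descending: repeat offenders first.
ban_summary() {
    awk '
        $(NF-1) == "Ban" || $(NF-1) == "Unban" {
            jail = $(NF-2); gsub(/\[|\]/, "", jail)
            key = jail " " $NF
            if ($(NF-1) == "Ban") { bans[key]++; state[key] = "banned" }
            else                  { state[key] = "unbanned" }
        }
        END { for (k in bans) print k, bans[k], state[k] }
    ' | sort -k3,3nr -k2,2
}

# currently_banned: addresses whose last event was a Ban, i.e. what should
# be in the ipset right now. Compare with "ipset list" to verify the action
# really blocks traffic instead of only logging.
currently_banned() {
    ban_summary | awk '$4 == "banned" { print $2 }'
}

# stand-alone run on the sample; on a live host use
#   journalctl -u fail2ban --no-pager | ban_summary
printf '%s\n' "$SAMPLE" | ban_summary
```

On the sample this reports 133.242.12.50 banned twice and still banned, and 222.186.62.66 banned once and released; an address that keeps coming back after every 600 s unban is the case to address with a longer bantime rather than the default.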