Note (October 20 2014): This post is outdated; please refer to the fail2ban 0.9 post for more up-to-date information.
fail2ban is a handy daemon that monitors log files to identify failed connection attempts and other kinds of attacks, and bans the offending IPs for a certain period of time.
Currently, fail2ban upstream is adding support for firewalld and the use of ipset, so some modifications to the stock config are needed.
First of all, install the needed packages. I add rsyslog because it's not included in the default Fedora 20 installation and it's needed to generate /var/log/secure. I hope fail2ban will some day support querying the journal directly.
# yum install ipset fail2ban rsyslog
# systemctl start rsyslog
We need to download the files firewallcmd-ipset.conf and firewallcmd-new.conf from upstream and add them to /etc/fail2ban/action.d.
Next, we configure the service, enabling for example the sshd jail. We create the file /etc/fail2ban/jail.local like this:
[sshd]
enabled = true
action = firewallcmd-ipset
There is a problem with the SELinux policy that blocks the execution of ipset by fail2ban (bug #1069640), so we fix it manually:
# semanage fcontext -a -t iptables_exec_t '/usr/sbin/ipset'
# restorecon -F -v /usr/sbin/ipset
Lastly, enable and run the service:
# systemctl enable fail2ban
# systemctl start fail2ban
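The steps above collected into one re-runnable script, as an added example that is not from the original post. The jail.local content and the SELinux workaround are the ones from the post; the upstream URL base for the two action files is a placeholder you must replace, and enabling rsyslog at boot (the post only starts it) is my addition so /var/log/secure keeps being written after a reboot. Run it as root with --apply; without that argument it only defines the functions.

```shell
#!/bin/bash
# Added example (not the post's own code): the Fedora 20 fail2ban +
# firewalld + ipset setup from the post as one idempotent script.
set -eu

JAIL_LOCAL="${JAIL_LOCAL:-/etc/fail2ban/jail.local}"
ACTION_DIR="${ACTION_DIR:-/etc/fail2ban/action.d}"
# PLACEHOLDER: the post says "download from upstream" without a URL;
# point this at the raw config/action.d directory of the fail2ban tree you trust.
UPSTREAM_BASE="${UPSTREAM_BASE:-https://UPSTREAM-PLACEHOLDER/config/action.d}"

# Emit the jail.local from the post: only the sshd jail, banning via ipset.
render_jail_local() {
    printf '%s\n' '[sshd]' 'enabled = true' 'action = firewallcmd-ipset'
}

# Write jail.local only when its content differs (idempotent).
# Returns 0 if the file was (re)written, 1 if it was already up to date.
write_jail_local() {
    local target="$1" tmp
    tmp="$(mktemp)"
    render_jail_local > "$tmp"
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$(dirname "$target")"
    install -m 0644 "$tmp" "$target"
    rm -f "$tmp"
    return 0
}

# Fetch the two firewallcmd action files the post asks for into action.d.
fetch_actions() {
    local f
    mkdir -p "$ACTION_DIR"
    for f in firewallcmd-ipset.conf firewallcmd-new.conf; do
        curl -fsSL -o "$ACTION_DIR/$f" "$UPSTREAM_BASE/$f"
    done
}

# SELinux workaround from the post (bug #1069640): label ipset so the
# fail2ban domain may execute it. Guarded so a second run does not fail
# on an already-defined fcontext rule.
fix_ipset_selinux() {
    if ! semanage fcontext -l | grep -q '^/usr/sbin/ipset[[:space:]]'; then
        semanage fcontext -a -t iptables_exec_t '/usr/sbin/ipset'
    fi
    restorecon -F -v /usr/sbin/ipset
}

setup_fail2ban() {
    yum -y install ipset fail2ban rsyslog
    systemctl enable rsyslog     # my addition: keep /var/log/secure after reboot
    systemctl start rsyslog
    fetch_actions
    write_jail_local "$JAIL_LOCAL" || true
    fix_ipset_selinux
    systemctl enable fail2ban
    systemctl start fail2ban
}

# Only touch the system when explicitly asked, so the functions can be
# sourced or tested without side effects.
if [ "${1:-}" = "--apply" ]; then
    setup_fail2ban
fi
```

Because `write_jail_local` compares before writing, the script can be kept in configuration management and re-run safely; after `--apply`, `journalctl -u fail2ban` should show the jail starting as in the excerpt below.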
We can monitor how it is working:
# journalctl -a -f -n1000 -u fail2ban
feb 27 11:24:47 localhost systemd[1]: Starting Fail2ban Service...
feb 27 11:24:47 localhost fail2ban-client[15797]: WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
feb 27 11:24:48 localhost fail2ban-client[15797]: 2014-02-27 11:24:48,076 fail2ban.server.server: INFO Starting Fail2ban v0.9.0a1
feb 27 11:24:48 localhost fail2ban-client[15797]: 2014-02-27 11:24:48,076 fail2ban.server.server: INFO Starting in daemon mode
feb 27 11:24:48 localhost fail2ban.server.server[15800]: INFO Changed logging target to SYSLOG for Fail2ban v0.9.0a1
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO Creating new jail 'sshd'
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO Jail 'sshd' uses pyinotify
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Set jail log file encoding to UTF-8
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO Initiated 'pyinotify' backend
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Added logfile = /var/log/secure
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Set maxRetry = 5
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Set jail log file encoding to UTF-8
feb 27 11:24:48 localhost fail2ban.server.actions[15800]: INFO Set banTime = 600
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Set findtime = 600
feb 27 11:24:48 localhost fail2ban.server.filter[15800]: INFO Set maxlines = 10
feb 27 11:24:48 localhost fail2ban.server.server[15800]: INFO Jail sshd is not a JournalFilter instance
feb 27 11:24:48 localhost fail2ban.server.jail[15800]: INFO Jail 'sshd' started
feb 27 11:24:48 localhost systemd[1]: Started Fail2ban Service.
feb 27 11:51:49 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
feb 27 12:01:50 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 133.242.12.50
feb 27 12:17:10 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 222.186.62.66
feb 27 12:27:11 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 222.186.62.66
feb 27 13:14:59 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
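Reading the Ban/Unban pairs by eye gets tedious once a jail has been running for a while, so here is an added helper (not from the original post) that reduces the journal to the set of IPs currently banned per jail, and a second one that lists what the kernel ipset actually contains so the two can be compared. The sample lines are constructed in the shape of the excerpt above (with one extra, made-up postfix entry to show the per-jail filter); the ipset name fail2ban-<jail> is assumed from the firewallcmd-ipset action, so check it with `ipset list -n` on your box.

```shell
#!/bin/bash
# Added example, not the post's own code: derive "currently banned" IPs
# from fail2ban's Ban/Unban journal lines, and compare with the live ipset.
# Usage: journalctl -u fail2ban --no-pager | current_bans sshd

# Read fail2ban log lines on stdin; print the IPs banned by jail $1 that
# were not unbanned afterwards, one per line, sorted.
current_bans() {
    jail="$1"
    awk -v jail="[$jail]" '
        # Only the actions logger emits the Ban/Unban lines, e.g.
        # ... fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
        $0 ~ /fail2ban\.server\.actions/ {
            for (i = 1; i < NF; i++) {
                if ($i == jail && $(i+1) == "Ban")   banned[$(i+2)] = 1
                if ($i == jail && $(i+1) == "Unban") delete banned[$(i+2)]
            }
        }
        END { for (ip in banned) print ip }
    ' | sort
}

# Members of the kernel ipset the firewallcmd-ipset action maintains.
# ASSUMPTION: the set is named fail2ban-<jail>; verify with `ipset list -n`.
live_bans() {
    ipset list "fail2ban-$1" | awk '/^Members:/ { m = 1; next } m { print $1 }' | sort
}

# Show IPs the journal says are banned but the ipset lacks (or vice versa);
# a non-empty result means the action failed, e.g. the SELinux denial above.
compare_bans() {
    jail="$1"
    journalctl -u fail2ban --no-pager | current_bans "$jail" > /tmp/journal-bans.$$
    live_bans "$jail" > /tmp/live-bans.$$
    comm -3 /tmp/journal-bans.$$ /tmp/live-bans.$$
    rm -f /tmp/journal-bans.$$ /tmp/live-bans.$$
}

# Constructed sample, shaped like the journal excerpt above, for a self-test.
SAMPLE_LOG='feb 27 11:51:49 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
feb 27 12:01:50 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 133.242.12.50
feb 27 12:17:10 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 222.186.62.66
feb 27 12:27:11 localhost fail2ban.server.actions[15800]: WARNING [sshd] Unban 222.186.62.66
feb 27 13:14:59 localhost fail2ban.server.actions[15800]: WARNING [sshd] Ban 133.242.12.50
feb 27 13:20:00 localhost fail2ban.server.actions[15800]: WARNING [postfix] Ban 198.51.100.7'

# Number of IPs the sample leaves banned in jail $1.
sample_ban_count() {
    printf '%s\n' "$SAMPLE_LOG" | current_bans "$1" | wc -l | tr -d ' '
}
```

On the sample, `current_bans sshd` yields only 133.242.12.50: it was banned, unbanned after the 600 s banTime, and banned again, while 222.186.62.66 has already been released. `compare_bans sshd` is the check to run when bans seem not to take effect, since a Ban line in the journal with no matching ipset member points at the action (for example the SELinux denial the post works around) rather than at the filter.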