How to install Fail2Ban on CentOS. Fail2Ban is an alternative to the CSF firewall software: it continuously monitors log files and bans IPs that show malicious signs, such as too many login errors or probing for exploits.
I have CentOS 7 with firewalld. I installed fail2ban and am using the firewallcmd-new action. I am seeing bans in the fail2ban logs, and I want to check in firewall-cmd if they are blocked. How can I do it?
giorgio79
2 Answers
First, I strongly recommend that you use

    banaction = firewallcmd-ipset

as this will provide much better performance when the ban list starts getting large. Now, with any of fail2ban's firewalld actions, it will add a direct rule, which you can inspect with:

    firewall-cmd --direct --get-all-rules

As you can see, I am using firewallcmd-ipset, so the actual banned IP addresses are not listed here. Instead, I find them with:

    ipset list

Michael Hampton♦
Details here: https://fedoraproject.org/wiki/FirewallD#Which_zones_are_available.3F
- List all zones with the enabled features:

    firewall-cmd --list-all-zones

- Print a zone with the enabled features. If the zone is omitted, the default zone will be used:

    firewall-cmd [--zone=<zone>] --list-all

If the above commands are not displaying enough info, you can try:

- iptables Direct Interface (quoted from: Introduction to FirewallD on CentOS)

For the most advanced usage, or for iptables experts, FirewallD provides a direct interface that allows you to pass raw iptables commands to it. Direct Interface rules are not persistent unless --permanent is used.

To see all custom chains or rules added to FirewallD:

    firewall-cmd --direct --get-all-chains
    firewall-cmd --direct --get-all-rules
I'm running CentOS 7, all fully updated, and am trying to get Fail2Ban to work, but I'm running into problems.
Specifically, I'm trying to block brute force SSH attacks. I'm pretty sure I've set up everything right – enabled the sshd jail in jail.local, using firewallcmd-ipset as the ban action, definitely using Firewalld, not using SELinux. But when I start Fail2Ban, here's what's in /var/log/fail2ban.log:

As you'll note, everything runs smoothly until firewall-cmd is tried. The commands it's trying to run are:

    ipset create fail2ban-sshd hash:ip timeout 86400

followed by

    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable

If I try to run those myself, the ipset command works fine, but the firewall-cmd one returns with Error: COMMAND_FAILED. So, I'm guessing it's a problem with the command that Fail2Ban is trying to send to firewall-cmd – but I don't know enough about Firewalld to fix it. (Oh, SSH is on port 44 because I've found that it massively reduces drive-by attacks, so let's not get into the pros and cons of that!

Also, systemctl status fail2ban shows everything to be running smoothly, no problems reported there. I only noticed this when I logged in and saw that there'd been a bunch of failed login attempts, which is rare what with the port change and all. Finally, uname -r returns 3.10.0-229.14.1.el7.centos.plus.x86_64 so I'm fairly sure it's not the OpenVZ problem which I've seen as a cause of this elsewhere.)

JoLoCo
1 Answer
From faqforge.com: https://www.faqforge.com/linux/how-to-use-iptables-on-centos-7/
Centos 7 replaced the traditional IPTables Linux Kernel Firewall with the Firewalld service. There are still a lot of scripts available that require the use of IPTables. A common example is the software Fail2ban.
So try stopping firewalld (systemctl stop firewalld), install iptables (yum install iptables-services) and run systemctl start iptables. Then set the banaction in jail.local like this:

and then restart.

Luis Díaz