Linux – fail2ban doesn’t add IPs to ipset (firewalld)

Tags: centos7, fail2ban, firewalld, linux, ssh

For some reason I cannot figure out, Fail2Ban refuses to add IP addresses to ipset/firewalld.

I'm being brute-forced by a Chinese IP address. Fail2Ban does seem to actually attempt to ban it (at least it shows up in the fail2ban-client status sshd command), but it doesn't actually stop the brute-forcing of the server, and the address doesn't show up in ipset/iptables/firewalld.

fail2ban-client status sshd:

[root@GITserver alex]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 93613
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned: 2
   |- Total banned: 1003
   `- Banned IP list:   61.177.172.17 95.103.88.106

ipset/firewalld:

[root@GITserver alex]# ipset list
[root@GITserver alex]# firewall-cmd --direct --get-all-rules
[root@GITserver alex]#

Any ideas? More logs can be added on request.

Edit: still no solution, still being brute-forced and DDoS'd. Here's the complete /var/log/fail2ban.log if it may help: https://paste.fedoraproject.org/paste/Y5aPF8~WY~fpuhaZBDo7Ml5M1UNdIGYhyRLivL9gydE=/raw (warning: 11 MB)

Any suggestion would be very much appreciated. Still under attack.

Edit 2: Looking at the logs, it still seemed to use iptables, even though /etc/fail2ban/jail.d/00-firewalld.conf defined banaction=firewallcmd-ipset. I edited the main jail.conf to fix this, but it changed nothing. You can see the output after the reload in the log above.

Best Answer

I have spent an absolute age trying to get this working today on a VPS (CentOS Linux 7.6.1810) with fail2ban installed through Virtualmin.

In my situation, Fail2Ban was working correctly according to its logs:

tail -f /var/log/fail2ban.log

It was correctly recording decisions to ban; however, these were not being turned into firewalld rules. Having read through all of the comments on the answer posted by Moshe and tried three of the solutions there without success, I found that the solution by Geraden07 on a GitHub discussion linked from that forum post worked on CentOS.

1. Create a new action rule (/etc/fail2ban/action.d/custom-firewalld.conf)

[INCLUDES]
before  =

[Definition]
# Nothing to set up or tear down per jail: the drop zone already exists in firewalld.
actionstart =
actionstop =
# Left empty, so no sanity check runs before each ban/unban.
actioncheck =

# Strip every <source address=.../> entry from the permanent drop zone file
# (only the on-disk config; the runtime zone is untouched until a reload).
actionflush = sed -i '/<source address=/d' /etc/firewalld/zones/drop.xml
# Move the offending IP into the drop zone, in both the runtime and the permanent config.
actionban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent
# Take it out again; the trailing "|| echo 0" keeps the unban from failing if the source is already gone.
actionunban = firewall-cmd --remove-source=<ip> --zone=drop && firewall-cmd --remove-source=<ip> --zone=drop --permanent || echo 0

[Init]

2. Create/update jail config to use this new rule as the default (/etc/fail2ban/jail.local)

[DEFAULT]
banaction = custom-firewalld

3. Update any jails that override the default to use the new rule if needed

I have tested this for banning and unbanning and it is the only thing that has worked for me.
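The symptom in the question (fail2ban-client status reports "Currently banned: 2" while ipset list and the firewalld direct rules are empty) is exactly the gap this check is meant to catch: the status command only reports fail2ban's own bookkeeping, not what reached the firewall. The script below is an added example, not part of the question or the answer above; it assumes the jail is named sshd and that bans land in the drop zone (as with the custom action) or in an ipset (as with firewallcmd-ipset), and the awk filter for ipset members is a heuristic that keys on lines starting with an IPv4 address.

```shell
#!/bin/sh
# Added example: compare the IPs fail2ban believes it has banned with the
# sources that actually reached firewalld/ipset, and report any that are missing.
# Assumptions: jail "sshd", bans in zone "drop"; override JAIL/ZONE in the
# environment for other setups.

JAIL="${JAIL:-sshd}"
ZONE="${ZONE:-drop}"

# Extract the space-separated "Banned IP list" from `fail2ban-client status`
# output (passed in $1) and print it.
banned_from_status() {
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# Normalise a whitespace-separated address list: one per line, any /32
# suffix (firewalld may print it) dropped, blanks removed, sorted and unique.
normalise_ips() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -e 's#/32$##' -e '/^$/d' | sort -u
}

# Print every IP in $1 (fail2ban's view) that is absent from $2 (the
# firewall's view), one per line. Empty output means the two agree.
missing_bans() {
    want=$(normalise_ips "$1")
    have=" $(normalise_ips "$2" | tr '\n' ' ') "
    for ip in $want; do
        case "$have" in
            *" $ip "*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Live check on a real host: needs root, fail2ban-client and firewall-cmd.
check_jail() {
    status=$(fail2ban-client status "$JAIL") || return 2
    fw=$(firewall-cmd --zone="$ZONE" --list-sources)
    # With the firewallcmd-ipset action the bans live in an ipset instead;
    # its member lines in `ipset list` begin with the banned address.
    sets=$(ipset list 2>/dev/null | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {print $1}')
    gap=$(missing_bans "$(banned_from_status "$status")" "$fw $sets")
    if [ -n "$gap" ]; then
        printf 'Banned in fail2ban but not in the firewall:\n%s\n' "$gap"
        return 1
    fi
    echo "All fail2ban bans for $JAIL are present in the firewall"
}

# Only run the live check where the tools actually exist.
if command -v fail2ban-client >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1; then
    check_jail
fi
```

Run it as root after a reload; a non-empty "Banned in fail2ban but not in the firewall" list means the banaction in effect is not the one you think it is, which is the point at which to check which of jail.conf, jail.d/*.conf and jail.local is winning.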