    [How to] Fail2ban on CentOS 7

      nadnerB

      Well, I've just tried it and I received an error when checking the status using fail2ban-client status sshd
      ERROR NOK: ('sshd',)
      Sorry, but the Jail 'sshd' does not exist

       
      This might just be due to my inexperience but I didn't receive any errors before that.
      Any ideas?

        A Former User @nadnerB

        @nadnerB It means the jail isn't set up. Go back over the text files you made with Vi in step 7 and step 5.

          nadnerB @A Former User

          Thanks @thecreativeone91
          A few quick edits of enable --> enabled and a restart of the service(?) and it's good to go.

            A Former User @nadnerB

            I wrote a script to do this.

            #!/bin/bash
            
            # CentOS7 Fail2Ban Install and Configure Script
            
            # fail2ban is packaged in EPEL, so the repository must be installed
            # before yum can resolve the fail2ban package.
            yum install -y epel-release
            yum install -y fail2ban checkpolicy policycoreutils-python firewalld
            
            # Enable the sshd jail (the key is "enabled").
            cat > /etc/fail2ban/jail.local << 'EOF'
            [sshd]
            enabled = true
            EOF
            
            # SELinux policy module source: lets fail2ban_t read directories and
            # files labelled syslogd_var_run_t.
            cat > fail2ban-syslog.te << 'EOF'
            module fail2ban-syslog 1.0;
            
            require {
            type syslogd_var_run_t;
            type fail2ban_t;
            class dir read;
            class file read;
            class file open;
            class file getattr;
            }
            
            #============= fail2ban_t ==============
            allow fail2ban_t syslogd_var_run_t:dir read;
            allow fail2ban_t syslogd_var_run_t:file read;
            allow fail2ban_t syslogd_var_run_t:file open;
            allow fail2ban_t syslogd_var_run_t:file getattr;
            EOF
            
            # Compile, package and install the policy module.
            checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
            semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
            semodule -i fail2ban-syslog.pp
            
            # Start fail2ban now and on every boot.
            systemctl start fail2ban
            
            systemctl enable fail2ban
            
            # Confirm that the sshd jail was loaded.
            fail2ban-client status sshd
            
            echo Done!
            

            Anything I missed?

              Danp @A Former User

              @Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?

                Danp

                Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

                  A Former User @Danp

                  @Danp said:

                  Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

                  I don't think Fail2ban likes log rotate.

                    Danp @A Former User

                    @thecreativeone91 said:

                    I don't think Fail2ban likes log rotate.

                    Looks that way. I found this, but it's for an older version of both F2B and CentOS.

                      Danp

                      Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.

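The behaviour described in the posts above (the log goes quiet after a rotation, and copytruncate brings it back) is what happens when a process keeps its log file open while the file is renamed under it. The following is an added example, not part of any post in this thread; it models the daemon with a file descriptor on a temporary file, and rotate_demo is a hypothetical helper.

```bash
#!/bin/bash
# Added example: rename-style rotation versus copytruncate, seen from a
# process that opened its log once and never reopens it.
# Uses a temporary directory, not the real /var/log/fail2ban.log.

# rotate_demo MODE -> prints how many lines the live log path holds after a
# rotation followed by one more write through the already-open descriptor.
rotate_demo() {
    local mode=$1 dir log
    dir=$(mktemp -d) || return 1
    log="$dir/fail2ban.log"

    exec 3>>"$log"                 # the "daemon" opens its log in append mode
    echo "before rotation" >&3

    case $mode in
        rename)                    # move the file away, create a fresh one
            mv "$log" "$log.1"
            : > "$log" ;;
        copytruncate)              # copy the contents, truncate the original in place
            cp "$log" "$log.1"
            : > "$log" ;;
        *) exec 3>&-; rm -rf "$dir"; return 2 ;;
    esac

    echo "after rotation" >&3      # same descriptor, no reopen
    exec 3>&-

    wc -l < "$log" | tr -d ' '     # lines that reached the path an admin tails
    rm -rf "$dir"
}

echo "rename:       $(rotate_demo rename) line(s) in the live log"
echo "copytruncate: $(rotate_demo copytruncate) line(s) in the live log"
```

With a rename the new line lands in the rotated file because the descriptor follows the old inode. copytruncate avoids that but can lose lines written between the copy and the truncate.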
                        Sparkum

                        When I do

                        fail2ban-client status sshd

                        I get

                        [root@dc fail2ban]# fail2ban-client status sshd
                        ERROR NOK: ('sshd',)
                        Sorry but the jail 'sshd' does not exist

                        When I check the audit logs I get logs....

                          Danp @Sparkum

                          @Sparkum What do you get when you enter the following?:

                          fail2ban-client status
                          
                            Sparkum @Danp

                            @Danp

                            [root@dc fail2ban]# fail2ban-client status
                            Status
                            |- Number of jail: 0
                            `- Jail list:

                              Danp

                              Did you follow the steps and create the jail.local file?

                                Sparkum @Danp

                                @Danp

                                Yep

                                fail.PNG

                                  Sparkum

                                  Noticed the problem happened below.

                                  Changed "enabled" to "enable" and looks like it works.

                                  Status for the jail: sshd
                                  |- Filter
                                  |  |- Currently failed: 0
                                  |  |- Total failed: 0
                                  |  `- File list: /var/log/secure
                                  `- Actions
                                     |- Currently banned: 0
                                     |- Total banned: 0
                                     `- Banned IP list:

                                  Much appreciated thanks

                                    Danp @Sparkum

                                    @Sparkum That's strange, b/c I believe "enabled" is the correct entry.

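The enable / enabled mix-up that comes up twice in this thread can be checked for before restarting the service. The following is an added example, not part of any post above; check_jails and sample_conf are hypothetical helpers and the sample file is constructed. It reads a single file only and does not merge jail.conf or jail.d/.

```bash
#!/bin/bash
# Added example (not from the thread): report which jails a jail.local-style
# file enables and flag the "enable" misspelling. Reads one file only.
# check_jails [FILE] -> one "name: verdict" line per jail section (stdin if no FILE).
check_jails() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments and blanks
        /^[ \t]*\[[^]]+\]/ {                          # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
            next
        }
        sec != "" && index($0, "=") {                 # key = value inside a section
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") state[sec] = tolower(val)
            else if (key == "enable") typo[sec] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "DEFAULT" || s == "INCLUDES") continue
                if (state[s] ~ /^(true|yes|on|1)$/) r = "enabled"
                else if (s in typo) r = "found \"enable\"; the option fail2ban reads is \"enabled\""
                else r = "not enabled in this file"
                print s ": " r
            }
        }
    ' "${1:--}"
}

# Constructed sample input: one jail with the typo, one spelled correctly.
sample_conf() {
    cat <<'EOF'
[DEFAULT]
bantime = 600

[sshd]
enable = true

[dovecot]
enabled = true
EOF
}

sample_conf | check_jails
```

Against a real system it would be run as check_jails /etc/fail2ban/jail.local, followed by fail2ban-client status to confirm the jail list.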