Fail2Ban not working with Fedora-Server Edition



  • Re: [How to] Fail2ban on CentOS 7
    Are there any solutions to get fail2ban working successfully in Fedora-Server Edition?
    I mean I followed tutorials especially for Nextcloud but my fail2ban is not blocking at all.
    The last one I tried https://riegers.in/nextcloud-installation-guide-apache2/ is not working either.

    Did you guys have some solutions?



  • Fail2ban works for us by default. But NextCloud needs custom configuration. Are you having issues with Fail2ban on Fedora?



  • I also have Nextcloud based on Rieger's how-to guide and it works. I'm using this guide from him that uses Nginx instead of Apache.
    https://riegers.in/nextcloud-installation-guide-ubuntu-20-04/



  • My problem is that nothing is banned. Maybe no one is attacking my server? 😃
    @black3dynamite Yes I have the same setup from Riegers.

    It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

    Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?



  • @Woti said in Fail2Ban not working with Fedora-Server Edition:

    My problem is that nothing is banned. Maybe no one is attacking my server? 😃
    @black3dynamite Yes I have the same setup from Riegers.

    It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

    Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

    On Fedora, CentOS, and Red Hat, SELinux can sometimes cause issues.



  • Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?



  • @Woti said in Fail2Ban not working with Fedora-Server Edition:

    Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?

    You install it and turn it on

    sudo dnf install -y fail2ban
    sudo systemctl enable --now fail2ban
    

    You can see things with fail2ban-client

    sudo fail2ban-client status
    

    And specifics about a jail

    sudo fail2ban-client status sshd
    

    Beyond that, there is not any one "guide"

    You have to create jails that understand the application you are protecting.



  • I have now activated sshd and it works perfectly. But Nextcloud doesn't.
    What other jails do you use? What is recommended?

    sudo fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     13
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   77.16.71.32
    

    Nextcloud is missing matching Journal it looks like?

    sudo fail2ban-client status nextcloud
    Status for the jail: nextcloud
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    


  • @Woti said in Fail2Ban not working with Fedora-Server Edition:

    I have now activated sshd and it works perfectly. But Nextcloud doesn't.
    What other jails do you use? What is recommended?

    sudo fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     13
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   77.16.71.32
    

    Nextcloud is missing matching Journal it looks like?

    sudo fail2ban-client status nextcloud
    Status for the jail: nextcloud
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    

    Here's mine
    c4651f60-1bba-4a2a-9905-e9585c6685ce-image.png



  • /etc/fail2ban/filter.d/nextcloud.conf

    [Definition]
    failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
              ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
              ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
    

    /etc/fail2ban/jail.d/nextcloud.local

    [nextcloud]
    backend = auto
    enabled = true
    port = 80,443
    protocol = tcp
    filter = nextcloud
    maxretry = 5
    bantime = 36000
    findtime = 36000
    logpath = /var/nc_data/nextcloud.log
    
    [nginx-http-auth]
    enabled = true
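
    The filter and jail above can be checked offline before relying on them. This is an added example, not code from the thread or from fail2ban: it applies the third `failregex` verbatim with the jail's `maxretry` and `findtime` to constructed log lines, and the `HOST` pattern is a simplified stand-in assumed here for fail2ban's own `<HOST>` expansion.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Third failregex from the filter above, verbatim.
FAILREGEX = r'^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$'
# Assumption: simplified stand-in for fail2ban's real <HOST> expansion.
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'
# maxretry and findtime as set in the [nextcloud] jail above.
MAXRETRY, FINDTIME = 5, timedelta(seconds=36000)


def would_ban(lines, failregex=FAILREGEX):
    """Return the hosts that reach MAXRETRY failed logins within FINDTIME."""
    pattern = re.compile(failregex.replace('<HOST>', HOST))
    seen, banned = defaultdict(list), set()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # line is not a failed login, the filter ignores it
        when = datetime.fromisoformat(json.loads(line)['time'])
        # Keep only failures still inside the findtime window, then add this one.
        hits = [t for t in seen[m['host']] if when - t <= FINDTIME] + [when]
        seen[m['host']] = hits
        if len(hits) >= MAXRETRY:
            banned.add(m['host'])
    return banned


def sample_line(minute, ip, message):
    """Build a constructed Nextcloud-style JSON log line (not from the thread)."""
    return json.dumps({
        'reqId': 'constructed', 'level': 2,
        'time': f'2020-05-01T10:{minute:02d}:00+00:00',
        'remoteAddr': ip, 'user': '--', 'app': 'core',
        'method': 'POST', 'url': '/login', 'message': message,
    }, separators=(',', ':'))


# Constructed input: five failures from one address, three from another, one unrelated line.
SAMPLE = (
    [sample_line(i, '203.0.113.7', 'Login failed: admin (Remote IP: 203.0.113.7)') for i in range(5)]
    + [sample_line(i, '198.51.100.9', 'Login failed: bob (Remote IP: 198.51.100.9)') for i in range(3)]
    + [sample_line(9, '192.0.2.1', 'Some other warning')]
)

if __name__ == '__main__':
    print(would_ban(SAMPLE))
```

    On the server itself, `fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` runs the real filter against the real log and reports how many lines matched.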
    


  • nextcloud.conf is the same as yours. As well as the path.
    but I have no nextcloud.local. The same content as yours is in jail.local
    I'll try your solution.



  • Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
    My nextcloud.log file is in /var/log/nextcloud/nextcloud.log



  • @Woti said in Fail2Ban not working with Fedora-Server Edition:

    Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
    My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

    Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.

    sudo setenforce permissive
    


  • I used this command to give Apache and php-fpm read and write access to the logfile

    semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
    restorecon -Rv '/var/log/nextcloud/'
    

    But how to give fail2ban access through SELinux?
    Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
    Of course I can remove the above SELinux file context and issue:

    semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
    restorecon -Rv '/var/log/nextcloud/'
    

    This way I get read write access to the nextcloud logfile for fail2ban but not for Apache/php-fpm anymore.
    It is confusing.



  • Finally I got it to work 🙂
    I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
    I tried and my test-IPs were banned 🙂

