Thanks for that! The Wiki article proved very useful.
Essentially it boils down to the fact that I should have an
/etc/fail2ban/jail.d/00-firewalld.conf file containing:
[DEFAULT]
banaction = firewallcmd-ipset
Well, it seems that I already had this (I guess this is now included in
the default Fedora 27 install; I installed F2b using DNF), but I had
inadvertently overridden this with a line in each of my jails (which I
copied from my old F18 install).
In these, I had the line:
action = iptables[name=Scriptkiddies]
I have commented this out so that it now uses the default
banaction = firewallcmd-ipset
However, I am concerned that there is still something wrong. Restarting
F2B seemed OK, but as soon as the first actual ban came in I got an
email confirming the ban - but this was in the logs:
2018-05-22 20:05:47,785 fail2ban.jail [12652]: INFO Creating new
jail 'scriptkiddies'
2018-05-22 20:05:47,786 fail2ban.jail [12652]: INFO Jail
'scriptkiddies' uses poller {}
2018-05-22 20:05:47,786 fail2ban.jail [12652]: INFO Initiated
'polling' backend
2018-05-22 20:05:47,789 fail2ban.filter [12652]: INFO Added logfile:
'/var/log/httpd/access_log' (pos = 69538, hash =
4a5057ee8cc9529ef4ef7388427ac0806c7c71b1)
2018-05-22 20:05:47,789 fail2ban.filter [12652]: INFO encoding:
UTF-8
2018-05-22 20:05:47,790 fail2ban.filter [12652]: INFO maxRetry: 5
2018-05-22 20:05:47,790 fail2ban.filter [12652]: INFO findtime: 600
2018-05-22 20:05:47,790 fail2ban.actions [12652]: INFO banTime: 3600
2018-05-22 20:05:47,805 fail2ban.jail [12652]: INFO Jail
'modsec_Ban' started
2018-05-22 20:05:47,862 fail2ban.jail [12652]: INFO Jail
'scriptkiddies' started
2018-05-22 20:29:35,035 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:29:35,035 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:29:34
2018-05-22 20:29:35,038 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:29:35,038 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:29:34
2018-05-22 20:29:35,826 fail2ban.actions [12652]: NOTICE [modsec_Ban]
Ban 92.242.132.24
2018-05-22 20:29:36,497 fail2ban.utils [12652]: Level 39 7fe4e8f81270
-- exec: ipset create f2b-modsec_Ban hash:ip timeout 172800
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport
--dports http, https -m set --match-set f2b-modsec_Ban src -j REJECT
--reject-with icmp-port-unreachable
2018-05-22 20:29:36,498 fail2ban.utils [12652]: ERROR 7fe4e8f81270
-- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m'
2018-05-22 20:29:36,498 fail2ban.utils [12652]: ERROR 7fe4e8f81270
-- returned 13
2018-05-22 20:29:36,498 fail2ban.actions [12652]: ERROR Failed to
execute ban jail 'modsec_Ban' action 'firewallcmd-ipset' info
'ActionInfo({'ip': '92.242.132.24', 'family': 'inet4', 'ip-rev':
'24.132.242.92.', 'ip-host': 'unallocated.barefruit.co.uk', 'fid':
'92.242.132.24', 'failures': 2, 'time': 1527017374, 'matches': 'Message: Rule
558d1e594040 [id "942360"][file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line
"451"] - Execution error - PCRE limits exceeded (-8): (null).\nApache-Error:
[file "apache2_util.c"] [line 273] [level 3] [client 12.34.567.890]
ModSecurity: Rule 558d1e594040 [id "942360"][file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line
"451"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
"www.mydomain.com"] [uri "/roundcubemail/"] [unique_id
"WwRvnhHUK0iyz3Hb9Z382gAAAEk"]', 'restored': 0, 'F-*': {'matches': [('Message:
Rule 558d1e594040 [id "942360"][file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line
"451"] - Execution error - PCRE limits exceeded (-8): (null).', '', ''),
'Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client
12.34.567.890] ModSecurity: Rule 558d1e594040 [id "942360"][file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line
"451"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
"www.mydomain.com"] [uri "/roundcubemail/"] [unique_id
"WwRvnhHUK0iyz3Hb9Z382gAAAEk"]'], 'failures': 2, 'dns': 'Execution'},
'ipmatches': 'Message: Rule 560021b2d570 [id "942360"][file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line
"451"] - Execution error - PCRE limits exceeded
...snip (many more similar lines) ...
[unique_id "WwRvnhHUK0iyz3Hb9Z382gAAAEk"]', 'ipfailures': 2946,
'ipjailfailures': 2})': Error starting action
Jail('modsec_Ban')/firewallcmd-ipset
2018-05-22 20:30:35,129 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:30:35,129 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:30:34
2018-05-22 20:30:35,131 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:30:35,131 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:30:34
2018-05-22 20:30:35,494 fail2ban.actions [12652]: WARNING [modsec_Ban]
92.242.132.24 already banned
2018-05-22 20:31:35,223 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:31:35,223 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:31:34
2018-05-22 20:31:35,225 fail2ban.ipdns [12652]: WARNING Determined IP
using DNS Lookup: Execution = ['92.242.132.24']
2018-05-22 20:31:35,225 fail2ban.filter [12652]: INFO [modsec_Ban]
Found 92.242.132.24 - 2018-05-22 20:31:34
2018-05-22 20:31:35,563 fail2ban.actions [12652]: WARNING [modsec_Ban]
92.242.132.24 already banned
... snip (many more similar lines) ...
What's gone wrong?
Thanks for all the help so far!
Mark
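Two settings in this thread decide what fail2ban actually runs on a ban: a per-jail `action =` line silently wins over the `banaction` that jail.d/00-firewalld.conf puts in [DEFAULT], and whatever is in `port =` is passed straight through into the `--dports` argument of the logged firewall-cmd command (which above reads `--dports http, https`). The script below is an added audit example, not code from fail2ban or from this thread; it parses a constructed jail config modelled on the post (jail and action names taken from the log above, file paths assumed) and reports jails whose action overrides the default banaction and port lists that contain whitespace. Whether the whitespace is the cause of the COMMAND_FAILED on this particular box is not something the post settles; the check only flags it as worth looking at.

```python
"""Audit a fail2ban jail configuration for two things that decide the ban
command: a per-jail `action =` overriding the DEFAULT `banaction`, and a
`port =` list containing whitespace (passed through verbatim to --dports).
Added example; not part of fail2ban or of the original post."""
import configparser
import re

# Constructed sample mirroring the configuration described in the post:
# [DEFAULT] carries the banaction that jail.d/00-firewalld.conf would set,
# one copied jail keeps its old `action = iptables[...]` line, and the
# other has a port list with a space in it.  Paths are assumed.
SAMPLE_JAIL_CONF = """
[DEFAULT]
banaction = firewallcmd-ipset
bantime = 3600
findtime = 600
maxretry = 5

[scriptkiddies]
enabled = true
port = http,https
logpath = /var/log/httpd/access_log
action = iptables[name=Scriptkiddies]

[modsec_Ban]
enabled = true
port = http, https
logpath = /var/log/httpd/error_log
"""

# Leading action name: either a %(var)s reference or a bare name before any [...]
ACTION_NAME_RE = re.compile(r"^\s*(%\(\w+\)s|[A-Za-z0-9_.-]+)")


def load_jail_conf(text):
    # fail2ban uses %(name)s interpolation; disable it so raw values survive.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def explicit_options(cfg, jail):
    """Options set in the jail's own section (values that differ from DEFAULT)."""
    defaults = cfg.defaults()
    return {k: v for k, v in cfg.items(jail, raw=True)
            if k not in defaults or defaults[k] != v}


def effective_banaction(cfg, jail):
    """Return (action name fail2ban will run, True if it overrides banaction).

    An explicit `action` in the jail section takes precedence over the
    `banaction` inherited from [DEFAULT]; `%(banaction)s[...]` still honours it.
    """
    own = explicit_options(cfg, jail)
    default_name = cfg.get(jail, "banaction")
    if "action" not in own:
        return default_name, False
    m = ACTION_NAME_RE.match(own["action"])
    name = m.group(1) if m else own["action"].strip()
    if name == "%(banaction)s":
        return default_name, False
    return name, True


def audit(cfg):
    """List (jail, finding) pairs for every enabled-or-not jail in the config."""
    findings = []
    for jail in cfg.sections():
        name, overridden = effective_banaction(cfg, jail)
        if overridden:
            findings.append((jail, "action '%s' overrides DEFAULT banaction '%s'"
                             % (name, cfg.get(jail, "banaction"))))
        port = cfg.get(jail, "port", fallback="").strip()
        if re.search(r"\s", port):
            findings.append((jail, "port list %r contains whitespace; "
                                   "it is passed verbatim to --dports" % port))
    return findings


if __name__ == "__main__":
    for jail, finding in audit(load_jail_conf(SAMPLE_JAIL_CONF)):
        print("[%s] %s" % (jail, finding))
```

To run it against a live host, replace `SAMPLE_JAIL_CONF` with the concatenated contents of jail.conf, jail.local and the jail.d/*.conf files in the order fail2ban reads them; the override detection only needs the merged [DEFAULT] and the per-jail sections.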
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users