I fixed my problem by adding:
banaction = firewallcmd-ipset
in the [DEFAULT] section of jail.local
I have to assume that versions prior to fail2ban 0.11.1-9.el7.2
would interpret the command:
banaction = iptables-multiport
differently. Earlier versions used ipset, but as of the new patch,
it doesn't invoke ipset if that's the banaction.
Unless there's something missing somewhere in the config, but I
searched across all files on my regular servers that weren't patched
and they were all using:
banaction = iptables-multiport
and it invoked ipset before.
Thoughts?

I don't think you get any firewall rules or ipset sets until you
have a ban. Try using fail2ban-client to manually ban an IP and see
if the corresponding firewall items then appear.

I thought of that.
# fail2ban-client set sshd banip 91.127.18.79
1
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   91.127.18.79
# ipset list | grep Name
# iptables -L INPUT_direct
Chain INPUT_direct (1 references)
target prot opt source destination
# tail /var/log/fail2ban.log
2020-09-21 11:19:49,972 fail2ban.jail [978]: INFO Jail 'postfix' started
2020-09-21 11:19:49,974 fail2ban.jail [978]: INFO Jail 'dovecot' started
2020-09-21 11:19:49,974 fail2ban.filtersystemd [978]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2020-09-21 11:19:50,012 fail2ban.jail [978]: INFO Jail 'pam-generic' started
2020-09-21 11:19:50,053 fail2ban.jail [978]: INFO Jail 'icorp-dovecot' started
2020-09-21 11:19:50,067 fail2ban.jail [978]: INFO Jail 'manban' started
2020-09-21 11:19:50,393 fail2ban.actions [978]: NOTICE [manban] Restore Ban 184.95.34.146
2020-09-21 11:19:56,064 fail2ban.actions [978]: NOTICE [manban] Restore Ban 83.97.20.35
2020-09-21 11:33:38,959 fail2ban.actions [978]: NOTICE [vsftpd] Ban 184.95.34.146
2020-09-21 12:05:51,477 fail2ban.actions [978]: NOTICE [sshd] Ban 91.127.18.79
fail2ban reports it as being banned, but there is no ipset list, and
there is no iptables ipset rule either.
However, there are new entries in the raw iptables:
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:ftp ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:ftp-data ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:ftps ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:ftps-data ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:http ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:https ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
    0     0 REJECT  tcp  --  any  any  adsl-dyn79.91-127-18.t-com.sk  anywhere  tcp dpt:saft ctstate NEW,UNTRACKED reject-with icmp-port-unreachable
This appears to correspond with the IP I banned and the ports I
specified for that ban in jail.local, but why isn't it using ipset?
Have they changed how the default banaction value designations behave
in the new version?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
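A worked version of the check suggested in the reply above (ban an address by hand, then look for it in the firewall), added here as an example; it is not part of either poster's message and not fail2ban's own code. It takes the text of `fail2ban-client status <jail>`, `ipset list` and `iptables -nS` and reports, for each banned IP, whether the ban is enforced through an ipset set (what firewallcmd-ipset installs), through rules that match the address directly with `-s` (what iptables-multiport and the firewalld rich-rule actions install), or not at all. The three command outputs embedded in the script are constructed samples modelled on the thread; the set name `f2b-sshd`, the second and third addresses and the chain contents are assumptions, not something the thread shows. Two caveats the listing above illustrates: plain `iptables -L` resolves source addresses to hostnames, so a grep for the literal IP finds nothing unless you use `-n` (or `-S`); and `ipset list | grep Name` printing nothing already answers the question, since no ipset-based action has created a set, whatever banaction jail.local names.

```shell
#!/bin/sh
# Added example, not from the thread or from fail2ban: cross-check the
# IPs fail2ban reports as banned against what the firewall enforces and
# say which mechanism is doing the enforcing.
#   ipset:<set>  the IP is a member of a set (firewallcmd-ipset style)
#   per-ip:<n>   n rules match the IP directly with -s (iptables-multiport
#                and the firewalld rich-rule actions work this way)
#   missing      fail2ban lists the ban but no firewall object carries it
# The *_OUT variables are constructed samples shaped like the real output.
# On a live host replace them with the commands named in each comment.
# Use -n / -S: plain `iptables -L` resolves sources to hostnames, so the
# literal IP never appears and a grep for it silently finds nothing.

# fail2ban-client status sshd   (constructed: three banned addresses)
STATUS_OUT='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   91.127.18.79 203.0.113.7 198.51.100.9'

# ipset list   (constructed: assumed set name f2b-sshd with one member)
IPSET_OUT='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 232
References: 1
Members:
203.0.113.7 timeout 540'

# iptables -nS   (constructed: two per-address rules plus one set-match rule)
IPTABLES_OUT='-P INPUT ACCEPT
-A INPUT_direct -s 91.127.18.79/32 -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -s 91.127.18.79/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j REJECT --reject-with icmp-port-unreachable
-A INPUT_direct -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable'

banned_ips() {
    # $1: fail2ban-client status output -> banned IPs, one per line
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr ' ' '\n' | grep . || true
}

ipset_sets_containing() {
    # $1: ipset list output, $2: IP -> names of the sets whose Members hold it
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^Name:/ { set = $2; next }
        $1 == ip { print set }'
}

per_ip_rule_count() {
    # $1: iptables -S output, $2: IP -> number of rules matching it as -s
    printf '%s\n' "$1" | grep -c -e "-s $2/32 " -e "-s $2 " || true
}

enforcement() {
    # $1: status output, $2: ipset list output, $3: iptables -S output
    # -> one line per banned IP: "<ip> ipset:<sets>" | "<ip> per-ip:<n>" | "<ip> missing"
    for ip in $(banned_ips "$1"); do
        sets=$(ipset_sets_containing "$2" "$ip" | tr '\n' ',' | sed 's/,$//')
        if [ -n "$sets" ]; then
            printf '%s ipset:%s\n' "$ip" "$sets"
            continue
        fi
        n=$(per_ip_rule_count "$3" "$ip")
        if [ "$n" -gt 0 ]; then
            printf '%s per-ip:%s\n' "$ip" "$n"
        else
            printf '%s missing\n' "$ip"
        fi
    done
}

enforcement "$STATUS_OUT" "$IPSET_OUT" "$IPTABLES_OUT"
```

Run on the samples it prints one line per banned address: 91.127.18.79 as per-ip:2, 203.0.113.7 as ipset:f2b-sshd and 198.51.100.9 as missing. On the host from the thread, where `ipset list` is empty, every banned IP would come back per-ip or missing, which is the quickest way to confirm that the active banaction is not an ipset one regardless of what the config files appear to say.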