>> my jail.local:
>> [DEFAULT]
>> bantime = 10800
>> action = %(action_)s
>> usedns = no
>> mta = sendmail
>> backend = auto
>> banaction = firewallcmd-ipset
>> port = 0-65535
>> bantime.increment = true
>> bantime.rndtime = 8m
>> [sshd]
>> enabled = true
>> maxretry = 4
>> filter = sshd[mode=aggressive]
>>
>
> I don't have nearly as complex a setup as you do, but I had to switch the
> default configuration in fail2ban from ipset to rich rules because ipset
> didn't work reliably with nftables, which is the default for Fedora 32 and
> up (and EPEL 8 for that matter).
>
OK so I changed banaction = firewallcmd-rich-rules in DEFAULT.

> However, this default is set for you:
>
> $ cat /etc/fail2ban/jail.d/00-firewalld.conf
> # This file is part of the fail2ban-firewalld package to configure the use of
> # the firewalld actions as the default actions. You can remove this package
> # (along with the empty fail2ban meta-package) if you do not use firewalld
> [DEFAULT]
> port = 0-65535
> banaction = firewallcmd-rich-rules[actiontype=<multiport>]
> banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
>
> So there's no reason to duplicate the system-wide settings.
>

Sure but I'm still wondering if:

2020-09-21 10:23:29,368 fail2ban.actions [621763]: WARNING [sshd] 107.175.215.101 already banned
2020-09-21 10:23:29,384 fail2ban.observer [621763]: INFO [sshd] Found 107.175.215.101, bad - 2020-09-21 10:19:15, 1 # -> 2.0
2020-09-21 10:23:29,384 fail2ban.observer [621763]: INFO [sshd] Found 107.175.215.101, bad - 2020-09-21 10:19:20, 1 # -> 2.0

How can the subsequent logs show up if the IP is already banned?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
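An added example, not part of the original message and not fail2ban's own code: a small log triage that reads each "Found" line, compares the failure time it carries with the time fail2ban logged it, and classifies the failure against any Ban line for the same jail and address. The names `triage`, `FROM_MESSAGE` and `CONSTRUCTED` are this example's own, and the lines for 203.0.113.7 (including the Ban line) are constructed sample input.

```python
import re
from datetime import datetime

# Layout of the fail2ban.log lines quoted in the message above.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s+"
                  r"\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] (?P<msg>.*)$")
FOUND = re.compile(r"^Found (?P<ip>[0-9a-fA-F.:]+).*?- "
                   r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
BAN = re.compile(r"^(?P<act>Ban|Unban) (?P<ip>[0-9a-fA-F.:]+)")
FMT = "%Y-%m-%d %H:%M:%S"

# The three lines from the message (no Ban line is part of that excerpt).
FROM_MESSAGE = [
    "2020-09-21 10:23:29,368 fail2ban.actions [621763]: WARNING [sshd] 107.175.215.101 already banned",
    "2020-09-21 10:23:29,384 fail2ban.observer [621763]: INFO [sshd] Found 107.175.215.101, bad - 2020-09-21 10:19:15, 1 # -> 2.0",
    "2020-09-21 10:23:29,384 fail2ban.observer [621763]: INFO [sshd] Found 107.175.215.101, bad - 2020-09-21 10:19:20, 1 # -> 2.0",
]
# Constructed sample input (documentation address), including a Ban line.
CONSTRUCTED = [
    "2020-09-21 11:00:05,100 fail2ban.actions [1000]: NOTICE [sshd] Ban 203.0.113.7",
    "2020-09-21 11:00:06,200 fail2ban.filter [1000]: INFO [sshd] Found 203.0.113.7 - 2020-09-21 11:00:04",
    "2020-09-21 11:02:10,300 fail2ban.filter [1000]: INFO [sshd] Found 203.0.113.7 - 2020-09-21 11:02:10",
]

def triage(lines):
    """Map (jail, ip) -> [(failure_time, lag_seconds, verdict)] per Found line.
    lag_seconds = time fail2ban logged the line minus the failure time in it.
    verdict: 'before-ban' (failure predates the ban and was processed late),
    'after-ban' (failure reached the service after the ban was issued, so the
    ban action is worth checking) or 'no-ban-on-record' (no Ban line seen)."""
    bans, report = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a fail2ban.log line in the expected layout
        logged = datetime.strptime(m["ts"], FMT)
        b, f = BAN.match(m["msg"]), FOUND.match(m["msg"])
        if b and b["act"] == "Ban":
            bans.setdefault((m["jail"], b["ip"]), logged)
        elif b:
            bans.pop((m["jail"], b["ip"]), None)  # Unban ends the ban window
        elif f:
            failed = datetime.strptime(f["ts"], FMT)
            ban = bans.get((m["jail"], f["ip"]))
            verdict = ("no-ban-on-record" if ban is None
                       else "before-ban" if failed <= ban else "after-ban")
            report.setdefault((m["jail"], f["ip"]), []).append(
                (f["ts"], int((logged - failed).total_seconds()), verdict))
    return report
```

Run over a full fail2ban.log rather than an excerpt so the Ban line for the address is included; for the three lines in the message, the failure times are 254 and 249 seconds older than the log entries that report them.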
