On Mon, Sep 21, 2020 at 12:28 PM Mike <[email protected]> wrote:
> I fixed my problem by adding:
>
> banaction = firewallcmd-ipset
>
> in the [DEFAULT] section of jail.local
>
> I have to assume that versions prior to fail2ban 0.11.1-9.el7.2
> would interpret the command:
>
> banaction = iptables-multiport
>
> differently. Earlier versions used ipset, but as of the new patch,
> it doesn't invoke ipset if that's the banaction.
>
> Unless there's something missing somewhere in the config, but I
> searched across all files on my regular servers that weren't patched
> and they were all using:
>
> banaction = iptables-multiport
>
> and it invoked ipset before.
>
> Thoughts?
>
Glad you got it sorted. I only package fail2ban and don't consider myself an expert on its internals. I mainly use it to ban SSH attempts to my only open port. My jail.local is literally 3 lines long :) I always read the emails though to see if there's anything actionable by me but unless it's very simple I have to defer to the experts on the list.

Long story short (for anyone else that finds this thread later), for Fedora 31 / EL 7 or older, ipset seems to work best. For Fedora 32 and EL 8 and higher, you need to use rich rules as both releases switched to nftables by default.

Also, if the package-supplied defaults are correct, don't repeat them in your local configuration so when things change, you'll get the updated config automatically, or more likely, detect the problem sooner so I can fix the packaging.

Thanks,
Richard
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
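Added example, not part of the original thread and not fail2ban code: a small Python check for the advice above about not repeating package-supplied defaults in jail.local, so that a changed packaged banaction is not silently masked by a stale local copy. Both config texts are constructed samples and the function name is hypothetical; on a real system you would pass in the contents of the packaged files and of jail.local.

```python
import configparser

# Constructed sample standing in for the packaged defaults.
PACKAGED = """
[DEFAULT]
banaction = firewallcmd-ipset
bantime = 10m
maxretry = 5

[sshd]
port = ssh
"""

# Constructed sample jail.local that repeats some of those defaults.
LOCAL = """
[DEFAULT]
banaction = firewallcmd-ipset
bantime = 1h

[sshd]
enabled = true
port = ssh
"""

def _load(text):
    # Treat [DEFAULT] as an ordinary section and skip %(...)s interpolation,
    # so values are compared exactly as written in each file.
    parser = configparser.RawConfigParser(default_section="__none__")
    parser.read_string(text)
    return parser

def redundant_overrides(packaged_text, local_text):
    """Return (section, key, value) for local settings identical to the packaged ones."""
    packaged, local = _load(packaged_text), _load(local_text)
    found = []
    for section in local.sections():
        if not packaged.has_section(section):
            continue
        for key, value in local.items(section, raw=True):
            if (packaged.has_option(section, key)
                    and packaged.get(section, key).strip() == value.strip()):
                found.append((section, key, value.strip()))
    return found

if __name__ == "__main__":
    for section, key, value in redundant_overrides(PACKAGED, LOCAL):
        print(f"[{section}] {key} = {value}  (same as packaged default)")
```

Entries it reports are candidates for removal from jail.local; settings that differ from the packaged value, such as bantime in the sample, are left alone.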
