Fail2Ban and Firewalld

OS type and version CENTOS Stream 8
Webmin version 19.94
Virtualmin version 7.1 Pro
Related packages FirewallD Fail2Ban

I was checking my server and I can see a couple IPs trying to guess users passwords. Fail2ban list those IPs as blocked already but I can see current connections from those same addresses still trying to guess passwords. Maybe the Webmin configuration is not properly applying the fail2ban actions? How can I really see if fail2ban is adding those addresses to firewalld?

iptables -L INPUT -v -n | grep "x.x.x.x" should do it.

I recently read that Fail2ban only blocks new connections, so an existing connection may keep probing.

Could be that you are running into this issue: fail2ban: configuration bug in 00-firewalld.conf · Issue #1681 · webmin/webmin · GitHub

Updating /etc/fail2ban/jail.d/00-firewalld.conf to:

banaction = firewallcmd-ipset[actiontype="<multiport>"]
banaction_allports = firewallcmd-ipset[actiontype="<allports>"]

Fixed it for me.

These are the actions defined:

banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=]

In: /etc/fail2ban/jail.d/00-firewalld.conf

If I go to any rule and set the banaction to simply:

I can now see the rules with iptables -L so I guess those actions are not properly defined?

Looks like a different issue because banaction and banaction_allports both use firewalld. Do you get “already banned” warnings in fail2ban.log? Are those ips also visible in the fail2ban.log?

I was only checking with fail2ban-client and did not think to use iptables -L, that is why I did not know that even though fail2ban las logging and banning IPs, it was not applying the rules to firewalld. The moment I modified jail.local and added the “action” directive to each jail it started banning the IPs correctly in Iptables.

It seems that the default configuration that Virtualmin uses is not valid, at least for Centos 8 Stream.

what service are they trying to guess you password?

SSH and Postfix-SASL are the two most are trying to hit.

With SSH you should be using certificate keys login only.
Once you can ssh on with SSH keys you when fail all logs that don’t use that method. Fail2ban shouldn’t be needed.

1 Like

@cursor try to increase ban time to something like 3 months per ban. That’s possible too harsh but in my case after few days I’ve seen only handful new ips blocked each day. I have SSH key login only on my server but still they try, and fail 3 times, fail2ban give them 6 months. SSH key only reduced attacks on my end by 90% and fail to ban is doing rest, however blocking IP for 10 minutes is was not effective at all in my case

There is the ability in Fail2ban to linearly or exponentially increase ban times for repeated offenders. I like this approach for people or (me) that might mistakenly hit the ban. In 10 minutes I can try again but repeated failures can then be an hour, a day then a week and then 6 weeks. You set the schedule like this from my /etc/fail2ban/jail.local Centos 7

I use 17 minutes as the initial ban time here because I report the offending IPs to and that site will only accept repeat reports after 15 minutes. Set ban time to whatever works for you.

Also, max bantime I set to 6 weeks. I find that works well because I set the dbpurge (fail2ban internal database purge) time to 59 days.

bantime = 17m
bantime.increment = true
bantime.factor = 1
bantime.multipliers = 1 10 84 588 4000
port = 0-65535
bantime.maxtime = 6w

I use the recidive jail to ban IPs for a longer time. It monitors the fail2ban log file itself for repeat offenders and blocks them for 60 days.

recidive jail was the original way of dealing with repeat offenders. It was improved with the individual jail ban times and multipliers and factors for each jail. If you want SSH to go quickly to 60d but wp-admin errors to have a shorter bantime then you can customize. I found software like opencart attracts DOS attacks and required a different jail than my other sites. Those IPs attacking get hit with bans very quickly and then repeats get the full 60d and those attacks have basically stopped. Before fail2ban, those attacks required a Linode server reboot.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.