Fail2Ban setup

Hi there.
I have just installed Fail2Ban on my CentOS 7 box running the latest version of Webmin and VirtualMin.

Obviously by default, all of the individual options are disabled, although I think SSH is enabled by default (but I couldn’t even see this in the list??)

I want to enable dovecot and postfix initially.
If I access the setting for each module, I can enable it, but then it asks the filter to search log for. I choose postfix/dovecot appropriately.

Is that right?

Also, do i need to add any actions to apply?

Thanks in advance,

No rules are enabled in a default install, as far as I know.

You need to add “enabled = true” to each jail you want to enable; this will cause either the default banaction, or the one you’ve specified in the config section for the jail to be applied.

Your banaction needs to match whatever firewall you have running (probably iptables or firewalld). For iptables the action would be iptables-multiport, or for firewalld you’d want firewallcmd-ipset.

You can find the DEFAULT banaction in /etc/fail2ban/jail.conf, or in /etc/fail2ban/jail.d/*.conf, or in jail.local (if you have one). The parser goes in that order and the last directive it sees is the one that applies.

You can see the current fail2ban config with fail2ban-client -d

So, to be clear:

A jail (a section in the fail2ban config file) must have enabled = true, and it must have an action associated with it that will block traffic on your system. Usually this is just the DEFAULT banaction. That banaction needs to be one that’ll work on your system (an iptables rule won’t work if you have a firewalld firewall running, and vice versa).

I went and dug up what we’re putting into the /etc/fail2ban/jail.local on new installs going forward in Virtualmin 6 (this isn’t in the alpha installer that’s available, but will be very soon, maybe tonight):


enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


enabled = true
port = ssh,sftp
filter = sshd-ddos
log_path = %{sshd_log}s


enabled = true
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


enabled = true
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s


enabled = true
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s


enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

And, on CentOS 7, where we’ll be setting up a firewalld firewall, we install the fail2ban-firewalld module, which created this file in /etc/fail2ban/jail.d/00-firewalld.conf:

[DEFAULT] banaction = firewallcmd-ipset

So, if you just want a set it and forget it set of files, that’ll do it, assuming you’re using firewalld. (There is no default firewall in Virtualmin installations prior to VM6, but if you had any of the supported firewalls running when it was installed, it would have configured it for use with Virtualmin.)