Silently dropping with Fail2Ban and AlmaLinux 10 with email notification

After much struggle to get Fail2Ban to properly create direct rules with DROP I wanted to share how I did this.

First, you will need to run:

sudo dnf install -y iptables-nft ipset
sudo systemctl restart firewalld fail2ban

Then in /etc/fail2ban/jail.local

You want

[DEFAULT]
banaction = firewallcmd-ipset[actiontype="", blocktype=DROP]

These two together will create the old grouping of direct firewall rules, as Alma 10 seems to be very picky about how this functions; out of the box on Alma 10 it does not work without these changes.

Below is a more complete .local file with the email system setup.

# /etc/fail2ban/jail.local

[DEFAULT]
# Where to email ban notifications
destemail = youremail@domain.com

# Envelope-from / From:
sender     = fail2ban@domain.net
sendername = Fail2Ban

# What to send (ban + whois + matching log lines)
action = %(action_mwl)s

# Use firewalld backend on Alma family (entirely drop the IP)
banaction = firewallcmd-ipset[actiontype="", blocktype=DROP]

Normal jail configuration would follow after the above section.

Also, combined with this guide, you will not get emails regarding jails stopping/starting: Email notification for fail2ban events

tagging @Ilia as there might be some useful defaults for alma here for others.

I have gone ahead and adjusted the proftp settings that Virtualmin ships with in the jail.local.

Reason for doing all this: the default config works out of the box; however, no log lines are emailed with the action %(action_mwl)s[]
Also, I notice with the default Virtualmin config the jail status counters do not increase with each failed attempt; you only get the IP blocked when it reaches the max number of attempts. This might be something weird with my configuration, but I wanted to share this in case someone else wanted a known working config.

ChatGPT also rewrote the regex, as it seemed to think it was limited to detecting IPv4 only?

I’ve gone ahead and stuck the new regex under fail2ban/log filters/proftpd.

^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted\.?
^Maximum login attempts \(\d+\) exceeded
^USER <F-USER>\S+|.*?</F-USER>: no such user found: %(__suffix_failed_login)s
^USER <F-USER>\S+|.*?</F-USER> \(Login failed\): %(__suffix_failed_login)s
^Maximum login attempts \(\d+\) exceeded, connection refused(?:.*)?$

I have also adjusted the FTP server configuration to log errors to the file /var/log/proftpd/proftpd.log

My jail.local for proftp now looks like:

[proftpd]
enabled = true
logpath = /var/log/proftpd/proftpd.log
action = %(action_mwl)s[]
		%(action_abuseipdb)s[abuseipdb_category="5,18,20"]

It would be nice if someone could fully review the setup for fail2ban / proftp, as the regex really does not live in the jail.conf; it seems to trip up a lot of the log detection, only banning and not really reporting the log lines properly in emails, etc.
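As an added offline check (not code from the post, from Virtualmin or from Fail2Ban), the script below emulates how fail2ban loads the failregex lines above and runs them over constructed proftpd log lines, so you can see which lines count as failures and which host/user each one yields. The prefregex and the __suffix_failed_login value are assumed stand-ins for the stock filter.d/proftpd.conf definitions, and the sample lines are made up.

```python
import re
# Added example: emulate how fail2ban applies the posted proftpd failregex lines.
# PREFREGEX and SUFFIX are ASSUMED stand-ins for the stock filter.d/proftpd.conf values.
PREFREGEX = re.compile(r"^\(\S+\[(?P<host>[^\]]+)\]\)[: -]+(?P<content>\S.*)$")
SUFFIX = r"(?:User not authorized for login|No such user found|Incorrect password|Password mismatch)$"
# The failregex lines exactly as posted, in fail2ban filter syntax.
FAILREGEX = [
    r"^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s",
    r"^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted\.?",
    r"^Maximum login attempts \(\d+\) exceeded",
    r"^USER <F-USER>\S+|.*?</F-USER>: no such user found: %(__suffix_failed_login)s",
    r"^USER <F-USER>\S+|.*?</F-USER> \(Login failed\): %(__suffix_failed_login)s",
    r"^Maximum login attempts \(\d+\) exceeded, connection refused(?:.*)?$",
]

def compile_failregex(pattern):
    """Expand %(...)s and turn <F-USER>...</F-USER> into a named group, as fail2ban does."""
    pattern = pattern.replace("%(__suffix_failed_login)s", SUFFIX)
    pattern = pattern.replace("<F-USER>", "(?P<user>").replace("</F-USER>", ")")
    return re.compile(pattern)

COMPILED = [compile_failregex(p) for p in FAILREGEX]

def match_line(line):
    """Return (host, user) when a line counts as a failure, else None (host may be IPv4 or IPv6)."""
    pre = PREFREGEX.match(line)
    if not pre:
        return None
    for rx in COMPILED:
        m = rx.match(pre.group("content"))
        if m:
            return pre.group("host"), m.groupdict().get("user")
    return None

def scan(lines):
    """Count failures per host, the way a jail's counter should advance on each attempt."""
    counts = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts

# Constructed sample lines (not real traffic), syslog prefix already stripped.
SAMPLE_LOG = [
    "(203.0.113.5[203.0.113.5]) - USER admin: Incorrect password",
    "(2001:db8::1[2001:db8::1]) - SECURITY VIOLATION: root login attempted.",
    "(198.51.100.7[198.51.100.7]) - Maximum login attempts (3) exceeded",
    "(203.0.113.9[203.0.113.9]) - USER bob: Login successful.",
]
```

On a live system the authoritative check is fail2ban-regex run against the real proftpd.log and the installed filter, which also reports which prefregex and failregex lines actually matched.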

Yeah, I see that @Joe is adding custom regexes in Virtualmin-Config for ProFTPD in the Fail2ban config—I will review it, thanks!

At first though, I’d like to hear Joe’s comments to understand why he added those regexes.


Just to confirm, the changes I have made are producing proper log tracking within Fail2Ban and emails contain actual lines from proFTP whereas they did not before.

You will also be pleased to know the FTP feed is now working in this setup with AbuseIPDB as it’s getting the log lines etc now - https://www.abuseipdb.com/user/240539

You don't necessarily need the log lines in order to submit to AbuseIPDB.

I know, but I do like to see the log lines in the emails when I check them, and it was blank before.