On 10/04/2016 07:53 AM, Alex wrote:
> Hi,
>
> On Mon, Oct 3, 2016 at 11:15 PM, Orion Poplawski <[email protected]> wrote:
>> On 10/02/2016 06:46 PM, Alex wrote:
>>>
>>> Hi,
>>> I'm using fail2ban-0.9.3 on fedora22 and have configured it with
>>> firewalld and ipset. I'm more familiar with iptables, not this new
>>> firewalld layout, so I'm really not sure how to tell if it's working
>>> properly.
>>>
>>> I have a postfix-sasl jail configured as such:
>>>
>>> [postfix-sasl]
>>> #port = smtp,465,submission
>>> port = smtp,587,submission
>>> logpath = %(postfix_log)s
>>> enabled = true
>>> logencoding=utf-8
>>>
>>> /var/log/fail2ban.log shows these entries:
>>>
>>> fail2ban.filter [19398]: INFO [postfix-sasl] Found 12.234.0.173
>>> fail2ban.actions [19398]: NOTICE [postfix-sasl] Ban 12.234.0.173
>>>
>>> ipset list shows me:
>>>
>>> Name: fail2ban-postfix-sasl
>>> Type: hash:ip
>>> Revision: 4
>>> Header: family inet hashsize 1024 maxelem 65536 timeout 5200
>>> Size in memory: 1856
>>> References: 1
>>> Members:
>>> 12.234.0.173 timeout 4068
>>> 179.189.205.12 timeout 152
>>> 184.2.47.206 timeout 390
>>> 113.69.178.121 timeout 1522
>>>
>>> Does this say that 12.234.0.173 is indeed currently blocked on port
>>> 589 for the next 4068 seconds?
>>>
>>> firewalld is running, but I don't know how to produce a list of all
>>> IPs that are currently being blocked. "iptables -nL", as I usually
>>> would run, shows there are no entries for any of the chains that are
>>> listed (except for 192.168.122.0/24 as part of virbr0). Does that mean
>>> the rules aren't being added properly by fail2ban?
>>
>>
>> I suspect something isn't setting up the ipset rule properly in the first
>> place. Check /var/log/fail2ban.log around the time of fail2ban startup.
>
> There isn't anything relating to firewalld or ipset, but I suspect
> this is the problem.
>
> Is ipset what actually adds the netfilter rules, instead of iptables these
> days?
>
>> Also, are you sure you're using a firewalld action? What does
>> 'fail2ban-client get postfix-sasl action' show?
>
> Is it even possible to operate fail2ban without firewalld anymore? It
> was my understanding that it requires firewalld. If not, I'd like to
> configure it without, because I don't like the abstraction and lack of
> ability to configure source access easily.
>
> # fail2ban-client get postfix-sasl action
> WARNING 'pidfile' not defined in 'Definition'. Using default one:
> '/var/run/fail2ban/fail2ban.pid'
> ERROR NOK: ('list index out of range',)
> Sorry but the command is invalid
Oops, I guess it's 'fail2ban-client get postfix-sasl actions'.

> # cat /etc/fail2ban/jail.d/00-firewalld.conf |grep -v ^#
> [DEFAULT]
> banaction = firewallcmd-ipset

So that seems correct.

> # rpm -qva|egrep 'ipset|firewall|fail2ban'
> ipset-6.27-1.fc22.x86_64
> firewalld-filesystem-0.3.14.2-4.fc22.noarch
> fail2ban-firewalld-0.9.3-1.fc22.noarch
> fail2ban-0.9.3-1.fc22.noarch
> python-firewall-0.3.14.2-4.fc22.noarch
> firewalld-0.3.14.2-4.fc22.noarch
> fail2ban-server-0.9.3-1.fc22.noarch
> fail2ban-sendmail-0.9.3-1.fc22.noarch
> ipset-libs-6.27-1.fc22.x86_64

If you don't want to use firewalld you can remove fail2ban-firewalld (and the
dummy "fail2ban" package, and firewalld itself) and then configure your actions
to use iptables. Also install iptables-services to get the old iptables startup
scripts.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    [email protected]
Boulder, CO 80301                     http://www.nwra.com

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
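The two questions in the thread (is 12.234.0.173 really blocked right now, and how do I list everything that is currently banned?) come down to two checks: the address must be a member of the jail's ipset, and some netfilter rule must actually reference that set, otherwise the set is just a list in kernel memory that blocks nothing. The `References:` count in `ipset list` tells you how many rules use the set, and with the firewallcmd-ipset banaction the rule is added via `firewall-cmd --direct`, so on a firewalld host it shows up in the `INPUT_direct` chain (`iptables -S INPUT_direct`) rather than in the plain INPUT listing. The script below is an added example, not code from the thread or from fail2ban; it parses captured `ipset list` and `iptables -S` output offline. The ipset output is taken from the thread, the `iptables -S` line is constructed on the assumption that the rule has the shape the firewallcmd-ipset action produces (multiport `--dports`, `-m set --match-set <set> src`, REJECT); function and variable names are mine.

```shell
#!/bin/sh
# Added example: decide whether an IP is currently banned by a fail2ban
# firewallcmd-ipset jail from captured `ipset list` and `iptables -S` output.

# Captured `ipset list fail2ban-postfix-sasl` (copied from the thread; constructed sample)
IPSET_LIST='Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5200
Size in memory: 1856
References: 1
Members:
12.234.0.173 timeout 4068
179.189.205.12 timeout 152
184.2.47.206 timeout 390
113.69.178.121 timeout 1522'

# Constructed `iptables -S INPUT_direct` output; the rule shape is an assumption
# (what the firewallcmd-ipset action adds through firewall-cmd --direct).
IPTABLES_S='-N INPUT_direct
-A INPUT_direct -p tcp -m multiport --dports 25,587 -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable'

# remaining_timeout SETLIST IP -> prints seconds left in the set; returns 1 if IP is absent
remaining_timeout() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^Members:/ { inmembers = 1; next }
        inmembers && $1 == ip { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# banned_members SETLIST -> one "IP seconds" line per member (the "list of blocked IPs")
banned_members() {
    printf '%s\n' "$1" | awk '
        /^Members:/ { inmembers = 1; next }
        inmembers && NF >= 3 { print $1, $3 }'
}

# set_references SETLIST -> number of kernel rules that reference the set (0 = blocks nothing)
set_references() {
    printf '%s\n' "$1" | awk '/^References:/ { print $2 }'
}

# blocked_ports RULES SETNAME -> the --dports list of the rule matching SETNAME as source;
# prints nothing if no rule references the set
blocked_ports() {
    printf '%s\n' "$1" | awk -v set="$2" '
        {
            hit = 0
            for (i = 1; i <= NF; i++)
                if ($i == "--match-set" && $(i+1) == set && $(i+2) == "src") hit = 1
            if (!hit) next
            for (i = 1; i <= NF; i++)
                if ($i == "--dports") { print $(i+1); exit }
        }'
}

# is_banned SETLIST RULES SETNAME IP -> 0 (and a summary line) only when the IP is a set
# member AND a rule references the set; either half alone is not a working ban
is_banned() {
    t=$(remaining_timeout "$1" "$4") || return 1
    ports=$(blocked_ports "$2" "$3") 
    [ -n "$ports" ] || return 1
    echo "$4 is rejected on ports $ports for another ${t}s"
}

# Usage: on a live host replace the two variables with
#   IPSET_LIST=$(ipset list fail2ban-postfix-sasl); IPTABLES_S=$(iptables -S INPUT_direct)
is_banned "$IPSET_LIST" "$IPTABLES_S" fail2ban-postfix-sasl 12.234.0.173
is_banned "$IPSET_LIST" "$IPTABLES_S" fail2ban-postfix-sasl 10.0.0.1 || echo "10.0.0.1 is not banned"
echo "set referenced by $(set_references "$IPSET_LIST") rule(s); members:"
banned_members "$IPSET_LIST"
```

If `set_references` prints 0 on the live host, or `blocked_ports` prints nothing, the jail's actionstart never installed its rule and the members are not being rejected, which is exactly the startup failure Orion suggests checking /var/log/fail2ban.log for.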
