fail2ban with firewallcmd-ipset does not work on 7.3 1611
Posted: 2016/12/18 01:02:17
Hello,
This is both a public service announcement, and a request for help:
After upgrading to 7.3 1611 this week, after all of my initial checks and looks, it seemed like everything was A-OK. But then, after logging into my internet-facing server a couple of days later, I found that there had been over 5000 failed ssh login attempts.
Since I use fail2ban to block these, that was really weird. It's not unusual for me to find that 100 or so attempts had been made, but since fail2ban blocks the IP addresses after 3 failed attempts, I usually don't get more than that.
It turns out that somehow the upgrade to 7.3 has broken the fail2ban action that I had been using: "firewallcmd-ipset".
Looking at the output of firewall-cmd, everything appeared correct:
- firewall-cmd --direct --get-all-rules showed what I would expect as the set of jail rules
- ipset list showed what I would expect as the correct list of banned IP addresses in the above rules
Everything seemed correct: fail2ban was running the correct commands, and the required IP rules and IP addresses were in the right place.
Sure enough, I tried it from a remote machine I have access to, and after 10 failed attempts, I was still able to reach my machine on the ssh port. The firewall rules were not taking effect.
To work around the problem in the short term, I switched my default action from "firewallcmd-ipset" to "iptables-allports".
This still seems to work -- but to me the results are much messier. My iptables are now filled with individually blocked IP addresses.
Has anyone else hit this, or found a solution to get the "firewallcmd-ipset" action type working again?
Cheers,
Greg
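The two checks the post walks through (a direct rule in `firewall-cmd --direct --get-all-rules` and the banned address in `ipset list`) can be cross-checked automatically. The script below is an added example, not part of the original post or of fail2ban; the rule and ipset text are constructed samples in the shape those commands print, and the set name `fail2ban-sshd` is assumed. Passing it only proves what Greg saw, that the rule and the set are consistent; a connection attempt from a remote host is still the only proof that the ban is enforced.

```shell
#!/bin/sh
# Cross-check fail2ban's firewallcmd-ipset state: is the IP in an ipset,
# and does a direct REJECT/DROP rule actually reference that set?

# Constructed sample of `firewall-cmd --direct --get-all-rules` output.
RULES_SAMPLE='ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of `ipset list` output (set name assumed).
IPSET_SAMPLE='Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 216
References: 1
Members:
192.0.2.10 timeout 540
198.51.100.7 timeout 120'

# sets_for_ip SETLIST IP: print the name of every set whose Members contain IP.
sets_for_ip() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    /^Name:/    { name = $2; members = 0; next }
    /^Members:/ { members = 1; next }
    members && $1 == ip { print name }'
}

# ban_covered RULES SETLIST IP: exit 0 when some set containing IP is matched
# by a direct rule that jumps to REJECT or DROP, 1 otherwise.
ban_covered() {
  rules=$1; sets=$2; ip=$3
  for setname in $(sets_for_ip "$sets" "$ip"); do
    if printf '%s\n' "$rules" | grep -qE -e "--match-set $setname src .*-j (REJECT|DROP)"; then
      return 0
    fi
  done
  return 1
}

# On a live host the same function takes the real command output:
#   ban_covered "$(firewall-cmd --direct --get-all-rules)" "$(ipset list)" 203.0.113.5
if ban_covered "$RULES_SAMPLE" "$IPSET_SAMPLE" 192.0.2.10; then
  echo "192.0.2.10: in a set referenced by a REJECT/DROP rule"
fi
```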