Had fail2ban working perfectly on one of my AlmaLinux boxes which had been running AL8. On said box, I recently did the 8 → 9 in-place upgrade via “leapp”. Everything seems to work – except fail2ban. All the fail2ban .conf and .local files were the same, but danged if I can get fail2ban to ban anything.
So, tried the Draconian approach of erasing fail2ban, and starting from scratch. Here is what I did (after erasing fail2ban, nuking all the previous .conf and .local files, and confirming firewalld running):
sudo dnf install fail2ban fail2ban-firewalld
Then, started and enabled:
sudo systemctl start fail2ban
sudo systemctl enable --now fail2ban
Confirmed everything running
sudo systemctl status fail2ban
No errors.
Copied jail.conf → jail.local. Tweaked defaults in jail.local to
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
findtime = 48h
maxretry = 3
I used a big findtime as a way to make sure that fail2ban found something in /var/log/secure. Manual inspection of secure showed a fair number of bad actors that should be banned. In fact
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
returns
Failregex = 39056 total
In jail.d, tweaked sshd.local to the following (on this machine, I map sshd to an alternate port, which I’ll call 1234 here)
[sshd]
enabled = true
port = 1234,ssh
maxretry = 3
logpath = /var/log/secure
actions=iptables-multiport
Restarted fail2ban
sudo systemctl restart fail2ban
But - nada banned.
sudo fail2ban-client status sshd
shows nothing banned. At all.
So, back into jail.local. Following settings may be ‘involved’ in the problem:
backend = systemd
In jail.d/sshd.local
banaction = iptables-multiport
where I also tried
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
but that made no difference. Tried
[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports
and in jail.d/sshd.local, tried
[sshd]
enabled = true
filter = sshd
port = 1234,ssh,sftp
bantime = 3d
maxretry = 3
logpath = /var/log/secure
action = iptables-allports[name=SSH, protocol=tcp]
But, still nothing banned.
So, am hoping someone can suggest something I should try from my end.
Thanks in advance…
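An added illustration, not part of the original post, of the difference between what fail2ban-regex counts and what a jail actually bans: fail2ban-regex reports every line the filter matches, whereas the jail only counts matches that fall inside findtime and bans once maxretry of them land in one findtime-wide window. The script below models that rule over a few constructed /var/log/secure lines, using the poster's findtime = 48h and maxretry = 3. It is simplified on purpose: the regex is one form from the sshd filter rather than fail2ban's full filter.d/sshd.conf, the log lines and IPs are made up, and the year is supplied by hand because syslog timestamps in secure do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One message form from fail2ban's sshd filter; the real filter.d/sshd.conf
# matches many more (assumption: this subset is enough for the demo).
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_line(line, year):
    """Return (timestamp, ip) for a matching line, else None.
    Timestamps in /var/log/secure carry no year, so the caller supplies it."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def count_matches(lines, year=2024):
    """What fail2ban-regex reports: every matching line, regardless of age."""
    return sum(1 for line in lines if parse_line(line, year) is not None)


def simulate_bans(lines, now, findtime, maxretry, year=2024):
    """What the jail does: an IP is banned when at least `maxretry` matches
    fall within a sliding window of `findtime`.  Matches older than
    now - findtime are ignored, as fail2ban ignores stale lines when it first
    reads a log.  Returns {ip: time_of_ban}."""
    window = defaultdict(deque)
    banned = {}
    cutoff = now - findtime
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ts < cutoff or ip in banned:
            continue
        hits = window[ip]
        hits.append(ts)
        while hits and hits[0] < ts - findtime:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed sample lines (not taken from the poster's log).
SAMPLE = [
    "Mar  1 08:00:01 host sshd[100]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2",
    "Mar  1 08:00:05 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2",
    "Mar  1 08:00:09 host sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2",
    "Mar  3 08:00:00 host sshd[200]: Failed password for root from 203.0.113.9 port 5000 ssh2",
    "Mar  3 08:00:03 host sshd[201]: Accepted publickey for alice from 192.0.2.4 port 6000 ssh2",
    "Mar  3 08:00:07 host sshd[202]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "Mar  3 08:00:11 host sshd[203]: Failed password for root from 203.0.113.9 port 5002 ssh2",
]


def demo(now=datetime(2024, 3, 3, 9, 0, 0)):
    """Run the jail rule with the poster's settings (findtime 48h, maxretry 3)."""
    return simulate_bans(SAMPLE, now, findtime=timedelta(hours=48), maxretry=3)


if __name__ == "__main__":
    print("regex matches:", count_matches(SAMPLE))
    for ip, when in demo().items():
        print(f"ban {ip} at {when}")
```

With "now" set to Mar 3 09:00, the six failed-password lines all match (the count fail2ban-regex would print), but only 203.0.113.9 is banned: the three hits from 198.51.100.7 sit just outside the 48-hour cutoff, so the jail never counts them. Running `fail2ban-client status sshd` right after a restart with a large findtime therefore only shows bans for addresses whose failures are still inside the window.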