Fail2Ban not working with Fedora-Server Edition
-
@Woti said in Fail2Ban not working with Fedora-Server Edition:
My problem is that nothing is banned. Maybe no one is attacking my server?
@black3dynamite Yes, I have the same setup from Riegers. It doesn't matter if I try with Nextcloud, ssh and so on. No banning.
Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?
On Fedora, CentOS, and Red Hat, SELinux can sometimes cause issues.
-
Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or a way to check whether fail2ban works properly?
-
@Woti said in Fail2Ban not working with Fedora-Server Edition:
Do you guys have some recommended setup guides based on the latest Fedora/CentOS, or a way to check whether fail2ban works properly?
You install it and turn it on
sudo dnf install -y fail2ban
sudo systemctl enable --now fail2ban
You can see things with
fail2ban-client
sudo fail2ban-client status
And specifics about a jail
sudo fail2ban-client status sshd
Beyond that, there is not any one "guide"
You have to create jails that understand the application you are protecting.
-
I have now activated sshd and it works perfectly. But Nextcloud doesn't.
What other jails do you use? What is recommended?
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 13
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 77.16.71.32
Nextcloud is missing matching Journal it looks like?
sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
-
@Woti said in Fail2Ban not working with Fedora-Server Edition:
I have now activated sshd and it works perfectly. But Nextcloud doesn't.
What other jails do you use? What is recommended?
sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 13
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 77.16.71.32
Nextcloud is missing matching Journal it looks like?
sudo fail2ban-client status nextcloud
Status for the jail: nextcloud
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Here's mine
-
/etc/fail2ban/filter.d/nextcloud.conf
[Definition]
failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
/etc/fail2ban/jail.d/nextcloud.local
[nextcloud]
backend = auto
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 5
bantime = 36000
findtime = 36000
logpath = /var/nc_data/nextcloud.log

[nginx-http-auth]
enabled = true
-
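Added example (editor's code, not from the thread and not fail2ban's own): the three failregex lines of the nextcloud.conf filter posted above, replayed in Python over constructed Nextcloud log lines with the jail's maxretry = 5 and findtime = 36000, to show what fail2ban-regex would report for each line and why five failures spread over a day never trigger a ban. The <HOST> substitution is the classic fail2ban expansion (newer releases use a more specific address pattern, which changes nothing here); the "time" field is read directly instead of through fail2ban's date detection; sample lines, request IDs, user names and addresses are all constructed. One point worth noting about the jail file above: it sets backend = auto inside the [nextcloud] section. With a global backend = systemd in jail.local, a jail reads the journal and ignores logpath, which is exactly what an empty "Journal matches:" in a jail's status output indicates; the per-jail backend makes fail2ban tail the log file instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Classic fail2ban substitution for <HOST>: optional IPv4-mapped prefix, then the
# address or hostname captured in the named group "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the nextcloud.conf filter posted in the thread.
FAILREGEX = [
    r'''^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$''',
    r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$''',
    r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$''',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_failure(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def line_time(line):
    """Read the JSON "time" field (simplification: fail2ban uses its own date detection)."""
    m = re.search(r'"time":"([^"]+)"', line)
    return datetime.fromisoformat(m.group(1))


def evaluate(lines, maxretry=5, findtime=36000):
    """Replay log lines with the jail's counting rule: a host is banned once it has
    maxretry failures inside any findtime-second window.
    Returns (total failures per host, set of banned hosts)."""
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        now = line_time(line)
        failures[host] += 1
        q = recent[host]
        q.append(now)
        while now - q[0] > timedelta(seconds=findtime):   # drop entries older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return dict(failures), banned


# ---- constructed sample log (not a real nextcloud.log) -----------------------------
BASE = datetime(2019, 11, 5, 8, 0, tzinfo=timezone.utc)


def old_layout(ts, ip, user):
    """Line in the layout the first regex expects (quoted user and IP)."""
    return ("""{"reqId":"c1","remoteAddr":"%s","app":"core","message":"Login failed: '%s' (Remote IP: '%s')","level":2,"time":"%s"}"""
            % (ip, user, ip, ts))


def new_layout(ts, ip, user):
    """Line in the layout the third regex expects (unquoted user and IP, more fields)."""
    return ("""{"reqId":"c2","level":2,"time":"%s","remoteAddr":"%s","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: %s (Remote IP: %s)","userAgent":"curl/7.66.0","version":"17.0.0"}"""
            % (ts, ip, user, ip))


# A level-1 line from the same address as a later failure: must not count.
NOISE = """{"reqId":"c3","level":1,"time":"%s","remoteAddr":"203.0.113.9","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"Exception: not a login failure","userAgent":"curl/7.66.0","version":"17.0.0"}""" % BASE.isoformat()


def sample_log():
    fast = "198.51.100.23"   # five failures within ten minutes -> banned
    slow = "192.0.2.44"      # five failures six hours apart -> never five inside 36000 s
    lines = [NOISE]
    for i in range(5):
        lines.append(old_layout((BASE + timedelta(minutes=2 * i)).isoformat(), fast, "admin"))
        lines.append(new_layout((BASE + timedelta(hours=6 * i)).isoformat(), slow, "root"))
    lines.append(new_layout((BASE + timedelta(minutes=1)).isoformat(), "203.0.113.9", "alice"))
    return lines


if __name__ == "__main__":
    totals, banned = evaluate(sample_log())
    for host, n in sorted(totals.items()):
        print("%-15s failures=%d banned=%s" % (host, n, host in banned))
```

Running it prints one line per host; only 198.51.100.23 ends up banned, the slow attacker accumulates five total failures but at most two inside any ten-hour window, and the level-1 line is ignored because none of the three regexes accept it. Feeding a real log line that should match but returns None is the quickest way to see that a filter and the current Nextcloud log layout have drifted apart, which is the same check fail2ban-regex /path/to/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf performs on the server.
-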
nextcloud.conf is the same as yours. As well as the path.
but I have no nextcloud.local. The same content as yours is in jail.local
I'll try your solution.
-
Now I get an SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
My nextcloud.log file is in /var/log/nextcloud/nextcloud.log
-
@Woti said in Fail2Ban not working with Fedora-Server Edition:
Now I get an SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
My nextcloud.log file is in /var/log/nextcloud/nextcloud.log
Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.
sudo setenforce permissive
-
I used these commands to give apache and php-fpm read and write access to the logfile:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
restorecon -Rv '/var/log/nextcloud/'
But how do I give fail2ban access through SELinux?
Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
Of course I can remove the above SELinux file context and issue:
semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
restorecon -Rv '/var/log/nextcloud/'
This way I get read/write access to the nextcloud logfile for fail2ban, but not for apache/php-fpm anymore.
It is confusing.
-
Finally I got it to work
I need to use httpd_log_t
to get access through SELinux to the logfile for httpd, php-fpm and fail2ban.
I tried it and my test IPs were banned.