    Fail2Ban not working with Fedora-Server Edition

      Woti

      My problem is that nothing is banned. Maybe no one is attacking my server? 😄
      @black3dynamite Yes I have the same setup from Riegers.

      It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

      Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

        black3dynamite @Woti

        @Woti said in Fail2Ban not working with Fedora-Server Edition:

        My problem is that nothing is banned. Maybe no one is attacking my server? 😄
        @black3dynamite Yes I have the same setup from Riegers.

        It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

        Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

        On Fedora, CentOS, and Red Hat, SELinux can sometimes cause issues.

          Woti

          Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?

            JaredBusch @Woti

            @Woti said in Fail2Ban not working with Fedora-Server Edition:

            Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?

            You install it and turn it on

            sudo dnf install -y fail2ban
            sudo systemctl enable --now fail2ban
            

            You can see things with fail2ban-client

            sudo fail2ban-client status
            

            And specifics about a jail

            sudo fail2ban-client status sshd
            

            Beyond that, there is not any one "guide"

            You have to create jails that understand the application you are protecting.

              Woti

              I have now activated sshd and it works perfectly. But Nextcloud doesn't.
              What other jails do you use? What is recommended?

              sudo fail2ban-client status sshd
              Status for the jail: sshd
              |- Filter
              |  |- Currently failed: 1
              |  |- Total failed:     13
              |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
              `- Actions
                 |- Currently banned: 1
                 |- Total banned:     1
                 `- Banned IP list:   77.16.71.32
              

              Nextcloud is missing matching Journal it looks like?

              sudo fail2ban-client status nextcloud
              Status for the jail: nextcloud
              |- Filter
              |  |- Currently failed: 0
              |  |- Total failed:     0
              |  `- Journal matches:
              `- Actions
                 |- Currently banned: 0
                 |- Total banned:     0
                 `- Banned IP list:
              
                black3dynamite @Woti

                @Woti said in Fail2Ban not working with Fedora-Server Edition:

                I have now activated sshd and it works perfectly. But Nextcloud doesn't.
                What other jails do you use? What is recommended?

                sudo fail2ban-client status sshd
                Status for the jail: sshd
                |- Filter
                |  |- Currently failed: 1
                |  |- Total failed:     13
                |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
                `- Actions
                   |- Currently banned: 1
                   |- Total banned:     1
                   `- Banned IP list:   77.16.71.32
                

                Nextcloud is missing matching Journal it looks like?

                sudo fail2ban-client status nextcloud
                Status for the jail: nextcloud
                |- Filter
                |  |- Currently failed: 0
                |  |- Total failed:     0
                |  `- Journal matches:
                `- Actions
                   |- Currently banned: 0
                   |- Total banned:     0
                   `- Banned IP list:
                

                Here's mine
                [image: c4651f60-1bba-4a2a-9905-e9585c6685ce-image.png]

                  black3dynamite

                  /etc/fail2ban/filter.d/nextcloud.conf

                  [Definition]
                  failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
                            ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
                            ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
                  

                  /etc/fail2ban/jail.d/nextcloud.local

                  [nextcloud]
                  backend = auto
                  enabled = true
                  port = 80,443
                  protocol = tcp
                  filter = nextcloud
                  maxretry = 5
                  bantime = 36000
                  findtime = 36000
                  logpath = /var/nc_data/nextcloud.log
                  
                  [nginx-http-auth]
                  enabled = true
                  
                  1 Reply Last reply Reply Quote 1
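The nextcloud status output earlier in the thread shows `Journal matches:` with nothing after it, which is what a jail on the systemd backend prints; a jail that reads a log file (as with `backend = auto` and a `logpath`) prints a `File list:` line instead. The following is an added example, not any poster's code: the function names are hypothetical and the second sample is constructed.

```sh
# Added example: classify what a jail reads from, using the text printed by
# `fail2ban-client status <jail>`. Function names are hypothetical.

# Status text on stdin -> "source=<kind> failed=<n>"
jail_source() {
  awk '
    /Total failed:/    { failed = $NF }
    /Journal matches:/ { sub(/.*Journal matches:[ \t]*/, "")
                         src = ($0 == "") ? "journal-empty" : "journal" }
    /File list:/       { sub(/.*File list:[ \t]*/, "")
                         src = ($0 == "") ? "file-empty" : "file" }
    END { printf "source=%s failed=%s\n", (src ? src : "unknown"),
                 (failed == "" ? "?" : failed) }
  '
}

# Turn the classification into the next thing to check.
diagnose() {
  case "$(jail_source)" in
    source=journal-empty*) echo "systemd backend, no journalmatch: the file at logpath is not read; set backend = auto" ;;
    source=file-empty*)    echo "file backend but no file opened: check logpath and read access" ;;
    source=unknown*)       echo "not a jail status listing" ;;
    source=*failed=0)      echo "source is read but nothing matched yet: test the filter with fail2ban-regex" ;;
    *)                     echo "jail is reading its source and counting failures" ;;
  esac
}

# Filter section of the nextcloud status posted in the thread.
sample_nextcloud() { cat <<'EOF'
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
EOF
}

# Constructed: the same jail once it polls the log file.
sample_file() { cat <<'EOF'
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/nc_data/nextcloud.log
EOF
}

sample_nextcloud | diagnose
```

On a live host, pipe the real output in with `sudo fail2ban-client status nextcloud | diagnose`. Once the jail reads the file, `fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` shows whether the failregex lines match anything.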
                    Woti

                    nextcloud.conf is the same as yours. As well as the path.
                    but I have no nextcloud.local. The same content as yours is in jail.local
                    I'll try your solution.

                      Woti

                      Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                      My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                        black3dynamite @Woti

                        @Woti said in Fail2Ban not working with Fedora-Server Edition:

                        Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                        My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                        Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.

                        sudo setenforce permissive
                        
                          Woti

                          I used this command to give apache and php-fpm read and write access to the logfile

                          semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
                          restorecon -Rv '/var/log/nextcloud/'
                          

                          But how to give fail2ban access through SELinux?
                          Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
                          Of course I can remove the above SELinux file context and issue:

                          semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
                          restorecon -Rv '/var/log/nextcloud/'
                          

                          This way I get read write access to the nextcloud logfile for fail2ban but not for apache php-fpm anymore.
                          It is confusing.

                            Woti

                            Finally I got it to work 🙂
                            I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
                            I tried and my test-IPs were banned 🙂

                            1 Reply Last reply Reply Quote 1
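The SELinux part of the thread, as an added example that is not from any poster: it reads an AVC denial to see which domain was blocked on which file type, then applies the `httpd_log_t` label the thread settled on. The function names are hypothetical, and the AVC record is constructed on the assumption that the directory still carried `httpd_sys_rw_content_t` when fail2ban was denied.

```sh
# Added example (function names are hypothetical). The AVC record below is
# constructed to match the denial described in the thread; real records come
# from: sudo ausearch -m AVC -ts recent

sample_avc() { cat <<'EOF'
type=AVC msg=audit(1588330000.123:456): avc:  denied  { search } for  pid=1234 comm="f2b/f.nextcloud" name="nextcloud" dev="dm-0" ino=131 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
EOF
}

# AVC records on stdin -> "<comm> <source domain> -> <target type> <class> {<perms>}"
avc_summary() {
  awk '/avc: +denied/ {
    perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
      if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    printf "%s %s -> %s %s {%s}\n", comm, src, tgt, cls, perms
  }'
}

# Label the log directory httpd_log_t, the type the thread settled on.
# -m modifies the fcontext rule added earlier for the same path; use -a when
# no local rule exists yet. Needs root on an SELinux host; not called here.
relabel_nextcloud_log() {
  sudo semanage fcontext -m -t httpd_log_t '/var/log/nextcloud(/.*)?'
  sudo restorecon -Rv /var/log/nextcloud/
  ls -Zd /var/log/nextcloud /var/log/nextcloud/nextcloud.log
  getenforce   # prints Enforcing once the temporary permissive switch is undone
}

sample_avc | avc_summary
```

The summary line names the source domain (`fail2ban_t`) and the target type it could not search, which is the type to change rather than the fail2ban policy itself.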