    [How to] Fail2ban on CentOS 7

    • ?
      A Former User @nadnerB
      last edited by

      I wrote a script to do this.

      #!/bin/bash
      
      # CentOS7 Fail2Ban Install and Configure Script
      
      # fail2ban is packaged in EPEL, so enable that repository first
      yum install -y epel-release
      yum install -y fail2ban checkpolicy policycoreutils-python firewalld
      
      # Enable the sshd jail
      cat > /etc/fail2ban/jail.local << 'EOF'
      [sshd]
      enabled = true
      EOF
      
      # SELinux policy module that lets fail2ban read syslogd's runtime files
      cat > fail2ban-syslog.te << 'EOF'
      module fail2ban-syslog 1.0;
      
      require {
          type syslogd_var_run_t;
          type fail2ban_t;
          class dir read;
          class file { read open getattr };
      }
      
      #============= fail2ban_t ==============
      allow fail2ban_t syslogd_var_run_t:dir read;
      allow fail2ban_t syslogd_var_run_t:file { read open getattr };
      EOF
      
      # Compile, package and load the module
      checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
      semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
      semodule -i fail2ban-syslog.pp
      
      # Start fail2ban now and at every boot
      systemctl start fail2ban
      
      systemctl enable fail2ban
      
      # Confirm the sshd jail is loaded
      fail2ban-client status sshd
      
      echo Done!
      

      Anything I missed?

      • DanpD
        Danp @A Former User
        last edited by

        @Aaron-Studer You left out the steps that create the sshd.local file. Was this intentional?

        • DanpD
          Danp
          last edited by

          Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

          • ?
            A Former User @Danp
            last edited by

            @Danp said:

            Seems like Fail2Ban stops logging after a log rotation. Anyone else run into this?

            I don't think Fail2ban likes log rotate.

            • DanpD
              Danp @A Former User
              last edited by

              @thecreativeone91 said:

              I don't think Fail2ban likes log rotate.

              Looks that way. I found this, but it's for an older version of both F2B and CentOS.

              • DanpD
                Danp
                last edited by

                Added "copytruncate" to the F2B logrotate configuration file and then ran a manual log rotation. Seemed to work ok (system is still logging to fail2ban.log), but I will continue to monitor.

                • S
                  Sparkum
                  last edited by

                  When I do

                  fail2ban-client status sshd

                  I get

                  [root@dc fail2ban]# fail2ban-client status sshd
                  ERROR NOK: ('sshd',)
                  Sorry but the jail 'sshd' does not exist

                  When I check the audit logs I get logs....

                  • DanpD
                    Danp @Sparkum
                    last edited by

                    @Sparkum What do you get when you enter the following?:

                    fail2ban-client status
                    
                    • S
                      Sparkum @Danp
                      last edited by Sparkum

                      @Danp

                      [root@dc fail2ban]# fail2ban-client status
                      Status
                      |- Number of jail: 0
                      `- Jail list:

                      • DanpD
                        Danp
                        last edited by

                        Did you follow the steps and create the jail.local file?

                        • S
                          Sparkum @Danp
                          last edited by

                          @Danp

                          Yep

                          fail.PNG

                          • S
                            Sparkum
                            last edited by

                            Noticed the problem happened below.

                            Changed "enabled" to "enable" and looks like it works.

                            Status for the jail: sshd
                            |- Filter
                            |  |- Currently failed: 0
                            |  |- Total failed: 0
                            |  `- File list: /var/log/secure
                            `- Actions
                               |- Currently banned: 0
                               |- Total banned: 0
                               `- Banned IP list:

                            Much appreciated thanks

                            • DanpD
                              Danp @Sparkum
                              last edited by

                              @Sparkum That's strange, b/c I believe "enabled" is the correct entry.

                              1 Reply Last reply Reply Quote 0
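
Added example, not part of the thread or of fail2ban itself: fail2ban's jail option is spelled `enabled`, and `fail2ban-client status` showing "Number of jail: 0" usually means no section set it to a true value. The hypothetical helper `check_jails` reads a single jail.local-style file (it does not merge jail.conf or jail.d/), reports each jail's state with `[DEFAULT]` inheritance, and flags keys such as `enable` that only resemble `enabled`; the sample file in `demo` is constructed.

```bash
#!/bin/bash
# Added example (not from the thread). Reports, for one jail.local-style file,
# whether each jail is enabled, and flags keys that resemble "enabled" but
# are spelled differently. jail.conf and jail.d/ are not merged in.

check_jails() {   # usage: check_jails FILE
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*([#;]|$)/ { next }                  # skip comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                    # section header, e.g. [sshd]
        sec = trim($0); sec = substr(sec, 2, length(sec) - 2)
        if (sec != "DEFAULT" && sec != "INCLUDES" && !(sec in state)) {
            order[++n] = sec; state[sec] = ""   # "" means: not set in this jail
        }
        next
    }
    sec != "" && index($0, "=") > 0 {
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "enabled") {
            # Values fail2ban reads as true for a boolean option
            on = (val == "1" || val == "on" || val == "true" || val == "yes")
            if (sec == "DEFAULT") dflt = on; else state[sec] = on
        } else if (key ~ /^enabl/ && sec != "INCLUDES") {
            print sec, "suspect-key", key       # e.g. "enable" or "enabel"
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            v = (state[s] == "" ? dflt + 0 : state[s])   # inherit from DEFAULT
            print s, (v ? "enabled" : "disabled")
        }
    }' "$1"
}

# Constructed sample: a correct [sshd] jail beside one using the "enable" key.
demo() {
    f=$(mktemp)
    printf '%s\n' '[sshd]' 'enabled = true' '' '[sshd-ddos]' 'enable = true' > "$f"
    check_jails "$f"
    rm -f "$f"
}
```

Run `check_jails /etc/fail2ban/jail.local` before restarting the service; a jail reported as `disabled` or carrying a `suspect-key` line will not appear in `fail2ban-client status`.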