Fail2ban: installed on fedora 20 - no banning is being performed (firewallD)

Created on 18 Oct 2014 · 22 comments · Source: fail2ban/fail2ban

I was able to successfully install and start fail2ban on Fedora 20 (64-bit), yet there is no banning happening as far as I can see.
I used the guide here: http://apuntesderoot.wordpress.com/2014/02/27/configure-fail2ban-in-fedora-20-to-use-firewall-cmd-and-ipset/
though I wasn't 100% clear on where each of the new config files should be placed.

Presently I have a 'jail.customisation' file in /etc/fail2ban/jail.d/
and a 'fail2ban.local' file in /etc/fail2ban/fail2ban.d/

jail.customisation contains:

[sshd]
enabled=true
action = firewallcmd-ipset

and 'fail2ban.local' contains:

[Definition]
loglevel = DEBUG

I can see from PuTTY (when I use it to log in via SSH) that there have been failed login attempts made by hackers, yet fail2ban is not detecting them or adding them to any block lists.

Anyone know what I am missing here?

All 22 comments

Rename your jail.customisation into jail.local,

and both jail.local and fail2ban.local should be placed in /etc/fail2ban/.

You can check your configuration using fail2ban-client -d, or get more details by adding the parameter -v once or twice...

fail2ban-client -v -d

Ah ok, thanks for assisting.

I restarted the server and am seeing this in the fail2ban.log file:

2014-10-18 20:03:49,027 fail2ban.server.transmitter[19470]: WARNING Command ['set', 'sshd', 'addlogpath', '/var/log/secure', 'head'] has failed. Received IOError(21, 'Is a directory')
2014-10-18 20:03:49,029 fail2ban.server.filter[19470]: INFO    Set maxRetry = 5
2014-10-18 20:03:49,031 fail2ban.server.filter[19470]: INFO    Set jail log file encoding to ANSI_X3.4-1968
2014-10-18 20:03:49,032 fail2ban.server.actions[19470]: INFO    Set banTime = 600
2014-10-18 20:03:49,033 fail2ban.server.filter[19470]: INFO    Set findtime = 600
2014-10-18 20:03:49,034 fail2ban.server.filter[19470]: INFO    Set maxlines = 10
2014-10-18 20:03:49,142 fail2ban.server.server[19470]: INFO    Jail sshd is not a JournalFilter instance
2014-10-18 20:03:49,161 fail2ban.server.jail[19470]: INFO    Jail 'sshd' started
2014-10-18 20:03:57,796 fail2ban.server.action[19470]: ERROR   ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- stdout: "\x1b[91mError: COMMAND_FAILED: '/sbin/iptables -t filter -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable' failed: iptables v1.4.19.1: Kernel module xt_set is not loaded in.\x1b[00m\n"
2014-10-18 20:03:57,797 fail2ban.server.action[19470]: ERROR   ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- stderr: 'ipset v6.20.1: Kernel error received: Operation not permitted\n'
2014-10-18 20:03:57,797 fail2ban.server.action[19470]: ERROR   ipset create fail2ban-default hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2014-10-18 20:03:57,840 fail2ban.server.actions[19470]: ERROR   Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action

I have no idea why the action is not starting.. any tips?

I notice that 'WARNING 'actioncheck' not defined in 'Definition'. Using default one: ''
maybe implies that I need to add this line to a [Definition] section? In fail2ban.local?

action = firewallcmd-ipset

Kernel module xt_set is not loaded in
Are you in a VPS?

Which version of fail2ban have you used?

Have you tried allports or multiports?
For version 0.9:

banaction = iptables-allports
port = ssh
banaction = iptables-multiport

PS. You should also check and correct the path for this jail (the default for the ssh jail in Fedora is '/var/log/secure', but for you it seems to be a directory?):
You can overwrite it within the jail with:

logpath  = /var/log/secure/anything_else.log

I am using a remote VPS, yes.
Here's the relevant info from # yum info fail2ban

Name        : fail2ban
Arch        : noarch
Version     : 0.9
Release     : 2.fc20
Size        : 1.2 M

I haven't used allports or multiports and am not sure what those terms refer to presently.

I am not using iptables, only firewallD (as far as I am aware), so is there a banaction that is specific to firewallD that I need to assign here, rather than the iptables-multiport one?

I have added the log path config line and now I am not seeing any warnings about that path in the infodump in the terminal.. though there is no log file created yet at the path that I have chosen (after restarting the fail2ban service).

Ok, I found this one for Fedora... it can be because of banaction, not action (in 0.9 we have multiple actions):

banaction = firewallcmd-ipset

Aha, ok, thanks. :)
I've tested this config overnight and am seeing IPs being blocked and I am notified by email. Thanks so much for your assistance.

Oh, looks like I spoke too soon. There are errors relating to the banning action in the log and the bans are not actually being performed:

494 fail2ban.server.action[20300]: ERROR   ipset add fail2ban-sshd xx.xx.xx.xx timeout 600 -exist -- stdout: ''
494 fail2ban.server.action[20300]: ERROR   ipset add fail2ban-sshd xx.xx.xx.xx timeout 600 -exist -- stderr: 'ipset v6.20.1: Kernel error received: Operation not permitted\n'
494 fail2ban.server.action[20300]: ERROR   ipset add fail2ban-sshd 142.0.41.59 timeout 600 -exist -- returned 1
495 fail2ban.server.actions[20300]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset': Error banning xx.xx.xx.xx
ipset v6.20.1: Kernel error received: Operation not permitted

Possible reasons:

  • the user running the fail2ban service is not allowed to use ipset (start with root or as daemon);
  • your kernel in the VM basically does not allow this operation (some providers with OpenVZ);
  • we have in fact an error here :smile: (I don't have a Fedora to test it on now)

Have you tested ipset (or firewalld) manually?
If it is not permitted by your provider, use iptables instead (or I've heard about a wrapper to firewalld).

fail2ban is listed as being run by root in the system monitor.
I am using an OpenVZ node, yes.. do you know of a URL I can read to learn about the problem here? So that I can be more informed when I speak with the server host agent?
Thanks so much for assisting.

Do you know of a URL I can read to learn about the problem here?
Unfortunately I don't, perhaps Google knows...
Just test your firewall manually (via ssh)...

Well, the host operator says that other users are using fail2ban fine with the same server environment as me.. so.. I continue.

  • see this discussion, resp. this bug:
    kernel-2.6.32-28-pve - ipset works fine inside OpenVZ containers;
    kernel-2.6.32-33-pve - NOT;
  • have you at last tried your firewall manually?
    Because as per the ipset man page the command ipset add fail2ban-sshd <IP> timeout 600 -exist is perfectly legal. I see at the moment only one reason: your kernel prohibits its execution (possibly because in your kernel ipset is not, or not completely, virtualized).
    So try this one over ssh with root / sudo:
setn=test-fb; ip=1.2.3.4

ipset create $setn hash:ip timeout 300
ipset add $setn $ip timeout 60 -exist

ipset list $setn

ipset del $setn $ip -exist
ipset flush $setn
ipset destroy $setn

After running the 2nd line in that set of commands, I see the same "kernel error received: operation not permitted" message.

I looked at the kernel version and it is shown as: 2.6.32-042stab093.4
so... hmm.. I will forward this to the server admin, thanks.

You can also try the firewallcmd-new ban action - it works with firewall-cmd only, without a direct call of ipset, but I don't know your environment; possibly it will be wrapped internally to ipset, or even to iptables, or something else... To try this one:

banaction = firewallcmd-new

Ok so, the server operator pointed me to the bug where ipset was blocked by the kernel..
so I changed the banaction to firewallcmd-new - as advised..
I removed one of the IPs from the firewall's manual block list, just to ensure that 'someone' could get through to test fail2ban..
Very shortly after that I received several email notifications that fail2ban had blocked some new IPs.
When I looked in the fail2ban log though, there are no new entries for this activity at all. No records exist in the log for the IPs that I was notified about via email.
So presently, I am not sure if the banning was successful or not.

Hi,
I also have big problems running fail2ban in an OpenVZ VE. Maybe someone can help me.
The VE runs CentOS 7. fail2ban is 0.9.2. All possible iptables modules are available in the VE. The banaction with ipset is not possible because of restrictions in the kernel. So I tried the other methods you wrote here like firewallcmd-new.
In this case I got the message:
Kernel module xt_set is not loaded in.
Any ideas what I can do? I cannot load this module into the VE. On the host it is available. Thanks and regards

@TB1234 can you provide your configs? You are commenting on an issue almost a year old that you had not participated in.

What action are you using? What errors are in fail2ban's log? If your VE is restricting you from executing things, fail2ban isn't going to magically circumvent those restrictions. Fail2ban should be logging (set it to DEBUG as OP did) the commands it attempts to execute. This should help point to exactly what is failing for your specific environment - and possibly provide alternatives (iptables instead of firewalld). fail2ban-client -v -d could also prove useful.

I fixed it five minutes ago. The problem was on my side. :-/
I copied the jail.conf to jail.local (I didn't do this before) and switched to firewallcmd-new. Now it is working...
Thanks for your help :)

Glad to hear it! I strongly suggest only overriding things in jail.local (not copying the entire config)...since jail.conf can change in the future, but you'll permanently override those settings in your jail.local.

Fyi for others who run into this on OpenVZ. OpenVZ does NOT support ipset inside a container. That is why the firewallcmd-ipset banaction does not work. Use firewallcmd-new or iptables instead.
https://bugs.openvz.org/browse/OVZ-5736
