    Fail2Ban not working with Fedora-Server Edition

    • black3dynamite @Woti

      @Woti said in Fail2Ban not working with Fedora-Server Edition:

      My problem is that nothing is banned. Maybe no one is attacking my server? 😄
      @black3dynamite Yes I have the same setup from Riegers.

      It doesn't matter if I try with Nextcloud, ssh and so on. No banning.

      Backend uses systemd. That should be right for Fedora / CentOS, shouldn't it?

      On Fedora, CentOS, and Red Hat, SELinux can sometimes cause issues.

      • Woti

        Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?

        • JaredBusch @Woti

          @Woti said in Fail2Ban not working with Fedora-Server Edition:

          Do you guys have some recommended setup guides based on latest Fedora/CentOS or how to check if fail2ban works properly?

          You install it and turn it on

          sudo dnf install -y fail2ban
          sudo systemctl enable --now fail2ban
          

          You can see things with fail2ban-client

          sudo fail2ban-client status
          

          And specifics about a jail

          sudo fail2ban-client status sshd
          

          Beyond that, there is not any one "guide"

          You have to create jails that understand the application you are protecting.

          • Woti

            I have now activated sshd and it works perfectly. But Nextcloud doesn't.
            What other jails do you use? What is recommended?

            sudo fail2ban-client status sshd
            Status for the jail: sshd
            |- Filter
            |  |- Currently failed: 1
            |  |- Total failed:     13
            |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
            `- Actions
               |- Currently banned: 1
               |- Total banned:     1
               `- Banned IP list:   77.16.71.32
            

            Nextcloud is missing matching Journal it looks like?

            sudo fail2ban-client status nextcloud
            Status for the jail: nextcloud
            |- Filter
            |  |- Currently failed: 0
            |  |- Total failed:     0
            |  `- Journal matches:
            `- Actions
               |- Currently banned: 0
               |- Total banned:     0
               `- Banned IP list:
            
            • black3dynamite @Woti

              @Woti said in Fail2Ban not working with Fedora-Server Edition:

              I have now activated sshd and it works perfectly. But Nextcloud doesn't.
              What other jails do you use? What is recommended?

              sudo fail2ban-client status sshd
              Status for the jail: sshd
              |- Filter
              |  |- Currently failed: 1
              |  |- Total failed:     13
              |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
              `- Actions
                 |- Currently banned: 1
                 |- Total banned:     1
                 `- Banned IP list:   77.16.71.32
              

              Nextcloud is missing matching Journal it looks like?

              sudo fail2ban-client status nextcloud
              Status for the jail: nextcloud
              |- Filter
              |  |- Currently failed: 0
              |  |- Total failed:     0
              |  `- Journal matches:
              `- Actions
                 |- Currently banned: 0
                 |- Total banned:     0
                 `- Banned IP list:
              

              Here's mine
              [image]

              • black3dynamite

                /etc/fail2ban/filter.d/nextcloud.conf

                [Definition]
                # Each failregex line matches one layout of a failed-login entry in nextcloud.log; <HOST> marks the client address.
                failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
                          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":"no app in context","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
                          ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
                

                /etc/fail2ban/jail.d/nextcloud.local

                [nextcloud]
                backend = auto
                enabled = true
                port = 80,443
                protocol = tcp
                filter = nextcloud
                maxretry = 5
                bantime = 36000
                findtime = 36000
                logpath = /var/nc_data/nextcloud.log
                
                [nginx-http-auth]
                enabled = true
                
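An offline check of the filter posted above, added here as an example (it is not part of the thread and not fail2ban's own code): it applies the first and third `failregex` lines to constructed log entries, the kind of test `fail2ban-regex` runs against a real log file. `HOST_GROUP`, the function names and the sample lines are assumptions of this example.

```python
import re

# fail2ban swaps the <HOST> tag for an address-capturing group before it
# compiles a failregex. This narrower group (IP literals only) is an
# assumption of the example; fail2ban's date detection is left out too.
HOST_GROUP = r"(?P<host>[0-9A-Fa-f:.]+)"

# First and third failregex lines from the filter posted above.
FAILREGEX = [
    r'''^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$''',
    r'''^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$''',
]

# Constructed nextcloud.log entries (documentation addresses, not real data).
SAMPLE_LOG = [
    # older layout: user and address in single quotes
    '''{"reqId":"a1","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')","level":2,"time":"2019-03-01T10:00:00+00:00"}''',
    # newer layout: more fields, no quotes inside the message
    '''{"reqId":"b2","level":2,"time":"2020-05-01T10:00:00+00:00","remoteAddr":"198.51.100.23","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Login failed: admin (Remote IP: 198.51.100.23)","userAgent":"curl","version":"18.0.4.2"}''',
    # level-2 entry that is not a login failure
    '''{"reqId":"c3","level":2,"time":"2020-05-01T10:01:00+00:00","remoteAddr":"198.51.100.23","user":"admin","app":"core","method":"GET","url":"/","message":"Something else went wrong","userAgent":"curl","version":"18.0.4.2"}''',
    # failed login written in a layout the filter does not know
    "May  1 10:02:00 cloud nextcloud[123]: Login failed: admin (Remote IP: 192.0.2.50)",
]

def compile_filter(failregexes):
    """Compile failregex lines with <HOST> replaced by the capture group."""
    return [re.compile(rx.replace("<HOST>", HOST_GROUP)) for rx in failregexes]

def failures(log_lines, failregexes=FAILREGEX):
    """Return (line_number, host, regex_index) for each line a failregex matches."""
    compiled = compile_filter(failregexes)
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((lineno, m.group("host"), idx))
                break
    return hits

def missed(log_lines, failregexes=FAILREGEX):
    """Line numbers that mention a failed login but match no failregex."""
    matched = {lineno for lineno, _, _ in failures(log_lines, failregexes)}
    return [n for n, text in enumerate(log_lines, 1) if "Login failed" in text and n not in matched]

if __name__ == "__main__":
    print("counted as failures:", failures(SAMPLE_LOG))
    print("failed logins the filter missed:", missed(SAMPLE_LOG))
```

A non-empty `missed` list means failed logins are being logged in a layout the filter does not cover, which is one of the conditions that leaves a jail's `Total failed` counter at 0.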
                • Woti

                  nextcloud.conf is the same as yours. As well as the path.
                  but I have no nextcloud.local. The same content as yours is in jail.local
                  I'll try your solution.

                  • Woti

                    Now I get an SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                    My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                    • black3dynamite @Woti

                      @Woti said in Fail2Ban not working with Fedora-Server Edition:

                      Now I get an SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
                      My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

                      Temporarily set SELinux to permissive and try again. You might have to configure SELinux to allow access.

                      sudo setenforce permissive
                      
                      • Woti

                        I used this command to give Apache and php-fpm read and write access to the logfile

                        semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
                        restorecon -Rv '/var/log/nextcloud/'
                        

                        But how to give fail2ban access through SELinux?
                        Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
                        Of course I can remove the above SELinux file context and issue:

                        semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
                        restorecon -Rv '/var/log/nextcloud/'
                        

                        This way I get read write access to the nextcloud logfile for fail2ban but not for Apache and php-fpm anymore.
                        It is confusing.

                        • Woti

                          Finally I got it to work 🙂
                          I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
                          I tried and my test-IPs were banned 🙂
