Re: [SOLVED] fail2ban firewalld problems with current CentOS 7




On 17.04.20 at 02:59, Rob Kampen wrote:
On 13/04/20 1:30 pm, Orion Poplawski wrote:
On 4/9/20 6:31 AM, Andreas Haumer wrote:
...
I'm neither a fail2ban nor a SELinux expert, but it seems the
standard fail2ban SELinux policy as provided by CentOS 7 is not
sufficient anymore and the recent updates did not correctly
update the required SELinux policies.

I could report this as a bug, but where does such a bug report belong
in the first place?

- andreas



See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
We're a bit stalled at the moment, I'm afraid.

Finally had some time to look into this. Happy to say fail2ban now appears to be working.

1. I found that reading the CentOS web site about SELinux was helpful, and this led me to issue the following:

semanage permissive -a fail2ban_t

This places just fail2ban requests (I got the context from the scontext part of the SELinux error message) into permissive mode rather than the entire OS.

2. Then a look into the SELinux troubleshooter gave me the errors that were occurring, and following the suggested instructions I created a my-f2bfsshd.pp & my-f2bfsshd.te.

3. Restarted fail2ban via systemctl restart fail2ban.service

4. Monitored via fail2ban-client status <filter_name> and now get:

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    109
|  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
    |- Currently banned:    3
    |- Total banned:    6
    `- Banned IP list:    27.78.14.83 116.105.216.179 139.99.71.227

5. Set fail2ban back into enforcing with

semanage permissive -d fail2ban_t

All solved for me.

I have now done this on a second machine and it too seems to be functioning again.


Great that there is a solution.
I am just curious; what does your my-f2bfsshd.te look like?

--
Leon
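As an added example (not code from this thread, nor from the fail2ban or CentOS projects), a POSIX shell script covering the triage side of Rob's steps 1, 2 and 4: counting and classifying the AVC denials that audit.log records for fail2ban_t while the domain is permissive, and reading the jail status that fail2ban-client prints. The audit lines, the status output, the sample IPs and the default module name are constructed or assumed; `build_local_module` shows the usual ausearch/audit2allow/semodule sequence behind a generated .te/.pp and is not exercised by the test.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage SELinux denials logged
# for the fail2ban_t domain (as after `semanage permissive -a fail2ban_t`)
# and read the jail status fail2ban-client prints. All samples are constructed.

# Constructed audit.log excerpt: three fail2ban_t denials plus one unrelated one.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1586432560.123:4567): avc:  denied  { read } for  pid=1234 comm="f2b/f.sshd" name="xtables.lock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:iptables_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586432561.456:4568): avc:  denied  { write } for  pid=1234 comm="f2b/f.sshd" name="xtables.lock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:iptables_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586432570.789:4570): avc:  denied  { name_connect } for  pid=1234 comm="f2b/f.sshd" dest=53 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1586432580.000:4571): avc:  denied  { read } for  pid=999 comm="sshd" name="known_hosts" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Number of AVC denials whose source domain is $1 (reads audit lines on stdin).
count_avc_denials() {
    grep -c "avc:  denied .*scontext=[^ ]*:$1:" || true
}

# Distinct "class:permission" pairs denied to domain $1: this is what a local
# module such as my-f2bfsshd.te would have to allow, so review it line by line.
denied_perms() {
    sed -n "s/.*avc:  denied  { \([^}]*\) } for .*scontext=[^ ]*:$1:[^ ]* .*tclass=\([^ ]*\).*/\2:\1/p" | sort -u
}

# Constructed `fail2ban-client status sshd` output in the thread's format.
sample_jail_status() {
    cat <<'EOF'
Status for the jail: sshd
`- Actions
    |- Currently banned:    3
    |- Total banned:    6
    `- Banned IP list:    198.51.100.7 203.0.113.21 192.0.2.44
EOF
}

# Number currently banned in a jail (reads fail2ban-client status on stdin).
jail_currently_banned() {
    sed -n 's/.*Currently banned:[[:space:]]*\([0-9]*\).*/\1/p'
}

# Root-only workflow (assumed, not Rob's exact commands): build a local module from
# the recorded fail2ban_t denials, load it, then end the permissive exemption.
build_local_module() {
    mod="${1:-my-f2bfsshd}"    # hypothetical default module name
    ausearch -m AVC --raw | grep ':fail2ban_t:' | audit2allow -M "$mod"
    semodule -i "$mod.pp" && semanage permissive -d fail2ban_t
}
```

Inspect the generated `$mod.te` before `semodule -i`; audit2allow allows everything it saw, and a denial caused by a misconfiguration should be fixed rather than permitted.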


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



