CentOS - Mar 2015 - Fail2Ban Centos 7 is there a trick to making it work?

On Mon, March 9, 2015 13:11, John Plemons wrote:
> Been working on fail2ban, and trying to make it work with plain Jane
> install of Centos 7
>
> Machine is a HP running 2 Quad core Xeons, 16 gig or ram and 1 plus TB
> of disk space. Very generic and vanilla.
>
> Current available epel repo version is fail2ban-0.9.1
>
> Looking at the log file, fail2ban starts and stops fine, there isn't
> output though showing any login attempts being restricted.
>
> 2015-03-09 12:54:37,930 fail2ban.server         [14805]: INFO
> Stopping all jails
> 2015-03-09 12:54:37,931 fail2ban.server         [14805]: INFO
> Exiting Fail2ban
> 2015-03-09 12:54:38,338 fail2ban.server         [16678]: INFO
> Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
> 2015-03-09 12:54:38,341 fail2ban.database       [16678]: INFO
> Connected to fail2ban persistent database
> '/var/lib/fail2ban/fail2ban.sqlite3'
>
> I copied jail.conf and added the edited jail.local to the directory
> /etc/fail2ban/
>
> This is about as far as I have gotten with searches on how to
> configure
> with Centos 7.
>
> Any help would be welcome. What am I missing?
>
> john
>
This is what I have for ssh in jail.conf

[ssh-iptables]

enabled  = true
filter   = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
        sendmail-whois[name=SSH, dest=x at harte-lyne.ca,
sender=x at harte-lyne.ca, sendername=Fail2Ban]
logpath  = /var/log/secure
maxretry = 5


And this (among many others) is what we have in /etc/fail2ban/action.d

cat /etc/fail2ban/action.d/iptables.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port>
-j
fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> --dport <port>
-j
fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[
\t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j
<blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j
<blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules
should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT


HTH

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

> On 10 Mar 2015, at 14:30, James B. Byrne <byrnejb at harte-lyne.ca>
wrote:
> 
> 
> On Mon, March 9, 2015 13:11, John Plemons wrote:
>> Been working on fail2ban, and trying to make it work with plain Jane
>> install of Centos 7
>> 
>> Machine is a HP running 2 Quad core Xeons, 16 gig or ram and 1 plus TB
>> of disk space. Very generic and vanilla.
>> 
>> Current available epel repo version is fail2ban-0.9.1
>> 
>> Looking at the log file, fail2ban starts and stops fine, there
isn't
>> output though showing any login attempts being restricted.
>> 
>> 2015-03-09 12:54:37,930 fail2ban.server         [14805]: INFO
>> Stopping all jails
>> 2015-03-09 12:54:37,931 fail2ban.server         [14805]: INFO
>> Exiting Fail2ban
>> 2015-03-09 12:54:38,338 fail2ban.server         [16678]: INFO
>> Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.1
>> 2015-03-09 12:54:38,341 fail2ban.database       [16678]: INFO
>> Connected to fail2ban persistent database
>> '/var/lib/fail2ban/fail2ban.sqlite3'
>> 
>> I copied jail.conf and added the edited jail.local to the directory
>> /etc/fail2ban/
>> 
>> This is about as far as I have gotten with searches on how to
>> configure
>> with Centos 7.
>> 
>> Any help would be welcome. What am I missing?
>> 
>> john
>> 
> 
> This is what I have for ssh in jail.conf
> 
> [ssh-iptables]
> 
> enabled  = true
> filter   = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>        sendmail-whois[name=SSH, dest=x at harte-lyne.ca,
> sender=x at harte-lyne.ca, sendername=Fail2Ban]
> logpath  = /var/log/secure
> maxretry = 5
> 
I?m using fail2ban with the -firewalld and -systemd modules, and I had to setup
some SELinux rules to make it working right. This is the policy I add to the
CentOS 7 machines:

module fail2ban-journal-sepol-new 1.0;

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        type fail2ban_t;
        type syslogd_var_run_t;
        class dir read;
        class file { ioctl read execute execute_no_trans open getattr };
}

#============= fail2ban_t =============
#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:dir read;

#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:file { read getattr open };

#============= logrotate_t =============allow logrotate_t
fail2ban_client_exec_t:file { ioctl read execute execute_no_trans open };


What?s the best way to report the selinux problems in EPEL packages, btw?
> HTH
> 
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
Ciao,
andrea
--
Andrea Dell'Amico
http://adellam.sevenseas.org/



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.centos.org/pipermail/centos/attachments/20150310/1c95a6dc/attachment-0001.sig>

On Tue, 2015-03-10 at 14:43 +0100, Andrea Dell'Amico
wrote:
>
> #============= logrotate_t =============> allow logrotate_t
fail2ban_client_exec_t:file { ioctl read execute
> execute_no_trans open };
>
Looks like this was already fixed in 'selinux-policy'. See
https://bugzilla.redhat.com/show_bug.cgi?id=1114821



John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK