Rob Kampen
2020-Apr-17 00:59 UTC
[CentOS] [SOLVED] fail2ban firewalld problems with current CentOS 7
On 13/04/20 1:30 pm, Orion Poplawski wrote:
> On 4/9/20 6:31 AM, Andreas Haumer wrote:
> ...
>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>> sufficient anymore and the recent updates did not correctly
>> update the required SELinux policies.
>>
>> I could report this as a bug, but where does such a bug report belong
>> in the first place?
>>
>> - andreas
>>
>
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
> We're a bit stalled at the moment I'm afraid
>
Finally had some time to look into this. Happy to say fail2ban now appears to be working.

1. I found that reading the CentOS web site about SELinux was helpful and this led me to issue the following:

semanage permissive -a fail2ban_t

this places just fail2ban requests (got the context from the scontext part of the SELinux error message) into permissive mode rather than the entire OS.

2. Then a look into the SELinux troubleshooter gave me the errors that were occurring and following the suggested instructions I created a my-f2bfsshd.pp & my-f2bfsshd.te

3. restarted fail2ban via systemctl restart fail2ban.service

4. monitored via fail2ban-client status <filter_name> and now get

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    109
|  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:    3
   |- Total banned:    6
   `- Banned IP list:    27.78.14.83 116.105.216.179 139.99.71.227

5. set fail2ban back into enforcing with

semanage permissive -d fail2ban_t

All solved for me.

I have now done this on a second machine and it too seems to be functioning again.

HTH
Rob
Leon Fauster
2020-Apr-17 10:55 UTC
[CentOS] [SOLVED] fail2ban firewalld problems with current CentOS 7
On 17.04.20 at 02:59, Rob Kampen wrote:
> On 13/04/20 1:30 pm, Orion Poplawski wrote:
>> On 4/9/20 6:31 AM, Andreas Haumer wrote:
>> ...
>>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>>> sufficient anymore and the recent updates did not correctly
>>> update the required SELinux policies.
>>>
>>> I could report this as a bug, but where does such a bug report belong
>>> in the first place?
>>>
>>> - andreas
>>>
>>
>>
>> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
>> We're a bit stalled at the moment I'm afraid
>>
> Finally had some time to look into this. Happy to say fail2ban now
> appears to be working.
>
> 1. I found that reading the CentOS web site about SELinux was helpful
> and this led me to issue the following:
>
> semanage permissive -a fail2ban_t
>
> this places just fail2ban requests (got the context from the scontext
> part of the SELinux error message) into permissive mode rather than the
> entire OS.
>
> 2. Then a look into the SELinux troubleshooter gave me the errors that
> were occurring and following the suggested instructions I created a
> my-f2bfsshd.pp & my-f2bfsshd.te
>
> 3. restarted fail2ban via systemctl restart fail2ban.service
>
> 4. monitored via fail2ban-client status <filter_name> and now get
>
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed:    0
> |  |- Total failed:    109
> |  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
> `- Actions
>    |- Currently banned:    3
>    |- Total banned:    6
>    `- Banned IP list:    27.78.14.83 116.105.216.179 139.99.71.227
>
> 5. set fail2ban back into enforcing with
>
> semanage permissive -d fail2ban_t
>
> All solved for me.
>
> I have now done this on a second machine and it too seems to be
> functioning again.
>
Great that there is a solution.
I am just curious; what does your my-f2bfsshd.te look like?

--
Leon
Rob Kampen
2020-Apr-17 22:36 UTC
[CentOS] [SOLVED] fail2ban firewalld problems with current CentOS 7
On 17/04/20 10:55 pm, Leon Fauster via CentOS wrote:
> On 17.04.20 at 02:59, Rob Kampen wrote:
>> On 13/04/20 1:30 pm, Orion Poplawski wrote:
>>> On 4/9/20 6:31 AM, Andreas Haumer wrote:
>>> ...
>>>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>>>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>>>> sufficient anymore and the recent updates did not correctly
>>>> update the required SELinux policies.
>>>>
>>>> I could report this as a bug, but where does such a bug report belong
>>>> in the first place?
>>>>
>>>> - andreas
>>>>
>>>
>>>
>>> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
>>> We're a bit stalled at the moment I'm afraid
>>>
>> Finally had some time to look into this. Happy to say fail2ban now
>> appears to be working.
>>
>> 1. I found that reading the CentOS web site about SELinux was helpful
>> and this led me to issue the following:
>>
>> semanage permissive -a fail2ban_t
>>
>> this places just fail2ban requests (got the context from the scontext
>> part of the SELinux error message) into permissive mode rather than
>> the entire OS.
>>
>> 2. Then a look into the SELinux troubleshooter gave me the errors
>> that were occurring and following the suggested instructions I
>> created a my-f2bfsshd.pp & my-f2bfsshd.te
>>
>> 3. restarted fail2ban via systemctl restart fail2ban.service
>>
>> 4. monitored via fail2ban-client status <filter_name> and now get
>>
>> Status for the jail: sshd
>> |- Filter
>> |  |- Currently failed:    0
>> |  |- Total failed:    109
>> |  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
>> `- Actions
>>    |- Currently banned:    3
>>    |- Total banned:    6
>>    `- Banned IP list:    27.78.14.83 116.105.216.179 139.99.71.227
>>
>> 5. set fail2ban back into enforcing with
>>
>> semanage permissive -d fail2ban_t
>>
>> All solved for me.
>>
>> I have now done this on a second machine and it too seems to be
>> functioning again.
>>
>
> Great that there is a solution.
> I am just curious; what does your my-f2bfsshd.te look like?

module my-f2bfsshd 1.0;

require {
    type proc_net_t;
    type sysctl_net_t;
    type sysfs_t;
    type fail2ban_t;
    class dir search;
    class file { getattr open read };
}

#============= fail2ban_t ==============
allow fail2ban_t proc_net_t:file read;
allow fail2ban_t sysctl_net_t:dir search;
allow fail2ban_t sysctl_net_t:file { getattr open read };
allow fail2ban_t sysfs_t:file { getattr open read };

>
> --
> Leon
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
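The five-step procedure in Rob's first post and the my-f2bfsshd.te he posted above are two halves of the same workflow: put only the fail2ban_t domain into permissive mode, collect the AVC denials it then logs, turn each denial's scontext/tcontext/tclass/permission into an allow rule, load the module, and switch the domain back to enforcing. The script below is an added example written for this page, not code from the thread or from the fail2ban or SELinux projects. It reproduces the denial-to-rule mapping in a few lines of awk so the derivation of the .te file is visible; on a real host you would let audit2allow do that step. The audit records in SAMPLE_AVC are constructed, not a capture, and the function names (avc_tuples, group_perms, avc_to_te, rebuild_fail2ban_policy) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal SELinux Type Enforcement
# module from the AVC denials of one domain, in the shape of my-f2bfsshd.te.
# A small stand-in for audit2allow(1), written so that the mapping from a
# denial to an allow rule is visible; plus the thread's workflow as a function.
set -e

# Constructed sample audit.log records (not a real capture). The sshd_t record
# and the repeated sysfs_t "read" record are there to show filtering and de-duplication.
SAMPLE_AVC='type=AVC msg=audit(1587075001.123:456): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="dev" dev="proc" ino=11 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075001.124:457): avc:  denied  { search } for  pid=1234 comm="fail2ban-server" name="net" dev="proc" ino=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1587075001.125:458): avc:  denied  { getattr open read } for  pid=1234 comm="fail2ban-server" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=13 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075001.126:459): avc:  denied  { getattr } for  pid=1234 comm="fail2ban-server" path="/sys/class/net/eth0/flags" dev="sysfs" ino=14 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075001.126:460): avc:  denied  { open } for  pid=1234 comm="fail2ban-server" path="/sys/class/net/eth0/flags" dev="sysfs" ino=14 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075001.127:461): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" path="/sys/class/net/eth0/flags" dev="sysfs" ino=14 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075001.128:462): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" path="/sys/class/net/eth0/flags" dev="sysfs" ino=14 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587075002.000:463): avc:  denied  { write } for  pid=999 comm="sshd" path="/etc/motd" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print one "target_type class permission" line per
# denied permission whose source domain (third field of scontext) is $1.
avc_tuples() {
    awk -v dom="$1" '
    /avc: +denied +\{/ {
        perms = $0; sub(/.*denied +\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), s, ":"); src = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src != dom || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print tgt, cls, p[i]
    }' | sort -u
}

# Read sorted "key... perm" lines, group by key and render the permission set
# in policy syntax: a single permission bare, several inside braces.
group_perms() {
    awk '
    {
        perm = $NF; $NF = ""; key = $0; sub(/ +$/, "", key)
        if (key != cur) { flush(); cur = key; set = perm; cnt = 1 }
        else            { set = set " " perm; cnt++ }
    }
    function flush() {
        if (cur == "") return
        if (cnt == 1) print cur, set
        else          print cur, "{ " set " }"
    }
    END { flush() }'
}

# Emit a .te module named $2 for domain $1 from AVC records on stdin.
avc_to_te() {
    dom=$1; mod=$2
    tuples=$(avc_tuples "$dom")
    [ -n "$tuples" ] || { echo "no denials for $dom" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n' "$mod" "$dom"
    printf '%s\n' "$tuples" | awk '{ print $1 }' | sort -u | awk '{ printf "\ttype %s;\n", $1 }'
    printf '%s\n' "$tuples" | awk '{ print $2, $3 }' | sort -u | group_perms \
        | awk '{ printf "\tclass %s", $1; $1 = ""; print $0 ";" }'
    printf '}\n\n#============= %s ==============\n' "$dom"
    printf '%s\n' "$tuples" | group_perms \
        | awk -v dom="$dom" '{ printf "allow %s %s:%s", dom, $1, $2; $1 = ""; $2 = ""; sub(/^ +/, ""); print " " $0 ";" }'
}

# The thread's procedure as one function. Needs root on an SELinux host and is
# defined for reference only; the stand-alone run below does not call it.
rebuild_fail2ban_policy() {
    semanage permissive -a fail2ban_t      # only fail2ban_t is permissive; the rest of the OS stays enforcing
    systemctl restart fail2ban.service     # reproduce the accesses, now logged as denials but allowed
    ausearch -m AVC -c fail2ban-server | avc_to_te fail2ban_t my-f2bfsshd > my-f2bfsshd.te
    checkmodule -M -m -o my-f2bfsshd.mod my-f2bfsshd.te
    semodule_package -o my-f2bfsshd.pp -m my-f2bfsshd.mod
    semodule -i my-f2bfsshd.pp
    semanage permissive -d fail2ban_t      # back to enforcing for the domain
    fail2ban-client status sshd            # bans should resume once matches occur
}

# Stand-alone run: the module generated from the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te fail2ban_t my-f2bfsshd
```

Run against the sample, the output is the same four allow rules and the same require block as the my-f2bfsshd.te in the post above; the sshd_t record is dropped by the domain filter and the duplicate sysfs_t read collapses into one rule. Two points worth keeping in mind with this workflow: `semanage permissive -a <domain>` is the right tool rather than `setenforce 0`, because every other domain keeps enforcing while you collect denials; and any generated module should be read before `semodule -i`, since it grants exactly what the process asked for. Here the rules are read-only access to proc_net_t, sysctl_net_t and sysfs_t files, which is what fail2ban needs to inspect network state and is low risk; a module that appeared with write or execute permissions on unexpected types would be a reason to stop and investigate the process, not to load the policy. On a real host `audit2allow -M my-f2bfsshd` performs the tuple-to-module step and produces both the .te and the .pp in one go.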