Little Brain

Reputation: 2855

Fail2ban with EPEL package fail2ban-firewalld on Linux RedHat 8; ip is in jail but firewalld does not block it

I'm trying to use fail2ban with firewalld on Linux RedHat 8 and have not been able to get the default configuration to work. I am trying to ban IP addresses after a failed login attempt.

The web server is running a Meteor 2.5.1 app via Phusion Passenger and Nginx, which I wouldn't expect to make any difference unless there is something about websockets that makes it behave differently?

I've installed the Extra Packages for Enterprise Linux (EPEL) and then installed the fail2ban-firewalld package:

sudo yum install -y yum-utils
sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(< /etc/redhat-release tr -dc '0-9.'|cut -d \. -f1).noarch.rpm
sudo yum-config-manager --enable epel
sudo yum install -y fail2ban-firewalld

This has created the expected file /etc/fail2ban/jail.d/00-firewalld.conf

# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

I've then added a jail to block IPs after a failed login attempt, and a corresponding filter:

/etc/fail2ban/jail.local

[my-auth]

enabled  = true
port     = https
logpath  = %(nginx_error_log)s
maxretry = 1

/etc/fail2ban/filter.d/my-auth.conf

[INCLUDES]
[Definition]
failregex = .*?: <HOST> FailedLogin.*
ignoreregex =

then

sudo fail2ban-client reload

If I now make a failed login attempt, and run

sudo fail2ban-client status my-auth

I see this:

Status for the jail: my-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 8
|  `- File list:    /usr/share/nginx/logs/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 5
   `- Banned IP list:   x.x.x.x

So fail2ban has tried to ban the IP address, and the logs show this and no errors:

NOTICE  [webportal-auth] Ban x.x.x.x

But the website can still be accessed from the banned IP address, and there do not appear to be any firewalld rules set up.

sudo firewall-cmd --direct --get-all-rules

shows nothing.

However, I can get firewalld to ban IP addresses by a variation on this post. Here's what seems to work:

/etc/fail2ban/jail.local

[my-auth]

enabled  = true
port     = https
logpath  = %(nginx_error_log)s
maxretry = 1
action = custom-firewalld

Note that unlike the example, I had to use action= not banaction= to get it working.

And define the action in:

/etc/fail2ban/action.d/custom-firewalld.conf

[INCLUDES]
before  =

[Definition]
actionstart =
actionstop =
actioncheck =

actionflush = sed -i '/<source address=/d' /etc/firewalld/zones/drop.xml
actionban = firewall-cmd --change-source=<ip> --zone=drop && firewall-cmd --change-source=<ip> --zone=drop --permanent
actionunban = firewall-cmd --remove-source=<ip> --zone=drop && firewall-cmd --remove-source=<ip> --zone=drop --permanent || echo 0

[Init]

What have I missed here? I can't find any real documentation, just an installation note, but from this post it seems that 00-firewalld.conf should automatically override the default actions and set up rules in firewalld. And if there were something fundamentally wrong with my setup, custom-firewalld would not work? As I'm not seeing any errors in the fail2ban log, I don't know how to debug this further.

Upvotes: 0

Views: 1397
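An added example, not code from the question or from the fail2ban or firewalld projects: a small script that cross-checks what fail2ban reports as banned against what firewalld is actually enforcing. With the fail2ban-firewalld defaults (firewallcmd-rich-rules) a ban is a zone rich rule, which shows up under `firewall-cmd --list-rich-rules`, not under `firewall-cmd --direct --get-all-rules` (that only lists direct rules); with the custom-firewalld action from the question a ban is a source attached to the drop zone, which shows up under `firewall-cmd --zone=drop --list-sources`. The two parsing functions run on captured command output, so they can be exercised offline; `live_check` runs the real queries as root. The jail name, the address 203.0.113.7 and the sample outputs are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare fail2ban's idea of a
# ban with firewalld's runtime state. IPs and sample outputs are constructed.

# rich_rule_bans_ip RULES IP [PORT]
# RULES is the text printed by `firewall-cmd --list-rich-rules` (one rule per
# line, double-quoted attributes). Exit 0 when a reject/drop rule for IP exists,
# optionally restricted to PORT. The closing quote after the address prevents
# 203.0.113.7 from matching 203.0.113.70.
rich_rule_bans_ip() {
    local rules="$1" ip="$2" port="${3:-}"
    local ip_re
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
    if [ -n "$port" ]; then
        printf '%s\n' "$rules" |
            grep -Eq "source address=\"$ip_re\".*port port=\"$port\".*(reject|drop)"
    else
        printf '%s\n' "$rules" | grep -Eq "source address=\"$ip_re\".*(reject|drop)"
    fi
}

# drop_zone_has_ip SOURCES IP
# SOURCES is the text printed by `firewall-cmd --zone=drop --list-sources`
# (space-separated addresses or CIDRs). Exact match on a single address.
drop_zone_has_ip() {
    local sources="$1" ip="$2" s
    for s in $sources; do
        [ "$s" = "$ip" ] && return 0
    done
    return 1
}

# live_check JAIL IP [ACTION]
# Runs the real queries when the tools are installed (needs root). Prints the
# actions fail2ban has loaded for JAIL, the actionban command of ACTION if
# given, and whether IP is present in firewalld's runtime state at all.
live_check() {
    local jail="$1" ip="$2" action="${3:-}"
    if ! command -v fail2ban-client >/dev/null 2>&1 || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "fail2ban-client or firewall-cmd not available; skipping live check"
        return 0
    fi
    echo "== actions loaded for jail $jail =="
    fail2ban-client get "$jail" actions
    if [ -n "$action" ]; then
        echo "== actionban command for $action =="
        fail2ban-client get "$jail" actionban "$action"
    fi
    if rich_rule_bans_ip "$(firewall-cmd --list-rich-rules)" "$ip"; then
        echo "OK: firewalld has a rich rule rejecting $ip"
    elif drop_zone_has_ip "$(firewall-cmd --zone=drop --list-sources)" "$ip"; then
        echo "OK: $ip is a source of the drop zone"
    else
        echo "MISMATCH: fail2ban may list $ip as banned, but firewalld has no rule for it"
    fi
}

# Offline demonstration on a constructed rich-rule line, i.e. what a working
# firewallcmd-rich-rules ban for port 443 looks like in `--list-rich-rules`.
SAMPLE_RICH='rule family="ipv4" source address="203.0.113.7" port port="443" protocol="tcp" reject type="icmp-port-unreachable"'
if rich_rule_bans_ip "$SAMPLE_RICH" 203.0.113.7 443; then
    echo "sample: rich rule bans 203.0.113.7 on port 443"
fi
# On the real host, as root: live_check my-auth 203.0.113.7 firewallcmd-rich-rules
```

If `live_check` prints MISMATCH while `fail2ban-client status` lists the address, the next thing to look at is the actionban command it printed: run it by hand with the placeholders filled in and see what firewall-cmd says.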

Answers (1)

Chris So

Reputation: 1

If fail2ban-firewalld is installed, /jail.d/00-firewalld.conf should exist.

And in jail.local, keeping banaction = firewallcmd-ipset would work.

I tried modifying those action/banaction settings; it won't work. Keeping the original works for me.

Upvotes: 0
