Fail2ban is a program that can prevent brute force attempts against your server. Basically, it counts failed login attempts and, once a given threshold is reached, triggers an action, which is usually a ban of the offending IP address.

Recently, I installed fail2ban on my CentOS 7 server and started it. After some time (bad…), I checked the fail2ban log and saw 0 IPs banned. This seemed unrealistic, because in /var/log/secure I found many entries from failed login attempts that should have been banned.

So what was the problem? In the fail2ban log /var/log/fail2ban.log there was no error or warning, and no ban entry either. At the end of my research, I noticed in the audit log that SELinux prevented fail2ban from reading the sshd journal and log files, and that it could not execute the ban command for firewalld.

grep -i avc /var/log/audit/audit.log

So here are 2 modules that allow fail2ban those actions:

Allow fail2ban its actions (fail2ban-syslog.te)

module fail2ban-syslog 1.0;
require {
type syslogd_var_run_t;
type fail2ban_t;
class dir read;
class file read;
class file open;
class file getattr;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;
allow fail2ban_t syslogd_var_run_t:file read;
allow fail2ban_t syslogd_var_run_t:file open;
allow fail2ban_t syslogd_var_run_t:file getattr;

Allow logrotate to rotate the fail2ban log (fail2ban-logrotate.te)

# the module line is required by checkmodule; the name is chosen here
module fail2ban-logrotate 1.0;
require {
type fail2ban_client_exec_t;
type logrotate_t;
type init_var_lib_t;
class file { open read execute getattr write create execute_no_trans setattr unlink ioctl rename };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file execute_no_trans;
allow logrotate_t fail2ban_client_exec_t:file { open read execute ioctl };
allow logrotate_t init_var_lib_t:file { open read getattr write create unlink setattr rename };

Create a new mod file (repeat the three steps below for the logrotate module with its own file names)

checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te

Compile new pp file

semodule_package -m fail2ban-syslog.mod -o fail2ban-syslog.pp

Install new module

semodule -i fail2ban-syslog.pp
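As an added example (not code from the original post), the shell function below does on a handful of constructed AVC records what audit2allow does on a real system: it keeps only the denials whose source domain is fail2ban_t and emits a .te module of the same shape as the one above. The audit lines are constructed samples, not taken from the author's server.

```shell
#!/bin/sh
# Constructed sample AVC records (not from the original post's server), shaped like the
# lines /var/log/audit/audit.log shows when SELinux blocks fail2ban-server.
SAMPLE_AVC='type=AVC msg=audit(1510000000.101:201): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="journal" dev="tmpfs" ino=1 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1510000000.102:202): avc:  denied  { read open } for  pid=1234 comm="fail2ban-server" path="/run/log/journal/x/system.journal" dev="tmpfs" ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510000000.103:203): avc:  denied  { getattr } for  pid=1234 comm="fail2ban-server" path="/run/log/journal/x/system.journal" dev="tmpfs" ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510000000.104:204): avc:  denied  { execute_no_trans } for  pid=2345 comm="logrotate" path="/usr/bin/fail2ban-client" dev="sda1" ino=3 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1510000000.104:204): arch=c000003e syscall=59 success=no exit=-13 comm="logrotate"'

# avc_to_te SOURCE_TYPE MODULE_NAME   (audit records on stdin, .te policy on stdout)
# Grants exactly the denied {class perm} pairs whose scontext type is SOURCE_TYPE;
# other domains (here logrotate_t) and non-AVC records are ignored.
avc_to_te() {
  awk -v src="$1" -v mod="$2" '
    /avc: +denied/ {
      p = index($0, "{"); q = index($0, "}")          # perms sit between the braces
      perms = substr($0, p + 1, q - p - 1)
      stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {                     # type = 3rd field of user:role:type:level
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
      }
      if (stype != src) next
      types[ttype] = 1
      key = ttype SUBSEP tclass
      n = split(perms, pa, " ")
      for (j = 1; j <= n; j++) {                      # de-duplicate per target/class and per class
        if (!((key, pa[j]) in seen)) { seen[key, pa[j]] = 1; allow[key] = allow[key] " " pa[j] }
        if (!((tclass, pa[j]) in cseen)) { cseen[tclass, pa[j]] = 1; cperm[tclass] = cperm[tclass] " " pa[j] }
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n\ttype %s;\n", mod, src
      for (t in types) printf "\ttype %s;\n", t
      for (c in cperm) printf "\tclass %s {%s };\n", c, cperm[c]
      printf "}\n\n"
      for (k in allow) {
        split(k, kk, SUBSEP)
        printf "allow %s %s:%s {%s };\n", src, kk[1], kk[2], allow[k]
      }
    }'
}

# Real use: avc_to_te fail2ban_t fail2ban-syslog < /var/log/audit/audit.log > fail2ban-syslog.te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te fail2ban_t fail2ban-syslog
```

The generated file then goes through the same checkmodule, semodule_package and semodule steps as above; review the allow rules before installing, since a module grants exactly what the denials asked for.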

After a restart of fail2ban it should work nicely:
systemctl restart fail2ban

Normally it should work. Why not on my server? After a little more research I discovered that my system time was not right and had to be in sync: fail2ban only counts failures whose log timestamps fall within its findtime window relative to the current clock, so a wrong clock makes the entries look stale. The current timezone was UTC and not my timezone, Europe/Zurich. Also the ntpd service was not running to keep the time in sync. So many pitfalls...

timedatectl set-timezone Europe/Zurich
systemctl start ntpdate
systemctl enable ntpd
systemctl start ntpd
systemctl restart fail2ban

And everything worked smoothly again.
