fail2ban sshd jail is not enabled on RHEL7/CentOS7
showaltb opened this issue
Not sure if this would be considered a bug or a documentation issue, but the fail2ban sshd jail is not enabled by default on RHEL7/CentOS7. The role just installs the fail2ban package but does not further configure it. On Debian, the jail is automatically enabled by the file /etc/fail2ban/jail.d/defaults-debian.conf, but on RHEL7/CentOS7, all jails are disabled by default.
Possibly a solution to #30 will address this as well?
fail2ban is a package that you need to configure, and test! Deploy a server online and watch the brute-force break-in attempts logged in /var/log/secure. The idea is that fail2ban parses this log and adds the violating IP addresses to an ipset that is governed by firewalld, for instance with a rich rule:
firewall-cmd --zone=drop --add-rich-rule='rule source ipset=fail2ban-sshd drop'
Note: The default firewalld zone should be 'drop' to comply with NIST, DISA-STIG etc.
The problem on CentOS 7.5+ is that the fail2ban package does not work out-of-the-box. Lots of blogs simply mention its config, but if you would actually tail /var/log/secure and inspect ipset list fail2ban-sshd, you will see that there are regular expressions to tweak before it works.
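The comment above describes the pipeline that has to be verified end to end: a failregex matches a line in /var/log/secure, the matches are counted per source address inside findtime, and once maxretry is reached the address lands in the ipset that the firewalld rule drops. The script below is an added example, not code from this repository or from fail2ban itself; it re-implements that counting logic in Python over a constructed sample of /var/log/secure lines so you can see which lines a given failregex catches and, just as importantly, which sshd lines it silently ignores (the "regular expressions to tweak" point). The two regexes, the maxretry/findtime values, the assumed log year and the ipset name are all assumptions made for the example; the real check on a host is still `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` followed by `ipset list fail2ban-sshd`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines (not captured from a real host).
# Syslog timestamps carry no year, exactly as on a stock CentOS 7 rsyslog.
SAMPLE_SECURE_LOG = """\
Mar 10 09:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 09:14:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 09:14:04 host sshd[1203]: Invalid user oracle from 203.0.113.5 port 51240
Mar 10 09:14:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 10 09:14:07 host sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2: RSA SHA256:abc
Mar 10 09:14:09 host sshd[1206]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 09:20:00 host sshd[1207]: Disconnected from authenticating user root 203.0.113.9 port 5000 [preauth]
"""

# Assumed failregex list, modelled on the shape of fail2ban's sshd filter but
# deliberately incomplete so the example can show an unmatched sshd line.
FAILREGEX = [
    re.compile(r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)(?: port \d+)?"),
]
IGNOREREGEX = [re.compile(r"Accepted \S+ for ")]
# Any sshd line that is neither ignored nor matched is worth a second look.
SSHD_LINE = re.compile(r"\bsshd\[\d+\]:")

MAXRETRY = 3      # assumed jail.local value
FINDTIME = 600    # seconds, assumed jail.local value
BANTIME = 3600    # seconds, assumed jail.local value
LOG_YEAR = 2024   # assumption: syslog lines have no year
IPSET_NAME = "fail2ban-sshd"


def parse_ts(line):
    """Parse the 15-character syslog timestamp at the start of a line."""
    return datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def evaluate(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (banned_hosts, unmatched_sshd_lines) for the given log text.

    A host is banned when it accumulates `maxretry` failregex hits whose
    timestamps all fall within `findtime` seconds, which is the same sliding
    window rule fail2ban applies.
    """
    failures = defaultdict(deque)
    banned = []
    unmatched = []
    for line in log_text.splitlines():
        if not line.strip() or any(r.search(line) for r in IGNOREREGEX):
            continue
        ts = parse_ts(line)
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                host = m.group("host")
                window = failures[host]
                window.append(ts)
                # Drop hits that fell out of the findtime window.
                while (ts - window[0]).total_seconds() > findtime:
                    window.popleft()
                if len(window) >= maxretry and host not in banned:
                    banned.append(host)
                break
        else:
            if SSHD_LINE.search(line):
                unmatched.append(line)
    return banned, unmatched


def ipset_commands(banned, ipset=IPSET_NAME, bantime=BANTIME):
    """Build the ipset entries the firewalld drop rule would then act on."""
    return [f"ipset add {ipset} {host} timeout {bantime} -exist" for host in banned]


if __name__ == "__main__":
    banned, unmatched = evaluate(SAMPLE_SECURE_LOG)
    print("banned:", banned)
    for cmd in ipset_commands(banned):
        print(cmd)
    print("sshd lines no failregex matched (candidates for a new regex):")
    for line in unmatched:
        print("  ", line)
```

Running it shows 203.0.113.5 banned on its third hit while 198.51.100.7, with a single failure, is left alone, and it lists the "Disconnected from authenticating user" line as an sshd event no regex covered. That last list is the part to watch on a real host: if the attempts you see scrolling past in /var/log/secure show up there, the filter needs another failregex before the ipset will ever fill.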
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.