I am using @GarethTheRed's answer to this question to install fail2ban on a remote CentOS 7 server. I am able to complete all the steps up until tail -f /var/log/fail2ban.log, at which point I get different results than he gets in his answer.
Here are the results I am getting at this step:
[root@remotecentosserver.com ~]# tail -f /var/log/fail2ban.log
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 16:55:53,550 fail2ban.server.database[6667]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-12-02 16:55:54,239 fail2ban.server.database[6667]: WARNING New database created. Version '2'
After the last line, I just get a cursor but no command prompt unless I type Ctrl-C.
When I type systemctl status fail2ban, it tells me that fail2ban is active. When I log out of the system and log back in later, sshd tells me that there have been many failed attempts to login since my last login. So there should be fail2ban logs. But I cannot seem to find them.
Can someone show me how to get this set up so that fail2ban generates logs that I can track?
Answers:
Method 1
Try installing fail2ban from EPEL. It's packaged for CentOS 7 and you'll get updates as they are released. Installing the rpm from another repo may work (it did in this case) but is not the best way of doing things.
First of all, install the EPEL repository by issuing the following (as root):
yum install epel-release
The above should install EPEL and give you access to many new packages. One of those packages is fail2ban, therefore install it by running:
yum install fail2ban
By default there are no jails configured, therefore to configure a basic sshd jail:
Create/edit the file /etc/fail2ban/jail.local and add:
[sshd]
enabled = true
Start it with:
systemctl start fail2ban
Make it start at boot time:
systemctl enable fail2ban
There used to be a known bug where SELinux would block fail2ban from accessing the log files it needed to do its job. This seems to be fixed in the most recent version of CentOS 7; you shouldn’t need to make the changes below.
If you do have this issue, symptoms are nothing appearing in the logs and nothing appearing as failed or blocked in the output of fail2ban-client status sshd.
To check for SELinux error, read the journals with:
journalctl -lfu fail2ban
Watch them for messages such as:
SELinux is preventing /usr/bin/python2.7 from getattr access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed getattr access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Therefore do as suggested and run:
grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Then, to be safe, restart fail2ban:
systemctl restart fail2ban
You may even have to repeat the process above until no more error messages appear in the log.
If your server is on the internet then monitor fail2ban-client status sshd. It will soon start to show failed and banned counts if you’ve caught all the SELinux issues.
Note that you will have to keep an eye on your SELinux policy updates. If a selinux-policy package update appears, it may overwrite the above and you may need to run the above commands again. You’ll know if this is the case as fail2ban will stop working again!
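The procedure in this answer as one script, added here as an example and not part of the original answer or of the fail2ban project: it writes the jail.local above, enables and starts the service, then runs the two checks the answer recommends, reading the counters from fail2ban-client status sshd and looking for SELinux denials against fail2ban-server (via ausearch on the audit log, which can be scripted, rather than watching journalctl). The ignoreip range, the policy module name fail2ban-local, and the sample audit-log and status text at the bottom are constructed for illustration, not captured from a real host.

```shell
#!/bin/bash
# Added example, not code from the original answer: apply the steps above on
# CentOS 7 and then check whether the jail is counting failures and whether
# SELinux is denying fail2ban-server access to its log files.
# Assumptions: run as root, EPEL reachable, stock CentOS 7 paths. The helper
# functions read stdin so they can be exercised offline on the samples below.

JAIL_LOCAL=/etc/fail2ban/jail.local

# jail.local from the answer, with the ban policy spelled out instead of
# silently inherited from jail.conf. ignoreip is a hypothetical management
# range; replace it with your own so you cannot lock yourself out.
render_jail_local() {
    cat <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 10.0.0.0/8
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
EOF
}

# Count AVC denials against fail2ban-server in audit.log text on stdin.
# A non-zero count is the SELinux symptom the answer describes.
count_fail2ban_avc_denials() {
    grep -c 'type=AVC .*denied .*comm="fail2ban-server"' || true
}

# Pull the "Total banned" counter out of `fail2ban-client status sshd` output
# on stdin; prints 0 if the line is absent (jail not running or no bans yet).
total_banned() {
    awk -F': *' '/Total banned/ {print $2; found=1} END {if (!found) print 0}'
}

apply_setup() {
    yum -y install epel-release
    yum -y install fail2ban
    render_jail_local > "$JAIL_LOCAL"
    systemctl enable fail2ban
    systemctl restart fail2ban
    # Give the server a moment to open its log files before checking.
    sleep 2
    fail2ban-client status sshd

    # Same check as the answer's journalctl watch, but against the audit log:
    # ausearch filters by message type (-m) and process name (-c).
    denials=$(ausearch -m AVC -c fail2ban-server --raw 2>/dev/null \
              | count_fail2ban_avc_denials)
    if [ "$denials" -gt 0 ]; then
        echo "SELinux denied fail2ban-server $denials times; building a local policy module"
        ausearch -m AVC -c fail2ban-server --raw | audit2allow -M fail2ban-local
        semodule -i fail2ban-local.pp
        systemctl restart fail2ban
    fi
}

# Constructed samples (not captured from a real host) for the offline checks.
SAMPLE_AUDIT='type=AVC msg=audit(1417539354.239:301): avc:  denied  { getattr } for  pid=6667 comm="fail2ban-server" path="/var/log/secure" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1417539354.239:301): arch=c000003e syscall=4 success=no exit=-13 comm="fail2ban-server"
type=AVC msg=audit(1417539354.240:302): avc:  denied  { read } for  pid=6667 comm="fail2ban-server" path="/var/log/secure" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     27
|  `- File list:        /var/log/secure
`- Actions
   |- Currently banned: 1
   |- Total banned:     4
   `- Banned IP list:   203.0.113.7'

# Only touch the system when explicitly asked; plain execution just runs the
# offline checks on the samples.
case "${1:-}" in
    --apply) apply_setup ;;
    *)
        echo "AVC denials in sample audit log: $(printf '%s\n' "$SAMPLE_AUDIT" | count_fail2ban_avc_denials)"
        echo "Total banned in sample status:   $(printf '%s\n' "$SAMPLE_STATUS" | total_banned)"
        ;;
esac
```

Run it as root with --apply on the server; without arguments it only exercises the two checks on the constructed samples. The answer's warning about selinux-policy updates still applies: a new policy can reintroduce the denials the local module worked around, so the ausearch check is worth rerunning after such an update. As for the question's tail -f symptom, the cursor with no prompt is just tail following the file and waiting for new lines; fail2ban-client status sshd is the quicker way to see whether the jail is doing anything.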
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.