Configuring Fail2ban to work with firewalld
This document (000021067) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server for SAP Applications 15 SP4
Situation
Resolution
# Do all your modifications to the jail's configuration in jail.local!
[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

[sshd]
enabled = true
2) Restart Fail2ban service:
systemctl restart fail2ban.service
When Fail2ban blocks an IP it will also add a related rich rule to firewalld.
To verify all the firewalld rich rules:
firewall-cmd --list-all
or
firewall-cmd --list-rich-rules
Fail2ban deletes its rich rules from firewalld when the Fail2ban service is stopped or when the jail (in this case the [sshd] jail) is stopped (fail2ban-client stop sshd).
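The verification step above can be scripted to flag a ban that Fail2ban reports but that has no blocking rich rule in firewalld. The following is an added example, not part of the original SUSE document; the function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-rich-rules` (last rule is an admin rule, not a ban).
sample_rules() {
cat <<'EOF'
rule family="ipv4" source address="192.0.2.10" port port="22" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv6" source address="2001:db8::5" port port="22" protocol="tcp" reject type="icmp6-port-unreachable"
rule family="ipv4" source address="10.0.0.0/8" service name="http" accept
EOF
}

# Constructed sample of `fail2ban-client status sshd`.
sample_status() {
cat <<'EOF'
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/messages
`- Actions
   |- Currently banned: 3
   |- Total banned:     3
   `- Banned IP list:   192.0.2.10 198.51.100.7 2001:db8::5
EOF
}

# Source addresses of blocking (reject/drop) rich rules read from stdin.
blocked_sources() {
    grep -E ' (reject|drop)( |$)' |
        sed -n 's/.*source address="\([^"]*\)".*/\1/p' | sort -u
}

# Addresses on the "Banned IP list:" line of the jail status read from stdin.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every banned address that has no blocking rich rule.
# $1 = jail status text, $2 = rich-rule listing text
bans_without_rule() {
    rules=$(printf '%s\n' "$2" | blocked_sources)
    printf '%s\n' "$1" | banned_ips | while read -r ip; do
        printf '%s\n' "$rules" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
    done
}

# Live use: bans_without_rule "$(fail2ban-client status sshd)" "$(firewall-cmd --list-rich-rules)"
bans_without_rule "$(sample_status)" "$(sample_rules)"
```

An empty result means every address in the jail's ban list is covered by a reject or drop rich rule.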
Additional Information
jail.conf man page: https://manpages.opensuse.org/Tumbleweed/fail2ban/jail.conf.5.en.html
Fail2ban: https://www.fail2ban.org/wiki/index.php/Main_Page
https://github.com/fail2ban/fail2ban
Firewalld: https://firewalld.org/
Firewalld runtime vs permanent: https://firewalld.org/documentation/configuration/runtime-versus-permanent.html
Please note: The Fail2ban package is supported only on SLES 15 SP4 and later versions. In previous releases of SLES, Fail2ban is provided only through SUSE Package Hub. While the packages from the SUSE Package Hub are not officially supported by SUSE, SUSE Linux Enterprise Server remains supported and supportable when using these packages.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021067
- Creation Date: 12-May-2023
- Modified Date: 16-May-2023
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com