fail2ban + firewalld suggestions needed

Jonathan Underwood jonathan.underwood at gmail.com
Wed Mar 19 19:21:30 UTC 2014


On 19 March 2014 19:16, Reindl Harald <h.reindl at thelounge.net> wrote:
> Am 19.03.2014 20:14, schrieb Jonathan Underwood:
>> On 19 March 2014 15:10, Orion Poplawski <orion at cora.nwra.com> wrote:
>>> See https://bugzilla.redhat.com/show_bug.cgi?id=1046816
>>> You are going to need fail2ban-0.9-2 - f20 build is here http://koji.fedoraproject.org/koji/taskinfo?taskID=6651548.  More testing would be much appreciated.
>>
>> On a default F20 install with that package I had to do the following
>> to get a minimal ssh jail up and running (this is info for those
>> following along, not Orion who no doubt knows this)...
>>
>> In /etc/fail2ban/jail.d/ajil.local
>>
>> [DEFAULT]
>> bantime = 3600
>> banaction = firewallcmd-ipset
>> backend = systemd
>>
>> [sshd]
>> enabled = true
>>
>> So, it seems to me that at the very least we should set backend =
>> systemd in Fedora, else it's not going to work out of the box (or,
>> more ugly, require rsyslog).
>>
>> As to the original question I'd favour enabling the firewalld support
>> in Fedora by default. Anyone disabling (or choosing not to install)
>> firewalld and installing fail2ban should know enough to configure
>> things appropriately
>
> but by not taking care of it you would end up having firewalld as a mandatory
> dependency, which is the main point of that thread - there are still way
> too many circular dependencies making it hard to strip down a setup

I didn't advocate fail2ban having a hard Requires for
firewalld, nor anything else creating a "circular dependence". I was
simply advocating having a configuration file that would work for the
most common case.

Cheers,
Jonathan.
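
Added example, not part of the original message and not fail2ban's own code: a small audit of a jail.d drop-in that reports enabled jails which would silently see no log data on a journal-only host, or whose ban action needs firewalld when it is absent. The `sshd-ddos` and `postfix` sections in the sample, the function name and its two flags are assumptions made for illustration; the fallback values for `backend` and `banaction` are assumed to match upstream's jail.conf.

```python
import configparser

# Constructed sample: the drop-in quoted in the message above, plus two
# extra jails (assumed for illustration) to show a failing and a disabled case.
SAMPLE = """\
[DEFAULT]
bantime = 3600
banaction = firewallcmd-ipset
backend = systemd

[sshd]
enabled = true

[sshd-ddos]
enabled = true
backend = auto

[postfix]
enabled = false
"""

# Backends that watch log files instead of the systemd journal.
FILE_BACKENDS = {"auto", "pyinotify", "gamin", "polling"}


def audit_jails(text, journal_only=True, firewalld_present=True):
    """Return (jail, problem) pairs for the enabled jails in a drop-in."""
    # fail2ban files use %(name)s substitution; turn interpolation off so
    # configparser does not try to expand it.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        jail = cp[name]  # lookups fall back to [DEFAULT]
        if not jail.getboolean("enabled", fallback=False):
            continue
        backend = jail.get("backend", "auto").strip().lower()
        banaction = jail.get("banaction", "iptables-multiport").strip()
        if journal_only and backend in FILE_BACKENDS:
            findings.append((name, f"backend={backend} reads log files, "
                                   "but the service logs only to the journal"))
        if banaction.startswith("firewallcmd-") and not firewalld_present:
            findings.append((name, f"banaction={banaction} needs firewalld"))
    return findings


if __name__ == "__main__":
    for jail, problem in audit_jails(SAMPLE, firewalld_present=False):
        print(f"[{jail}] {problem}")
```
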

