fail2ban + firewalld suggestions needed

Richard Shaw hobbes1069 at gmail.com
Fri Mar 21 00:55:56 UTC 2014


On Thu, Mar 20, 2014 at 8:54 AM, Jonathan Underwood <
jonathan.underwood at gmail.com> wrote:

> On 20 March 2014 13:04, Richard Shaw <hobbes1069 at gmail.com> wrote:
> > On Wed, Mar 19, 2014 at 10:57 PM, Orion Poplawski <orion at cora.nwra.com>
> > wrote:
> >>
> >> On 03/19/2014 09:10 PM, Richard Shaw wrote:
> >> > Ok using Jonathan's suggestion for the settings from a clean install I'm
> >> > getting an error whether I use the systemd backend or not...
> >> >
> >> >[12698]: ERROR   ipset create fail2ban-sshd hash:ip timeout 600
> >> > firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport
> >> > --dports ssh -m set --match-set fail2ban-sshd src -j REJECT
> >> > --reject-with icmp-port-unreachable -- stderr: '/bin/sh: ipset: command
> >> > not found\n'
> >>    ^^^^^^^^
> >>
> >> Currently we're missing a requires on ipset.
> >
> >
> >
> > Ok, is installing ipset sufficient or do I need to enable the service as
> > well?
>
> Installing ipset should be sufficient to start the fail2ban service.
> But, you'll need to have selinux-policy-3.12.1-135 or later installed,
> otherwise you'll hit this:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1069640


Thanks, that indeed seems to be enough. I'm seeing banned IPs not in the
log, I have to assume that they're being banned successfully though...

Thanks,
Richard
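
The thread ends without confirming that bans are actually enforced. The following is an added example, not part of the original messages: it checks that the commands the action shells out to are present, then reads `ipset list` output to report whether a firewall rule references the set and how many addresses it holds. The set name `fail2ban-sshd` is taken from the quoted error; the function names and the sample `ipset list` output are constructed.

```shell
#!/bin/sh
# Added example: verify the fail2ban ipset ban path discussed in the thread.
SET_NAME="fail2ban-sshd"   # set name from the quoted error message

# Constructed sample of `ipset list fail2ban-sshd` output (documentation IPs).
sample_ipset_output() {
cat <<'EOF'
Name: fail2ban-sshd
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 16656
References: 1
Members:
192.0.2.10 timeout 431
198.51.100.7 timeout 88
EOF
}

# Return 0 only if every named command is on PATH; name the missing ones.
check_prereqs() {
    missing=0
    for cmd in "$@"; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "missing: $cmd" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Read `ipset list` output on stdin; print "<references> <member count>".
summarize_set() {
    awk '
        /^References:/ { refs = $2 }
        members && NF  { count++ }      # non-empty lines after "Members:"
        /^Members:/    { members = 1 }
        END { printf "%d %d\n", refs, count }
    '
}

# Return 0 only when at least one firewall rule references the set.
set_is_enforced() {
    set -- $(summarize_set)
    [ "${1:-0}" -ge 1 ]
}

# Live use, as root:
#   check_prereqs ipset firewall-cmd && ipset list "$SET_NAME" | summarize_set
sample_ipset_output | summarize_set   # prints "1 2"
```

A `References` value of 0 means the set exists but no rule matches against it, so entries under `Members` would not be rejected.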