I am using @GarethTheRed's answer to this question to install fail2ban on a remote CentOS 7 server. I am able to complete all the steps up until tail -f /var/log/fail2ban.log, at which point I get different results than he gets in his answer.

Here are the results I am getting at this step:
[root@remotecentosserver.com ~]# tail -f /var/log/fail2ban.log
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 16:55:53,550 fail2ban.server.database[6667]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2014-12-02 16:55:54,239 fail2ban.server.database[6667]: WARNING New database created. Version '2'
After the last line, I just get a cursor but no command prompt unless I type Ctrl-C.

When I type systemctl status fail2ban, it tells me that fail2ban is active. When I log out of the system and log back in later, sshd tells me that there have been many failed attempts to login since my last login. So there should be fail2ban logs. But I cannot seem to find them.

Can someone show me how to get this set up so that fail2ban generates logs that I can track?
Best Answer
Try installing fail2ban from EPEL. It's packaged for CentOS 7 and you'll get updates as they are released. Installing the rpm from another repo may work (it did in this case) but is not the best way of doing things.

First of all, install the EPEL repository by issuing the following (as root):

The above should install EPEL and give you access to many new packages. One of those packages is fail2ban, therefore install it by running:

By default there are no jails configured, therefore to configure a basic sshd jail, create/edit the file /etc/fail2ban/jail.local and add:

Start it with:

Make it start at boot time:
There used to be a known bug where SELinux would block fail2ban from accessing the log files it needed to do its job. This seems to be fixed in the most recent version of CentOS 7; you shouldn't need to make the changes below.

If you do have this issue, symptoms are nothing appearing in the logs and nothing appearing as failed or blocked in the output of fail2ban-client status sshd.

To check for SELinux errors, read the journals with:

Watch them for messages such as:

Therefore do as suggested and run:

Then, to be safe, restart fail2ban:

You may even have to repeat the process above until no more error messages appear in the log.

If your server is on the internet then monitor fail2ban-client status sshd. It will soon start to show failed and banned counts if you've caught all the SELinux issues.

Note that you will have to keep an eye on your SELinux policy updates. If a selinux-policy package update appears, it may overwrite the above and you may need to run the above commands again. You'll know if this is the case as fail2ban will stop working again!
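To track what fail2ban is actually doing once a jail is enabled, here is an added example (not part of the answer above or of fail2ban itself) that summarizes Found/Ban/Unban events per jail from the fail2ban log. The log lines are constructed in the fail2ban 0.9 style shown in the question, and the script assumes only the standard "[jail] Ban <ip>" message format written by the filter and actions loggers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of fail2ban 0.9-style log lines (not from the asker's server). The first
# two mirror the startup lines in the question; the rest are what a working sshd jail writes.
SAMPLE_LOG = """\
2014-12-02 16:55:53,548 fail2ban.server.server[6667]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0
2014-12-02 16:55:54,239 fail2ban.server.database[6667]: WARNING New database created. Version '2'
2014-12-02 17:01:10,004 fail2ban.filter[6667]: INFO [sshd] Found 192.0.2.10
2014-12-02 17:01:15,402 fail2ban.filter[6667]: INFO [sshd] Found 192.0.2.10
2014-12-02 17:01:15,410 fail2ban.actions[6667]: NOTICE [sshd] Ban 192.0.2.10
2014-12-02 17:11:16,001 fail2ban.actions[6667]: NOTICE [sshd] Unban 192.0.2.10
2014-12-02 17:20:03,330 fail2ban.actions[6667]: NOTICE [sshd] Ban 198.51.100.7
"""

# Timestamp, logger, pid, level, message; whitespace is flexible because some
# fail2ban versions pad the logger name before the "[pid]".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
                     r"(?P<logger>[\w.]+)\s*\[(?P<pid>\d+)\]:\s+(?P<level>\w+)\s+(?P<msg>.*)$")
# Jail events look like "[jail] Found|Ban|Unban <ip>".
EVENT_RE = re.compile(r"^\[(?P<jail>[^\]]+)\]\s+(?P<verb>Found|Ban|Unban)\s+(?P<ip>\S+)")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in fail2ban format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(text):
    """Per-jail Found/Ban/Unban counts plus the IPs still banned at the end of the log."""
    counts, banned = defaultdict(Counter), defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        ev = EVENT_RE.match(rec["msg"]) if rec else None
        if ev is None:
            continue  # startup/database lines carry no jail event
        jail, verb, ip = ev.group("jail", "verb", "ip")
        counts[jail][verb] += 1
        if verb == "Ban":
            banned[jail].add(ip)
        elif verb == "Unban":
            banned[jail].discard(ip)
    return {j: dict(c) for j, c in counts.items()}, {j: sorted(s) for j, s in banned.items()}

if __name__ == "__main__":
    counts, active = summarize(SAMPLE_LOG)
    if not counts:  # the symptom in the question: daemon active, but no jail events at all
        print("no jail events: check that a jail is enabled and SELinux is not blocking log access")
    for jail, c in counts.items():
        print(jail, c, "currently banned:", active.get(jail, []))
```

Run it against /var/log/fail2ban.log instead of the sample to get a quick per-jail count without leaving tail -f running in the foreground.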