virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

fail2ban not working after installing on CentOS 8 #331

Open HonkXL opened 2 years ago

HonkXL commented 2 years ago

I did some clean installs of Virtualmin on CentOS 8. In all cases, fail2ban was not working well: sometimes there are log entries that show that an IP was banned, but then there comes the message "[888]: WARNING [postfix-sasl] 109.237.103.19 already banned". In the example below the standard settings are running, which means that after 5 logins it should be banned. This is not working.

I did the same on a system with Debian 10. Here everything works as expected. The only difference I noticed: on Debian the "iptables-services" tools are installed, on CentOS 8 not. I did a `yum install iptables-services`; then the settings on Webmin/Network/Linux-Firewall are displayed as on Debian systems. But fail2ban is still not working. The settings look similar to Debian, but on CentOS 8 it did not want to ban anything.

```
2021-11-21 10:15:17,706 fail2ban.filter [888]: INFO [postfix] Found 2.56.59.129 - 2021-11-21 10:15:17
2021-11-21 10:58:50,128 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:58:49
2021-11-21 10:58:53,654 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:58:53
2021-11-21 10:58:55,902 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:58:55
2021-11-21 10:58:58,605 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:58:58
2021-11-21 10:59:01,604 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:01
2021-11-21 10:59:02,358 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:04,604 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:04
2021-11-21 10:59:07,150 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:06
2021-11-21 10:59:10,401 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:10
2021-11-21 10:59:13,650 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:13
2021-11-21 10:59:16,734 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:16
2021-11-21 10:59:16,980 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:18,926 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:18
2021-11-21 10:59:22,104 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:21
2021-11-21 10:59:25,360 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:25
2021-11-21 10:59:28,649 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:28
2021-11-21 10:59:31,899 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:31
2021-11-21 10:59:32,203 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:34,606 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:34
2021-11-21 10:59:37,574 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:37
2021-11-21 10:59:40,608 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:40
2021-11-21 10:59:43,856 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:43
2021-11-21 10:59:47,402 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:47
2021-11-21 10:59:47,424 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:49,592 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:49
2021-11-21 10:59:52,473 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:52
```
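Added example (not part of the original thread and not Virtualmin's or fail2ban's own code): a Python check for the symptom in the log above, where a host keeps producing `Found` entries after fail2ban has logged it as `already banned`, meaning the ban action is not actually blocking traffic. The function name, the `min_hits` threshold and the choice of sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# A subset of the log lines posted in this issue, used as sample input.
SAMPLE_LOG = """\
2021-11-21 10:15:17,706 fail2ban.filter [888]: INFO [postfix] Found 2.56.59.129 - 2021-11-21 10:15:17
2021-11-21 10:58:58,605 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:58:58
2021-11-21 10:59:01,604 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:01
2021-11-21 10:59:02,358 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:04,604 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:04
2021-11-21 10:59:07,150 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:06
2021-11-21 10:59:10,401 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:10
2021-11-21 10:59:16,980 fail2ban.actions [888]: WARNING [postfix-sasl] 109.237.103.19 already banned
2021-11-21 10:59:18,926 fail2ban.filter [888]: INFO [postfix-sasl] Found 109.237.103.19 - 2021-11-21 10:59:18
"""

# \s+ between fields because an unmodified fail2ban.log pads its columns.
FOUND = re.compile(
    r"fail2ban\.filter\s+\[\d+\]:\s+INFO\s+\[([^\]]+)\]\s+Found\s+(\S+)")
ALREADY = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+WARNING\s+\[([^\]]+)\]\s+(\S+)\s+already banned")

def ineffective_bans(log_text, min_hits=3):
    """Return {(jail, ip): counters} for hosts that still reach the service
    after fail2ban considers them banned.

    min_hits (hypothetical threshold) ignores the one or two matches that
    can trail a working ban, e.g. from a connection that was already open.
    """
    stats = defaultdict(lambda: {"already_banned": 0, "found_after": 0})
    for line in log_text.splitlines():
        m = ALREADY.search(line)
        if m:
            stats[m.groups()]["already_banned"] += 1
            continue
        m = FOUND.search(line)
        # Count only matches seen after the first "already banned" warning.
        if m and m.groups() in stats:
            stats[m.groups()]["found_after"] += 1
    return {k: v for k, v in stats.items() if v["found_after"] >= min_hits}

if __name__ == "__main__":
    for (jail, ip), c in ineffective_bans(SAMPLE_LOG).items():
        print(f"{jail}: {ip} still matching after ban: {c}")
```

To check a live system, pass the contents of the fail2ban log file to `ineffective_bans()` instead of `SAMPLE_LOG`.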

swelljoe commented 2 years ago

I believe there's a bug in the CentOS fail2ban config. It should be using firewallcmd-ipset in the banaction in /etc/fail2ban/jail.d/00-firewalld.conf.

You don't need to install iptables-services. Virtualmin uses fail2ban, by default, as its firewall. You don't need to mess with iptables rules directly (and you should not, unless you plan to switch completely to using iptables directly to manage your firewall and disable firewalld).

HonkXL commented 2 years ago

Oh. Interesting to hear that it's a bug in CentOS. I will change the setting and try again. I installed iptables-services only because on Debian I have seen the firewall-settings and on CentOS 8 not. I wanted to have the view in Webmin similar :-)

swelljoe commented 2 years ago

Virtualmin on Debian 10 also defaults to using Firewalld. You can "see" the firewalld firewall with iptables, but you still shouldn't manage it with iptables, unless you want to switch to using it exclusively. There is a Firewalld module for Webmin, as well, though I admit I don't love the way Firewalld thinks about and presents rules...I find it confusing and backward. But, it's the closest thing to a "default" firewall we have that works across all of our supported distros.

swelljoe commented 2 years ago

But, the bug, I guess, from our perspective is that we could configure it so that fail2ban works correctly out of the box. We don't have to keep the broken default...

HonkXL commented 2 years ago

Yes - I agree. It would be a good idea to bring it to a working state. I think that not everybody double-checks if it is really working.