fail2ban
Rules are not being applied to firewalld by fail2ban because the zone is missing.
2026-05-27 07:31:34 WARNING: NOT_ENABLED: 'rule family="ipv4" source address="2.57.121.25" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"' not in 'public'
action.d/firewallcmd-rich-rules.conf
# zone example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <rich-blocktype>"
#
Hmm, can’t split the colours in a code block in WordPress?!
actionban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
to
actionban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --zone=public --add-rich-rule="%(fwcmd_rich_rule)s"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ":, " "- "); do firewall-cmd --zone=public --remove-rich-rule="%(fwcmd_rich_rule)s"; done
Default rules too tight on time.
Seeing a slow burn from the attack bots. Not a consistent hard attack but a consistent slow burn of connect, try a username/password, give up, come back later and try again. Fail2ban default check time is limited to 2hr and ban time up to 2hr. When you are being hit with thousands of bots, each can take its time, trying slowly and sneaking under the radar.
maxretry=2
findtime=36h
bantime=48h
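
The slow-burn case above as a small simulation (an added example, not code from this post or from fail2ban): it counts failed sshd logins per IP in a sliding findtime window and compares the 2hr window with the 36h one. The log lines, the regex and the function names are constructed for illustration, and the ban rule assumed is "maxretry failures inside findtime".

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the post); IPs are documentation ranges.
SAMPLE_LOG = """\
2026-05-26T01:10:00 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
2026-05-26T01:10:20 sshd[812]: Failed password for root from 203.0.113.9 port 51514 ssh2
2026-05-26T01:10:40 sshd[813]: Failed password for root from 203.0.113.9 port 51530 ssh2
2026-05-26T09:45:00 sshd[902]: Failed password for invalid user test from 198.51.100.7 port 40990 ssh2
2026-05-26T23:30:00 sshd[977]: Failed password for invalid user oracle from 198.51.100.7 port 41877 ssh2
2026-05-27T07:00:00 sshd[990]: Failed password for invalid user git from 192.0.2.44 port 60001 ssh2
"""

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def parse_duration(text):
    """Turn '36h', '10m' or '2d' into a timedelta (a subset of fail2ban's time syntax)."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[text[-1]]: int(text[:-1])})

def banned_ips(log, maxretry, findtime):
    """Return the IPs that reach maxretry failures inside any findtime window."""
    window = parse_duration(findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = set()
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    # The fast repeat offender is caught either way; the slow one only with 36h.
    print("findtime=2h :", sorted(banned_ips(SAMPLE_LOG, 2, "2h")))
    print("findtime=36h:", sorted(banned_ips(SAMPLE_LOG, 2, "36h")))
```

The bot at 198.51.100.7 spaces its attempts more than eight hours apart, so it never has two failures inside a 2hr window and is only caught once findtime is widened.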