[Fail2ban-users] How to implement ban using ipset

[Phillip C. <dom...@en...>]

I have been using csf/lfd as my firewall for several years on several 
versions of CentOS, currently CentOS7. I am using several ipset-managed 
blocklists supported directly by csf. Some of these are fairly huge 
(such as whole country blocks), and it changes them in fractions of a 
second. Very happy with everything it does.

However, csf syntax for custom regex applied to logs is relatively 
clumsy and error-prone so I have installed fail2ban in hopes of using 
that for custom log-based bans.

For my initial testing I have set up one jail and a corresponding 
filters. (I found that all very simple.)

My intent:
On filter matches, immediately ban the host IP for one full day. Use 
ipset to implement the bans.

The test case basically watches my exim reject.log (using inotify) and 
unerringly finds the naughty hosts I want to ban.

My setup:
jail.local has:

> [exim-reject]
> mode      = normal
> port      = smtp,ssmtp
> logpath   = /var/log/exim/reject.log
> filter    = exim-reject
> maxmatches = 1
> maxretry   = 1
> backend   = auto
> bantime   = 1d
> banaction = iptables-ipset-proto6
> enabled   = true

And exim-reject.conf contains:

> [INCLUDES]
> before = exim-common.conf
> [Definition]
> failregex = <HOST> is listed at zen.spamhaus.org
>             \[<HOST>\]:25 dropped: too many syntax or protocol errors

The contents of fail2ban.log indicates everything is working. It says it 
found the lines I expected it to find, and has issued bans (and unbans a 
day later).

However, when I list the ipset sets on the console, the only sets listed 
are those managed by csf. Clearly I have implemented something 
incorrectly. I am hoping somebody on the list can set me straight. Is it 
possibly a permissions problem?