I am running a WordPress site on a CentOS 7 server. I have fail2ban installed and working, and have verified that it is adding IPs to iptables. I just added Cloudflare to the site, and now I'm trying to get fail2ban working with the Cloudflare v4 API. I followed this guide to set up the fail2ban jails and configs. Everything seems to be working, but fail2ban is unable to send the banned IP to Cloudflare. But I can run the same curl command myself and Cloudflare will ban the IP. My Google-fu is failing me, as everything I've found is for failures to un-ban IPs.

Here's what's going on:

This is the command I'm running. If I run this from the command line, the IP will show up in the Cloudflare site as banned.

curl -s -o /dev/null -X POST -H 'X-Auth-Email: me@email.com' -H 'X-Auth-Key: xxxx' \
        -H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "1.2.3.4" } }' \
        https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules

When fail2ban tries the same command, this is the result (debug logs turned on):

2020-02-29 01:42:01,129 fail2ban.actions        [25495]: NOTICE  [wordpress-hard] Ban 1.2.3.4
2020-02-29 01:42:01,129 fail2ban.action         [25495]: DEBUG   curl -s -o /dev/null -X POST -H 'X-Auth-Email: me@email.com' -H 'X-Auth-Key: XXXX' \
-H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "1.2.3.4" } }' \
https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
2020-02-29 01:42:01,153 fail2ban.utils          [25495]: ERROR   7f35e1c815b0 -- exec: curl -s -o /dev/null -X POST -H 'X-Auth-Email: me@email.com' -H 'X-Auth-Key: XXXX' \
-H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "1.2.3.4" } }' \
https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
2020-02-29 01:42:01,153 fail2ban.utils          [25495]: ERROR   7f35e1c815b0 -- returned 7
2020-02-29 01:42:01,153 fail2ban.actions        [25495]: ERROR   Failed to execute ban jail 'wordpress-hard' action 'cloudflare' info 'ActionInfo({'ip': '1.2.3.4', 'fid': <function <lambda> at 0x7f35e23f9a28>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f35e23f9ed8>})': Error banning 1.2.3.4
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/fail2ban/server/actions.py", line 458, in __checkBan
    action.ban(aInfo)
  File "/usr/lib/python2.7/site-packages/fail2ban/server/action.py", line 540, in ban
    raise RuntimeError("Error banning %(ip)s" % aInfo)
RuntimeError: Error banning 1.2.3.4

What am I missing? I found one page talking about the "7f35e1c815b0 -- returned 7" error as part of Cloudflare rate limiting, but I'm nowhere near that limit.

FredNet

1 Answer

It turns out that SELinux was blocking fail2ban from using curl. I tracked it down and fixed it by adding a new policy package following this guide: Fiddling With SELinux Policies. Now fail2ban is properly updating Cloudflare.

Note for anyone who finds this on Google in the future: I had to name the new policy fail2ban-mod in order for it to install. Naming it fail2ban wouldn’t work, although some internet guides said it should.

FredNet
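
One way to confirm this kind of diagnosis from the logs, as an added example that is not part of the original question or answer: it pairs each failed fail2ban action (`returned N`) with SELinux AVC denials logged for the fail2ban domain within a few seconds. The AVC records are constructed sample data in the standard audit.log format; the `fail2ban_t` domain name, UTC log timestamps, and all function names are assumptions of this example.

```python
import re
from calendar import timegm
from time import strptime

# Constructed sample input (not from the original post): the fail2ban error
# line shape shown in the question, plus AVC records in audit.log format.
F2B_LOG = [
    "2020-02-29 01:42:01,129 fail2ban.actions [25495]: NOTICE  [wordpress-hard] Ban 1.2.3.4",
    "2020-02-29 01:42:01,153 fail2ban.utils   [25495]: ERROR   7f35e1c815b0 -- returned 7",
]
AUDIT_LOG = [
    'type=AVC msg=audit(1582940521.140:412): avc:  denied  { name_connect } for  pid=25510 '
    'comm="curl" dest=443 scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1582940400.010:398): avc:  denied  { read } for  pid=901 '
    'comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

F2B_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.utils\s.*-- returned (\d+)$")
AVC_RE = re.compile(
    r'audit\((\d+)\.\d+:\d+\): avc:\s+denied\s+\{ ([^}]+?) \}.*?comm="([^"]+)"'
    r'.*?scontext=[^:]+:[^:]+:([^:\s]+)\S* tcontext=[^:]+:[^:]+:([^:\s]+)\S* tclass=(\w+)')

def failed_actions(lines):
    """Return (epoch, exit_code) per failed action command; log time assumed UTC."""
    out = []
    for line in lines:
        m = F2B_RE.match(line)
        if m:
            ts = timegm(strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
            out.append((ts, int(m.group(2))))
    return out

def fail2ban_denials(lines, domain="fail2ban_t"):
    """Return AVC denials whose source context type is the fail2ban domain."""
    out = []
    for line in lines:
        m = AVC_RE.search(line)
        if m and m.group(4) == domain:
            out.append({"time": int(m.group(1)), "perms": m.group(2).split(),
                        "comm": m.group(3), "target": m.group(5), "tclass": m.group(6)})
    return out

def correlate(f2b_lines, audit_lines, window=5):
    """Pair each failed action with fail2ban-domain denials within `window` seconds."""
    denials = fail2ban_denials(audit_lines)
    return [(code, d) for ts, code in failed_actions(f2b_lines)
            for d in denials if abs(d["time"] - ts) <= window]
```

A match of curl exit code 7 (failed to connect to host) against a `name_connect` denial on `tcp_socket` points at SELinux policy rather than at the API request itself.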