I'm running CentOS 7, all fully updated, and am trying to get Fail2Ban to work, but I'm running into problems.
Specifically, I'm trying to block brute force SSH attacks. I'm pretty sure I've set up everything right – enabled the sshd jail in .local, using firewallcmd-ipset as the ban action, definitely using Firewalld, not using SELinux.
But when I start Fail2Ban, here's what's in /var/log/fail2ban.log:
2017-06-21 06:11:44,186 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-06-21 06:11:44,186 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-06-21 06:11:44,188 fail2ban.jail : INFO Creating new jail 'sshd'
2017-06-21 06:11:44,206 fail2ban.jail : INFO Jail 'sshd' uses systemd {}
2017-06-21 06:11:44,230 fail2ban.jail : INFO Initiated 'systemd' backend
2017-06-21 06:11:44,232 fail2ban.filter : INFO Set maxRetry = 3
2017-06-21 06:11:44,232 fail2ban.filter : INFO Set jail log file encoding to UTF-8
2017-06-21 06:11:44,233 fail2ban.actions : INFO Set banTime = 86400
2017-06-21 06:11:44,233 fail2ban.filter : INFO Set findtime = 3600
2017-06-21 06:11:44,234 fail2ban.filter : INFO Set maxlines = 10
2017-06-21 06:11:44,320 fail2ban.filtersystemd : INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2017-06-21 06:11:44,335 fail2ban.jail : INFO Jail 'sshd' started
2017-06-21 06:11:44,864 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-06-21 06:11:44,865 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m\n'
2017-06-21 06:11:44,865 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2017-06-21 06:11:44,865 fail2ban.actions : ERROR Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
As you'll note, everything runs smoothly until firewall-cmd is tried. The commands it's trying to run are:
ipset create fail2ban-sshd hash:ip timeout 86400
followed by
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
If I try to run those myself, the ipset command works fine, but the firewall-cmd one returns with Error: COMMAND_FAILED. So, I'm guessing it's a problem with the command that Fail2Ban is trying to send to firewall-cmd – but I don't know enough about Firewalld to fix it.
(Oh, SSH is on port 44 because I've found that it massively reduces drive-by attacks, so let's not get into the pros and cons of that!
Also, status fail2ban shows everything to be running smoothly, no problems reported there. I only noticed this when I logged in and saw that there'd been a bunch of failed login attempts, which is rare what with the port change and all.
Finally, -r returns .10.0-229.14.1.el7.centos.plus.x86_64, so I'm fairly sure it's not the OpenVZ problem which I've seen as a cause of this elsewhere.)
Asked by JoLoCo
(141 rep)
Jun 21, 2017, 04:54 AM
Last activity: May 28, 2024, 10:03 AM
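The one concrete clue in the question is the rule firewall-cmd rejects: it combines -p all with -m multiport. The iptables multiport match only accepts a rule that names one of the protocols tcp, udp, udplite, sctp or dccp, so a "-p all" rule is refused by the kernel and firewall-cmd --direct reports nothing more specific than COMMAND_FAILED. The script below is an added example, not code from the original post or from the Fail2Ban project: it takes the rule text copied from the log above, checks it offline for exactly that incompatibility (no root or firewalld needed), and shows the rewritten rule that the multiport match would accept. The function names protocol_of, check_direct_rule and suggest_fix are invented for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Fail2Ban): offline sanity
# check for the firewall-cmd --direct rule built by the firewallcmd-ipset action.
# iptables' multiport match only works with -p tcp, udp, udplite, sctp or dccp;
# with "-p all" the kernel rejects the rule and firewalld only says COMMAND_FAILED.
# BAD_RULE is the rule exactly as it appears in the failing call in the log;
# the function names are illustrative.

BAD_RULE="ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable"

# Print the argument following -p, or an empty line if the rule has no -p.
protocol_of() {
    prev=""
    for arg in $1; do
        if [ "$prev" = "-p" ]; then
            printf '%s\n' "$arg"
            return 0
        fi
        prev="$arg"
    done
    printf '\n'
}

# Return 0 if the rule is acceptable to the multiport match, 1 if it is not.
check_direct_rule() {
    rule="$1"
    case " $rule " in
        *" -m multiport "*) ;;
        *) echo "ok: no multiport match, protocol does not matter"; return 0 ;;
    esac
    proto=$(protocol_of "$rule")
    case "$proto" in
        tcp|udp|udplite|sctp|dccp)
            echo "ok: -m multiport with -p $proto"
            return 0 ;;
        *)
            echo "bad: -m multiport needs -p tcp/udp/udplite/sctp/dccp, got -p ${proto:-<none>}"
            return 1 ;;
    esac
}

# Rewrite "-p all" to "-p tcp" (sshd only listens on TCP); this is the same
# effect as setting protocol = tcp for the jail or the action.
suggest_fix() {
    printf '%s\n' "$1" | sed 's/ -p all / -p tcp /'
}

# Stand-alone run: verdict for the logged rule, then for the corrected one.
check_direct_rule "$BAD_RULE" || true
FIXED_RULE=$(suggest_fix "$BAD_RULE")
check_direct_rule "$FIXED_RULE"
```

When firewall-cmd --direct only answers COMMAND_FAILED, the underlying iptables message (including its complaint about multiport) is logged by firewalld itself, so journalctl -u firewalld is the place to confirm the diagnosis on the affected host before changing the jail's protocol setting.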