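# fail2ban reads jail.conf, jail.d/*.conf, jail.local, then jail.d/*.local,
# and later files override earlier ones. Renaming the firewalld drop-in to
# .local keeps its banaction from being overridden by the jail.local created
# below. Both commands write under /etc and need root.
mv -- /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local

# Seed jail.local from the packaged defaults only when none exists yet: a plain
# cp would silently replace an existing jail.local and drop any jails or
# ignoreip entries already configured there.
if [ -e /etc/fail2ban/jail.local ]; then
  printf '%s\n' "/etc/fail2ban/jail.local already exists; leaving it unchanged" >&2
else
  cp -- /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fi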
# Stock ban-action settings as copied from jail.conf into jail.local
# (presumably under [DEFAULT] — confirm in your file):
banaction = iptables-multiport
banaction_allports = iptables-allports
将以上两行替换成:
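# Use firewalld rich rules for bans instead of raw iptables rules.
# The page showed an empty "actiontype=", which looks like angle-bracket text
# stripped in extraction; the tags below are the ones the fail2ban-firewalld
# drop-in normally carries — confirm against jail.d/00-firewalld.local.
# jail.d/*.local is read after jail.local, so that drop-in wins where both set
# these keys.
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]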
在 /etc/fail2ban/jail.d/ 下新建 sshd.local,内容为:
# Jail for the SSH daemon; keys set here apply to this jail only.
[sshd]
enabled = true
# "ssh" is the service name for the standard port. If sshd listens on another
# port, list it here; a port-scoped ban action would otherwise not cover it.
port = ssh
# sshd_log and sshd_backend are interpolated from variables defined outside
# this file (presumably the distribution's paths include — verify).
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# Ban a source for 1 day once it reaches 5 failures within a 10-minute window.
bantime = 1d
findtime = 10m
maxretry = 5
# NOTE(review): no ignoreip is set in this jail; make sure trusted admin
# addresses are exempted (here or in [DEFAULT]) to avoid locking yourself out.
# After restarting fail2ban, `fail2ban-client status sshd` shows whether the
# jail is active and which addresses are currently banned.