Hello,
I see that this bug report has gone a bit cold. It came first in responses
to a Web search for information about a problem that I have recently
noticed. The most recent visible update asks 'I wonder though if "service
fail2ban stop" exits prematurely'. I think it might.
#
##
### Note that this is from Gentoo, rather than Debian
##
#
On a Pentium at 200MHz, it seems that it can indeed terminate prematurely.
Trying to restart Fail2Ban can result in an error, but it is not
guaranteed. Here is output from a failure:-
---%<---
[Gentoo] graham@kevin $ sudo /etc/init.d/fail2ban restart
* Caching service dependencies ... [ ok ]
* Stopping fail2ban ...
* start-stop-daemon: 1 process refused to stop
* Failed to stop fail2ban [ !! ]
* ERROR: fail2ban failed to stop
Tue Aug 08 14:06:04 /usr/src/linux-4.9.34-gentoo
[Gentoo] graham@kevin $ sudo /etc/init.d/fail2ban stop
* Stopping fail2ban ... [ ok ]
Tue Aug 08 14:06:15 /usr/src/linux-4.9.34-gentoo
[Gentoo] graham@kevin $ ps aux | grep -e "f2b" -e "fail2ban"
graham 17610 0.0 1.0 4616 1880 pts/0 S+ 14:06 0:00 grep --colour=auto -e f2b -e fail2ban
Tue Aug 08 14:06:21 /usr/src/linux-4.9.34-gentoo
[Gentoo] graham@kevin $ sudo /etc/init.d/fail2ban start
* Starting fail2ban ...
2017-08-08 14:06:57,813 fail2ban.server [17655]: INFO Starting Fail2ban v0.9.6
2017-08-08 14:06:57,823 fail2ban.server [17655]: INFO Starting in daemon mode
[ ok ]
Tue Aug 08 14:07:39 /usr/src/linux-4.9.34-gentoo
[Gentoo] graham@kevin $ ps aux | grep -e "f2b" -e "fail2ban"
root 17697 35.5 5.2 65868 9632 ? Sl 14:06 0:16 /usr/bin/python3.4 /usr/bin/fail2ban-server -s /run/fail2ban/fail2ban.sock -p /run/fail2ban/fail2ban.pid -b
graham 17764 0.0 1.0 4616 1880 pts/0 S+ 14:07 0:00 grep --colour=auto -e f2b -e fail2ban
Tue Aug 08 14:07:46 /usr/src/linux-4.9.34-gentoo
--->%---
Later, on trying to repeat the exercise, there was no problem detected:-
---%<---
[Gentoo] graham@kevin $ sudo -v && time sudo /etc/init.d/fail2ban restart
* Stopping fail2ban ... [ ok ]
* Starting fail2ban ...
2017-08-08 15:41:48,570 fail2ban.server [25644]: INFO Starting Fail2ban v0.9.6
2017-08-08 15:41:48,583 fail2ban.server [25644]: INFO Starting in daemon mode
[ ok ]
real 1m15.999s
user 0m41.864s
sys 0m3.598s load 59.81%
Tue Aug 08 15:42:32 /usr/src/linux-4.9.34-gentoo
--->%---
There is another observation: there are occasions when fail2ban cannot ban
or unban an address because iptables does not contain any chains beginning
"f2b" - the rules disappear. Here's a log fragment that tells part of the
story:-
---%<---
2017-08-06 11:28:43,466 fail2ban.action [31847]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh-iptables[ \t]' -- returned 1
2017-08-06 11:28:43,472 fail2ban.CommandAction [31847]: ERROR Invariant check failed. Trying to restore a sane environment
2017-08-06 11:28:43,798 fail2ban.action [31847]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-ssh-iptables
iptables -w -F f2b-ssh-iptables
iptables -w -X f2b-ssh-iptables -- stdout: b''
2017-08-06 11:28:43,806 fail2ban.action [31847]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-ssh-iptables
iptables -w -F f2b-ssh-iptables
iptables -w -X f2b-ssh-iptables -- stderr: b"iptables v1.4.21: Couldn't load target `f2b-ssh-iptables':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2017-08-06 11:28:43,813 fail2ban.action [31847]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 0:65535 -j f2b-ssh-iptables
iptables -w -F f2b-ssh-iptables
iptables -w -X f2b-ssh-iptables -- returned 1
2017-08-06 11:28:43,820 fail2ban.actions [31847]: ERROR Failed to execute unban jail 'ssh-iptables' action 'iptables-multiport' info '{'time': 1502014122.2688327, 'matches': 'Aug 6 11:08:28 kevin sshd[18419]: Invalid user 0 from 91.197.232.11 port 52798Aug 6 11:08:30 kevin sshd[18424]: Invalid user 0000 from 91.197.232.11 port 43927Aug 6 11:08:33 kevin sshd[18426]: Invalid user 010101 from 91.197.232.11 port 40298Aug 6 11:08:36 kevin sshd[18428]: Invalid user 1111 from 91.197.232.11 port 36500Aug 6 11:08:40 kevin sshd[18447]: Connection closed by 91.197.232.11 port 60791 [preauth]', 'ip': '91.197.232.11', 'failures': 5}': Error stopping action
--->%---
I hope this helps,
--
Graham Bosworth
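
Added example, not part of the original message and not Fail2Ban code: a small log scanner that finds the "Invariant check failed" events shown in the fragment above and reports which f2b chain had vanished and which ban/unban actions then failed. The function name and record layout are hypothetical, and the sample log is constructed from the quoted entries.

```python
import re

# Constructed sample: single-line versions of entries quoted in the message
# above (info dict elided), including a cleanup failure the scanner skips.
SAMPLE_LOG = r"""
2017-08-06 11:28:43,466 fail2ban.action [31847]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-ssh-iptables[ \t]' -- returned 1
2017-08-06 11:28:43,472 fail2ban.CommandAction [31847]: ERROR Invariant check failed. Trying to restore a sane environment
2017-08-06 11:28:43,813 fail2ban.action [31847]: ERROR iptables -w -X f2b-ssh-iptables -- returned 1
2017-08-06 11:28:43,820 fail2ban.actions [31847]: ERROR Failed to execute unban jail 'ssh-iptables' action 'iptables-multiport' info '{...}': Error stopping action
"""

LINE = re.compile(r"^(\S+ \S+) (fail2ban\.\S+)\s+\[(\d+)\]: (\w+)\s+(.*)$")
CHECK = re.compile(r"grep -q '(f2b-[^\['\s]+)\[.*-- returned (\d+)$")
FAILED = re.compile(r"Failed to execute (ban|unban) jail '([^']+)' action '([^']+)'")

def find_missing_chain_events(log_text):
    """Return one record per 'Invariant check failed' event, tracked per server pid."""
    last_check = {}  # pid -> chain whose presence check last returned non-zero
    current = {}     # pid -> most recent event, so later failures attach to it
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or continuation of a multi-line command
        stamp, _component, pid, level, msg = m.groups()
        if level != "ERROR":
            continue
        check = CHECK.search(msg)
        failed = FAILED.search(msg)
        if check and check.group(2) != "0":
            last_check[pid] = check.group(1)
        elif msg.startswith("Invariant check failed"):
            current[pid] = {"time": stamp, "pid": int(pid),
                            "chain": last_check.pop(pid, None), "failed": []}
            events.append(current[pid])
        elif failed and pid in current:
            current[pid]["failed"].append(failed.groups())
    return events

if __name__ == "__main__":
    for ev in find_missing_chain_events(SAMPLE_LOG):
        print(ev)
```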