Hi.

It's been a long time since I configured fail2ban. Given my new CentOS 7 server, I decided I would learn the new systemd way. On my last attempt I reinstalled the following:

Installed Packages
fail2ban-all.noarch
    0.9.1-4.el7                                                       @epel
fail2ban-firewalld.noarch
    0.9.1-4.el7                                                       @epel
fail2ban-hostsdeny.noarch
    0.9.1-4.el7                                                       @epel
fail2ban-mail.noarch
     0.9.1-4.el7                                                       @epel
fail2ban-sendmail.noarch
     0.9.1-4.el7                                                       @epel
fail2ban-server.noarch
     0.9.1-4.el7                                                       @epel
fail2ban-shorewall.noarch
    0.9.1-4.el7                                                       @epel
Available Packages
fail2ban.noarch
    0.9.1-4.el7                                                       epel
fail2ban-systemd.noarch
    0.9.1-4.el7                                                       epel

I have configured jail.local as follows (comments and blank lines filtered out):

[root@host1 fail2ban]# cat jail.local | egrep -v "(^#.*|^$)"
[INCLUDES]
before = /etc/fail2ban/paths-centos7.conf
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 600
findtime  = 600
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
enabled = true
filter = %(__name__)s
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
banaction = firewallcmd-ipset
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s",
protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s",
logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s",
logpath=%(logpath)s, port="%(port)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s,
apikey="%(blocklist_de_apikey)s"]
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
action = %(action_)s
[sshd]
port    = ssh
logpath = %(sshd_log)s
[sshd-ddos]
port    = ssh
logpath = %(sshd_log)s
[dropbear]
port     = ssh
logpath  = %(dropbear_log)s
[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s
maxretry = 5
[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
[apache-badbots]
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 172800
maxretry = 1
[apache-noscript]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 6
[apache-overflows]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-modsecurity]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port    = http,https
logpath = /var/log/httpd/*error_log
maxretry = 1
[php-url-fopen]
port    = http,https
logpath = %(apache_access_log)s
[webmin-auth]
port    = 10000
logpath = %(syslog_authpriv)s
[proftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
[recidive]
logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5
[pam-generic]
banaction = iptables-allports
logpath  = %(syslog_authpriv)s

/etc/fail2ban/paths-centos7.conf follows (comments and blank lines filtered out):

[root@host1 fail2ban]# cat /etc/fail2ban/paths-centos7.conf | egrep -v "(^#.*|^$)"
[INCLUDES]
[DEFAULT]
sshd_log = %(syslog_authpriv)s
dropbear_log = %(syslog_authpriv)s
syslog_daemon =
syslog_ftp =
syslog_local0 =
syslog_mail_warn =
syslog_user =
auditd_log = /var/log/audit/audit.log
exim_main_log = /var/log/exim/mainlog
nginx_error_log = /var/log/nginx/error.log
nginx_access_log = /var/log/nginx/access.log
lighttpd_error_log = /var/log/lighttpd/error.log
suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
proftpd_log = %(syslog_ftp)s
pureftpd_log = %(syslog_ftp)s
wuftpd_log = %(syslog_ftp)s
vsftpd_log = /var/log/vsftpd.log
postfix_log = %(syslog_mail_warn)s
dovecot_log = %(syslog_mail_warn)s
solidpop3d_log = %(syslog_local0)s
mysql_log = %(syslog_daemon)s
syslog_mail = /var/log/maillog
syslog_mail_warn = /var/log/maillog
syslog_authpriv = /var/log/secure
syslog_user =  /var/log/messages
syslog_ftp  = /var/log/messages
syslog_daemon  = /var/log/messages
syslog_local0  = /var/log/messages
apache_error_log = /var/log/httpd/*error_log
apache_access_log = /var/log/httpd/*access_log
exim_main_log = /var/log/exim/main.log
mysql_log = /var/lib/mysql/mysqld.log

The remaining configuration files are as shipped.

I get the following errors when I use banaction = firewallcmd-ipset:

2015-06-10 11:24:07,944 fail2ban.action         [26480]: ERROR   ipset
create fail2ban-recidive hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport
--dports all -m set --match-set fail2ban-recidive src -j REJECT
--reject-with icmp-port-unreachable -- stdout: "\x1b[91mError:
COMMAND_FAILED: '/sbin/iptables -t filter -I INPUT_direct 16 -p all -m
multiport --dports all -m set --match-set fail2ban-recidive src -j REJECT
--reject-with icmp-port-unreachable' failed: iptables v1.4.21: multiport
needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'\nTry
`iptables -h' or 'iptables --help' for more information.\x1b[00m\nFailed to
apply rules. A firewall reload might solve the issue if the firewall has
been modified using ip*tables or ebtables.\n"
2015-06-10 11:24:07,945 fail2ban.action         [26480]: ERROR   ipset
create fail2ban-recidive hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport
--dports all -m set --match-set fail2ban-recidive src -j REJECT
--reject-with icmp-port-unreachable -- stderr: ''
2015-06-10 11:24:07,951 fail2ban.action         [26480]: ERROR   ipset
create fail2ban-recidive hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport
--dports all -m set --match-set fail2ban-recidive src -j REJECT
--reject-with icmp-port-unreachable -- returned 13
2015-06-10 11:24:07,952 fail2ban.actions        [26480]: ERROR   Failed to
start jail 'recidive' action 'firewallcmd-ipset': Error starting action

When I use banaction = firewallcmd-new, most of the jails produce similar errors.

The failing rule is built with `-p all -m multiport --dports all`, which appears to come from the `port = all` / `protocol = all` settings of the [recidive] jail, and iptables reports that multiport requires a specific protocol. Can someone advise where the issue may be?