It appears that there's some strange interaction between fail2ban and
systemd. Thanks for the link but it talks about having a lot of files open.
I'm wondering about why fail2ban would need to open them in the first
place. ...Is the Fedora RPM broken? This is what's strange: I have a simple
VM, running Fedora 20, and by simple I mean that it is running httpd and
sshd only. And it's a sleepy little computer, very little going on with it
(outside of the usual ssh root login attempts by hackers).
netstat shows that there is only a single connection- me, via ssh. The
error happens immediately upon start of fail2ban.
So I do not have a lot of concurrent connections, nor am I running
something that opens a lot of files but never closes them- except fail2ban
itself. lsof shows A TON of files opened by fail2ban in /var/log/journal:
fail2ban- 19511 19633 root 737r REG 252,1 109051904 20638 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000049dceb-00051c23d11febc7.journal
fail2ban- 19511 19633 root 738r REG 252,1 100663296 20639 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000044db14-00051b85f6029c2c.journal
fail2ban- 19511 19633 root 739r REG 252,1 100663296 20611 /var/log/journal/11264912be38456483e63dfd21d402f4/system@c429c1a6e1044dd79b5d5e3089276833-0000000000715351-00051a2daf9bb2b7.journal
If I run fail2ban by itself without using systemd, it seems to start fine:
/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
If I removed files from /etc/fail2ban/filter.d I got some strange regular
expression error. I just tried it again, and moved all files but sshd.conf
and sshd-ddos.conf. It started without any messages to
/var/log/fail2ban.log but this is what happens when I test:
# fail2ban-client -d
WARNING Wrong value for 'loglevel' in 'Definition'. Using default one: ''INFO''
ERROR Failed during configuration: Bad value substitution:
section: [Definition]
option : failregex
key : __prefix_line
rawval : (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
...It seems to work fine when all the files are left in place under
filter.d.
On Mon, Aug 24, 2015 at 1:49 PM, Harrison Johnson <[email protected]>
wrote:
> You can remove files that are not being used in the filter.d and action.d
> directories. I have done this to reduce the "noise" when I ls from a
> terminal. The error is really the OS telling you that too many files are
> already open and it can't open another one. There are more reasons for this
> than you can shake a stick at, to use a favorite phrase of my
> great-grandmother. The first question I would have is: are you running a
> server that has a lot of concurrent connections? The second question is: are
> you running a server or application that opens a lot of files but never
> closes them? The third question is: are you using iptables as your firewall?
> Here is a quick thread on the open file limit subject:
> http://stackoverflow.com/questions/18280612/ioerror-errno-24-too-many-open-files
>
>
> On Mon, 2015-08-24 at 13:16 -0500, Michael Schwager wrote:
>
> Yes.
>
>
>
> systemd-208-26.fc20.x86_64
>
> systemd-libs-208-26.fc20.x86_64
>
> systemd-python-208-26.fc20.x86_64
>
>
>
>
> On Mon, Aug 24, 2015 at 11:36 AM, Harrison Johnson <[email protected]>
> wrote:
>
> Did you install the systemd package?
>
>
>
> On Mon, 2015-08-24 at 08:57 -0500, Michael Schwager wrote:
>
> Hello,
> I have fail2ban 0.9 on Fedora 20. I notice in my log files that when I
> start fail2ban I get the following error messages. I think maybe it's
> because the /etc/fail2ban/filters.d directory has too much stuff in it...?
> But if I try to move things out of there I get some errors about the
> regex's. Or do I need to set ulimit? Any advice would be appreciated. I'll
> include my fail2ban.conf file after the following errors.
>
>
> I notice there's a whole lot of stuff in jail.conf that I don't need, but
> it says specifically to not edit it so I have not.
>
>
> Here are the errors:
>
>
> 2015-08-24 08:42:49,660 fail2ban.server.jail[19511]: INFO Initiated 'systemd' backend
> 2015-08-24 08:42:49,663 fail2ban.server.filter[19511]: INFO Set maxRetry = 3
> 2015-08-24 08:42:49,665 fail2ban.server.actions[19511]: INFO Set banTime = 600
> 2015-08-24 08:42:49,667 fail2ban.server.filter[19511]: INFO Set findtime = 600
> 2015-08-24 08:42:49,670 fail2ban.server.filter[19511]: INFO Date pattern set to `'^L %d/%m/%Y - %H:%M:%S'`: `^L Day/Month/Year - 24hour:Minute:Second`
> 2015-08-24 08:42:49,690 fail2ban.server.jail[19511]: INFO Jail 'sshd' started
> 2015-08-24 08:42:49,690 fail2ban.server.action[19511]: ERROR iptables -N f2b-sshd
> iptables -A f2b-sshd -j RETURN
> iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- failed with [Errno 24] Too many open files
> 2015-08-24 08:42:49,690 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd' action 'iptables-multiport': local variable 'retcode' referenced before assignment
> 2015-08-24 08:42:49,696 fail2ban.server.jail[19511]: INFO Jail 'sshd-ddos' started
> 2015-08-24 08:42:49,698 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd-ddos' action 'iptables-multiport': [Errno 24] Too many open files: '/tmp/fai2ban_Kfztgy.stderr'
>
>
>
>
> # grep -v "^#" /etc/fail2ban/fail2ban.conf
>
>
> [Definition]
> loglevel = INFO
>
> logtarget = /var/log/fail2ban.log
>
> socket = /var/run/fail2ban/fail2ban.sock
>
> pidfile = /var/run/fail2ban/fail2ban.pid
>
> dbfile = /var/lib/fail2ban/fail2ban.sqlite3
>
> dbpurgeage = 86400
>
>
>
> (notice that my IP address has been munged to protect me...)
>
>
> # grep -v '^#' /etc/fail2ban/jail.local
> [INCLUDES]
>
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8 X.Y.Z.A
> bantime = 600
>
> findtime = 600
>
> maxretry = 3
>
> backend = systemd
>
> usedns = no
> enabled = true
> filter = %(__name__)s
> destemail = root@localhost
>
> sender = root@localhost
>
>
>
> [sshd]
>
> port = ssh
>
> logpath = %(sshd_log)s
> enabled = true
>
>
> [sshd-ddos]
> port = ssh
> logpath = %(sshd_log)s
>
>
> [dropbear]
> port = ssh
>
> logpath = %(dropbear_log)s
>
>
> [selinux-ssh]
>
> port = ssh
>
> logpath = %(auditd_log)s
> maxretry = 5
>
>
> --
> -Mike Schwager
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> --
>
> -Mike Schwager
>
>
>
--
-Mike Schwager
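
The lsof observation in the message above can be checked directly against the process's descriptor limit. The following is an added example, not part of the original thread or of fail2ban: it reads /proc/<pid>/fd and /proc/<pid>/limits on Linux and reports how many descriptors are journal files. The function names and the 0.8 warning ratio are assumptions made for illustration.

```python
import os
import sys
from collections import Counter

def soft_nofile_limit(pid, proc="/proc"):
    """Soft 'Max open files' limit of a process (None if unlimited)."""
    with open(os.path.join(proc, str(pid), "limits")) as fh:
        for line in fh:
            if line.startswith("Max open files"):
                # Row layout: name, soft limit, hard limit, units
                soft = line[len("Max open files"):].split()[0]
                return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' row in limits file")

def fd_targets(pid, proc="/proc"):
    """What every descriptor in /proc/<pid>/fd points at."""
    fd_dir = os.path.join(proc, str(pid), "fd")
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
    return targets

def fd_report(pid, proc="/proc", warn_ratio=0.8):
    """Summarise descriptor usage against the soft limit."""
    targets = fd_targets(pid, proc)
    limit = soft_nofile_limit(pid, proc)
    # Group files by directory; sockets, pipes etc. by their kind.
    groups = Counter(
        os.path.dirname(t) if t.startswith("/") else t.split(":")[0]
        for t in targets
    )
    return {
        "open": len(targets),
        "limit": limit,
        "near_limit": limit is not None and len(targets) >= warn_ratio * limit,
        "journal": sum(t.endswith(".journal") for t in targets),
        "top": groups.most_common(3),
    }

if __name__ == "__main__":
    # Pass the fail2ban-server PID; defaults to this process for a dry run.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(fd_report(pid))
```

Reading another user's /proc/<pid>/fd requires root. Comparing the report for the systemd-started server with the manually started one shows whether the two run under different limits.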