The info warning is, I hate to say, normal on Fedora 20, but I always had it; lsof shows 112 entries on my machine right now. When you run iptables -L as root, what do your rules look like? And I will look in my archives and see if I still have copies of my fail2ban setup for Fedora 20, which I will send you if you want to take a look at them.

On Mon, 2015-08-24 at 14:34 -0500, Michael Schwager wrote:
> It appears that there's some strange interaction between fail2ban and
> systemd. Thanks for the link but it talks about having a lot of files
> open. I'm wondering about why fail2ban would need to open them in the
> first place. ...Is the Fedora RPM broken? This is what's strange: I
> have a simple VM, running Fedora 20, and by simple I mean that it is
> running httpd and sshd only. And it's a sleepy little computer, very
> little going on with it (outside of the usual ssh root login attempts
> by hackers).
> netstat shows that there is only a single connection- me, via ssh. The
> error happens immediately upon start of fail2ban.
>
> So I do not have a lot of concurrent connections, nor am I running
> something that opens a lot of files but never closes them- except
> fail2ban itself. lsof shows A TON of files opened by fail2ban
> in /var/log/journal:
>
> fail2ban- 19511 19633 root 737r REG 252,1 109051904 20638 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000049dceb-00051c23d11febc7.journal
> fail2ban- 19511 19633 root 738r REG 252,1 100663296 20639 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000044db14-00051b85f6029c2c.journal
> fail2ban- 19511 19633 root 739r REG 252,1 100663296 20611 /var/log/journal/11264912be38456483e63dfd21d402f4/system@c429c1a6e1044dd79b5d5e3089276833-0000000000715351-00051a2daf9bb2b7.journal
>
> If I run fail2ban by itself without using systemd, it seems to start
> fine:
>
> /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
>
> If I removed files from /etc/fail2ban/filter.d I got some strange
> regular expression error. I just tried it again, and moved all files
> but sshd.conf and sshd-ddos.conf. It started without any messages
> to /var/log/fail2ban.log but this is what happens when I test:
>
> # fail2ban-client -d
> WARNING Wrong value for 'loglevel' in 'Definition'. Using default one: ''INFO''
>
> ERROR Failed during configuration: Bad value substitution:
> section: [Definition]
> option : failregex
> key : __prefix_line
> rawval : (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>
> ...It seems to work fine when all the files are left in place under
> filter.d.
>
> On Mon, Aug 24, 2015 at 1:49 PM, Harrison Johnson <[email protected]> wrote:
> > You can remove files that are not being used in the filter.d
> > and action.d directories; I have done this to reduce the
> > "noise" when I ls from a terminal. The error is really the OS
> > telling you that too many files are already open and it can't
> > open another one. There are more reasons for this than you can
> > shake a stick at, to use a favorite phrase of my great
> > grandmother. The first question I would have: are you running a
> > server that has a lot of concurrent connections? The second
> > question is: are you running a server or application that opens
> > a lot of files but never closes them? The third question is:
> > are you using iptables as your firewall?
> > Here is a quick thread on the open file limit subject:
> >
> > http://stackoverflow.com/questions/18280612/ioerror-errno-24-too-many-open-files
> >
> > On Mon, 2015-08-24 at 13:16 -0500, Michael Schwager wrote:
> > > Yes.
> > >
> > > systemd-208-26.fc20.x86_64
> > > systemd-libs-208-26.fc20.x86_64
> > > systemd-python-208-26.fc20.x86_64
> > >
> > > On Mon, Aug 24, 2015 at 11:36 AM, Harrison Johnson <[email protected]> wrote:
> > > > Did you install the systemd package?
> > > >
> > > > On Mon, 2015-08-24 at 08:57 -0500, Michael Schwager wrote:
> > > > > Hello,
> > > > > I have fail2ban 0.9 on Fedora 20. I notice in my
> > > > > log files that when I start fail2ban I get the
> > > > > following error messages. I think maybe it's
> > > > > because the /etc/fail2ban/filters.d directory has
> > > > > too much stuff in it...? But if I try to move
> > > > > things out of there I get some errors about the
> > > > > regexes. Or do I need to set ulimit? Any advice
> > > > > would be appreciated. I'll include my
> > > > > fail2ban.conf file after the following errors.
> > > > >
> > > > > I notice there's a whole lot of stuff in jail.conf
> > > > > that I don't need, but it says specifically to not
> > > > > edit it so I have not.
> > > > >
> > > > > Here are the errors:
> > > > >
> > > > > 2015-08-24 08:42:49,660 fail2ban.server.jail[19511]: INFO Initiated 'systemd' backend
> > > > > 2015-08-24 08:42:49,663 fail2ban.server.filter[19511]: INFO Set maxRetry = 3
> > > > > 2015-08-24 08:42:49,665 fail2ban.server.actions[19511]: INFO Set banTime = 600
> > > > > 2015-08-24 08:42:49,667 fail2ban.server.filter[19511]: INFO Set findtime = 600
> > > > > 2015-08-24 08:42:49,670 fail2ban.server.filter[19511]: INFO Date pattern set to `'^L %d/%m/%Y - %H:%M:%S'`: `^L Day/Month/Year - 24hour:Minute:Second`
> > > > > 2015-08-24 08:42:49,690 fail2ban.server.jail[19511]: INFO Jail 'sshd' started
> > > > > 2015-08-24 08:42:49,690 fail2ban.server.action[19511]: ERROR iptables -N f2b-sshd
> > > > > iptables -A f2b-sshd -j RETURN
> > > > > iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- failed with [Errno 24] Too many open files
> > > > > 2015-08-24 08:42:49,690 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd' action 'iptables-multiport': local variable 'retcode' referenced before assignment
> > > > > 2015-08-24 08:42:49,696 fail2ban.server.jail[19511]: INFO Jail 'sshd-ddos' started
> > > > > 2015-08-24 08:42:49,698 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd-ddos' action 'iptables-multiport': [Errno 24] Too many open files: '/tmp/fai2ban_Kfztgy.stderr'
> > > > >
> > > > > # grep -v "^#" /etc/fail2ban/fail2ban.conf
> > > > >
> > > > > [Definition]
> > > > > loglevel = INFO
> > > > > logtarget = /var/log/fail2ban.log
> > > > > socket = /var/run/fail2ban/fail2ban.sock
> > > > > pidfile = /var/run/fail2ban/fail2ban.pid
> > > > > dbfile = /var/lib/fail2ban/fail2ban.sqlite3
> > > > > dbpurgeage = 86400
> > > > >
> > > > > (notice that my IP address has been munged to
> > > > > protect me...)
> > > > >
> > > > > # grep -v '^#' /etc/fail2ban/jail.local
> > > > > [INCLUDES]
> > > > >
> > > > > [DEFAULT]
> > > > > ignoreip = 127.0.0.1/8 X.Y.Z.A
> > > > > bantime = 600
> > > > > findtime = 600
> > > > > maxretry = 3
> > > > > backend = systemd
> > > > > usedns = no
> > > > > enabled = true
> > > > > filter = %(__name__)s
> > > > > destemail = root@localhost
> > > > > sender = root@localhost
> > > > >
> > > > > [sshd]
> > > > > port = ssh
> > > > > logpath = %(sshd_log)s
> > > > > enabled = true
> > > > >
> > > > > [sshd-ddos]
> > > > > port = ssh
> > > > > logpath = %(sshd_log)s
> > > > >
> > > > > [dropbear]
> > > > > port = ssh
> > > > > logpath = %(dropbear_log)s
> > > > >
> > > > > [selinux-ssh]
> > > > > port = ssh
> > > > > logpath = %(auditd_log)s
> > > > > maxretry = 5
> > > > >
> > > > > --
> > > > > -Mike Schwager
> > >
> > > --
> > > -Mike Schwager
>
> --
> -Mike Schwager

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
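
The thread turns on whether the fail2ban-server process itself is running into its open-file limit and what those descriptors point at. The following is an added example, not part of the original messages or of fail2ban: it reads /proc/<pid>/limits and /proc/<pid>/fd on Linux and groups the descriptor targets by path prefix. The function names and the grouping depth are choices made for this example.

```python
"""Compare a process's open descriptors with its soft 'Max open files' limit."""
import os
import sys
from collections import Counter

def soft_nofile_limit(limits_text):
    """Return the soft 'Max open files' value from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line.split()[3]   # fields: Max, open, files, soft, hard, units
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' row found")

def group_targets(targets, depth=3):
    """Count fd targets by their first `depth` path components."""
    counts = Counter()
    for target in targets:
        if target.startswith("/"):
            counts["/" + "/".join(target.split("/")[1:depth + 1])] += 1
        else:
            counts[target.split(":", 1)[0]] += 1   # socket:[123] -> socket
    return counts

def fd_targets(pid):
    """Resolve every descriptor of a live process (root needed for other users)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            pass   # descriptor was closed between listdir() and readlink()
    return targets

def report(pid):
    """Build a short text report: total fds, soft limit, top five prefixes."""
    with open(f"/proc/{pid}/limits") as fh:
        limit = soft_nofile_limit(fh.read())
    targets = fd_targets(pid)
    shown = "unlimited" if limit is None else limit
    lines = [f"pid {pid}: {len(targets)} open fds, soft limit {shown}"]
    for prefix, count in group_targets(targets).most_common(5):
        lines.append(f"{count:6d}  {prefix}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Assumption: the PID is passed on the command line, e.g. the number
    # stored in /var/run/fail2ban/fail2ban.pid.
    print(report(int(sys.argv[1])))
```

Run it as root with the PID of fail2ban-server; a count near the soft limit with most entries under /var/log/journal matches the lsof output quoted above.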
