Nice catch, thanks! That seems to be it... it eliminates my "too many files" problem. Let's see if fail2ban now works on sshd.
I appreciate your looking at this so diligently.

On Mon, Aug 24, 2015 at 4:07 PM, Harrison Johnson <[email protected]> wrote:
> Missed this before: in the default section of your jail.local you have
> enabled = true. Delete that line and then set enabled = true for each of
> the jails you have defined in the jail.local and see if that closes all
> the open files.
>
> On Mon, 2015-08-24 at 14:34 -0500, Michael Schwager wrote:
>
> It appears that there's some strange interaction between fail2ban and
> systemd. Thanks for the link but it talks about having a lot of files open.
> I'm wondering about why fail2ban would need to open them in the first
> place. ...Is the Fedora RPM broken?
>
> This is what's strange: I have a simple VM, running Fedora 20, and by
> simple I mean that it is running httpd and sshd only. And it's a sleepy
> little computer, very little going on with it (outside of the usual ssh
> root login attempts by hackers).
>
> netstat shows that there is only a single connection- me, via ssh. The
> error happens immediately upon start of fail2ban.
>
> So I do not have a lot of concurrent connections, nor am I running
> something that opens a lot of files but never closes them- except fail2ban
> itself.
>
> lsof shows A TON of files opened by fail2ban in /var/log/journal:
>
> fail2ban- 19511 19633 root 737r REG 252,1 109051904 20638 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000049dceb-00051c23d11febc7.journal
> fail2ban- 19511 19633 root 738r REG 252,1 100663296 20639 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000044db14-00051b85f6029c2c.journal
> fail2ban- 19511 19633 root 739r REG 252,1 100663296 20611 /var/log/journal/11264912be38456483e63dfd21d402f4/system@c429c1a6e1044dd79b5d5e3089276833-0000000000715351-00051a2daf9bb2b7.journal
>
> If I run fail2ban by itself without using systemd, it seems to start fine:
>
> /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
>
> If I removed files from /etc/fail2ban/filter.d I got some strange regular
> expression error. I just tried it again, and moved all files but sshd.conf
> and sshd-ddos.conf. It started without any messages to
> /var/log/fail2ban.log but this is what happens when I test:
>
> # fail2ban-client -d
> WARNING Wrong value for 'loglevel' in 'Definition'. Using default one: ''INFO''
> ERROR Failed during configuration: Bad value substitution:
> section: [Definition]
> option : failregex
> key : __prefix_line
> rawval : (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>
> ...It seems to work fine when all the files are left in place under
> filter.d.
>
> On Mon, Aug 24, 2015 at 1:49 PM, Harrison Johnson <[email protected]> wrote:
>
> You can remove files that are not being used in the filter.d and action.d
> directories. I have done this to reduce the "noise" when I ls from a
> terminal. The error is really the OS telling you that too many files are
> already open and it can't open another one. There are more reasons for this
> than you can shake a stick at, to use a favorite phrase of my great grand
> mother. The first question I would have: are you running a server that has
> a lot of concurrent connections? The second question is: are you running a
> server or application that opens a lot of files but never closes them? The
> third question is: are you using iptables as your firewall?
>
> Here is a quick thread on the open file limit subject:
> http://stackoverflow.com/questions/18280612/ioerror-errno-24-too-many-open-files
>
> On Mon, 2015-08-24 at 13:16 -0500, Michael Schwager wrote:
>
> Yes.
>
> systemd-208-26.fc20.x86_64
> systemd-libs-208-26.fc20.x86_64
> systemd-python-208-26.fc20.x86_64
>
> On Mon, Aug 24, 2015 at 11:36 AM, Harrison Johnson <[email protected]> wrote:
>
> Did you install the systemd package?
>
> On Mon, 2015-08-24 at 08:57 -0500, Michael Schwager wrote:
>
> Hello,
> I have fail2ban 0.9 on Fedora 20. I notice in my log files that when I
> start fail2ban I get the following error messages. I think maybe it's
> because the /etc/fail2ban/filters.d directory has too much stuff in it...?
> But if I try to move things out of there I get some errors about the
> regex's. Or do I need to set ulimit? Any advice would be appreciated. I'll
> include my fail2ban.conf file after the following errors.
>
> I notice there's a whole lot of stuff in jail.conf that I don't need, but
> it says specifically to not edit it so I have not.
>
> Here are the errors:
>
> 2015-08-24 08:42:49,660 fail2ban.server.jail[19511]: INFO Initiated 'systemd' backend
> 2015-08-24 08:42:49,663 fail2ban.server.filter[19511]: INFO Set maxRetry = 3
> 2015-08-24 08:42:49,665 fail2ban.server.actions[19511]: INFO Set banTime = 600
> 2015-08-24 08:42:49,667 fail2ban.server.filter[19511]: INFO Set findtime = 600
> 2015-08-24 08:42:49,670 fail2ban.server.filter[19511]: INFO Date pattern set to `'^L %d/%m/%Y - %H:%M:%S'`: `^L Day/Month/Year - 24hour:Minute:Second`
> 2015-08-24 08:42:49,690 fail2ban.server.jail[19511]: INFO Jail 'sshd' started
> 2015-08-24 08:42:49,690 fail2ban.server.action[19511]: ERROR iptables -N f2b-sshd
> iptables -A f2b-sshd -j RETURN
> iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- failed with [Errno 24] Too many open files
> 2015-08-24 08:42:49,690 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd' action 'iptables-multiport': local variable 'retcode' referenced before assignment
> 2015-08-24 08:42:49,696 fail2ban.server.jail[19511]: INFO Jail 'sshd-ddos' started
> 2015-08-24 08:42:49,698 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd-ddos' action 'iptables-multiport': [Errno 24] Too many open files: '/tmp/fai2ban_Kfztgy.stderr'
>
> # grep -v "^#" /etc/fail2ban/fail2ban.conf
>
> [Definition]
> loglevel = INFO
> logtarget = /var/log/fail2ban.log
> socket = /var/run/fail2ban/fail2ban.sock
> pidfile = /var/run/fail2ban/fail2ban.pid
> dbfile = /var/lib/fail2ban/fail2ban.sqlite3
> dbpurgeage = 86400
>
> (notice that my IP address has been munged to protect me...)
>
> # grep -v '^#' /etc/fail2ban/jail.local
> [INCLUDES]
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8 X.Y.Z.A
> bantime = 600
> findtime = 600
> maxretry = 3
> backend = systemd
> usedns = no
> enabled = true
> filter = %(__name__)s
> destemail = root@localhost
> sender = root@localhost
>
> [sshd]
> port = ssh
> logpath = %(sshd_log)s
> enabled = true
>
> [sshd-ddos]
> port = ssh
> logpath = %(sshd_log)s
>
> [dropbear]
> port = ssh
> logpath = %(dropbear_log)s
>
> [selinux-ssh]
> port = ssh
> logpath = %(auditd_log)s
> maxretry = 5
>
> --
> -Mike Schwager

--
-Mike Schwager
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
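
Added example, not part of the original thread and not fail2ban's own code: options in [DEFAULT] are inherited by every jail section, so enabled = true there switches on every jail defined in jail.conf as well, each with the systemd backend. The sketch below uses Python's configparser as a stand-in for fail2ban's config reader to show which jails are on only through that inheritance; JAIL_CONF is a constructed sample, and audit_jails / enabled_by_default_only are hypothetical helper names.

```python
import configparser

# Constructed stand-in for the packaged jail.conf (jail list is illustrative).
JAIL_CONF = """
[DEFAULT]
enabled = false
[sshd]
port = ssh
[sshd-ddos]
port = ssh
[apache-auth]
port = http,https
[postfix]
port = smtp
"""

# The relevant options of the jail.local posted in the thread.
JAIL_LOCAL = """
[DEFAULT]
backend = systemd
enabled = true
filter = %(__name__)s
[sshd]
logpath = %(sshd_log)s
enabled = true
[sshd-ddos]
logpath = %(sshd_log)s
"""

TRUE_VALUES = {"1", "true", "yes", "on"}

def audit_jails(*config_texts):
    """Merge configs in order; return {jail: (enabled, source, backend)}."""
    # Treat [DEFAULT] as an ordinary section so inheritance is resolved
    # by hand and the origin of each 'enabled' value stays visible.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    for text in config_texts:
        cp.read_string(text)
    defaults = cp["DEFAULT"] if cp.has_section("DEFAULT") else {}
    report = {}
    for name in cp.sections():
        if name in ("DEFAULT", "INCLUDES"):
            continue
        jail = cp[name]
        source = "explicit" if "enabled" in jail else "inherited"
        value = jail.get("enabled", defaults.get("enabled", "false"))
        backend = jail.get("backend", defaults.get("backend", "auto"))
        report[name] = (value.strip().lower() in TRUE_VALUES, source, backend)
    return report

def enabled_by_default_only(report):
    """Jails that are on solely because [DEFAULT] says enabled = true."""
    return sorted(j for j, (on, src, _) in report.items() if on and src == "inherited")

if __name__ == "__main__":
    for jail, (on, src, backend) in sorted(audit_jails(JAIL_CONF, JAIL_LOCAL).items()):
        print(f"{jail:12} enabled={on!s:5} ({src}) backend={backend}")
```

Run against a real jail.conf and jail.local pair, any name returned by enabled_by_default_only is a jail that was never deliberately turned on.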
