What version of iptables are you running? My version (I can't check at 
the moment) and any el6 derivative do not support the -w switch, so it 
needs to be removed from the f2b configs.

Nick

On 2016-04-07 12:50, Alexander R. Gruber wrote:
> Sorry for replying to myself, but I found a lot of errors in the log
> that might have to do with the problem at hand:
> 
> <snip>
> 2016-04-06 08:53:19,351 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:19,352 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:19,577 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:19,578 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:21,608 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:21,609 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:21,731 fail2ban.actions        [3526]: NOTICE  [sshd]
> Ban 146.0.77.xxx
> 
> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
> 
> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
> 
> 2016-04-06 08:53:21,836 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
> 
> 2016-04-06 08:53:21,836 fail2ban.CommandAction  [3526]: ERROR
> Invariant check failed. Trying to restore a sane environment
> 
> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- stdout: ''
> 
> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load
> target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or
> 'iptables --help' for more information.\niptables: No
> chain/target/match by that name.\niptables: No chain/target/match by
> that name.\n"
> 
> 2016-04-06 08:53:21,941 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- returned 1
> 
> 2016-04-06 08:53:21,942 fail2ban.actions        [3526]: ERROR   Failed
> to execute ban jail 'sshd' action 'iptables-multiport' info
> 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff938>,
> 'matches': u'Apr  6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser
> from 146.0.77.xxx\nApr  6 08:53:19 bmn1 sshd[15131]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=146.0.77.xxx \nApr  6 08:53:21 bmn1 sshd[15131]:
> Failed password for invalid user ftpuser from 146.0.77.xxx port 50352
> ssh2', 'ip': '146.0.77.xxx', 'ipmatches': <function <lambda> at
> 0x7f3f3dfff848>, 'ipfailures': <function <lambda> at 0x7f3f3dfff7d0>,
> 'time': 1459925601.7313, 'failures': 3, 'ipjailfailures': <function
> <lambda> at 0x7f3f3dfff758>})': Error stopping action
> 
> 2016-04-06 08:53:22,865 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:22,867 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:23,424 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:23,426 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:25,339 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:25,340 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:25,738 fail2ban.actions        [3526]: NOTICE  [ssh]
> Ban 146.0.77.xxx
> 
> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stdout: ''
> 
> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- stderr: ''
> 
> 2016-04-06 08:53:25,843 fail2ban.action         [3526]: ERROR
> iptables -w -n -L INPUT | grep -q 'f2b-ssh[ \t]' -- returned 1
> 
> 2016-04-06 08:53:25,843 fail2ban.CommandAction  [3526]: ERROR
> Invariant check failed. Trying to restore a sane environment
> 
> 2016-04-06 08:53:25,947 fail2ban.actions        [3526]: NOTICE  [sshd]
> 146.0.77.xxx already banned
> 
> 2016-04-06 08:53:25,948 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
> 
> iptables -w -F f2b-ssh
> 
> iptables -w -X f2b-ssh -- stdout: ''
> 
> 2016-04-06 08:53:25,949 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
> 
> iptables -w -F f2b-ssh
> 
> iptables -w -X f2b-ssh -- stderr: "iptables v1.4.21: Couldn't load
> target `f2b-ssh':No such file or directory\n\nTry `iptables -h' or
> 'iptables --help' for more information.\niptables: No
> chain/target/match by that name.\niptables: No chain/target/match by
> that name.\n"
> 
> 2016-04-06 08:53:25,949 fail2ban.action         [3526]: ERROR
> iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-ssh
> 
> iptables -w -F f2b-ssh
> 
> iptables -w -X f2b-ssh -- returned 1
> 
> 2016-04-06 08:53:25,949 fail2ban.actions        [3526]: ERROR   Failed
> to execute ban jail 'ssh' action 'iptables-multiport' info
> 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f3f3dfff7d0>,
> 'matches': u'Apr  6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser
> from 146.0.77.xxx\nApr  6 08:53:19 bmn1 sshd[15131]:
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=146.0.77.xxx \nApr  6 08:53:21 bmn1 sshd[15131]:
> Failed password for invalid user ftpuser from 146.0.77.xxx port 50352
> ssh2\nApr  6 08:53:22 bmn1 sshd[15140]: Invalid user ftpuser from
> 146.0.77.xxx\nApr  6 08:53:23 bmn1 sshd[15140]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=146.0.77.xxx \nApr  6 08:53:25 bmn1 sshd[15140]: Failed password
> for invalid user ftpuser from 146.0.77.xxx port 50691 ssh2', 'ip':
> '146.0.77.xxx', 'ipmatches': <function <lambda> at 0x7f3f3dfff758>,
> 'ipfailures': <function <lambda> at 0x7f3f3dfff848>, 'time':
> 1459925605.738062, 'failures': 6, 'ipjailfailures': <function <lambda>
> at 0x7f3f3dfff938>})': Error stopping action
> 
> 2016-04-06 08:53:26,498 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:26,500 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:26,523 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:26,525 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:28,182 fail2ban.filter         [3526]: INFO    [ssh]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:28,183 fail2ban.filter         [3526]: INFO    [sshd]
> Found 146.0.77.xxx
> 
> 2016-04-06 08:53:28,950 fail2ban.actions        [3526]: NOTICE  [sshd]
> 146.0.77.xxx already banned
> <snap>
> 
> 
> 
> On 07.04.2016 20:33, Alexander R. Gruber wrote:
>> Thank you Steve, for your answer.
>> 
>> To your questions:
>> 
>>> How do you have the load-balanced rules set? Are they persistent in a
>>> file that is always run from server startup?
>> -> I have a startup script that sets the firewall NAT rules on every 
>> startup of the system in RC4.
>> 
>> Every few hours f2b reloads the firewall rules from its database 
>> (according to the log), and when that happens the NAT rules vanish from 
>> my server, leading to a STOP in service, as the load balancing breaks.
>> 
>> This happens every few hours and always goes hand in hand 
>> with the time in the f2b log where the system does the aforementioned 
>> process of "resetting" and loading stuff from its database.
>> So I have a strong bias towards f2b being the "culprit", as this is the 
>> only process that fiddles around with iptables in the first 
>> instance.
>> 
>> I also noticed very strange things:
>> 
>> <snip>
>> 2016-04-07 13:22:19,849 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:20,294 fail2ban.actions        [3526]: NOTICE  [sshd] 
>> 183.3.202.200 already banned
>> 2016-04-07 13:22:21,836 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:21,837 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:28,687 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:28,688 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:30,912 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:30,913 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:31,306 fail2ban.actions        [3526]: NOTICE  [sshd] 
>> 183.3.202.xxx already banned
>> 2016-04-07 13:22:31,857 fail2ban.actions        [3526]: NOTICE  [ssh] 
>> 183.3.202.xxx already banned
>> 2016-04-07 13:22:42,443 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:42,445 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:44,260 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:50,860 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:50,861 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:51,329 fail2ban.actions        [3526]: NOTICE  [sshd] 
>> 183.3.202.xxx already banned
>> 2016-04-07 13:22:53,105 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:22:53,106 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:23:00,356 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:23:00,358 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:23:01,974 fail2ban.filter         [3526]: INFO    [ssh] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:23:01,975 fail2ban.filter         [3526]: INFO    [sshd] 
>> Found 183.3.202.xxx
>> 2016-04-07 13:23:02,342 fail2ban.actions        [3526]: NOTICE  [sshd] 
>> 183.3.202.xxx already banned
>> 2016-04-07 13:23:02,893 fail2ban.actions        [3526]: NOTICE  [ssh] 
>> 183.3.202.xxx already banned
>> root@xxx:~# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> root@bmn1:~# sudo iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> The chain rules seem to be empty ...
>> 
>> root@xxx:~# service fail2ban restart
>>    * Restarting authentication failure monitor fail2ban
>> root@xxx:~# iptables -n -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
>> f2b-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-apache-nohome  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-apache-overflows  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-apache-badbots  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
>> f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
>> 
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> 
>> Chain f2b-apache (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-apache-badbots (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-apache-nohome (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-apache-overflows (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-hn-apache-retry-ban (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-php-url-fopen (1 references)
>> target     prot opt source               destination
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-ssh (1 references)
>> target     prot opt source               destination
>> REJECT     all  --  221.229.162.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> Chain f2b-sshd (1 references)
>> target     prot opt source               destination
>> REJECT     all  --  221.229.162.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  186.228.90.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  183.3.202.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  14.139.46.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> REJECT     all  --  111.13.70.xxx        0.0.0.0/0            reject-with icmp-port-unreachable
>> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
>> 
>> After an explicit restart, the system seems to be up and running again 
>> ...
>> 
>> I feel a bit at loss here ...
>> 
>> Thanks for any hints!
>> Alexander
>> 
>>> By design, f2b (when restarting) unblocks all blocked IP addresses
>>> within its own DB; it then removes the f2b chains from iptables. It
>>> then starts up, creating the chains, and re-adds the IPs that are
>>> within the selected time scale of bans.
>>> 
>>> It does not remove anything other than its own chains in iptables.
>>> 
>>> How do you have the load-balanced rules set? Are they persistent in a
>>> file that is always run from server startup?
>>> 
>>> I have a reset firewall script that, once f2b is shut down, I run, and
>>> it reloads my own pre-set rules on iptables; then I fire up f2b. I've
>>> never had it remove rules or chains that are not starting "f2b-chainname"
>>> (i.e. f2b-php-url-open) etc.
>>> 
>>> If you do an iptables -n -L, do your f2b chains all start with chain
>>> f2b-? If the f2b chains are missing and all your rules are not starting as
>>> above, I suppose there is a chance it could remove rules it never
>>> created, although I would doubt that.
>>> 
>>> I hope this helps a little.
>>> 
>>> Steve
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 
> 
> 

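An added example, not from this thread or from fail2ban itself: a small Python script that walks fail2ban log lines of the kind quoted above and, per jail, counts bans, "already banned" notices, failed ban actions and failed invariant checks, and sorts the iptables stderr into the two causes discussed here (an iptables that rejects -w, and f2b chains that have disappeared from the kernel). The sample lines are constructed, and the "unknown option `-w'" wording for an old iptables is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in fail2ban's log format, modelled on the thread
# but not copied from it; the "unknown option `-w'" wording is an assumption.
SAMPLE_LOG = """\
2016-04-06 08:53:21,731 fail2ban.actions [3526]: NOTICE  [sshd] Ban 146.0.77.1
2016-04-06 08:53:21,836 fail2ban.action  [3526]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \\t]' -- returned 1
2016-04-06 08:53:21,941 fail2ban.action  [3526]: ERROR   iptables -w -X f2b-sshd -- stderr: "iptables: No chain/target/match by that name.\\n"
2016-04-06 08:53:21,942 fail2ban.actions [3526]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({...})': Error stopping action
2016-04-06 08:53:25,738 fail2ban.actions [3526]: NOTICE  [ssh] Ban 146.0.77.1
2016-04-06 08:53:25,948 fail2ban.action  [3526]: ERROR   iptables -w -X f2b-ssh -- stderr: "iptables v1.4.7: unknown option `-w'\\n"
2016-04-06 08:53:25,949 fail2ban.actions [3526]: ERROR   Failed to execute ban jail 'ssh' action 'iptables-multiport' info 'CallingMap({...})': Error stopping action
2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.200 already banned
"""

BAN_RE = re.compile(r"NOTICE\s+\[([\w-]+)\] Ban \S+")
ALREADY_RE = re.compile(r"NOTICE\s+\[([\w-]+)\] \S+ already banned")
FAIL_RE = re.compile(r"ERROR\s+Failed to execute ban jail '([\w-]+)'")
# f2b's invariant check greps INPUT for the jail chain; "returned 1" means the
# chain is not hooked in, so f2b tears the action down and rebuilds it.
INVARIANT_RE = re.compile(r"grep -q 'f2b-([\w-]+)\[ \\t\]' -- returned (\d+)")
STDERR_RE = re.compile(r"ERROR\s+iptables .*?f2b-([\w-]+).* -- stderr: \"(.*)\"")

def classify_stderr(text):
    """Map iptables stderr to the two causes discussed in the thread."""
    if "Bad argument" in text or ("unknown option" in text and "-w" in text):
        return "iptables rejects -w (old iptables): drop -w from the f2b action"
    if "No chain/target/match by that name" in text:
        return "f2b chain missing from the kernel: rules were flushed outside f2b"
    return "unclassified iptables error: " + text.strip()

def analyse(log_text):
    """Per-jail counters and distinct failure causes from fail2ban log lines."""
    jails = defaultdict(lambda: {"bans": 0, "already_banned": 0, "failed": 0,
                                 "invariant_failed": 0, "causes": []})
    for line in log_text.splitlines():
        if m := BAN_RE.search(line):
            jails[m.group(1)]["bans"] += 1
        elif m := ALREADY_RE.search(line):
            jails[m.group(1)]["already_banned"] += 1
        elif m := FAIL_RE.search(line):
            jails[m.group(1)]["failed"] += 1
        elif (m := INVARIANT_RE.search(line)) and m.group(2) != "0":
            jails[m.group(1)]["invariant_failed"] += 1
        elif m := STDERR_RE.search(line):
            cause = classify_stderr(m.group(2))
            if cause not in jails[m.group(1)]["causes"]:
                jails[m.group(1)]["causes"].append(cause)
    return dict(jails)
```

To run it against a real log, pass the contents of /var/log/fail2ban.log to analyse() instead of SAMPLE_LOG; a jail with "already banned" notices but no live f2b- chain in iptables -n -L is the state divergence Alexander describes.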