From the error message, it does not look like the problem is with firewalld but ipset, as it says the ipset set has not been created. You probably need to check through the firewallcmd-ipset action to diagnose what is going on, and perhaps check that ipset is actually loaded ("lsmod | grep ip_set").

On 21/08/2016 12:46, Bruno Miguel Queiros wrote:
> Yes.
>
> It could be something wrong with firewallcmd-ipset. Have you tried with
> different versions (older) of fail2ban and/or even firewalld?
>
> At 12:24 on 21-08-2016, Günther J. Niederwimmer wrote:
>> Hello Bruno Miguel,
>>
>> On Sunday, 21 August 2016, 11:52:08, Bruno Miguel Queiros wrote:
>>> What is the action of your sshd jail?
>> Do you mean this?
>>
>> /etc/fail2ban/jail.d/00-firewalld.conf
>> [DEFAULT]
>> banaction = firewallcmd-ipset
>>
>> and an unchanged
>> /etc/fail2ban/jail.conf
>> [DEFAULT]
>>
>> #
>> # MISCELLANEOUS OPTIONS
>> #
>>
>> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
>> # ban a host which matches an address in this list. Several addresses can be
>> # defined using space separator.
>> ignoreip = 127.0.0.1/8
>>
>> # External command that will take an tagged arguments to ignore, e.g. <ip>,
>> # and return true if the IP is to be ignored. False otherwise.
>> #
>> # ignorecommand = /path/to/command <ip>
>> ignorecommand =
>>
>> # "bantime" is the number of seconds that a host is banned.
>> bantime = 600
>>
>> # A host is banned if it has generated "maxretry" during the last "findtime"
>> # seconds.
>> findtime = 600
>>
>> # "maxretry" is the number of failures before a host get banned.
>> maxretry = 5
>>
>> # "backend" specifies the backend used to get files modification.
>> # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
>> # This option can be overridden in each jail as well.
>> #
>> # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
>> #            If pyinotify is not installed, Fail2ban will use auto.
>> # gamin:     requires Gamin (a file alteration monitor) to be installed.
>> #            If Gamin is not installed, Fail2ban will use auto.
>> # polling:   uses a polling algorithm which does not require external libraries.
>> # systemd:   uses systemd python library to access the systemd journal.
>> #            Specifying "logpath" is not valid for this backend.
>> #            See "journalmatch" in the jails associated filter config
>> # auto:      will try to use the following backends, in order:
>> #            pyinotify, gamin, polling.
>> #
>> # Note: if systemd backend is chosen as the default but you enable a jail
>> #       for which logs are present only in its own log files, specify some other
>> #       backend for that jail (e.g. polling) and provide empty value for
>> #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
>> backend = auto
>>
>> # "usedns" specifies if jails should trust hostnames in logs,
>> # warn when DNS lookups are performed, or ignore all hostnames in logs
>> #
>> # yes:  if a hostname is encountered, a DNS lookup will be performed.
>> # warn: if a hostname is encountered, a DNS lookup will be performed,
>> #       but it will be logged as a warning.
>> # no:   if a hostname is encountered, will not be used for banning,
>> #       but it will be logged as info.
>> usedns = warn
>>
>> # "logencoding" specifies the encoding of the log files handled by the jail
>> # This is used to decode the lines from the log file.
>> # Typical examples: "ascii", "utf-8"
>> #
>> # auto: will use the system locale setting
>> logencoding = auto
>>
>> # "enabled" enables the jails.
>> # By default all jails are disabled, and it should stay this way.
>> # Enable only relevant to your setup jails in your .local or jail.d/*.conf
>> #
>> # true:  jail will be enabled and log files will get monitored for changes
>> # false: jail is not enabled
>> enabled = false
>>
>>
>> # "filter" defines the filter to use by the jail.
>> # By default jails have names matching their filter name
>> #
>> filter = %(__name__)s
>>
>>
>> #
>> # ACTIONS
>> #
>>
>> # Some options used for actions
>>
>> # Destination email address used solely for the interpolations in
>> # jail.{conf,local,d/*} configuration files.
>> destemail = root@localhost
>>
>> # Sender email address used solely for some actions
>> sender = root@localhost
>>
>> # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
>> # mailing. Change mta configuration parameter to mail if you want to
>> # revert to conventional 'mail'.
>> mta = sendmail
>>
>> # Default protocol
>> protocol = tcp
>>
>> # Specify chain where jumps would need to be added in iptables-* actions
>> chain = INPUT
>>
>> # Ports to be banned
>> # Usually should be overridden in a particular jail
>> port = 0:65535
>>
>> #
>> # Action shortcuts. To be used to define action parameter
>>
>> # Default banning action (e.g. iptables, iptables-new,
>> # iptables-multiport, shorewall, etc) It is used to define
>> # action_* variables. Can be overridden globally or per
>> # section within jail.local file
>> banaction = iptables-multiport
>>
>> # The simplest action to take: ban only
>> action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>> ........
>>
>>> At 11:21 on 21-08-2016, Günther J. Niederwimmer wrote:
>>>> Hello
>>>>
>>>> On Saturday, 20 August 2016, 13:25:24, Bruno Miguel Queiros wrote:
>>>>> Tried disabling firewalld and going with regular iptables?
>>>> On the Internet all say firewalld is working, and it is working, but only
>>>> with CentOS 7.0 (????), but after update it is broken why???
>>>>
>>>> this is my jail.local
>>>> #
>>>> [DEFAULT]
>>>> bantime = 2592000
>>>> findtime = 3600
>>>> ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
>>>> maxretry = 2
>>>>
>>>> #
>>>> [sshd-ddos]
>>>> enabled = true
>>>>
>>>> [sshd]
>>>> enabled = true
>>>>
>>>> [selinux-ssh]
>>>> enabled = true
>>>>
>>>> and these thousands of errors
>>>> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
>>>> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 97.74.232.35
>>>> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
>>>> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>>>> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
>>>> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
>>>> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.142.52.44
>>>> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
>>>> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>>>> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
>>>> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
>>>> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.254.171.195
>>>> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
>>>> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>>>> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
>>>> 2016-08-21 11:09:33,874 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195
>>>>
>>>>
>>>> is ipset broken v6.19 or iptables v1.4.21 and or
>>>>
>>>> fail2ban-sendmail-0.9.3-1.el7.noarch
>>>> fail2ban-firewalld-0.9.3-1.el7.noarch
>>>> fail2ban-0.9.3-1.el7.noarch
>>>> fail2ban-server-0.9.3-1.el7.noarch
>>>>
>>>> I mean this is not only my problem :-((.
>>>>
>>>>> At 11:31 on 20-08-2016, Günther J. Niederwimmer wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I mean I have a big Problem with fail2ban :-(
>>>>>> when I make a restart / reload or reboot from fail2ban afterward my
>>>>>> firewalld status found this
>>>>>>
>>>>>> ● firewalld.service - firewalld - dynamic firewall daemon
>>>>>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>>>>>>    Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
>>>>>>  Main PID: 13158 (firewalld)
>>>>>>    CGroup: /system.slice/firewalld.service
>>>>>>            └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>>>>>>
>>>>>> Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>>>>>> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>>>>>>
>>>>>> fail2ban is working "normal" no errors
>>>>>>
>>>>>> This is an installation from EPEL with all Updates ???
>>>>>>
>>>>>> I don't change anything, I only make a jail.local for enabling filters
>>>>>>
>>>>>> I found no way to have a working fail2ban :-((.
>>>>>>
>>>>>> Thanks for any help
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
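
The two checks suggested at the top of this message (is ip_set loaded, and does the set that fail2ban adds to actually exist), written as an added shell example that is not part of the original thread or of fail2ban. The function names and the sample log are constructed for illustration; the log format follows the lines quoted above.

```shell
#!/bin/sh
# Added example: triage for "The set with the given name does not exist".

# Constructed sample in the format of the quoted fail2ban.log
# (addresses come from the documentation ranges).
SAMPLE_LOG="2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 192.0.2.10
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 198.51.100.7 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:19:40,102 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'"

# Read a fail2ban log on stdin; print "<set> <failed adds> <distinct IPs>"
# for every set that ipset reported as missing.
missing_sets() {
    awk '/ERROR/ && /ipset add / && /stderr:/ && /The set with the given name does not exist/ {
        for (i = 1; i < NF; i++)
            if ($i == "ipset" && $(i + 1) == "add") { set = $(i + 2); ip = $(i + 3); break }
        adds[set]++
        if (!seen[set, ip]++) ips[set]++
    }
    END { for (s in adds) print s, adds[s], ips[s] }' | sort
}

# Succeed if ip_set is in a /proc/modules-style file (an exact-name version
# of the "lsmod | grep ip_set" check).
ip_set_loaded() {
    awk '$1 == "ip_set" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Succeed if set $1 is named in "ipset list -n" style output on stdin.
set_exists() { grep -qxF -- "$1"; }

# usage: diagnose LOGFILE MODULES_FILE SETLIST_FILE
diagnose() {
    ip_set_loaded "$2" || { echo "ip_set module not loaded"; return 1; }
    missing_sets < "$1" | while read -r name adds ips; do
        if set_exists "$name" < "$3"; then
            echo "$name: exists now, but $adds earlier adds failed"
        else
            echo "$name: missing, $adds adds for $ips IPs failed; check actionstart"
        fi
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | missing_sets
```

On a live host, assuming the default log location, save the output of "ipset list -n" to a file and run: diagnose /var/log/fail2ban.log /proc/modules that-file. A set reported as missing while the module is loaded points at the action's start command, which is what creates the set.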