What is the output of "ipset list -n", removing all the duplicates? Can you restart f2b and look for errors in your message log, specifically anything to do with creating your jails? Please also post the contents of \etc\fail2ban\action.d\firewalldcmd-ipset.conf? And which version of f2b are you running?

On 21/08/2016 13:32, Günther J. Niederwimmer wrote:
Hello,

On Sunday, 21 August 2016, 13:13:14, Nick Howitt wrote:
 From the error message, it does not look like the problem is with
firewalld but ipset as it says the ipset set has not been created. You
probably need to check through the firewallcmd-ipset action to diagnose
what is going on, and perhaps, check ipset is actually loaded ("lsmod |
grep ip_set")
this I tested on starting with my problem.

 lsmod | grep _set
xt_set                 13181  3 
ip_set_hash_ip         27260  3 
ip_set                 36439  2 ip_set_hash_ip,xt_set
nfnetlink              14606  1 ip_set

but I have no idea how to check the firewalldcmd-ipset action? This is a touch too
high for me :-(.

On 21/08/2016 12:46, Bruno Miguel Queiros wrote:
Yes.


It could be something wrong with firewallcmd-ipset. Have you tried with
different versions (older) of fail2ban and/or even firewalld?

On 21-08-2016 at 12:24, Günther J. Niederwimmer wrote:
Hello Bruno Miguel,

On Sunday, 21 August 2016, 11:52:08, Bruno Miguel Queiros wrote:
What is the action of your sshd jail?
Do you mean this?

/etc/fail2ban/jail.d/00-firewalld.conf
[DEFAULT]
banaction = firewallcmd-ipset

and a NOT changed
/etc/fail2ban/jail.conf
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is choses as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
........

On 21-08-2016 at 11:21, Günther J. Niederwimmer wrote:
Hello

On Saturday, 20 August 2016, 13:25:24, Bruno Miguel Queiros wrote:
Tried disabling firewalld and going with regular iptables?
On the Internet all say firewalld is working, and it is working, but only
with CentOS 7.0 (????), but after update it is broken why???

this is my jail.local
#
[DEFAULT]
bantime = 2592000
findtime = 3600
ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
maxretry = 2

#
[sshd-ddos]
enabled = true

[sshd]
enabled = true

[selinux-ssh]
enabled = true

and this thousands of Errors
2016-08-21 11:09:33,565 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
2016-08-21 11:09:33,565 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 97.74.232.35
2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,668 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
2016-08-21 11:09:33,668 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 98.142.52.44
2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,771 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
2016-08-21 11:09:33,771 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 98.254.171.195
2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,874 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195


is ipset broken v6.19 or iptables v1.4.21 and or

    fail2ban-sendmail-0.9.3-1.el7.noarch
    fail2ban-firewalld-0.9.3-1.el7.noarch
    fail2ban-0.9.3-1.el7.noarch
    fail2ban-server-0.9.3-1.el7.noarch

I mean this is not only my problem :-((.

On 20-08-2016 at 11:31, Günther J. Niederwimmer wrote:
Hello,

I mean I have a big Problem with fail2ban :-(
when I make a restart / reload or reboot from fail2ban afterward my
firewalld status found this

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
 Main PID: 13158 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED

fail2ban is working "normal" no errors

This is an installation from EPEL with all Updates ???

I don't change nothing only I make a jail.local for enabling filters

I found no way to have a working fail2ban :-((.

Thanks for any help
--------------------------------------------------------------------------
---- _______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
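
Added example (not part of the original thread and not fail2ban's own code): the log quoted above shows "NOTICE [sshd] Ban <ip>" lines even though every "ipset add" fails, so a Ban notice alone does not prove the address is blocked. This sketch rejoins mail-wrapped log text and lists the bans that were logged but never enforced; the sample log is constructed, and the "fail2ban-<jail>" set naming is an assumption taken from the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread, including the
# mail-client line wrapping. Addresses are documentation ranges.
SAMPLE_LOG = """\
2016-08-21 11:09:33,565 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 192.0.2.10
2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset
add
fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stderr: 'ipset
v6.19:
The set with the given name does not exist\\n'
2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,670 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 198.51.100.7 2016-08-21
11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 198.51.100.7 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\\n'
2016-08-21 11:10:02,100 fail2ban.actions        [2066]: NOTICE  [sshd-ddos] Ban 203.0.113.5
"""

# A new entry starts wherever a fail2ban timestamp and logger name appear.
ENTRY_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} fail2ban\.)")
BAN = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
ADD_ERR = re.compile(r"ERROR\s+ipset add (?P<set>\S+) (?P<ip>\S+) .*?-- stderr: '(?P<msg>.*)'")

def entries(text):
    """Rejoin wrapped lines, then split again at each fail2ban timestamp."""
    joined = " ".join(text.split("\n"))
    return [e.strip() for e in ENTRY_START.split(joined) if e.strip()]

def unenforced_bans(text):
    """Return ({jail: [IPs logged as banned but never added]}, {set: reason})."""
    banned, failed, reasons = defaultdict(list), set(), {}
    for entry in entries(text):
        if m := BAN.search(entry):
            banned[m["jail"]].append(m["ip"])
        elif m := ADD_ERR.search(entry):
            failed.add((m["set"], m["ip"]))
            reasons[m["set"]] = m["msg"].replace("\\n", "").strip()
    gaps = {}
    for jail, ips in banned.items():
        # Assumption from the quoted log: the action's set is "fail2ban-<jail>".
        missed = [ip for ip in ips if ("fail2ban-" + jail, ip) in failed]
        if missed:
            gaps[jail] = missed
    return gaps, reasons
```

A non-empty first result means the jail is reporting bans that the firewall never applied; the second result names the set and the ipset error to chase.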

    
