This has taken a bit of digging and I'm surprised there is no error in 
the message log or fail2ban log, if different. On my system (ClearOS, a 
derivative of CentOS), when executing the commands manually I got:
[root@hostname ~]# ipset create fail2ban-sshd hash:ip timeout 7776000
ipset v6.19: Syntax error: '7776000' is out of range 0-4294967
So, it looks like your 90-day timeout is invalid and needs to be reduced.

This is on a play VM, but, interestingly, on my production box which is 
still running 6.x, the set creates OK and the rule add works OK, but when 
I list the set I get:
[root@server ~]# ipset list fail2ban-sshd
Name: fail2ban-sshd
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 7776000
Size in memory: 16568
References: 0
Members:
98.142.52.44 timeout 4294493

So it looks like in v6 it just politely accepted what you gave it and 
capped the rule to 4294967 if it was out of range. I'd say it is a 
backward step in 7.2, but I understand the counter-argument that it was 
appearing to do what you told it, but in reality it was doing something 
different. That would be a discussion to be had with the ip_set 
developers rather than f2b.

In the meantime I suggest you reduce your timeout.

On 21/08/2016 14:57, Günther J. Niederwimmer wrote:
> Hello,
> On Sunday, 21 August 2016, 14:10:15, Nick Howitt wrote:
>> What is the output of "ipset list -n", removing all the duplicates? Can you
>> restart f2b and look for errors in your message log, specifically anything
>> to do with creating your jails? Please also post the contents of
>> /etc/fail2ban/action.d/firewallcmd-ipset.conf. And which version of f2b
>> are you running?
> ipset list -n
> fail2ban-sshd
> fail2ban-sshd-ddos
> fail2ban-selinux-ssh
>
> the fail2ban version is 0.9.3
>
> cat firewallcmd-ipset.conf
> # Fail2Ban action file for firewall-cmd/ipset
> #
> # This requires:
> # ipset (package: ipset)
> # firewall-cmd (package: firewalld)
> #
> # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
> # Use ipset -V to see the protocol and version.
> #
> # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
> #
> # If you are running on an older kernel you make need to patch in external
> # modules.
>
> [INCLUDES]
>
> before = iptables-common.conf
>
> [Definition]
>
> actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
>               firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
>
> actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
>              ipset flush fail2ban-<name>
>              ipset destroy fail2ban-<name>
>
> actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
>
> actionunban = ipset del fail2ban-<name> <ip> -exist
>
> [Init]
>
> # Option:  chain
> # Notes    specifies the iptables chain to which the fail2ban rules should be
> #          added
> # Values:  [ STRING ]
> #
> chain = INPUT_direct
>
> # Option: bantime
> # Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
> # Values:  [ NUM ]  Default: 600
>
> bantime = 600
>
> #
> ipset -v
> ipset v6.19, protocol version: 6
>
> I found nothing in /var/log/messages, only an INFO that fail2ban is started
>
>> On 21/08/2016 13:32, Günther J. Niederwimmer wrote:
>>
>> On Sunday, 21 August 2016, 13:13:14, Nick Howitt wrote:
>> From the error message, it does not look like the problem is with
>> firewalld but ipset, as it says the ipset set has not been created. You
>> probably need to check through the firewallcmd-ipset action to diagnose
>> what is going on, and perhaps check ipset is actually loaded ("lsmod |
>> grep ip_set")
>> This I tested when starting with my problem.
>>
>> lsmod | grep _set
>> xt_set                 13181  3
>> ip_set_hash_ip         27260  3
>> ip_set                 36439  2 ip_set_hash_ip,xt_set
>> nfnetlink              14606  1 ip_set
>>
>> but I have no idea how to check the firewallcmd-ipset action? This is a touch
>> too high for me :-(.
>>
>> On 21/08/2016 12:46, Bruno Miguel Queiros wrote:
>> Yes.
>>
>>
>> It could be something wrong with firewallcmd-ipset. Have you tried with
>> different versions (older) of fail2ban and/or even firewalld?
>>
>> At 12:24 on 21-08-2016, Günther J. Niederwimmer wrote:
>> Hello Bruno Miguel,
>>
>> On Sunday, 21 August 2016, 11:52:08, Bruno Miguel Queiros wrote:
>> What is the action of your sshd jail?
>> Do you mean this?
>>
>> /etc/fail2ban/jail.d/00-firewalld.conf
>> [DEFAULT]
>> banaction = firewallcmd-ipset
>>
>> and an unchanged
>> /etc/fail2ban/jail.conf
>> [DEFAULT]
>>
>> #
>> # MISCELLANEOUS OPTIONS
>> #
>>
>> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
>> # ban a host which matches an address in this list. Several addresses can be
>> # defined using space separator.
>> ignoreip = 127.0.0.1/8
>>
>> # External command that will take a tagged arguments to ignore, e.g. <ip>,
>> # and return true if the IP is to be ignored. False otherwise.
>> #
>> # ignorecommand = /path/to/command <ip>
>> ignorecommand =
>>
>> # "bantime" is the number of seconds that a host is banned.
>> bantime  = 600
>>
>> # A host is banned if it has generated "maxretry" during the last "findtime"
>> # seconds.
>> findtime  = 600
>>
>> # "maxretry" is the number of failures before a host get banned.
>> maxretry = 5
>>
>> # "backend" specifies the backend used to get files modification.
>> # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
>> # This option can be overridden in each jail as well.
>> #
>> # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
>> #              If pyinotify is not installed, Fail2ban will use auto.
>> # gamin:     requires Gamin (a file alteration monitor) to be installed.
>> #              If Gamin is not installed, Fail2ban will use auto.
>> # polling:   uses a polling algorithm which does not require external libraries.
>> # systemd:   uses systemd python library to access the systemd journal.
>> #              Specifying "logpath" is not valid for this backend.
>> #              See "journalmatch" in the jails associated filter config
>> # auto:      will try to use the following backends, in order:
>> #              pyinotify, gamin, polling.
>> #
>> # Note: if systemd backend is chosen as the default but you enable a jail
>> #       for which logs are present only in its own log files, specify some other
>> #       backend for that jail (e.g. polling) and provide empty value for
>> #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
>> backend = auto
>>
>> # "usedns" specifies if jails should trust hostnames in logs,
>> #   warn when DNS lookups are performed, or ignore all hostnames in logs
>> #
>> # yes:   if a hostname is encountered, a DNS lookup will be performed.
>> # warn:  if a hostname is encountered, a DNS lookup will be performed,
>> #        but it will be logged as a warning.
>> # no:    if a hostname is encountered, will not be used for banning,
>> #        but it will be logged as info.
>> usedns = warn
>>
>> # "logencoding" specifies the encoding of the log files handled by the jail
>> #   This is used to decode the lines from the log file.
>> #   Typical examples:  "ascii", "utf-8"
>> #
>> #   auto:   will use the system locale setting
>> logencoding = auto
>>
>> # "enabled" enables the jails.
>> #  By default all jails are disabled, and it should stay this way.
>> #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
>> #
>> # true:  jail will be enabled and log files will get monitored for changes
>> # false: jail is not enabled
>> enabled = false
>>
>>
>> # "filter" defines the filter to use by the jail.
>> #  By default jails have names matching their filter name
>> #
>> filter = %(__name__)s
>>
>>
>> #
>> # ACTIONS
>> #
>>
>> # Some options used for actions
>>
>> # Destination email address used solely for the interpolations in
>> # jail.{conf,local,d/*} configuration files.
>> destemail = root@localhost
>>
>> # Sender email address used solely for some actions
>> sender = root@localhost
>>
>> # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
>> # mailing. Change mta configuration parameter to mail if you want to
>> # revert to conventional 'mail'.
>> mta = sendmail
>>
>> # Default protocol
>> protocol = tcp
>>
>> # Specify chain where jumps would need to be added in iptables-* actions
>> chain = INPUT
>>
>> # Ports to be banned
>> # Usually should be overridden in a particular jail
>> port = 0:65535
>>
>> #
>> # Action shortcuts. To be used to define action parameter
>>
>> # Default banning action (e.g. iptables, iptables-new,
>> # iptables-multiport, shorewall, etc) It is used to define
>> # action_* variables. Can be overridden globally or per
>> # section within jail.local file
>> banaction = iptables-multiport
>>
>> # The simplest action to take: ban only
>> action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>> ........
>>
>> At 11:21 on 21-08-2016, Günther J. Niederwimmer wrote:
>> Hello
>>
>> On Saturday, 20 August 2016, 13:25:24, Bruno Miguel Queiros wrote:
>> Tried disabling firewalld and going with regular iptables?
>> On the Internet everyone says firewalld is working, and it is working, but
>> only with CentOS 7.0 (????), but after an update it is broken, why???
>>
>> this is my jail.local
>> #
>> [DEFAULT]
>> bantime = 2592000
>> findtime = 3600
>> ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
>> maxretry = 2
>>
>> #
>> [sshd-ddos]
>> enabled = true
>>
>> [sshd]
>> enabled = true
>>
>> [selinux-ssh]
>> enabled = true
>>
>> and these thousands of errors
>> 2016-08-21 11:09:33,565 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
>> 2016-08-21 11:09:33,565 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 97.74.232.35
>> 2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
>> 2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>> 2016-08-21 11:09:33,668 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
>> 2016-08-21 11:09:33,668 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
>> 2016-08-21 11:09:33,668 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 98.142.52.44
>> 2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
>> 2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>> 2016-08-21 11:09:33,771 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
>> 2016-08-21 11:09:33,771 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
>> 2016-08-21 11:09:33,771 fail2ban.actions        [2066]: NOTICE  [sshd] Ban 98.254.171.195
>> 2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
>> 2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
>> 2016-08-21 11:09:33,874 fail2ban.action         [2066]: ERROR   ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
>> 2016-08-21 11:09:33,874 fail2ban.actions        [2066]: ERROR   Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195
>>
>>
>> is ipset v6.19 broken, or iptables v1.4.21, and/or
>>
>>      fail2ban-sendmail-0.9.3-1.el7.noarch
>>      fail2ban-firewalld-0.9.3-1.el7.noarch
>>      fail2ban-0.9.3-1.el7.noarch
>>      fail2ban-server-0.9.3-1.el7.noarch
>>
>> I mean this is not only my problem :-((.
>>
>> At 11:31 on 20-08-2016, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> I mean I have a big problem with fail2ban :-(
>> When I do a restart / reload or reboot of fail2ban, afterward my
>> firewalld status shows this
>>
>> ● firewalld.service - firewalld - dynamic firewall daemon
>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>>    Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
>>  Main PID: 13158 (firewalld)
>>    CGroup: /system.slice/firewalld.service
>>            └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>>
>> Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
>> Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
>> Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
>> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
>> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
>> Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
>> Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
>> Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
>> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>>
>> fail2ban is working "normal", no errors
>>
>> This is an installation from EPEL with all updates ???
>>
>> I didn't change anything, I only made a jail.local for enabling filters
>>
>> I found no way to get a working fail2ban :-((.
>>
>> Thanks for any help


------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
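The ipset timeout limit Nick hits above can be checked before fail2ban's actionstart ever runs. The script below is an added example, not code from the thread or from the fail2ban project: it validates a <bantime> against the 0-4294967 range ipset v6.19 prints in the quoted error, clamps it to what v6 silently stored, and dry-runs the `ipset create` line the firewallcmd-ipset action would issue. The cap is taken from that error message; other ipset versions may enforce a different limit (assumption), so adjust IPSET_MAX_TIMEOUT if yours reports another range.

```sh
#!/bin/sh
# Added example, not from the thread or from fail2ban: pre-flight a <bantime>
# against the timeout range ipset v6.19 reports ("out of range 0-4294967").
# Assumption: the cap is read off that error message; other ipset versions
# may enforce a different limit, so adjust IPSET_MAX_TIMEOUT if yours differs.

IPSET_MAX_TIMEOUT=4294967   # seconds, roughly 49.7 days

# check_bantime SECONDS -> prints "ok", "too-large" or "invalid"
check_bantime() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return 0 ;;    # not a non-negative integer
    esac
    if [ "$1" -gt "$IPSET_MAX_TIMEOUT" ]; then
        echo too-large                             # v6.19 rejects; v6 silently capped
    else
        echo ok
    fi
}

# bantime_ok SECONDS -> exit status 0 only when ipset would accept the value
bantime_ok() { [ "$(check_bantime "$1")" = ok ]; }

# clamp_bantime SECONDS -> the value ipset v6 would have stored anyway
clamp_bantime() {
    case "$1" in
        ''|*[!0-9]*) echo 0; return 0 ;;
    esac
    if [ "$1" -gt "$IPSET_MAX_TIMEOUT" ]; then echo "$IPSET_MAX_TIMEOUT"; else echo "$1"; fi
}

# seconds_to_days SECONDS -> whole days, for readable diagnostics
seconds_to_days() { echo $(( $1 / 86400 )); }

# preflight_actionstart NAME BANTIME -> the "ipset create" line the
# firewallcmd-ipset actionstart would run, or a "refuse:" diagnostic.
# Dry run only: nothing is executed, so it is safe to call anywhere.
preflight_actionstart() {
    name="$1"; bantime="$2"
    case "$(check_bantime "$bantime")" in
        ok)
            echo "ipset create fail2ban-$name hash:ip timeout $bantime" ;;
        too-large)
            echo "refuse: timeout $bantime ($(seconds_to_days "$bantime") days) exceeds ipset maximum $IPSET_MAX_TIMEOUT ($(seconds_to_days "$IPSET_MAX_TIMEOUT") days); lower bantime or use $(clamp_bantime "$bantime")" ;;
        *)
            echo "refuse: bantime '$bantime' is not a non-negative integer" ;;
    esac
}

# Demo with the values from the thread: the jail.conf default, the jail.local
# value, and the 90-day value behind the "does not exist" ban errors.
preflight_actionstart sshd 600
preflight_actionstart sshd 2592000
preflight_actionstart sshd 7776000
```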
