Hello Nick, thanks for the help in the moment ;-)

On Sunday, 21 August 2016, 17:17:43, Nick Howitt wrote:
> This has taken a bit of digging and I'm surprised there is no error in
> the message log or fail2ban log, if different. On my system (ClearOS, a
> derivative of Centos), when executing the commands manually I got:
> [root@hostname ~]# ipset create fail2ban-sshd hash:ip timeout 7776000
> ipset v6.19: Syntax error: '7776000' is out of range 0-4294967
> So, it looks like your 90 day timeout is invalid and needs to be reduced.
>
> This is on a play VM, but, interestingly, on my production box which is
> still running 6.x, the set creates OK and the rule add works OK but when
> I list the set I get:
> [root@server ~]# ipset list fail2ban-sshd
> Name: fail2ban-sshd
> Type: hash:ip
> Header: family inet hashsize 1024 maxelem 65536 timeout 7776000
> Size in memory: 16568
> References: 0
> Members:
> 98.142.52.44 timeout 4294493
>
> So it looks like in v6 it just politely accepted what you gave it and
> capped the rule to 4294967 if it was out of range. I'd say it is a
> backward step in 7.2 but I understand the counter argument that it was
> appearing to do what you told it, but in reality it was doing something
> different. That would be a discussion to be had with the ip_set
> developers rather than f2b.

Yes, I found it out ;-) but without background :-(
I set bantime = 2592000; now I can test for the high score for bantime ;-) Now I can't find any errors.

> In the meanwhile I suggest you reduce your timeout.

Yes, thanks

> On 21/08/2016 14:57, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Sunday, 21 August 2016, 14:10:15, Nick Howitt wrote:
> >> What is the output if "ipset list -n", removing all the duplicates? Can
> >> you restart f2b and look for errors in your message log, specifically
> >> anything to do with creating your jails? Please also post the contents of
> >> \etc\fail2ban\action.d\firewalldcmd-ipset.conf? And which version of f2b
> >> are you running?
> >
> > ipset list -n
> > fail2ban-sshd
> > fail2ban-sshd-ddos
> > fail2ban-selinux-ssh
> >
> > the fail2ban version 0.9.3
> >
> > cat firewallcmd-ipset.conf
> > # Fail2Ban action file for firewall-cmd/ipset
> > #
> > # This requires:
> > # ipset (package: ipset)
> > # firewall-cmd (package: firewalld)
> > #
> > # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
> > # Use ipset -V to see the protocol and version.
> > #
> > # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
> > #
> > # If you are running on an older kernel you make need to patch in external
> > # modules.
> >
> > [INCLUDES]
> >
> > before = iptables-common.conf
> >
> > [Definition]
> >
> > actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
> >               firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
> >
> > actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
> >              ipset flush fail2ban-<name>
> >              ipset destroy fail2ban-<name>
> >
> > actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
> >
> > actionunban = ipset del fail2ban-<name> <ip> -exist
> >
> > [Init]
> >
> > # Option: chain
> > # Notes: specifies the iptables chain to which the fail2ban rules should be added
> > # Values: [ STRING ]
> > #
> > chain = INPUT_direct
> >
> > # Option: bantime
> > # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
> > # Values: [ NUM ] Default: 600
> >
> > bantime = 600
> >
> > #
> > ipset -v
> > ipset v6.19, protocol version: 6
> >
> > I found nothing in /var/log/messages, only an INFO that fail2ban is started
> >
> >> On 21/08/2016 13:32, Günther J. Niederwimmer wrote:
> >>
> >> On Sunday, 21 August 2016, 13:13:14, Nick Howitt wrote:
> >> From the error message, it does not look like the problem is with
> >> firewalld but ipset as it says the ipset set has not been created. You
> >> probably need to check through the firewallcmd-ipset action to diagnose
> >> what is going on, and perhaps, check ipset is actually loaded ("lsmod |
> >> grep ip_set")
> >>
> >> This I tested when starting with my problem.
> >>
> >> lsmod | grep _set
> >>
> >> xt_set                 13181  3
> >> ip_set_hash_ip         27260  3
> >> ip_set                 36439  2 ip_set_hash_ip,xt_set
> >> nfnetlink              14606  1 ip_set
> >>
> >> but I have no idea how to check the firewalldcmd-ipset action? This is a
> >> touch too high for me :-(.
> >>
> >> On 21/08/2016 12:46, Bruno Miguel Queiros wrote:
> >> Yes.
> >>
> >> It could be something wrong with firewallcmd-ipset. Have you tried with
> >> different versions (older) of fail2ban and/or even firewalld?
> >>
> >> At 12:24 on 21-08-2016, Günther J. Niederwimmer wrote:
> >> Hello Bruno Miguel,
> >>
> >> On Sunday, 21 August 2016, 11:52:08, Bruno Miguel Queiros wrote:
> >> What is the action of your sshd jail?
> >>
> >> Do you mean this?
> >>
> >> /etc/fail2ban/jail.d/00-firewalld.conf
> >> [DEFAULT]
> >> banaction = firewallcmd-ipset
> >>
> >> and a NOT changed
> >> /etc/fail2ban/jail.conf
> >> [DEFAULT]
> >>
> >> #
> >> # MISCELLANEOUS OPTIONS
> >> #
> >>
> >> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> >> # ban a host which matches an address in this list. Several addresses can be
> >> # defined using space separator.
> >> ignoreip = 127.0.0.1/8
> >>
> >> # External command that will take an tagged arguments to ignore, e.g. <ip>,
> >> # and return true if the IP is to be ignored. False otherwise.
> >> #
> >> # ignorecommand = /path/to/command <ip>
> >> ignorecommand =
> >>
> >> # "bantime" is the number of seconds that a host is banned.
> >> bantime = 600
> >>
> >> # A host is banned if it has generated "maxretry" during the last "findtime"
> >> # seconds.
> >> findtime = 600
> >>
> >> # "maxretry" is the number of failures before a host get banned.
> >> maxretry = 5
> >>
> >> # "backend" specifies the backend used to get files modification.
> >> # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
> >> # This option can be overridden in each jail as well.
> >> #
> >> # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
> >> #            If pyinotify is not installed, Fail2ban will use auto.
> >> # gamin:     requires Gamin (a file alteration monitor) to be installed.
> >> #            If Gamin is not installed, Fail2ban will use auto.
> >> # polling:   uses a polling algorithm which does not require external libraries.
> >> # systemd:   uses systemd python library to access the systemd journal.
> >> #            Specifying "logpath" is not valid for this backend.
> >> #            See "journalmatch" in the jails associated filter config
> >> # auto:      will try to use the following backends, in order:
> >> #            pyinotify, gamin, polling.
> >> #
> >> # Note: if systemd backend is choses as the default but you enable a jail
> >> #       for which logs are present only in its own log files, specify some other
> >> #       backend for that jail (e.g. polling) and provide empty value for
> >> #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
> >> backend = auto
> >>
> >> # "usedns" specifies if jails should trust hostnames in logs,
> >> #   warn when DNS lookups are performed, or ignore all hostnames in logs
> >> #
> >> # yes:   if a hostname is encountered, a DNS lookup will be performed.
> >> # warn:  if a hostname is encountered, a DNS lookup will be performed,
> >> #        but it will be logged as a warning.
> >> # no:    if a hostname is encountered, will not be used for banning,
> >> #        but it will be logged as info.
> >> usedns = warn
> >>
> >> # "logencoding" specifies the encoding of the log files handled by the jail
> >> #   This is used to decode the lines from the log file.
> >> #   Typical examples:  "ascii", "utf-8"
> >> #
> >> #   auto:   will use the system locale setting
> >> logencoding = auto
> >>
> >> # "enabled" enables the jails.
> >> #  By default all jails are disabled, and it should stay this way.
> >> #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
> >> #
> >> # true:  jail will be enabled and log files will get monitored for changes
> >> # false: jail is not enabled
> >> enabled = false
> >>
> >>
> >> # "filter" defines the filter to use by the jail.
> >> #  By default jails have names matching their filter name
> >> #
> >> filter = %(__name__)s
> >>
> >>
> >> #
> >> # ACTIONS
> >> #
> >>
> >> # Some options used for actions
> >>
> >> # Destination email address used solely for the interpolations in
> >> # jail.{conf,local,d/*} configuration files.
> >> destemail = root@localhost
> >>
> >> # Sender email address used solely for some actions
> >> sender = root@localhost
> >>
> >> # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
> >> # mailing. Change mta configuration parameter to mail if you want to
> >> # revert to conventional 'mail'.
> >> mta = sendmail
> >>
> >> # Default protocol
> >> protocol = tcp
> >>
> >> # Specify chain where jumps would need to be added in iptables-* actions
> >> chain = INPUT
> >>
> >> # Ports to be banned
> >> # Usually should be overridden in a particular jail
> >> port = 0:65535
> >>
> >> #
> >> # Action shortcuts. To be used to define action parameter
> >>
> >> # Default banning action (e.g. iptables, iptables-new,
> >> # iptables-multiport, shorewall, etc) It is used to define
> >> # action_* variables. Can be overridden globally or per
> >> # section within jail.local file
> >> banaction = iptables-multiport
> >>
> >> # The simplest action to take: ban only
> >> action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
> >> ........
> >>
> >> At 11:21 on 21-08-2016, Günther J. Niederwimmer wrote:
> >> Hello
> >>
> >> On Saturday, 20 August 2016, 13:25:24, Bruno Miguel Queiros wrote:
> >> Tried disabling firewalld and going with regular iptables?
> >>
> >> On the Internet everyone says firewalld is working, and it is working, but
> >> only with CentOS 7.0 (????); after the update it is broken, why???
> >>
> >> this is my jail.local
> >> #
> >> [DEFAULT]
> >> bantime = 2592000
> >> findtime = 3600
> >> ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
> >> maxretry = 2
> >>
> >> #
> >> [sshd-ddos]
> >> enabled = true
> >>
> >> [sshd]
> >> enabled = true
> >>
> >> [selinux-ssh]
> >> enabled = true
> >>
> >> and these thousands of errors:
> >> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
> >> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 97.74.232.35
> >> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
> >> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> >> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
> >> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
> >> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.142.52.44
> >> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
> >> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> >> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
> >> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
> >> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.254.171.195
> >> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
> >> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> >> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
> >> 2016-08-21 11:09:33,874 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195
> >>
> >>
> >> Is ipset v6.19 broken, or iptables v1.4.21, and/or
> >>
> >> fail2ban-sendmail-0.9.3-1.el7.noarch
> >> fail2ban-firewalld-0.9.3-1.el7.noarch
> >> fail2ban-0.9.3-1.el7.noarch
> >> fail2ban-server-0.9.3-1.el7.noarch
> >>
> >> I mean this is not only my problem :-((.
> >>
> >> At 11:31 on 20-08-2016, Günther J. Niederwimmer wrote:
> >> Hello,
> >>
> >> I mean I have a big problem with fail2ban :-(
> >> When I do a restart / reload or reboot of fail2ban, afterwards my
> >> firewalld status shows this:
> >>
> >> ● firewalld.service - firewalld - dynamic firewall daemon
> >>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> >>    Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
> >>  Main PID: 13158 (firewalld)
> >>    CGroup: /system.slice/firewalld.service
> >>            └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
> >>
> >> Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
> >> Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
> >> Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
> >> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> >> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> >> Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
> >> Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
> >> Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
> >> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
> >> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
> >>
> >> fail2ban is working "normally", no errors
> >>
> >> This is an installation from EPEL with all updates ???
> >>
> >> I didn't change anything; I only made a jail.local for enabling filters.
> >>
> >> I found no way to have a working fail2ban :-((.
> >>
> >> Thanks for any help

--
best regards,
Günther J. Niederwimmer

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
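The root cause the thread arrives at is that `ipset create ... timeout <bantime>` silently fails when fail2ban's `bantime` exceeds the range ipset v6.19 accepts (0-4294967 seconds, as Nick's manual run shows), after which every `ipset add` reports "The set with the given name does not exist". The following pre-flight check is an added example, not code from the thread or from fail2ban: it reads `bantime` from jail config text and verifies it fits the ipset limit before the action is ever started. The constant `IPSET_MAX_TIMEOUT` is taken from the error message quoted in the thread; the sample jail.local is constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from fail2ban):
# check that a fail2ban bantime is usable as an ipset hash:ip timeout.

# Upper bound reported by ipset v6.19 in the thread ("out of range 0-4294967").
IPSET_MAX_TIMEOUT=4294967

# Return 0 if the given bantime (seconds) is a non-negative integer within
# the ipset timeout range, 1 otherwise.
check_ipset_bantime() {
    bantime="$1"
    case "$bantime" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain non-negative integer
    esac
    [ "$bantime" -le "$IPSET_MAX_TIMEOUT" ]
}

# Convert a ban length in days to seconds (90 days is the 7776000 in the logs).
days_to_seconds() {
    echo $(( $1 * 86400 ))
}

# Largest whole number of days that still fits the ipset timeout range.
ipset_max_ban_days() {
    echo $(( IPSET_MAX_TIMEOUT / 86400 ))
}

# Extract the bantime from fail2ban jail config text read on stdin.
# First "bantime = N" line wins; falls back to 600, the jail.conf default.
bantime_from_config() {
    val=$(sed -n 's/^[[:space:]]*bantime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${val:-600}"
}

# Constructed sample jail.local mirroring the failing configuration
# (90-day bantime) described in the thread.
SAMPLE_JAIL_LOCAL='[DEFAULT]
bantime = 7776000
findtime = 3600
maxretry = 2'

# When run directly: validate the constructed sample and explain the outcome.
bt=$(printf '%s\n' "$SAMPLE_JAIL_LOCAL" | bantime_from_config)
if check_ipset_bantime "$bt"; then
    echo "bantime $bt is within the ipset timeout limit of $IPSET_MAX_TIMEOUT s"
else
    echo "bantime $bt exceeds ipset's maximum of $IPSET_MAX_TIMEOUT s (about $(ipset_max_ban_days) days);" \
         "'ipset create' will fail and every ban will log 'The set with the given name does not exist'" >&2
fi
```

Pipe a real jail.local into `bantime_from_config` (e.g. `bantime_from_config < /etc/fail2ban/jail.local`) to check a live configuration; a 30-day value such as the 2592000 the thread settles on passes, while anything above roughly 49 days does not.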