Another person and I are seeing a race condition in the startup
of fail2ban on boot in ClearOS (a CentOS derivative). There is a thread
on it at
https://www.clearos.com/clearfoundation/social/community/attack-detector-fail2ban-sshd-iptables-rule-missing-at-boot-time.
The setup is fail2ban running with 5 jails enabled through files
dropped into /etc/fail2ban/jail.d. All files are configured to use ipset
for blocking. In ClearOS, ip_set is not loaded by default at boot time
so it appears that f2b must be loading it, but it is not waiting long
enough for the module to load before applying its first ipset rule. Logs
show:
2017-09-14 21:10:39,450 fail2ban.jail [3589]: INFO Jail 'sshd' started
2017-09-14 21:10:39,459 fail2ban.jail [3589]: INFO Jail 'sshd-ddos' started
2017-09-14 21:10:39,462 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,468 fail2ban.jail [3589]: INFO Jail 'proftpd' started
2017-09-14 21:10:39,487 fail2ban.jail [3589]: INFO Jail 'postfix-sasl' started
2017-09-14 21:10:39,498 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,508 fail2ban.jail [3589]: INFO Jail 'cyrus-imap' started
2017-09-14 21:10:39,557 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600
iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-09-14 21:10:39,558 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600
iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: "ipset v6.19: Cannot open session to kernel.\niptables v1.4.21: Set f2b-sshd doesn't exist.\n\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-09-14 21:10:39,563 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600
iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 2
2017-09-14 21:10:39,564 fail2ban.actions [3589]: ERROR Failed to start jail 'sshd' action 'iptables-ipset-proto6-allports': Error starting action
For both me and the OP, it is only the first rule which fails. The
error can be avoided by loading ip_set through a file in
/etc/sysconfig/modules, forcing ip_set to load much earlier in the boot
sequence. This indicates a race condition to me. Restarting f2b also
works, as ip_set will have loaded by then.
The distro is going down a different route which fixes it, by loading
ip_set during the firewall load and adding a "Before=fail2ban.service"
to the firewall systemd configuration, but this is really distro
specific as they have their own firewall script.
Regards,
Nick
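The two workarounds above (load ip_set early at boot, or order the module load before fail2ban.service) can be done in a distro-neutral way with systemd's own mechanisms. The script below is an added example, not code from the post or from the fail2ban project: it writes a modules-load.d fragment (the systemd equivalent of the /etc/sysconfig/modules file Nick used), a drop-in for fail2ban.service that orders it after systemd-modules-load.service and also runs modprobe itself (the inverse of the distro's "Before=fail2ban.service" on the firewall side), and a small check that scans a fail2ban log for the "Cannot open session to kernel" failure and names the jails whose action failed. The directory arguments default to the real /etc paths, which need root; the sample log lines are constructed for the example and shortened from the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original post or fail2ban). Functions only;
# call them with a writable directory to try them without root.

# 1. Make systemd-modules-load.service load ip_set early at boot.
#    $1 = target directory (assumed default: /etc/modules-load.d).
write_modules_load() {
  dir="${1:-/etc/modules-load.d}"
  mkdir -p "$dir"
  printf '%s\n' '# load the ipset kernel module before fail2ban starts' 'ip_set' \
    > "$dir/ip_set.conf"
}

# 2. Drop-in for fail2ban.service: order it after the module loader and, as
#    belt and braces, modprobe ip_set ourselves. The leading "-" on
#    ExecStartPre means a modprobe failure does not abort the unit.
#    $1 = drop-in directory (assumed default: /etc/systemd/system/fail2ban.service.d).
write_fail2ban_dropin() {
  dir="${1:-/etc/systemd/system/fail2ban.service.d}"
  mkdir -p "$dir"
  cat > "$dir/ip_set.conf" <<'EOF'
[Unit]
After=systemd-modules-load.service

[Service]
ExecStartPre=-/sbin/modprobe ip_set
EOF
}

# 3. Constructed sample fail2ban log (shortened from the lines in the post),
#    written to the path in $1, so the checks below can run offline.
write_sample_log() {
  cat > "$1" <<'EOF'
2017-09-14 21:10:39,450 fail2ban.jail [3589]: INFO Jail 'sshd' started
2017-09-14 21:10:39,468 fail2ban.jail [3589]: INFO Jail 'proftpd' started
2017-09-14 21:10:39,558 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 -- stderr: "ipset v6.19: Cannot open session to kernel.\n"
2017-09-14 21:10:39,564 fail2ban.actions [3589]: ERROR Failed to start jail 'sshd' action 'iptables-ipset-proto6-allports': Error starting action
EOF
}

# 4a. Exit 0 if the log in $1 shows ipset failing to talk to the kernel,
#     i.e. the module was not loaded when the action ran.
ipset_session_failed() {
  grep -q 'Cannot open session to kernel' "$1"
}

# 4b. Print the unique names of jails whose action failed to start, one per line.
failed_jails() {
  grep -o "Failed to start jail '[^']*'" "$1" \
    | sed "s/.*'\([^']*\)'/\1/" \
    | sort -u
}
```

After writing the real files, run `systemctl daemon-reload` and reboot (or `systemctl restart fail2ban`); `lsmod | grep ip_set` before fail2ban starts confirms the module is present. The log check is handy for spotting a recurrence on the next boot: `failed_jails /var/log/fail2ban.log` should print nothing.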
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users