On 26-09-2020 23:29, Chris Green wrote:
I have just installed fail2ban on a virtual server I run on Gandi
Internet in France.

The virtual server runs Ubuntu 8.04.5 LTS and I installed fail2ban
from the standard repositories, version 0.10.2-2.

I haven't changed the configuration at all, I just went with what 'apt
install fail2ban' did for me.

It seems to be working (I installed it because I'm seeing crazy
numbers of attempted ssh logins) but I'm getting CRITICAL errors when
it tries to unban someone.  As follows:-


2020-09-26 16:24:54,491 fail2ban.actions        [1563]: NOTICE  [sshd] Unban 51.68.44.154
2020-09-26 16:24:54,530 fail2ban.utils          [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- returned 1
2020-09-26 16:24:54,532 fail2ban.CommandAction  [1563]: ERROR   Invariant check failed. Trying to restore a sane environment
2020-09-26 16:24:54,576 fail2ban.utils          [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
2020-09-26 16:24:54,577 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
2020-09-26 16:24:54,577 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-09-26 16:24:54,578 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-09-26 16:24:54,578 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- returned 1
2020-09-26 16:24:54,578 fail2ban.CommandAction  [1563]: CRITICAL Unable to restore environment
2020-09-26 16:24:54,578 fail2ban.actions        [1563]: ERROR   Failed to 
execute unban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': 
'51.68.44.154', 'family': 'inet4', 'ip-rev': '154.44.68.51.', 'ip-host': 
'154.ip-51-68-44.eu', 'fid': '51.68.44.154', 'failures': 5, 'time': 
1601129694.0, 'matches': 'Sep 26 16:06:35 isbdGandi sshd[3573]: Failedpassword 
for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep26 16:14:54 
isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 
port 38711 ssh2', 'restored': 0, 'F-*': {'matches': ['Sep 26 16:06:35 isbdGandi 
sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 
55371 ssh2', 'Sep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid 
user r00t from 51.68.44.154 port 38711ssh2'], 'failures': 5, 'mlfid': ' 
isbdGandi sshd[3573]: ', 'user': 'escaner', 'ip4': '51.68.44.154'}, 
'ipmatches': 'Sep 26 15:05:48 isbdGandi sshd[2730]: Failed password for invalid 
user rohit fro
   m 51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]:Failed 
password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 
15:17:47 isbdGandi sshd[2918]: Failed password for invalid user anonymous from 
51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed 
password for invalid user tibero from 51.68.44.154 port 53972 ssh2\nSep 26 
15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin from 
51.68.44.154 port 48886 ssh2\nSep 26 15:46:16 isbdGandi sshd[3302]: Failed 
password for invalid user martin from 51.68.44.154 port 54672 ssh2\nSep 26 
15:54:21 isbdGandi sshd[3408]: Failed passwordfor invalid user jeff from 
51.68.44.154 port 38013 ssh2\nSep 26 16:02:30isbdGandi sshd[3506]: Failed 
password for invalid user user1 from 51.68.44.154 port 49586 ssh2\nSep 26 
16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 
51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed 
password for in
   valid user r00t from 51.68.44.154 port 38711 ssh2', 'ipjailmatches': 'Sep 26 
15:05:48 isbdGandi sshd[2730]: Failed password for invalid user rohit from 
51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]: Failed 
password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 
15:17:47 isbdGandi sshd[2918]: Failed password for invaliduser anonymous from 
51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed 
password for invalid user tibero from 51.68.44.154port 53972 ssh2\nSep 26 
15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin from 
51.68.44.154 port 48886 ssh2\nSep 26 15:46:16 isbdGandi sshd[3302]: Failed 
password for invalid user martin from 51.68.44.154 port 54672 ssh2\nSep 26 
15:54:21 isbdGandi sshd[3408]: Failed password for invalid user jeff from 
51.68.44.154 port 38013 ssh2\nSep 26 16:02:30 isbdGandi sshd[3506]: Failed 
password for invalid user user1 from 51.68.44.154 port 49586 ssh2\nSep 26 
16:06:35 isbdGand
   i sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 
port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for 
invalid user r00t from 51.68.44.154 port 38711 ssh2', 'ipfailures':25, 
'ipjailfailures': 25})': Error unbanning 51.68.44.154


It carries on running OK but obviously there's something rather wrong
somewhere.


So can someone point me in the right direction please, maybe I need to
install something else as well or maybe I simply need to tweak the
fail2ban configuration somewhere.

I'm a total newbie where fail2ban is concerned though I'm fairly OK
with basic Linux system administration.

Oh, the virtual server doesn't have many ports open, just 22/ssh and
443/https, it's really only the ssh port I seem to need to protect.

Your virtual machine seems to be a Xen DomU VM, based on the path to the kernel modules directory as listed in:

2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'

The last time I looked at Xen virtualization (some years ago), it used a kernel that was set up outside of the Xen container. The actual kernel image and the related modules are not part of the distribution you're running. The path to the kernel modules is set up in the kernel, and all modules are loaded outside of the boot process of your distribution. This means that your VM vendor (Gandi) should load the iptables modules for you, and you can't do it yourself within the container. Maybe they provide you with some config panel where you can alter the kernel setup a bit, or their support team can help you out.

More probable is that they allow you to administer the firewall through their config panel (and the firewall is run outside your VM, on the VM host), which means that fail2ban can't issue any firewall management commands at all. Your use for fail2ban is thereby limited to application-level blocking techniques (for instance hostsdeny) and mail alerts. As far as protecting your ssh port against all the attacks you're seeing, I would say that your best shot is running sshd on an alternative port, and be done with it. Or find a different virtualisation host.

Kind regards,
Tom


But I guess you're out of luck: Gandi should protect you from
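
An added example, not part of the original thread or of fail2ban itself: a small shell filter that reads fail2ban log lines like those quoted above and reports which jail and action failed, and whether the cause is the guest kernel offering no iptables support. The function names are hypothetical, and the sample lines are constructed from the quoted log (unwrapped, with the long ActionInfo payload shortened to "...").

```shell
#!/bin/sh
# Added example. Sample lines are constructed from the log quoted in the post:
# unwrapped, with the long ActionInfo payload shortened to "...".
sample_log() {
cat <<'EOF'
2020-09-26 16:24:54,491 fail2ban.actions        [1563]: NOTICE  [sshd] Unban 51.68.44.154
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-09-26 16:24:54,578 fail2ban.CommandAction  [1563]: CRITICAL Unable to restore environment
2020-09-26 16:24:54,578 fail2ban.actions        [1563]: ERROR   Failed to execute unban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({...})': Error unbanning 51.68.44.154
EOF
}

# Read a fail2ban log on stdin; print one line per failed ban/unban action,
# tagged with the cause seen in the stderr lines logged just before it.
f2b_action_failures() {
    awk -v q="'" '
    # Pull the single-quoted value that follows a keyword such as "jail ".
    function quoted(line, key,    re) {
        re = key q "[^" q "]+" q
        if (!match(line, re)) return "?"
        return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 2)
    }
    /Module ip_tables not found/ || /Table does not exist/ { cause = "kernel-lacks-iptables" }
    /Failed to execute (ban|unban) jail/ {
        op = ($0 ~ /execute unban/) ? "unban" : "ban"
        printf "jail=%s action=%s op=%s cause=%s\n", quoted($0, "jail "), quoted($0, "action "), op, (cause ? cause : "other")
        cause = ""
    }'
}

# Exit 0 if any failure is due to the kernel offering no iptables support,
# i.e. the case where a firewall banaction cannot work inside the guest.
f2b_needs_non_firewall_action() {
    f2b_action_failures | grep -q 'cause=kernel-lacks-iptables'
}

if sample_log | f2b_needs_non_firewall_action; then
    sample_log | f2b_action_failures
    echo "firewall actions cannot work here; use an application-level action such as hostsdeny"
fi
```

On a live system the same functions can be fed the real log, for example `f2b_action_failures < /var/log/fail2ban.log`, assuming the log is at that path.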






_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
