Sorry, I failed to send the mail to the list...

Hi Nick,

many thanks for your reply. I copied the iptables.conf file to iptables.local and searched for the -w option but could not find it. The iptables.local (which is an exact copy of iptables.conf) looks like this.

############################################################################
# cat iptables.local
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
############################################################################

As I wrote before, I can't find the -w option there. Is there another config file which pulls the -w option?

Many thanks in advance.

Best Regards,
Thomas

PS: I dislike writing TOFU but as you wrote Text above and full quote below I will do it as well.

On 11/27/2015 05:46 PM, Nick Howitt wrote:
> The clue is in the error message. Your version of iptables does not
> support the -w switch so you'll need to remove it from your
> action.d/iptables.conf. Earlier versions of f2b did not use the -w
> switch. You may also want to change iptables-multiport.conf. Really the
> recommended way is to create a new file, action.d/iptables.local and
> make the changes there. That way you leave the original installation
> intact.
>
> Regards,
>
> Nick
>
> On 27/11/2015 14:19, Thomas Doczkal wrote:
> > Hello,
> >
> > I have a strange issue here.
> > iptables installed are Version iptables v1.4.14.
> > I haven't changed the action.d/iptables.conf.
> > I have installed the latest version fail2ban-client 0.9.3 and configured
> > ssh-iptables as follows
> >
> > ####################################
> > [ssh-iptables]
> > enabled = true
> > bantime = 36000
> > ignoreip = 127.0.0.1
> >
> > filter = sshd
> > action = iptables[name=SSH, port=ssh, protocol=tcp]
> > # mail-whois[name=SSH,dest=yourm...@mail.com]
> > #logpath = /var/log/sshd.log
> > logpath = /var/log/auth.log
> > maxretry = 3
> > ####################################
> >
> > I can see failed entries and banned ips but iptables are not changed.
> >
> > One of the attacker IPs is 74.208.47.218
> >
> > I have the following in my fail2ban.log file.
> > I did an unban with fail2ban-client and received the following output:
> >
> > ####################################
> > 2015-11-25 19:16:47,463 fail2ban.actions [26745]: NOTICE
> > [ssh-iptables] Unban 74.208.47.218
> > 2015-11-25 19:16:47,599 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stdout: ''
> > 2015-11-25 19:16:47,603 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stderr: 'iptables
> > v1.4.14: unknown option "-w"\nTry `iptables -h\' or \'iptables --help\'
> > for more information.\n'
> > 2015-11-25 19:16:47,607 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- returned 1
> > 2015-11-25 19:16:47,610 fail2ban.CommandAction [26745]: ERROR
> > Invariant check failed. Trying to restore a sane environment
> > 2015-11-25 19:16:47,746 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- stdout: ''
> > 2015-11-25 19:16:47,750 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- stderr: 'iptables v1.4.14: unknown option
> > "-w"\nTry `iptables -h\' or \'iptables --help\' for more
> > information.\niptables v1.4.14: unknown option "-w"\nTry `iptables -h\'
> > or \'iptables --help\' for more information.\niptables v1.4.14: unknown
> > option "-w"\nTry `iptables -h\' or \'iptables --help\' for more
> > information.\n'
> > 2015-11-25 19:16:47,754 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- returned 2
> > 2015-11-25 19:16:47,758 fail2ban.actions [26745]: ERROR Failed
> > to execute unban jail 'ssh-iptables' action 'iptables' info '{'matches':
> > 'Nov 25 15:35:35 homeserver01 sshd[31789]: Invalid user pi from
> > 74.208.47.218Nov 25 15:35:38 homeserver01 sshd[31793]: Invalid user pi
> > from 74.208.47.218Nov 25 15:35:39 homeserver01 sshd[31795]: Invalid user
> > pi from 74.208.47.218Nov 25 15:35:41 homeserver01 sshd[31797]: Invalid
> > user pi from 74.208.47.218Nov 25 15:35:42 homeserver01 sshd[31799]:
> > Invalid user pi from 74.208.47.218', 'ip': '74.208.47.218', 'time':
> > 1448474683.343454, 'failures': 5}': Error stopping action
> > ####################################
> >
> > same if I try to ban the ip manually:
> > ####################################
> > 2015-11-25 19:40:21,364 fail2ban.actions [26745]: NOTICE
> > [ssh-iptables] Ban 74.208.47.218
> > 2015-11-25 19:40:21,501 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stdout: ''
> > 2015-11-25 19:40:21,506 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stderr: 'iptables
> > v1.4.14: unknown option "-w"\nTry `iptables -h\' or \'iptables --help\'
> > for more information.\n'
> > 2015-11-25 19:40:21,509 fail2ban.action [26745]: ERROR iptables
> > -w -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- returned 1
> > 2015-11-25 19:40:21,513 fail2ban.CommandAction [26745]: ERROR
> > Invariant check failed. Trying to restore a sane environment
> > 2015-11-25 19:40:21,650 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- stdout: ''
> > 2015-11-25 19:40:21,654 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- stderr: 'iptables v1.4.14: unknown option
> > "-w"\nTry `iptables -h\' or \'iptables --help\' for more
> > information.\niptables v1.4.14: unknown option "-w"\nTry `iptables -h\'
> > or \'iptables --help\' for more information.\niptables v1.4.14: unknown
> > option "-w"\nTry `iptables -h\' or \'iptables --help\' for more
> > information.\n'
> > 2015-11-25 19:40:21,658 fail2ban.action [26745]: ERROR iptables
> > -w -D INPUT -p tcp --dport ssh -j f2b-SSH
> > iptables -w -F f2b-SSH
> > iptables -w -X f2b-SSH -- returned 2
> > 2015-11-25 19:40:21,661 fail2ban.actions [26745]: ERROR Failed
> > to execute ban jail 'ssh-iptables' action 'iptables' info
> > 'CallingMap({'ipjailmatches': <function <lambda> at 0xb66644b0>,
> > 'matches': '', 'ip': '74.208.47.218', 'ipmatches': <function <lambda> at
> > 0xb6664470>, 'ipfailures': <function <lambda> at 0xb6664430>, 'time':
> > 1448476821.364055, 'failures': 3, 'ipjailfailures': <function <lambda>
> > at 0xb66643f0>})': Error stopping action
> > ####################################
> >
> > I haven't changed the action.d/iptables.conf.
> >
> >
> > Any idea where I have to delete the unknown option -w?
> > I have tried to grep for -w but could not find a way to escape - so I
> > had no luck with this.
> >
> > Many thanks in advance.
> >
> > Best Regards,
> > Thomas
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Fail2ban-users mailing list
> > fail2ban-us...@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> ------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
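
Added example, not part of the thread and not fail2ban's own code: a shell helper that searches an action file and every file it pulls in through `before =` for a literal option such as `-w`, using `grep -e` so the leading dash is not parsed as a grep option. The two files it writes are constructed stand-ins; the `lockingopt` line is an assumption about how the included iptables-common.conf defines the `<iptables>` tag, so check your installed copy.

```shell
#!/bin/sh
# find_option DIR FILE OPTION
# Prints "file:line:text" for each non-comment line containing OPTION in FILE
# and in every file FILE includes via "before =" (resolved relative to DIR).
find_option() {
    local dir=$1 file=$2 opt=$3 inc
    [ -f "$dir/$file" ] || return 0
    # -F: fixed string, no regex. -e: the next word is the pattern, even
    # when it starts with "-" (plain `grep -w` is read as a grep flag).
    grep -nF -e "$opt" "$dir/$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed "s|^|$file:|"
    # Follow the [INCLUDES] chain, as in "before = iptables-common.conf".
    for inc in $(sed -n 's/^before[[:space:]]*=[[:space:]]*//p' "$dir/$file"); do
        find_option "$dir" "$inc" "$opt"
    done
}

# make_sample: builds a constructed action.d directory and prints its path.
make_sample() {
    local d
    d=$(mktemp -d)
    # Constructed excerpt of the action file quoted in the mail above.
    printf '%s\n' '[INCLUDES]' 'before = iptables-common.conf' '[Definition]' \
        'actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>' \
        > "$d/iptables.conf"
    # Constructed stand-in for the included file (assumed layout).
    printf '%s\n' '[Init]' '# locking option, e.g. -w' 'lockingopt = -w' \
        'iptables = iptables <lockingopt>' > "$d/iptables-common.conf"
    echo "$d"
}

# Stand-alone demonstration on the constructed files.
sample_dir=$(make_sample)
find_option "$sample_dir" iptables.conf -w
rm -rf "$sample_dir"
```

On a real installation the call would be `find_option /etc/fail2ban/action.d iptables.conf -w`; whatever setting it reports is the one to override in a `.local` file, as the quoted reply recommends.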