Package: fail2ban
Version: 0.10.2-2.1
Severity: normal

Dear Maintainer,
I have been using fail2ban for a long time with iptables-allports:

banaction = iptables-allports
banaction = iptables-allports

With over 50k+ IPs being banned I figured that I might benefit from the perceived lower overhead of nftables so changed it to:

banaction = nftables-allports
banaction_allports = nftables-allports

fail2ban was immediately reporting errors when I started it:

2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: Level 39 7f227a456760 -- exec: nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'add set inet filter f2b-sshd { type ipv4_addr; }'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: '         ^^^^^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: '            ^^^^^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- returned 1

I found, through trial and error, that the issue appears to be nftables_family = inet so I added an action.d/nftables-common.local file with:

[Init]
nftables_family = ip

Which seems to work.
Looked at the current upstream version and its configuration file is significantly different to the one that ships in buster to easily compare. It does appear though, that they set it to inet so not sure what the deal is.

Happy to help,
/Allan

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/24 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  10.2019051400
ii  python3   3.7.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.8.2-4
ii  nftables           0.9.0-2
ii  python             2.7.16-1
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    234-2+b1
ii  whois              5.4.3

Versions of packages fail2ban suggests:
ii  mailutils [mailx]                   1:3.5-3
pn  monit                               <none>
ii  sqlite3                             3.27.2-3
ii  syslog-ng-core [system-log-daemon]  3.19.1-5

-- Configuration Files:
/etc/fail2ban/fail2ban.conf changed:
[Definition]
loglevel = INFO
logtarget = SYSLOG
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d

/etc/fail2ban/filter.d/apache-common.conf changed:
[INCLUDES]
after = apache-common.local
[DEFAULT]

/etc/fail2ban/filter.d/postfix.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtpd
failregex = ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)slost connection after (AUTH|CONNECT) from .+\[<HOST>\]$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)sSSL_accept error from .+\[<HOST>\]: (-1|0)
            ^%(__prefix_line)swarning: .*\[<HOST>\]: SASL LOGIN authentication failed: Invalid authentication mechanism
            ^%(__prefix_line)swarning: .+\[<HOST>\]: SASL PLAIN authentication failed: Connection lost to authentication server
            ^%(__prefix_line)swarning: Connection concurrency limit exceeded: [0-9]+ from .+\[<HOST>\] for service smtp$
            ^%(__prefix_line)swarning: non-SMTP command from.+\[<HOST>\]:
            ^%(__prefix_line)swarning: numeric hostname: <HOST>$
ignoreregex = ^%(__prefix_line)slost connection after CONNECT from unknown\[unknown\]

/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)serror: maximum authentication attempts exceeded for invalid user .+: from <HOST> port .+ ssh2 \[preauth\]
            ^%(__prefix_line)serror: Received disconnect from <HOST> port .+: Auth fail \[preauth\]$
            ^%(__prefix_line)serror: Received disconnect from <HOST> port .+: No authentication methods available \[preauth\]$
            ^%(__prefix_line)serror: Received disconnect from <HOST> port .+: No more user authentication methods available\. \[preauth\]
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
            ^%(__prefix_line)sBad protocol version identification .+ from <HOST> port [0-9]+$
            ^%(__prefix_line)sConnection closed by <HOST> port .+ \[preauth\]$
            ^%(__prefix_line)sConnection reset by <HOST> port .+ \[preauth\]$
            ^%(__prefix_line)sDid not receive identification string from <HOST> port [0-9]+$
            ^%(__prefix_line)sDisconnected from <HOST> port .+ \[preauth\]$
            ^%(__prefix_line)sInvalid user .+ from <HOST> port [0-9]+$
            ^%(__prefix_line)sReceived disconnect from <HOST> port .+ \[preauth\]$
            ^%(__prefix_line)sUnable to negotiate with <HOST> port .+: no matching host key type found\. Their offer: .+ \[preauth\]$
            ^%(__prefix_line)sUnable to negotiate with <HOST> port .+: no matching key exchange method found\. Their offer: .+ \[preauth\]$
ignoreregex =

/etc/fail2ban/jail.conf changed:
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
ignorecommand =
bantime = -1
findtime = 10m
maxretry = 1
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = nftables-allports
banaction_allports = nftables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_)s

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s

[selinux-ssh]
port = ssh
logpath = %(auditd_log)s

[apache-auth]
port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
port = http,https
logpath = %(apache_error_log)s

[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1

[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s

[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2

[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s

[suhosin]
port = http,https
logpath = %(suhosin_log)s

[lighttpd-auth]
port = http,https
logpath = %(lighttpd_error_log)s

[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s

[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log

[horde]
port = http,https
logpath = /var/log/horde/horde.log

[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log

[sogo-auth]
port = http,https
logpath = /var/log/sogo/sogo.log

[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https

[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out

[monit]
port = 2812
logpath = /var/log/monit

[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log

[3proxy]
port = 3128
logpath = /var/log/3proxy.log

[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s

[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s

[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s

[vsftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt

[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix]
backend = %(postfix_backend)s
port = smtp,465,submission
logpath = %(postfix_log)s
mode = more

[postfix-rbl]
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current

[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s

[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s

[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s

[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

[courier-auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[perdition]
port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[uwimap-auth]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[named-refused]
port = domain,953
logpath = /var/log/named/security.log

[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10

[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10

[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s

[mongodb-auth]
port = 27017
logpath = /var/log/mongodb/mongodb.log

[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

[pam-generic]
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2

[stunnel]
logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1

[oracleims]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
port = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
bantime = 1h
maxretry = 1
findtime = 1

[murmur]
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log

[screensharingd]
logpath = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[zoneminder]
port = http,https
logpath = %(apache_error_log)s

/etc/fail2ban/jail.d/defaults-debian.conf [Errno 2] No such file or directory: '/etc/fail2ban/jail.d/defaults-debian.conf'
/etc/logrotate.d/fail2ban changed:

-- no debconf information
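The two nft commands in the log above reference the table "inet filter" and its chain INPUT without creating them, and "No such file or directory" is what nft reports when that table or chain does not exist (an iptables-nft setup only creates "ip filter", which is why switching nftables_family to ip works). The following is an added diagnostic, not fail2ban's or Debian's code, that checks an `nft list ruleset` dump for the table and chain an nftables action expects before it is enabled; the f2b_nft_* names, the constructed sample ruleset and the bootstrap commands are assumptions.

```shell
# Constructed sample of `nft list ruleset` on a buster host with iptables-nft:
# an "ip filter" table exists, but no "inet filter" table at all.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}
}
table inet nat {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
	}
}'

# usage: nft list ruleset | f2b_nft_check FAMILY TABLE CHAIN
# prints ok / missing-table / missing-chain and returns 0 only for ok
f2b_nft_check() {
  family=$1 table=$2 chain=$3
  ruleset=$(cat)
  # the table header is at column 0: "table <family> <name> {"
  if ! printf '%s\n' "$ruleset" | grep -Eq "^table $family $table( |$)"; then
    echo missing-table; return 1
  fi
  # chains are indented inside their own table block, so only search that block
  if ! printf '%s\n' "$ruleset" | awk -v t="table $family $table" -v c="chain $chain" '
        $0 ~ ("^" t " ")           { in_t = 1; next }
        in_t && /^}/               { in_t = 0 }
        in_t && $0 ~ ("^[ \t]+" c " ") { found = 1 }
        END { exit found ? 0 : 1 }'; then
    echo missing-chain; return 1
  fi
  echo ok
}

# Prints (does not run) the commands that create what an inet-family action
# expects; an assumed alternative to switching nftables_family to ip.
f2b_nft_bootstrap_cmds() {
  family=$1 table=$2 chain=$3
  printf 'nft add table %s %s\n' "$family" "$table"
  printf "nft add chain %s %s %s '{ type filter hook input priority 0; policy accept; }'\n" \
    "$family" "$table" "$chain"
}

# Run against the constructed sample: reports missing-table, then the fix commands.
printf '%s\n' "$SAMPLE_RULESET" | f2b_nft_check inet filter INPUT \
  || f2b_nft_bootstrap_cmds inet filter INPUT
```

On a live host replace the sample with `nft list ruleset` output (as root) and check the family, table and chain from action.d/nftables-common.conf and the jail's chain setting.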