Package: fail2ban
Version: 1.1.0-8
Severity: normal

Dear Maintainer,
* What led up to the situation?

  I noticed the issue after the trixie update, however it may have been in
  the bookworm version also already, without me noticing it.

* What exactly did you do (or not do) that was effective (or ineffective)?

  When you add a banned IP to the recidive jail, the IP is added, and an
  error is logged to fail2ban.log. This also happens when the banned IPs are
  re-added to the recidive jail when fail2ban is started. The error is:

  2025-08-12 23:20:46,008 fail2ban.actions [191971]: NOTICE [recidive] Ban 91.210.179.185
  2025-08-12 23:20:46,047 fail2ban.utils [191971]: ERROR 7fcd1d583360 -- exec:
  nft add table inet f2b-table
  nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
  nft add set inet f2b-table addr-set-recidive \{ type ipv4_addr\; \}
  nft add rule inet f2b-table f2b-chain meta l4proto \{ all \} ip saddr @addr-set-recidive reject
  2025-08-12 23:20:46,047 fail2ban.utils [191971]: ERROR 7fcd1d583360 -- stderr: 'Error: syntax error, unexpected all'
  2025-08-12 23:20:46,047 fail2ban.utils [191971]: ERROR 7fcd1d583360 -- stderr: 'add rule inet f2b-table f2b-chain meta l4proto { all } ip saddr @addr-set-recidive reject'
  2025-08-12 23:20:46,048 fail2ban.utils [191971]: ERROR 7fcd1d583360 -- stderr: ' ^^^'
  2025-08-12 23:20:46,048 fail2ban.utils [191971]: ERROR 7fcd1d583360 -- returned 1
  2025-08-12 23:20:46,048 fail2ban.actions [191971]: ERROR Failed to execute ban jail 'recidive' action 'nftables' info 'ActionInfo({'ip': '91.210.179.185', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fcd1f05e020>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fcd1f05e7a0>})': Error starting action Jail('recidive')/nftables: 'Script error'

* What was the outcome of this action?

  Many errors added to the log fail2ban.log. The IPs _are_ added to the jail,
  it's just that this error is also logged. And because I had about 818 IPs in
  the recidive jail, that's a lot of errors that are not needed.
* What outcome did you expect instead?

  The error should not be logged. I checked the jail with

    fail2ban-client get recidive banned

  and the correct IPs are listed, so they seem to have been re-added correctly.

Thanks for all the awesome work for fail2ban in Debian.

With kind regards,
Erik

-- System Information:
Debian Release: 13.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  python3          3.13.5-1
ii  python3-systemd  235-1+b6

Versions of packages fail2ban recommends:
ii  iptables            1.8.11-2
ii  nftables            1.1.3-1
pn  python3-pyinotify   <none>
pn  python3-setuptools  <none>
ii  whois               5.6.3

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20220412cvs-1.1
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2504.0-1
pn  sqlite3                      <none>

-- Configuration Files:
/etc/fail2ban/action.d/complain.conf changed:
[INCLUDES]
before = helpers-common.conf

[Definition]
debug = 0
norestored = 1

actionstart =

actionstop =

actioncheck =

actionban = oifs=${IFS};
            RESOLVER_ADDR="%(addr_resolver)s"
            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
            IFS=,; ADDRESSES=$(echo $ADDRESSES)
            IFS=${oifs}
            IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
                ( printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)';
                  printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
                  %(_grep_logs)s;
                ) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
            fi

actionunban =

addr_resolver = <ip-rev>abuse-contacts.abusix.org

message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network.
          We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n
          This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (i...@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n

logpath = /dev/null
mailcmd = mail -s
mailargs =

/etc/fail2ban/action.d/dshield.conf changed:
[Definition]
norestored = 1

actionstart =

actionstop = if [ -f <tmpfile>.buffer ]; then
                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                 date +%%s > <tmpfile>.lastsent
             fi
             rm -f <tmpfile>.buffer <tmpfile>.first

actioncheck =

actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
            PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
            if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
            NOW=`date +%%s`
            if [ ! -f <tmpfile>.first ]; then
                echo <time> | cut -d. -f1 > <tmpfile>.first
            fi
            if [ ! -f <tmpfile>.lastsent ]; then
                echo 0 > <tmpfile>.lastsent
            fi
            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
                rm -f <tmpfile>.buffer <tmpfile>.first
                echo $NOW > <tmpfile>.lastsent
            fi

actionunban = if [ -f <tmpfile>.first ]; then
                  NOW=`date +%%s`
                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
                  if [ $LOGAGE -gt <maxbufferage> ]; then
                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                      rm -f <tmpfile>.buffer <tmpfile>.first
                      echo $NOW > <tmpfile>.lastsent
                  fi
              fi

[Init]
port = ???
userid = 0
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
protocol = tcp
lines = 50
minreportinterval = 3600
maxbufferage = 21600
srcport = ???
tcpflags =
mailcmd = mail -s
mailargs =
dest = repo...@dshield.org
tmpfile = /var/run/fail2ban/tmp-dshield

/etc/fail2ban/action.d/mail-buffered.conf changed:
[Definition]
norestored = 1

actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Output will be buffered until <lines> lines are available.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

actionstop = if [ -f <tmpfile> ]; then
                 printf %%b "Hi,\n
                 These hosts have been banned by Fail2Ban.\n
                 `cat <tmpfile>`
                 Regards,\n
                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
                 rm <tmpfile>
             fi
             printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

actioncheck =

actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
            if [ $LINE -ge <lines> ]; then
                printf %%b "Hi,\n
                These hosts have been banned by Fail2Ban.\n
                `cat <tmpfile>`
                \nRegards,\n
                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
                rm <tmpfile>
            fi

actionunban =

[Init]
name = default
lines = 5
tmpfile = /var/run/fail2ban/tmp-mail.txt
dest = root

/etc/fail2ban/action.d/mail-whois-lines.conf changed:
[INCLUDES]
before = mail-whois-common.conf
         helpers-common.conf

[Definition]
norestored = 1

actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

actioncheck =

_ban_mail_content = ( printf %%b "Hi,\n
                    The IP <ip> has just been banned by Fail2Ban after
                    <failures> attempts against <name>.\n\n
                    Here is more information about <ip> :\n"
                    %(_whois_command)s;
                    printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
                    %(_grep_logs)s;
                    printf %%b "\n
                    Regards,\n
                    Fail2Ban" )

actionban = %(_ban_mail_content)s | <mailcmd> "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

actionunban =

[Init]
mailcmd = mail -s
name = default
dest = root
logpath = /dev/null

/etc/fail2ban/action.d/mail-whois.conf changed:
[INCLUDES]
before = mail-whois-common.conf

[Definition]
norestored = 1

actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

actioncheck =

actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `%(_whois_command)s`\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

actionunban =

[Init]
name = default
dest = root

/etc/fail2ban/action.d/mail.conf changed:
[Definition]
norestored = 1

actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>

actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>

actioncheck =

actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

actionunban =

[Init]
name = default
dest = root

/etc/fail2ban/fail2ban.conf changed:
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 2w
dbmaxmatches = 10

[Definition]

[Thread]

-- no debconf information
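The report above pairs a "NOTICE [recidive] Ban" line with an "ERROR Failed to execute ban" line for the same IP. As an added example (not part of the bug report and not fail2ban's own code), this Python script triages a fail2ban.log in that format: per jail it counts the Ban notices and how many of them were followed by a failed action script, so the result can be compared with `fail2ban-client get <jail> banned`. The sample lines are constructed from the report's format (the sshd line is made up).

```python
"""Triage a fail2ban.log: bans whose action script failed (added example, not fail2ban code)."""
import re
import sys
from collections import defaultdict

# Constructed sample in the report's log format; the recidive/nftables lines mirror
# the report, the sshd line is made up for contrast.
SAMPLE_LOG = """\
2025-08-12 23:20:46,008 fail2ban.actions        [191971]: NOTICE  [recidive] Ban 91.210.179.185
2025-08-12 23:20:46,048 fail2ban.utils          [191971]: ERROR   7fcd1d583360 -- returned 1
2025-08-12 23:20:46,048 fail2ban.actions        [191971]: ERROR   Failed to execute ban jail 'recidive' action 'nftables' info 'ActionInfo({'ip': '91.210.179.185', 'family': 'inet4'})': Error starting action Jail('recidive')/nftables: 'Script error'
2025-08-12 23:20:47,100 fail2ban.actions        [191971]: NOTICE  [sshd] Ban 203.0.113.7
"""

# "NOTICE [jail] Ban <ip>" and "ERROR Failed to execute ban jail '<jail>' action '<action>' ..."
BAN_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
FAIL_RE = re.compile(r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)'"
                     r" action '(?P<action>[^']+)' info '.*?'ip': '(?P<ip>[^']+)'")


def triage(log_text):
    """Return (bans, failed): bans = {jail: number of Ban notices},
    failed = {(jail, action): {ip: number of failed action scripts}}."""
    bans = defaultdict(int)
    failed = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            bans[m["jail"]] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            failed[(m["jail"], m["action"])][m["ip"]] += 1
    return dict(bans), {k: dict(v) for k, v in failed.items()}


def summarize(log_text):
    """One line per jail: bans seen vs bans whose action script reported an error."""
    bans, failed = triage(log_text)
    out = []
    for jail in sorted(bans):
        nfail = sum(sum(ips.values()) for (j, _), ips in failed.items() if j == jail)
        out.append(f"{jail}: {bans[jail]} ban(s), {nfail} with a failed action script")
    return out


if __name__ == "__main__":  # usage: python3 f2b_triage.py /var/log/fail2ban.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(summarize(text)))
```

A jail whose failed-action count equals its ban count, while `fail2ban-client get <jail> banned` still lists the IPs, is the pattern described in the report: the bans are recorded but every nftables action invocation errors out.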