Hello,
On Sunday, 21 August 2016, 14:10:15, Nick Howitt wrote:
> What is the output of "ipset list -n", removing all the duplicates? Can you
> restart f2b and look for errors in your message log, specifically anything
> to do with creating your jails? Please also post the contents of
> \etc\fail2ban\action.d\firewalldcmd-ipset.conf? And which version of f2b
> are you running?
ipset list -n
fail2ban-sshd
fail2ban-sshd-ddos
fail2ban-selinux-ssh
the fail2ban version 0.9.3
cat firewallcmd-ipset.conf
# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
[INCLUDES]
before = iptables-common.conf
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
             ipset flush fail2ban-<name>
             ipset destroy fail2ban-<name>
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
actionunban = ipset del fail2ban-<name> <ip> -exist
[Init]
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct
# Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600
bantime = 600
#
ipset -v
ipset v6.19, protocol version: 6
I found nothing in /var/log/messages, only an INFO that fail2ban is started
> On 21/08/2016 13:32, Günther J. Niederwimmer wrote:
>
> On Sunday, 21 August 2016, 13:13:14, Nick Howitt wrote:
> From the error message, it does not look like the problem is with
> firewalld but ipset as it says the ipset set has not been created. You
> probably need to check through the firewallcmd-ipset action to diagnose
> what is going on, and perhaps, check ipset is actually loaded ("lsmod |
> grep ip_set")
> this I tested on starting with my problem.
>
> lsmod | grep _set
> xt_set 13181 3
> ip_set_hash_ip 27260 3
> ip_set 36439 2 ip_set_hash_ip,xt_set
> nfnetlink 14606 1 ip_set
>
> but I have no idea how to check the firewalldcmd-ipset action? This is a touch
> too high for me :-(.
>
> On 21/08/2016 12:46, Bruno Miguel Queiros wrote:
> Yes.
>
>
> It could be something wrong with firewallcmd-ipset. Have you tried with
> different versions (older) of fail2ban and/or even firewalld?
>
> At 12:24 on 21-08-2016, Günther J. Niederwimmer wrote:
> Hello Bruno Miguel,
>
> On Sunday, 21 August 2016, 11:52:08, Bruno Miguel Queiros wrote:
> What is the action of your sshd jail?
> Do you mean this?
>
> /etc/fail2ban/jail.d/00-firewalld.conf
> [DEFAULT]
> banaction = firewallcmd-ipset
>
> and a NOT changed
> /etc/fail2ban/jail.conf
> [DEFAULT]
>
> #
> # MISCELLANEOUS OPTIONS
> #
>
> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> # ban a host which matches an address in this list. Several addresses can be
> # defined using space separator.
> ignoreip = 127.0.0.1/8
>
> # External command that will take an tagged arguments to ignore, e.g. <ip>,
> # and return true if the IP is to be ignored. False otherwise.
> #
> # ignorecommand = /path/to/command <ip>
> ignorecommand =
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 600
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 600
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 5
>
> # "backend" specifies the backend used to get files modification.
> # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
> # This option can be overridden in each jail as well.
> #
> # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
> #            If pyinotify is not installed, Fail2ban will use auto.
> # gamin:     requires Gamin (a file alteration monitor) to be installed.
> #            If Gamin is not installed, Fail2ban will use auto.
> # polling:   uses a polling algorithm which does not require external libraries.
> # systemd:   uses systemd python library to access the systemd journal.
> #            Specifying "logpath" is not valid for this backend.
> #            See "journalmatch" in the jails associated filter config
> # auto:      will try to use the following backends, in order:
> #            pyinotify, gamin, polling.
> #
> # Note: if systemd backend is choses as the default but you enable a jail
> #       for which logs are present only in its own log files, specify some other
> #       backend for that jail (e.g. polling) and provide empty value for
> #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
> backend = auto
>
> # "usedns" specifies if jails should trust hostnames in logs,
> # warn when DNS lookups are performed, or ignore all hostnames in logs
> #
> # yes: if a hostname is encountered, a DNS lookup will be performed.
> # warn: if a hostname is encountered, a DNS lookup will be performed,
> # but it will be logged as a warning.
> # no: if a hostname is encountered, will not be used for banning,
> # but it will be logged as info.
> usedns = warn
>
> # "logencoding" specifies the encoding of the log files handled by the jail
> # This is used to decode the lines from the log file.
> # Typical examples: "ascii", "utf-8"
> #
> # auto: will use the system locale setting
> logencoding = auto
>
> # "enabled" enables the jails.
> # By default all jails are disabled, and it should stay this way.
> # Enable only relevant to your setup jails in your .local or jail.d/*.conf
> #
> # true: jail will be enabled and log files will get monitored for changes
> # false: jail is not enabled
> enabled = false
>
>
> # "filter" defines the filter to use by the jail.
> # By default jails have names matching their filter name
> #
> filter = %(__name__)s
>
>
> #
> # ACTIONS
> #
>
> # Some options used for actions
>
> # Destination email address used solely for the interpolations in
> # jail.{conf,local,d/*} configuration files.
> destemail = root@localhost
>
> # Sender email address used solely for some actions
> sender = root@localhost
>
> # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
> # mailing. Change mta configuration parameter to mail if you want to
> # revert to conventional 'mail'.
> mta = sendmail
>
> # Default protocol
> protocol = tcp
>
> # Specify chain where jumps would need to be added in iptables-* actions
> chain = INPUT
>
> # Ports to be banned
> # Usually should be overridden in a particular jail
> port = 0:65535
>
> #
> # Action shortcuts. To be used to define action parameter
>
> # Default banning action (e.g. iptables, iptables-new,
> # iptables-multiport, shorewall, etc) It is used to define
> # action_* variables. Can be overridden globally or per
> # section within jail.local file
> banaction = iptables-multiport
>
> # The simplest action to take: ban only
> action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
> ........
>
> At 11:21 on 21-08-2016, Günther J. Niederwimmer wrote:
> Hello
>
> On Saturday, 20 August 2016, 13:25:24, Bruno Miguel Queiros wrote:
> Tried disabling firewalld and going with regular iptables?
> On the Internet all say firewalld is working, and it is working, but only
> with CentOS 7.0 (????), but after update it is broken why???
>
> this is my jail.local
> #
> [DEFAULT]
> bantime = 2592000
> findtime = 3600
> ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
> maxretry = 2
>
> #
> [sshd-ddos]
> enabled = true
>
> [sshd]
> enabled = true
>
> [selinux-ssh]
> enabled = true
>
> and this thousands of Errors
> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
> 2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 97.74.232.35
> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> 2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
> 2016-08-21 11:09:33,668 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.142.52.44
> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> 2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
> 2016-08-21 11:09:33,771 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.254.171.195
> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
> 2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
> 2016-08-21 11:09:33,874 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195
>
>
> is ipset broken v6.19 or iptables v1.4.21 and or
>
> fail2ban-sendmail-0.9.3-1.el7.noarch
> fail2ban-firewalld-0.9.3-1.el7.noarch
> fail2ban-0.9.3-1.el7.noarch
> fail2ban-server-0.9.3-1.el7.noarch
>
> I mean this is not only my problem :-((.
>
> At 11:31 on 20-08-2016, Günther J. Niederwimmer wrote:
> Hello,
>
> I mean I have a big Problem with fail2ban :-(
> when I make a restart / reload or reboot from fail2ban afterward my
> firewalld status found this
>
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>    Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
>  Main PID: 13158 (firewalld)
>    CGroup: /system.slice/firewalld.service
>            └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>
> Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
> Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
> Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
> Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
> Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>
> fail2ban is working "normal" no errors
>
> This is a installation from EPEL with all Updates ???
>
> I don't change nothing only I make a jail.local for enabling filters
>
> I found no way to have a working fail2ban :-((.
>
> Thanks for any help
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer
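
Added example, not part of the original message or of fail2ban: a small Python triage script that groups the failed `ipset add` calls from the fail2ban log by set name, so they can be compared with the `ipset list -n` output and with the configured bantime. The sample lines are the thread's log entries re-joined to one line each; the function names are hypothetical, and 2592000 is the bantime from the posted jail.local.

```python
import re
from collections import defaultdict

# Constructed sample: fail2ban.action lines from the thread, re-joined one per line.
SAMPLE_LOG = r"""
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,668 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.142.52.44
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
"""

# Output of "ipset list -n" as posted in the reply.
EXISTING_SETS = ["fail2ban-sshd", "fail2ban-sshd-ddos", "fail2ban-selinux-ssh"]

ACTION_ERR = re.compile(
    r"fail2ban\.action\s+\[\d+\]:\s+ERROR\s+ipset add (?P<set>\S+) (?P<ip>\S+) "
    r"timeout (?P<timeout>\d+) -exist -- (?P<kind>stdout|stderr|returned):? (?P<val>.*)$"
)

def failed_bans(log_text):
    """Group failed 'ipset add' calls by set name."""
    out = defaultdict(lambda: {"ips": set(), "timeouts": set(), "errors": set(), "rc": set()})
    for line in log_text.splitlines():
        m = ACTION_ERR.search(line)
        if not m:
            continue  # NOTICE lines and fail2ban.actions summaries are skipped
        entry = out[m["set"]]
        entry["ips"].add(m["ip"])
        entry["timeouts"].add(int(m["timeout"]))
        val = m["val"].strip().strip("'")
        if m["kind"] == "stderr" and val:
            entry["errors"].add(val.replace("\\n", "").strip())
        elif m["kind"] == "returned":
            entry["rc"].add(int(val))
    return dict(out)

def missing_sets(summary, existing_sets):
    """Sets the ban action wrote to that 'ipset list -n' does not show."""
    return sorted(name for name in summary if name not in existing_sets)

def timeout_mismatch(summary, bantime):
    """Sets whose logged ban timeout differs from the bantime you expect."""
    return {n: sorted(e["timeouts"] - {bantime}) for n, e in summary.items() if e["timeouts"] - {bantime}}

if __name__ == "__main__":
    summary = failed_bans(SAMPLE_LOG)
    print("missing sets:", missing_sets(summary, EXISTING_SETS))
    print("timeout mismatch vs jail.local:", timeout_mismatch(summary, 2592000))
```

On a live host, feed it the real fail2ban log and the current `ipset list -n` output instead of the embedded samples.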