alex sunny
0 votes

I am posting a copy of the issue I just posted in GitHub fail2ban, but it seems that the issue started with the last ClearOS update.

In the dashboard I see the last update was:
fail2ban-server-0.11.1-10.el7 Updated 2020 Sep 23, 04:58:58

It seems that action files stopped supporting "<bantime>" with this update. I just checked my f2b logs and it hasn't been working for the past few months; I have millions of errors in my log files like:
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: `ipset create f2b-portprobe hash:ip --maxelem 1000000 timeout <bantime>'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- returned 1
2020-11-09 19:31:37,133 fail2ban.actions [17395]: ERROR Failed to execute ban jail 'portprobe' action 'ipset-portprobe' info 'ActionInfo({'ip': '', 'fid': <function <lambda> at 0x7f0361c71f50>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f0361c74578>})': Error starting action Jail('portprobe')/ipset-portprobe: 'Script error'

My action file contains:
actionstart = ipset create <ipmset> hash:ip --maxelem 1000000 timeout <bantime><familyopt>

Replacing "<bantime>" with the actual bantime in seconds seems to work.
The action is specified in my jail as follows:
action = ipset-portprobe[name=portprobe,bantime=2147483]

Friday, February 05 2021, 08:50 AM
Responses (1)
  • Accepted Answer

    Friday, February 05 2021, 09:42 AM - #Permalink
    0 votes
    That won't be a ClearOS error per se, as we use the upstream EPEL package. It must have been due to an upstream and/or source change. Have a look in /etc/fail2ban/action.d/iptables-ipset-proto6.conf to see how it is done now, using <default-timeout>. I have never tried it but you may be able to override it in your jail. If you use <bantime> in the actionban line, <default-timeout> becomes irrelevant and is only used where <bantime> is not specified in the actionban line.

    Also, why do you have a specific action ipset-portprobe? Why not just leave it on the default iptables-ipset-proto6.conf?
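
An added example, not part of the original thread: the failure in the question went unnoticed for months because the jail kept running while every ban failed, so this script scans fail2ban.log for shell commands that still contain an unsubstituted <tag> and counts failed actions per jail. The sample input is the log excerpt posted in the question; the function and pattern names are hypothetical.

```python
import re
from collections import Counter

# Log lines as posted in the question above.
SAMPLE_LOG = r"""2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: `ipset create f2b-portprobe hash:ip --maxelem 1000000 timeout <bantime>'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- returned 1
2020-11-09 19:31:37,133 fail2ban.actions [17395]: ERROR Failed to execute ban jail 'portprobe' action 'ipset-portprobe' info 'ActionInfo({'ip': '', 'fid': <function <lambda> at 0x7f0361c71f50>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f0361c74578>})': Error starting action Jail('portprobe')/ipset-portprobe: 'Script error'
"""

# /bin/sh echoing the offending command line, relayed by fail2ban.utils.
SH_ECHO = re.compile(
    r"fail2ban\.utils\s+\[\d+\]: ERROR .* stderr: \"/bin/sh: -c: line \d+: `(.*)'\"$")
# A <tag> that survived substitution and reached the shell as a redirect.
TAG = re.compile(r"<([A-Za-z][\w-]*)>")
# Action failures reported by fail2ban.actions (ban, unban, ...).
FAILED = re.compile(
    r"fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute (\w+) "
    r"jail '([^']+)' action '([^']+)'")


def audit(lines):
    """Return (unresolved, failed) Counters.

    unresolved is keyed by (tag, command); failed by (operation, jail, action).
    Only the shell echo is searched for tags, so Python reprs such as
    <lambda> inside ActionInfo(...) are not reported as tags.
    """
    unresolved, failed = Counter(), Counter()
    for line in lines:
        line = line.rstrip("\n")
        m = SH_ECHO.search(line)
        if m:
            for tag in TAG.findall(m.group(1)):
                unresolved[(tag, m.group(1))] += 1
        m = FAILED.search(line)
        if m:
            failed[m.groups()] += 1
    return unresolved, failed


if __name__ == "__main__":
    unresolved, failed = audit(SAMPLE_LOG.splitlines())
    for (tag, cmd), n in unresolved.items():
        print(f"{n}x unresolved <{tag}> passed to shell: {cmd}")
    for (op, jail, action), n in failed.items():
        print(f"{n}x failed {op}: jail={jail} action={action}")
```

To run it against a live system, pass the open log file to audit() instead of the sample, for example audit(open("/var/log/fail2ban.log")) if that is where your installation logs.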