I am posting a copy of the issue I just posted in github fail2ban but is seems that the issue started with the last clearos update https://github.com/fail2ban/fail2ban/issues/2869
In the dashboard i see the last update was;
It seems that action files stopped supporting "<bantime>" with this update, I just checked my f2b logs and it hasn't been working for the past few months, i have millions of errors on my log files like
my action file contains
Replacing "<bantime>" with the actual bantime in seconds seems to work.
the action is specified in my jail as follows
In the dashboard i see the last update was;
fail2ban-server-0.11.1-10.el7 Updated 2020 Sep 23, 04:58:58It seems that action files stopped supporting "<bantime>" with this update, I just checked my f2b logs and it hasn't been working for the past few months, i have millions of errors on my log files like
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- stderr: "/bin/sh: -c: line 0: `ipset create f2b-portprobe hash:ip --maxelem 1000000 timeout <bantime>'"
2020-11-09 19:31:37,132 fail2ban.utils [17395]: ERROR 7f03602a0928 -- returned 1
2020-11-09 19:31:37,133 fail2ban.actions [17395]: ERROR Failed to execute ban jail 'portprobe' action 'ipset-portprobe' info 'ActionInfo({'ip': '46.101.124.192', 'fid': <function <lambda> at 0x7f0361c71f50>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f0361c74578>})': Error starting action Jail('portprobe')/ipset-portprobe: 'Script error'my action file contains
actionstart = ipset create <ipmset> hash:ip --maxelem 1000000 timeout <bantime><familyopt>Replacing "<bantime>" with the actual bantime in seconds seems to work.
the action is specified in my jail as follows
action = ipset-portprobe[name=portprobe,bantime=2147483]
Share this post:
Responses (6)
-
Accepted Answer
I had an issue with one of my custom jails as well but I cannot remember what it was. What is your full jail definition? Don't you put your bantime in your jail?
I do, however, find the hierarchical way parameters can be defined can be confuling and very hard to follow. One thing odd in your log is that an one end of one error line you have a ` and at the other end a '.
Before posting a bug at their github it may be worth using their mailing list -
Accepted Answer
Nick Howitt wrote:I had an issue with one of my custom jails as well but I cannot remember what it was. What is your full jail definition? Don't you put your bantime in your jail?
What do you mean by full definition? you want to full action conf file?
I do put my bantime in the jail but I also put it in my ipset (IIRC fail2ban did not support the length i required)
I do, however, find the hierarchical way parameters can be defined can be confuling and very hard to follow. One thing odd in your log is that an one end of one error line you have a ` and at the other end a '.
The backtick / single quote seems to be from the sh error output (seen it many times in different bash errors)
Point is this is a BUG this used to work fine, works fine on my other distros (most likely not the exact same version) but I don't know if this BUG was introduced by clearOS or by fail2ban. -
Accepted Answer
If it is a bug it is not introduced by ClearOS as we use the EPEL release directly without touching it. All I do is check the ClearOS jails for the Attack Detector work correctly before releasing it in to the ClearOS repos. I also check my own jails but they are of lesser importance.
I was after how the jail is defined (checking any .local files which may be in the hierarchy), but I guess the full action definition would be a good idea. -
Accepted Answer
Nick Howitt wrote:I was after how the jail is defined (checking any .local files which may be in the hierarchy), but I guess the full action definition would be a good idea.
Instead of uploading the files I will just link to them
jail file = https://github.com/srulikuk/c-f2b/blob/master/etc_files/fail2ban/jail.d/central.local
filter files = https://github.com/srulikuk/c-f2b/tree/master/etc_files/fail2ban/filter.d (ignore the example file)
action files = https://github.com/srulikuk/c-f2b/tree/master/etc_files/fail2ban/action.d
I have these configs working on 10+ machines (not ClearOS) and they are working fine, and as i noted these used to work fine on ClearOS before the last update.
As ClearOS does not change anything I guess it will be up to fail2ban to debug this.
Many thanks for your help Nick, -
Accepted Answer
-
Accepted Answer
Nick Howitt wrote:Are your other systems using the same or similar version of f2b? I know I had to make an adjustment to one of my jails with 0.11.1.
I believe none of my other systems are running this version, i will need to check tomorrow.
Also why are you running a custom action? Won't iptables-ipset-proto6-allports.conf do?
Because i am running a custom action after each ban
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »