
#47 ERROR Invariant check failed. Trying to restore a sane envi

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2009-09-30
Created: 2009-09-30
Creator: Jonathan Kamens
Private: No

I am getting this on a somewhat regular basis in my logs:

Sep 30 06:52:50 jik2 fail2ban.actions: WARNING [ssh-iptables] Ban 60.190.176.116
Sep 30 06:52:50 jik2 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
Sep 30 06:52:50 jik2 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
Sep 30 06:52:50 jik2 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 100
Sep 30 07:02:51 jik2 fail2ban.actions: WARNING [ssh-iptables] Unban 60.190.176.116

I'm not certain, but I think it might happen only the first time fail2ban tries to ban somebody after it starts up.

I have fail2ban 0.8.4.

Discussion

  • Mark Sapiro
    2009-10-10

    I have the same problem sometimes. It seems if you have a lot of jails (I have 6), there is a race condition of some kind between fail2ban and iptables that causes the

    iptables -I INPUT... -j fail2ban-<name>

    to fail because it executes before the

    iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN

    have fully completed. I have worked around this with the following in /etc/fail2ban/action.d/iptables-allports.local (iptables-allports is the only action I use)

    [Definition]
    # add a sleep to try to avoid apparent race in iptables
    # (continuation lines of a multi-line value must be indented)
    actionstart = iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  sleep 1
                  iptables -I INPUT -p <protocol> -j fail2ban-<name>

  • Mark Sapiro
    2009-10-10

    In the previous comment, the lines following "actionstart =" should be indented (my leading spaces were stripped).

  • Fixed sleep in all jails would not resolve the issue reliably: you have to use variable duration for sleep.
    If you have bash for your shell -- add

    sleep ${RANDOM:0:1}.${RANDOM: -1:1}

    at the beginning of actionstart/actionstop

    See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554162 for more information
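Both workarounds above (a fixed `sleep 1` and a random-length sleep at the start of actionstart/actionstop) guess at how long iptables needs before the new per-jail chain is usable. The following added example, which is not code from the fail2ban project or from this thread, replaces the guess with a bounded readiness check: it polls until `iptables -n -L fail2ban-<name>` succeeds, then inserts the INPUT jump rule. The function names (`wait_until`, `chain_ready`, `start_jail`) and the retry count and delay are assumptions for this illustration; running `start_jail` for real requires root and `iptables` in `PATH`, which is why the reusable part is the generic `wait_until` helper.

```bash
#!/bin/bash
# Added example, not from fail2ban or the thread above. Instead of sleeping a
# fixed or random time in actionstart, wait until the jail's chain is actually
# visible to iptables before inserting the jump rule from INPUT.

# wait_until TRIES DELAY CMD...: run CMD until it exits 0, at most TRIES times,
# sleeping DELAY seconds between attempts. Returns 0 on success, 1 on timeout.
wait_until() {
    local tries="$1" delay="$2" attempt=0
    shift 2
    while [ "$attempt" -lt "$tries" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 1
}

# chain_ready CHAIN: succeeds once iptables can list the chain (the same check
# fail2ban's own invariant uses, scoped to the jail chain rather than INPUT).
chain_ready() {
    iptables -n -L "$1" >/dev/null 2>&1
}

# start_jail CHAIN PROTOCOL: the actionstart sequence from the thread with the
# sleep replaced by a readiness check. Assumed retry budget: 10 tries, 0.2 s apart.
start_jail() {
    local chain="$1" proto="$2"
    iptables -N "$chain" || return 1
    iptables -A "$chain" -j RETURN || return 1
    wait_until 10 0.2 chain_ready "$chain" || {
        echo "chain $chain never became visible to iptables" >&2
        return 1
    }
    iptables -I INPUT -p "$proto" -j "$chain"
}
```

In an action file this would correspond to listing the chain in a loop inside `actionstart` before the `iptables -I INPUT` line; the bounded retry count matters because an unbounded wait would hang the jail if chain creation genuinely failed, whereas a timeout surfaces the error in the log just as the original invariant check does.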