From: Arthur D. <mis...@bl...> - 2009-09-19 08:52:06

Hello all,

I am now using the wonderful 0.8.4 version (from source) on my Fedora 11 machine.

As F11 is still a relatively fresh distro there are frequent updates necessitating a reboot. I use an init.d script to start F2B, and now I find that on each reboot of the server I get the following errors in the F2B log and F2B fails to start:

2009-09-19 09:19:23,400 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2009-09-19 09:19:23,841 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2009-09-19 09:19:24,211 fail2ban.actions: WARNING [modsec] Unban 92.240.68.153
2009-09-19 09:19:24,240 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ModSec returned 100
2009-09-19 09:19:24,242 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-09-19 09:19:24,342 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-ModSec
iptables -F fail2ban-ModSec
iptables -X fail2ban-ModSec returned 100
2009-09-19 09:19:24,465 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 92.240.68.153 -j DROP returned 100
2009-09-19 09:19:24,467 fail2ban.actions: WARNING [modsec] Unban 118.123.10.124
2009-09-19 09:19:24,530 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 118.123.10.124 -j DROP returned 100
2009-09-19 09:19:24,533 fail2ban.actions: WARNING [modsec] Unban 211.140.199.86
2009-09-19 09:19:24,593 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 211.140.199.86 -j DROP returned 100
2009-09-19 09:19:24,598 fail2ban.actions: WARNING [modsec] Unban 222.73.231.132
2009-09-19 09:19:24,659 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 222.73.231.132 -j DROP returned 100
2009-09-19 09:19:24,817 fail2ban.jail : INFO Jail 'modsec' stopped
2009-09-19 09:19:25,212 fail2ban.actions: WARNING [scriptkiddie] Unban 86.145.163.155
2009-09-19 09:19:25,239 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ScriptKiddie returned 100
2009-09-19 09:19:25,241 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-09-19 09:19:25,291 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-ScriptKiddie
iptables -F fail2ban-ScriptKiddie
iptables -X fail2ban-ScriptKiddie returned 100
2009-09-19 09:19:25,403 fail2ban.actions.action: ERROR iptables -D fail2ban-ScriptKiddie -s 86.145.163.155 -j DROP returned 100
2009-09-19 09:19:25,406 fail2ban.actions: WARNING [scriptkiddie] Unban 118.70.126.62
2009-09-19 09:19:25,467 fail2ban.actions.action: ERROR iptables -D fail2ban-ScriptKiddie -s 118.70.126.62 -j DROP returned 100
2009-09-19 09:19:25,470 fail2ban.actions: WARNING [scriptkiddie] Unban 222.73.231.132
2009-09-19 09:19:25,531 fail2ban.actions.action: ERROR iptables -D fail2ban-ScriptKiddie -s 222.73.231.132 -j DROP returned 100
2009-09-19 09:19:25,685 fail2ban.jail : INFO Jail 'scriptkiddie' stopped
2009-09-19 09:19:25,764 fail2ban.server : INFO Exiting Fail2ban

Simply starting F2B again (with the same init.d script - in Fedora 11 using the command "service fail2ban start") starts F2B with no problems whatsoever.

I am not sure therefore whether this is actually a F2B problem or a Fedora problem. It is however a bit frustrating to have to remember to restart F2B each time I reboot the server...

Does anyone have any suggestions?

Thanks in advance

Mark
From: Yaroslav H. <li...@on...> - 2009-09-22 21:50:00

errors you mentioned point to 'failed stop' not 'failed start'... it seems to fail since (my guess) firewall was stopped first and wiped out iptables cleanly... what is the order of start/stop of your firewall/fail2ban? ;-)

On Sat, 19 Sep 2009, Arthur Dent wrote

> Hello all,
> I am now using the wonderful 0.8.4 version (from source) on my Fedora 11
> machine.
> As F11 is still a relatively fresh distro there are frequent updates
> necessitating a reboot. I use an init.d script to start F2B, and now I
> find that on each reboot of the server I get the following errors in the
> F2B log and F2B fails to start:
> [...]
> Simply starting F2B again (with the same init.d script - in Fedora 11
> using the command "service fail2ban start") starts F2B with no problems
> whatsoever.
> I am not sure therefore whether this is actually a F2B problem or a
> Fedora problem. It is however a bit frustrating to have to remember to
> restart F2B each time I reboot the server...
> Does anyone have any suggestions?
> Thanks in advance
> Mark

--
Keep in touch
(yoh@|www.)onerussian.com  Yaroslav Halchenko
ICQ#: 60653192  Linux User [175555]
From: Arturo 'B. B. <bu...@bu...> - 2009-09-22 22:02:21

Yaroslav Halchenko wrote:
> errors you mentioned point to 'failed stop' not 'failed start'... it
> seems to fail since (my guess) firewall was stopped first and wiped out
> iptables cleanly... what is the order of start/stop of your
> firewall/fail2ban? ;-)

That's what I thought. Maybe we could add some sort of message to those errors, like "fail2ban stopped after iptables rules have been flushed? DON'T!"

--
Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net
From: Arthur D. <mis...@bl...> - 2009-09-23 12:50:58

On Tue, Sep 22, 2009 at 05:49:41PM -0400, Yaroslav Halchenko wrote:
> errors you mentioned point to 'failed stop' not 'failed start'... it
> seems to fail since (my guess) firewall was stopped first and wiped out
> iptables cleanly... what is the order of start/stop of your
> firewall/fail2ban? ;-)

I'm sorry but I really don't know... All I can say is that I use a Fedora 11 system and an init.d script for starting and stopping F2B. I presume Fedora takes care of which order these get run in - but I don't know how to determine that order...

My feature request (that F2B maintains its jail states through a reboot) notwithstanding, why should the fact that F2B did not shut down cleanly prevent a clean start up after the reboot? I presume this is because there is a sock or a lock file left hanging around somewhere?

Thanks for looking at this...

Mark
From: René B. <rb...@ca...> - 2009-09-23 21:46:33

Arthur Dent wrote:
> On Tue, Sep 22, 2009 at 05:49:41PM -0400, Yaroslav Halchenko wrote:
>> errors you mentioned point to 'failed stop' not 'failed start'... it
>> seems to fail since (my guess) firewall was stopped first and wiped out
>> iptables cleanly... what is the order of start/stop of your
>> firewall/fail2ban? ;-)
>
> I'm sorry but I really don't know... All I can say is that I use a Fedora 11
> system and an init.d script for starting and stopping F2B. I presume Fedora
> takes care of which order these get run in - but I don't know how to determine
> that order...

Where did the init script come from? How was it installed?

The order, in Fedora 11 like in many other Unix-like systems, is set by symlinks in the rc?.d directories, for instance:

# ll /etc/rc2.d/S08iptables
lrwxrwxrwx. 1 root root 18 2009-06-04 12:05 /etc/rc2.d/S08iptables -> ../init.d/iptables

Of course, as Yaroslav Halchenko pointed out, you should be interested in the stop order, which is:

# ls /etc/rc?.d/K*tables
/etc/rc0.d/K92ip6tables  /etc/rc1.d/K92ip6tables  /etc/rc6.d/K92ip6tables
/etc/rc0.d/K92iptables   /etc/rc1.s/K92iptables   /etc/rc6.d/K92iptables

To allow f2b to work as intended you need its kill scripts to be a lower number (to run before iptables is shut down).

> My feature request (that F2B maintains its jail states through a reboot)
> notwithstanding, why should the fact that F2B did not shut down cleanly
> prevent a clean start up after the reboot? I presume this is because there is
> a sock or a lock file left hanging around somewhere?

It's normal operation: if f2b is not shut down the socket is left, and if the socket is still there it is in /var/run/fail2ban/ (unless the -s parameter was used).

A good init.d script should check for that situation. There's even an option to force start (-x), which is what a good script would use (or just delete the socket after checking that f2b is not running, and start)... and no, you shouldn't always use -x since that would allow running f2b more than once.

--
René Berber
From: Arthur D. <mis...@bl...> - 2009-09-26 13:11:14

On Wed, 2009-09-23 at 16:23 -0500, René Berber wrote:
> Arthur Dent wrote:
>
>> On Tue, Sep 22, 2009 at 05:49:41PM -0400, Yaroslav Halchenko wrote:
>>> errors you mentioned point to 'failed stop' not 'failed start'... it
>>> seems to fail since (my guess) firewall was stopped first and wiped out
>>> iptables cleanly... what is the order of start/stop of your
>>> firewall/fail2ban? ;-)
>>
>> I'm sorry but I really don't know... All I can say is that I use a Fedora 11
>> system and an init.d script for starting and stopping F2B. I presume Fedora
>> takes care of which order these get run in - but I don't know how to determine
>> that order...
>
> Where did the init script come from? How was it installed?

Well, I originally installed F2b by rpm (via yum); this dropped an init.d script into place. When 0.8.4 came out I decided to install using the source tarball (mainly because the rpm version seems to generate a whole pile of selinux denials). I just kept the rpm init.d script (see below).

> The order, in Fedora 11 like in many other Unix like systems, is set by
> symlinks on the rc?.d directories, for instance:
>
> # ll /etc/rc2.d/S08iptables
> lrwxrwxrwx. 1 root root 18 2009-06-04 12:05 /etc/rc2.d/S08iptables ->
> ../init.d/iptables
>
> Of course as Yaroslav Halchenko pointed out you should be interested in
> the stop order, which are:
>
> # ls /etc/rc?.d/K*tables
> /etc/rc0.d/K92ip6tables /etc/rc1.d/K92ip6tables /etc/rc6.d/K92ip6tables
> /etc/rc0.d/K92iptables /etc/rc1.s/K92iptables /etc/rc6.d/K92iptables

For me:

# ls -la /etc/rc?.d/K*tables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc0.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 18 2009-08-11 16:15 /etc/rc0.d/K92iptables -> ../init.d/iptables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc1.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 18 2009-08-11 16:15 /etc/rc1.d/K92iptables -> ../init.d/iptables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc2.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc3.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc4.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc5.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc6.d/K92ip6tables -> ../init.d/ip6tables
lrwxrwxrwx. 1 root root 18 2009-08-11 16:15 /etc/rc6.d/K92iptables -> ../init.d/iptables

Doesn't mean much to me I'm afraid...

> To allow f2b to work as intended you need its kill scripts to be a lower
> number (to run before iptables is shut down).
>
>> My feature request (that F2B maintains its jail states through a reboot)
>> notwithstanding, why should the fact that F2B did not shut down cleanly
>> prevent a clean start up after the reboot? I presume this is because there is
>> a sock or a lock file left hanging around somewhere?
>
> Its normal operation, if f2b is not shutdown the socket is left, if the
> socket is still there it is in /var/run/fail2ban/ (unless the -s
> parameter was used).
>
> A good init.d script should check that situation. There's even an
> option to force start (-x) which is what a good script would use (or
> just delete the socket after checking that f2b is not running and
> start)... and no, you shouldn't always use -x since that would allow
> running f2b more than once.

Here is the init.d script...

# cat /etc/init.d/fail2ban
#!/bin/bash
#
# chkconfig: - 92 08
# description: Fail2ban daemon
#              http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
# process name: fail2ban-server
#
#
# Author: Tyler Owen
#

# Source function library.
. /etc/init.d/functions

# Check that the config file exists
[ -f /etc/fail2ban/fail2ban.conf ] || exit 0

FAIL2BAN="/usr/bin/fail2ban-client"

RETVAL=0

# Sets $pid to the pid(s) of any process whose name starts with "fail2ban-"
# (note: this matches a running fail2ban-client as well as fail2ban-server).
getpid() {
    pid=`ps -eo pid,comm | grep fail2ban- | awk '{ print $1 }'`
}

start() {
    echo -n $"Starting fail2ban: "
    getpid
    if [ -z "$pid" ]; then
        # -x forces a start even if a stale socket was left behind
        $FAIL2BAN -x start > /dev/null
        RETVAL=$?
    fi
    if [ $RETVAL -eq 0 ]; then
        touch /var/lock/subsys/fail2ban
        echo_success
    else
        echo_failure
    fi
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping fail2ban: "
    getpid
    RETVAL=$?
    if [ -n "$pid" ]; then
        $FAIL2BAN stop > /dev/null
        sleep 1
        getpid
        if [ -z "$pid" ]; then
            rm -f /var/lock/subsys/fail2ban
            echo_success
        else
            echo_failure
        fi
    else
        echo_failure
    fi
    echo
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        getpid
        if [ -n "$pid" ]; then
            echo "Fail2ban (pid $pid) is running..."
            $FAIL2BAN status
        else
            RETVAL=1
            echo "Fail2ban is stopped"
        fi
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac

exit $RETVAL
From: René B. <rb...@ca...> - 2009-09-26 21:19:13

Arthur Dent wrote:
>> Where did the init script come from? How was it installed?
>
> Well, I originally installed F2b by rpm (via yum); this dropped an
> init.d script into place.

OK.

> When 0.8.4 came out I decided to install using the source tarball
> (mainly because the rpm version seems to generate a whole pile of
> selinux denials). I just kept the rpm init.d script (see below).

That's fine.

> For me:
> # ls -la /etc/rc?.d/K*tables
> lrwxrwxrwx. 1 root root 19 2009-08-12 09:12 /etc/rc0.d/K92ip6tables -> ../init.d/ip6tables
> lrwxrwxrwx. 1 root root 18 2009-08-11 16:15 /etc/rc0.d/K92iptables -> ../init.d/iptables
...
> Doesn't mean much to me I'm afraid...

The important part is the order of shutdown, which is given by the file name of the actual script executed (the K script).

> Here is the init.d script...
>
> # cat /etc/init.d/fail2ban
> #!/bin/bash
> #
> # chkconfig: - 92 08

This defines how the script is installed: its number 92 on kill (the same as iptables) and 08 on startup. Since both f2b and iptables have the same number, the order is the alphabetic order... so f2b should come just before iptables... unless they are executed in parallel (I'm not sure if that could happen when you have a multi-core or multi-cpu machine and kernel).

You could change that order by renaming the files (links) or editing the script and using a lower number: 91, 90, 80, whatever.

> # description: Fail2ban daemon
> # http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
> # process name: fail2ban-server
> #
> #
> # Author: Tyler Owen
> #
>
> # Source function library.
> . /etc/init.d/functions
>
> # Check that the config file exists
> [ -f /etc/fail2ban/fail2ban.conf ] || exit 0
>
> FAIL2BAN="/usr/bin/fail2ban-client"
>
> RETVAL=0
>
> getpid() {
>     pid=`ps -eo pid,comm | grep fail2ban- | awk '{ print $1 }'`
> }
>
> start() {
>     echo -n $"Starting fail2ban: "
>     getpid
>     if [ -z "$pid" ]; then
>         $FAIL2BAN -x start > /dev/null

Interesting, it's using the -x parameter... so the socket is not an issue, it's deleting it at startup (if it was left).

>         RETVAL=$?
>     fi
>     if [ $RETVAL -eq 0 ]; then
>         touch /var/lock/subsys/fail2ban
>         echo_success
>     else
>         echo_failure
>     fi
>     echo
>     return $RETVAL
> }
>
> stop() {
>     echo -n $"Stopping fail2ban: "
>     getpid
>     RETVAL=$?
>     if [ -n "$pid" ]; then
>         $FAIL2BAN stop > /dev/null
>         sleep 1
>         getpid
>         if [ -z "$pid" ]; then
>             rm -f /var/lock/subsys/fail2ban
>             echo_success
>         else
>             echo_failure
>         fi
>     else
>         echo_failure
>     fi
>     echo
>     return $RETVAL
> }
>
> # See how we were called.
> case "$1" in
>     start)
>         start
>         ;;
>     stop)
>         stop
>         ;;
>     status)
>         getpid
>         if [ -n "$pid" ]; then
>             echo "Fail2ban (pid $pid) is running..."
>             $FAIL2BAN status
>         else
>             RETVAL=1
>             echo "Fail2ban is stopped"
>         fi
>         ;;
>     restart)
>         stop
>         start
>         ;;
>     *)
>         echo $"Usage: $0 {start|stop|status|restart}"
>         exit 1
>         ;;
> esac
>
> exit $RETVAL

Everything looks fine. Have you looked into Cyril's comment? If something else is flushing the rules, then that is the problem.

--
René Berber
From: René B. <rb...@ca...> - 2009-09-26 21:36:16

René Berber wrote:
>> # chkconfig: - 92 08
...
> You could change that order, by renaming the files (links) or editing
> the script and using a lower number 91, 90, 80, whatever.

Sorry, I left out the part about running chkconfig after editing the script as described.

--
René Berber
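Editor's added example (not code from the thread or from fail2ban): a small POSIX shell script that does the check René describes in his two messages above, i.e. reads an rc?.d directory the way init does and reports whether fail2ban's K (stop) link sorts before iptables'. chkconfig(8) reads the header as `# chkconfig: <levels> <start-priority> <stop-priority>` and creates S<start> and K<stop> links from it, so the script also maps a header line to the link names it would produce; comparing that against `ls /etc/rc?.d/K*` on the machine is the point. The directories are constructed in a temp dir (iptables/ip6tables at K92 as in Mark's listing, fail2ban at a caller-chosen number), and the function names make_rcdir, kill_order, stops_before and chkconfig_links are mine.

```shell
#!/bin/sh
# Added example: model SysV init's K-link ordering and check a service pair.
# Everything here runs on constructed directories, not on the live /etc/rc?.d.

# Map a "# chkconfig:" header line to the link names chkconfig(8) creates.
# Header field order is: runlevels, start priority, stop priority.
#   chkconfig_links '# chkconfig: - 92 08' fail2ban  ->  S92fail2ban K08fail2ban
chkconfig_links() {
  service=$2
  # shellcheck disable=SC2046  (word splitting is intended here)
  set -- $(printf '%s\n' "$1" | sed 's/^#[[:space:]]*chkconfig:[[:space:]]*//')
  printf 'S%s%s K%s%s\n' "$2" "$service" "$3" "$service"
}

# Build a constructed rc6.d: iptables/ip6tables at K92 (the numbers from Mark's
# listing) plus a fail2ban link named by the caller, e.g. K08fail2ban.
# Plain files stand in for the symlinks; only the names matter for ordering.
# Prints the directory path.
make_rcdir() {
  dir=$(mktemp -d)
  for name in K92iptables K92ip6tables "$1"; do : > "$dir/$name"; done
  printf '%s\n' "$dir"
}

# K scripts in the order init runs them. /etc/rc globs K* and runs the result
# in byte order, so the two-digit priority sorts first and ties fall back to
# the name (the alphabetic tie-break René mentions).
kill_order() {
  ls "$1" | grep '^K[0-9][0-9]' | LC_ALL=C sort
}

# Exit 0 if service $2's K link sorts before service $3's in rc dir $1,
# non-zero if it sorts after or if either link is missing.
stops_before() {
  order=$(kill_order "$1")
  a=$(printf '%s\n' "$order" | grep -n "^K[0-9][0-9]$2\$" | cut -d: -f1)
  b=$(printf '%s\n' "$order" | grep -n "^K[0-9][0-9]$3\$" | cut -d: -f1)
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Demo: K08fail2ban is what the posted header produces; K92fail2ban is the tie
# case René discusses; K93fail2ban would stop after the firewall is gone.
chkconfig_links '# chkconfig: - 92 08' fail2ban
for link in K08fail2ban K92fail2ban K93fail2ban; do
  d=$(make_rcdir "$link")
  if stops_before "$d" fail2ban iptables; then
    echo "$link: fail2ban stops before iptables"
  else
    echo "$link: fail2ban stops AFTER iptables"
  fi
  rm -rf "$d"
done
```

To check a real box, point kill_order at /etc/rc6.d (reboot) or /etc/rc0.d (halt) instead of a constructed directory; if the K link for fail2ban is missing or sorts after K92iptables, fix the header and re-run chkconfig as René says.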
From: Arthur D. <mis...@bl...> - 2009-10-04 11:20:54

On Sat, 2009-09-26 at 16:35 -0500, René Berber wrote:
> René Berber wrote:
>
>>> # chkconfig: - 92 08
> ...
>> You could change that order, by renaming the files (links) or editing
>> the script and using a lower number 91, 90, 80, whatever.
>
> Sorry, I left out the part about running chkconfig after editing the
> script as described.

Update:
=======

OK - I'm a little confused now...

A kernel update has just been issued by Fedora - so a reboot of the server was required. Before doing so I changed the above init.d script to read:

# chkconfig: - 91 08

I re-ran chkconfig (chkconfig fail2ban on) and rebooted. This time F2B restarted itself fine on the reboot (success!), but on checking the log I found the same errors still present on shutdown!

2009-10-04 11:48:05,058 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2009-10-04 11:48:05,340 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2009-10-04 11:48:05,895 fail2ban.actions: WARNING [modsec] Unban 219.153.66.61
2009-10-04 11:48:05,923 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ModSec returned 100
2009-10-04 11:48:05,925 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-10-04 11:48:06,008 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-ModSec
iptables -F fail2ban-ModSec
iptables -X fail2ban-ModSec returned 100
2009-10-04 11:48:06,125 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 219.153.66.61 -j DROP returned 100
2009-10-04 11:48:06,128 fail2ban.actions: WARNING [modsec] Unban 92.240.68.152
2009-10-04 11:48:06,187 fail2ban.actions.action: ERROR iptables -D fail2ban-ModSec -s 92.240.68.152 -j DROP returned 100
2009-10-04 11:48:06,350 fail2ban.jail : INFO Jail 'modsec' stopped
2009-10-04 11:48:06,911 fail2ban.actions: WARNING [scriptkiddie] Unban 86.145.162.173
2009-10-04 11:48:06,938 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ScriptKiddie returned 100
2009-10-04 11:48:06,941 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-10-04 11:48:06,990 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-ScriptKiddie
iptables -F fail2ban-ScriptKiddie
iptables -X fail2ban-ScriptKiddie returned 100
2009-10-04 11:48:07,098 fail2ban.actions.action: ERROR iptables -D fail2ban-ScriptKiddie -s 86.145.162.173 -j DROP returned 100
2009-10-04 11:48:07,370 fail2ban.jail : INFO Jail 'scriptkiddie' stopped
2009-10-04 11:48:07,424 fail2ban.server : INFO Exiting Fail2ban
2009-10-04 12:07:59,441 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2009-10-04 12:07:59,454 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2009-10-04 12:07:59,496 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2009-10-04 12:07:59,980 fail2ban.filter : INFO Added logfile = /var/log/secure
2009-10-04 12:07:59,988 fail2ban.filter : INFO Set maxRetry = 5
2009-10-04 12:08:00,022 fail2ban.filter : INFO Set findtime = 600
2009-10-04 12:08:00,052 fail2ban.actions: INFO Set banTime = 600
2009-10-04 12:08:00,921 fail2ban.jail : INFO Creating new jail 'modsec'
2009-10-04 12:08:00,923 fail2ban.jail : INFO Jail 'modsec' uses Gamin
2009-10-04 12:08:00,957 fail2ban.filter : INFO Added logfile = /var/log/httpd/modsec_audit.log
2009-10-04 12:08:00,965 fail2ban.filter : INFO Set maxRetry = 1
2009-10-04 12:08:01,014 fail2ban.filter : INFO Set findtime = 600
2009-10-04 12:08:01,029 fail2ban.actions: INFO Set banTime = 1209600
2009-10-04 12:08:01,235 fail2ban.jail : INFO Creating new jail 'scriptkiddie'
2009-10-04 12:08:01,237 fail2ban.jail : INFO Jail 'scriptkiddie' uses Gamin
2009-10-04 12:08:01,254 fail2ban.filter : INFO Added logfile = /var/log/httpd/error_log
2009-10-04 12:08:01,274 fail2ban.filter : INFO Set maxRetry = 3
2009-10-04 12:08:01,322 fail2ban.filter : INFO Set findtime = 600
2009-10-04 12:08:01,340 fail2ban.actions: INFO Set banTime = 1209600
2009-10-04 12:08:01,719 fail2ban.jail : INFO Jail 'ssh-iptables' started
2009-10-04 12:08:01,793 fail2ban.jail : INFO Jail 'modsec' started
2009-10-04 12:08:01,880 fail2ban.jail : INFO Jail 'scriptkiddie' started

I guess I can live with this, but I'd still like to know what's causing the errors?

Thanks for all the help so far...

Mark
From: Michael G. <ge...@mg...> - 2009-10-04 11:58:18

> On Sat, 2009-09-26 at 16:35 -0500, René Berber wrote:
>> René Berber wrote:
>>
>>>> # chkconfig: - 92 08
>> ...
>>> You could change that order, by renaming the files (links) or editing
>>> the script and using a lower number 91, 90, 80, whatever.
>> Sorry, I left out the part about running chkconfig after editing the
>> script as described.
>
> Update:
> =======
>
> OK - I'm a little confused now...
>
> A kernel update has just been issued by Fedora - so a reboot of the
> server was required. Before doing so I changed the above init.d script
> to read:
> # chkconfig: - 91 08
>
> I re-ran chkconfig (chkconfig fail2ban on) and rebooted. This time F2B
> restarted itself fine on the reboot (success!), but on checking the log
> I found the same errors still present on shutdown!
>
> [...]
>
> I guess I can live with this, but I'd still like to know what's causing
> the errors?
>
> Thanks for all the help so far...
>
> Mark

Hi Mark,

try this patch: <http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046>

I had the same errors on startup ...

Greetings
Michael
From: Cyril J. <cyr...@fa...> - 2009-09-23 22:49:05

> 2009-09-19 09:19:25,241 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment

fail2ban has "actioncheck" which is executed before "actionban" and probably at some other points (I should check the code again). If the check fails, fail2ban tries to restore a sane environment by running "actionstop" and "actionstart". So even if another tool modifies the firewall rules (like flushing all the rules), fail2ban should be able to restore an initial setup.

I also strongly suspect that something flushed the rules on shutdown. fail2ban tries to unban some IPs but these are not there anymore.

Regards,
Cyril
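Editor's added example (not code from the thread or from fail2ban itself): a POSIX shell model of the check-and-restore sequence Cyril describes, run against a stub `iptables` that keeps each chain in a file so it works offline. The action commands are the ones visible in Mark's log for the multiport action (name ModSec, ports http,https); actionstart is reconstructed from fail2ban 0.8's iptables-multiport action (create the chain, append a RETURN, insert the jump from INPUT). The ban addresses are constructed documentation addresses, and fake_iptables, ban_with_invariant and run_scenario are names chosen here. It replays the log's situation: bans in place, an outside flush of every chain (what `service iptables stop` does), then an unban that fails because the rule is gone, an actioncheck that fails, an actionstop that fails noisily, and an actionstart that rebuilds the chain before the next ban lands.

```shell
#!/bin/sh
# Added example: fail2ban's actioncheck/actionstop/actionstart invariant,
# modelled against a stub iptables that stores chains as files under $FW.
FW=${FW:-}   # chain state directory; set by run_scenario (constructed)

# Emulates the iptables(8) subset the log shows: -N/-A/-I/-D/-F/-X and "-n -L".
# One file per chain, one rule per line. Non-zero exit where real iptables
# fails too: missing chain, missing rule, duplicate chain.
fake_iptables() {
  op=$1; shift
  case $op in
    -n) shift                                 # "-n -L <chain>": list rules
        [ -f "$FW/$1" ] && cat "$FW/$1" ;;
    -N) [ -f "$FW/$1" ] && return 1
        : > "$FW/$1" ;;
    -A) chain=$1; shift
        [ -f "$FW/$chain" ] || return 1
        printf '%s\n' "$*" >> "$FW/$chain" ;;
    -I) chain=$1; shift
        case $1 in [0-9]*) shift ;; esac      # optional rule number
        [ -f "$FW/$chain" ] || return 1
        { printf '%s\n' "$*"; cat "$FW/$chain"; } > "$FW/$chain.tmp"
        mv "$FW/$chain.tmp" "$FW/$chain" ;;
    -D) chain=$1; shift
        [ -f "$FW/$chain" ] && grep -Fxq -- "$*" "$FW/$chain" || return 1
        awk -v r="$*" '!d && $0 == r { d = 1; next } { print }' \
          "$FW/$chain" > "$FW/$chain.tmp"     # delete the first match only
        mv "$FW/$chain.tmp" "$FW/$chain" ;;
    -F) if [ $# -eq 0 ]; then for f in "$FW"/*; do : > "$f"; done
        else [ -f "$FW/$1" ] || return 1; : > "$FW/$1"; fi ;;
    -X) if [ $# -eq 0 ]; then
          for f in "$FW"/*; do [ "$(basename "$f")" = INPUT ] || rm -f "$f"; done
        else [ -f "$FW/$1" ] || return 1; rm -f "$FW/$1"; fi ;;
    *)  return 2 ;;
  esac
}

# The multiport action from Mark's log with <name>=ModSec, <port>=http,https.
NAME=ModSec
PORTS=http,https
actionstart() { fake_iptables -N "fail2ban-$NAME" &&
                fake_iptables -A "fail2ban-$NAME" -j RETURN &&
                fake_iptables -I INPUT -p tcp -m multiport --dports "$PORTS" -j "fail2ban-$NAME"; }
actionstop()  { fake_iptables -D INPUT -p tcp -m multiport --dports "$PORTS" -j "fail2ban-$NAME"
                fake_iptables -F "fail2ban-$NAME"
                fake_iptables -X "fail2ban-$NAME"; }
actioncheck() { fake_iptables -n -L INPUT | grep -q "fail2ban-$NAME"; }
actionban()   { fake_iptables -I "fail2ban-$NAME" 1 -s "$1" -j DROP; }
actionunban() { fake_iptables -D "fail2ban-$NAME" -s "$1" -j DROP; }

RESTORES=0
# fail2ban's sequence around a ban: actioncheck first; if it fails, restore
# with actionstop + actionstart (the "Invariant check failed" path), then ban.
ban_with_invariant() {
  if ! actioncheck; then
    echo "invariant check failed for fail2ban-$NAME, restoring" >&2
    actionstop || true          # expected to fail: the chain is already gone
    actionstart || return 1
    RESTORES=$((RESTORES + 1))
  fi
  actionban "$1"
}

# Replays the thread: ban, outside flush, unban (fails), ban again (restores).
# Prints a one-line summary of the counts a reader would want to check.
run_scenario() {
  FW=$(mktemp -d); : > "$FW/INPUT"; RESTORES=0
  actionstart || return 1
  ban_with_invariant 192.0.2.10 || return 1     # check passes, ban applied
  fake_iptables -F; fake_iptables -X             # what "service iptables stop" does
  if actionunban 192.0.2.10; then unban_rc=0; else unban_rc=1; fi   # rule is gone
  ban_with_invariant 192.0.2.11 || return 1     # check fails -> restore -> ban
  printf 'restores=%s unban_rc=%s chain_rules=%s input_rules=%s\n' \
    "$RESTORES" "$unban_rc" \
    "$(grep -c '' "$FW/fail2ban-$NAME")" "$(grep -c '' "$FW/INPUT")"
  rm -rf "$FW"
}

run_scenario
```

The summary line shows one restore, a failed unban (the "-D ... returned 100" lines in the log), and a rebuilt chain holding the RETURN plus the new DROP. Those errors are therefore cosmetic as long as nothing else flushes the rules while fail2ban is running; on shutdown the fix is ordering, on a live system the fix is finding what flushed the chains.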