Community Forum

Resolved
0 votes
Wanted to check if any one else is having this issue, I am working on enhancing my mail gateway fail2ban jail scripts and encountered an issue with a rule missing. I do not think it is related to my changes but you never know.

I boot my server, I have 6 jail configuration.

[root@mail ~]# fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: cyrus-imap-services210, postfix-sasl, postfix-sasl-services210, sogo-auth, sshd, sshd-ddos
[root@mail ~]#


Output of iptables: (notice: --match-set f2b-sshd missing)

[root@mail ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 220,993 -m set --match-set f2b-cyrus-imap-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-sogo-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
...


I reload: fail2ban-client
Output of iptables: (notice: --match-set f2b-sshd can now be found)

[root@mail ~]# /usr/bin/fail2ban-client reload
[root@mail ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 220,993 -m set --match-set f2b-cyrus-imap-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-sogo-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
...


It appears to me that this occurs when we use the fail2ban action: iptables-ipset-proto6-allports in multiple jail activities such as: clearos-sshd.conf & clearos-sshd-ddos.conf

Anyone else noticed this problem?
Wednesday, September 13 2017, 07:06 PM
Share this post:

Accepted Answer

Wednesday, September 13 2017, 08:42 PM - #Permalink
Resolved
0 votes
My bug is 9541. It is not the initial bug but down towards the bottomof the report where a bad update has messed up the rules.

I've fired up my test box and I think I am getting the same issue as you and you can see it in the fail2ban log. At a guess it is a race condition where on first run, fail2ban (the underlying package) modprobes ip_set then creates its sets, but it is trying to create the first set before ip_set has loaded. Try creating a file /etc/sysconfig/modules/ip_set.modules and in it put:
modprobe ip_set
Give it root executable permissions then reboot. This will force ip_set to load much earlier in the boot process. If this works, please post back and I'll file a bug. The bug would really be a fail2ban bug but it should be easy for ClearOS to drop a configlet into /etc/sysconfig/modules as part of app-attack-detector.
The reply is currently minimized Show
Responses (4)
  • Accepted Answer

    Wednesday, September 13 2017, 09:07 PM - #Permalink
    Resolved
    0 votes
    Oops my bad, I double checked my change and found a typo. It is working :D :D Thanks a million
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, September 13 2017, 09:03 PM - #Permalink
    Resolved
    0 votes
    Nick, I did the change but sorry not working the ip_set is still not showing after booting. I agree with you, I also suspect a racing condition but not able to pin point a solution.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, September 13 2017, 08:16 PM - #Permalink
    Resolved
    0 votes
    Hello Nick,

    As requested:

    content of: clearos-sshd.conf
    # This file is controlled by the ClearOS API, please do not edit!
    # If you would like to customize parameters, add a new configlet file.
    [sshd]
    enabled = true
    bantime = 86400
    action = iptables-ipset-proto6-allports[name=sshd]


    content of: clearos-sshd-ddos.conf
    # This file is controlled by the ClearOS API, please do not edit!
    # If you would like to customize parameters, add a new configlet file.
    [sshd-ddos]
    enabled = true
    bantime = 86400
    action = iptables-ipset-proto6-allports[name=sshd-ddos]


    Straight after boot up, result of "lsmod | grep ip_set":
    [root@mail ~]# lsmod | grep ip_set
    ip_set_hash_ip 27260 5
    ip_set 36439 2 ip_set_hash_ip,xt_set
    nfnetlink 14696 1 ip_set


    Straight after /usr/bin/fail2ban-client reload, result of "lsmod | grep ip_set":
    [root@mail ~]# lsmod | grep ip_set
    ip_set_hash_ip 27260 6
    ip_set 36439 2 ip_set_hash_ip,xt_set
    nfnetlink 14696 1 ip_set
    [root@mail ~]#


    I think the bug you are referring to was that both the above jails actions where identified by the same name in the configuration. This would mess up the iptables: [name=sshd] but also note that they where using a different action at the time: iptables-allports[name=sshd] this was replaced by: iptables-ipset-proto6-allports[...]
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, September 13 2017, 07:26 PM - #Permalink
    Resolved
    0 votes
    Can you give the contents of /etc/fail2ban/jail.d/clearos-sshd.conf and /etc/fail2ban/jail.d/clearos-sshd-dos.conf. There is a bug if you had app-attack-detector installed before mid-May and I am suspecting another one which I need to investigate. Straight after you boot up, what the the result of "lsmod | grep ip_set"?
    The reply is currently minimized Show
Your Reply