Wanted to check if anyone else is having this issue. I am working on enhancing my mail gateway fail2ban jail scripts and encountered an issue with a rule missing. I do not think it is related to my changes but you never know.
I boot my server; I have 6 jail configurations.
[root@mail ~]# fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: cyrus-imap-services210, postfix-sasl, postfix-sasl-services210, sogo-auth, sshd, sshd-ddos
[root@mail ~]#
Output of iptables: (notice: --match-set f2b-sshd missing)
[root@mail ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 220,993 -m set --match-set f2b-cyrus-imap-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-sogo-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
...
I reload: fail2ban-client
Output of iptables: (notice: --match-set f2b-sshd can now be found)
[root@mail ~]# /usr/bin/fail2ban-client reload
[root@mail ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 220,993 -m set --match-set f2b-cyrus-imap-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-sogo-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
...
It appears to me that this occurs when we use the fail2ban action: iptables-ipset-proto6-allports in multiple jail activities such as: clearos-sshd.conf & clearos-sshd-ddos.conf
Anyone else noticed this problem?
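The check behind the two iptables listings above can be automated: list the jails fail2ban reports, list the f2b-* ipsets that iptables -S actually references, and report any jail whose set has no rule. The script below is an added example, not code from the original post or from ClearOS or fail2ban. It assumes the ClearOS convention visible in this thread, that the iptables-ipset-proto6-allports action names its set "f2b-" followed by the jail name (the PREFIX constant); if a jail sets a different name= parameter the mapping would have to be adjusted. The sample status and iptables text embedded below is constructed from the outputs in this post so the script runs offline; when run as a program it calls the real fail2ban-client and iptables instead.

```python
"""Cross-check fail2ban jails against the iptables rules that reference their ipsets.

Added example; assumes ipsets are named PREFIX + jail name (ClearOS convention).
"""
import re
import subprocess
from typing import Dict, List

PREFIX = "f2b-"  # assumption: set name = PREFIX + jail name
JAIL_LIST_RE = re.compile(r"Jail list:\s*(.*)")
MATCH_SET_RE = re.compile(r"--match-set\s+(f2b-\S+)\s+src")

# Constructed sample input, taken from the listings in the post above.
SAMPLE_STATUS = """Status
|- Number of jail: 6
`- Jail list: cyrus-imap-services210, postfix-sasl, postfix-sasl-services210, sogo-auth, sshd, sshd-ddos
"""

SAMPLE_IPTABLES_BEFORE_RELOAD = """-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 220,993 -m set --match-set f2b-cyrus-imap-services210 src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -m set --match-set f2b-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set f2b-sogo-auth src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
"""

# Same listing after `fail2ban-client reload`: the f2b-sshd rule is now present.
SAMPLE_IPTABLES_AFTER_RELOAD = SAMPLE_IPTABLES_BEFORE_RELOAD.replace(
    "-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable\n",
    "-A INPUT -m set --match-set f2b-sshd-ddos src -j REJECT --reject-with icmp-port-unreachable\n"
    "-A INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable\n",
)


def parse_jails(status_output: str) -> List[str]:
    """Return the jail names from `fail2ban-client status` output."""
    for line in status_output.splitlines():
        m = JAIL_LIST_RE.search(line)
        if m:
            return [j.strip() for j in m.group(1).split(",") if j.strip()]
    return []


def parse_match_sets(iptables_output: str) -> Dict[str, str]:
    """Map each f2b-* ipset referenced by a rule in `iptables -S` to that rule."""
    sets: Dict[str, str] = {}
    for line in iptables_output.splitlines():
        m = MATCH_SET_RE.search(line)
        if m:
            sets[m.group(1)] = line.strip()
    return sets


def missing_jail_rules(status_output: str, iptables_output: str) -> List[str]:
    """Jails that fail2ban considers active but whose ipset no iptables rule references.

    A non-empty result is the symptom from the post: the jail bans IPs into a set
    that the firewall never consults, so those bans have no effect.
    """
    present = parse_match_sets(iptables_output)
    return [j for j in parse_jails(status_output) if PREFIX + j not in present]


def live_check() -> List[str]:
    """Run the real commands (needs root) and return jails with missing rules."""
    status = subprocess.run(["fail2ban-client", "status"], check=True,
                            capture_output=True, text=True).stdout
    rules = subprocess.run(["iptables", "-S"], check=True,
                           capture_output=True, text=True).stdout
    return missing_jail_rules(status, rules)


if __name__ == "__main__":
    for jail in live_check():
        print(f"jail {jail!r} is active but no rule references set {PREFIX + jail}")
```

Run it once after boot and once after `fail2ban-client reload`; an empty list only after the reload reproduces the symptom from the post. Because the check reads the live rule table, it also catches the quieter failure where a set is created but its rule is silently dropped by a later firewall restart.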
Accepted Answer
My bug is 9541. It is not the initial bug but down towards the bottom of the report where a bad update has messed up the rules.
I've fired up my test box and I think I am getting the same issue as you and you can see it in the fail2ban log. At a guess it is a race condition where on first run, fail2ban (the underlying package) modprobes ip_set then creates its sets, but it is trying to create the first set before ip_set has loaded. Try creating a file /etc/sysconfig/modules/ip_set.modules and in it put:
modprobe ip_set
Give it root executable permissions then reboot. This will force ip_set to load much earlier in the boot process. If this works, please post back and I'll file a bug. The bug would really be a fail2ban bug but it should be easy for ClearOS to drop a configlet into /etc/sysconfig/modules as part of app-attack-detector.
Hello Nick,
As requested:
content of: clearos-sshd.conf
# This file is controlled by the ClearOS API, please do not edit!
# If you would like to customize parameters, add a new configlet file.
[sshd]
enabled = true
bantime = 86400
action = iptables-ipset-proto6-allports[name=sshd]
content of: clearos-sshd-ddos.conf
# This file is controlled by the ClearOS API, please do not edit!
# If you would like to customize parameters, add a new configlet file.
[sshd-ddos]
enabled = true
bantime = 86400
action = iptables-ipset-proto6-allports[name=sshd-ddos]
Straight after boot up, result of "lsmod | grep ip_set":
[root@mail ~]# lsmod | grep ip_set
ip_set_hash_ip 27260 5
ip_set 36439 2 ip_set_hash_ip,xt_set
nfnetlink 14696 1 ip_set
Straight after /usr/bin/fail2ban-client reload, result of "lsmod | grep ip_set":
[root@mail ~]# lsmod | grep ip_set
ip_set_hash_ip 27260 6
ip_set 36439 2 ip_set_hash_ip,xt_set
nfnetlink 14696 1 ip_set
[root@mail ~]#
I think the bug you are referring to was that both the above jails' actions were identified by the same name in the configuration. This would mess up the iptables: [name=sshd]. But also note that they were using a different action at the time: iptables-allports[name=sshd]; this was replaced by: iptables-ipset-proto6-allports[...]
Accepted Answer
Can you give the contents of /etc/fail2ban/jail.d/clearos-sshd.conf and /etc/fail2ban/jail.d/clearos-sshd-dos.conf? There is a bug if you had app-attack-detector installed before mid-May and I am suspecting another one which I need to investigate. Straight after you boot up, what is the result of "lsmod | grep ip_set"?