Nick Howitt wrote: Are your other systems using the same or similar version of f2b? I know I had to make an adjustment to one of my jails with 0.11.1.
I believe none of my other systems are running this version, I will need to check tomorrow.
Also why are you running a custom action? Won't iptables-ipset-proto6-allports.conf do?
Because I am running a custom action after each ban.
Nick Howitt wrote: I was after how the jail is defined (checking any .local files which may be in the hierarchy), but I guess the full action definition would be a good idea.
Instead of uploading the files I will just link to them
jail file = https://github.com/srulikuk/c-f2b/blob/master/etc_files/fail2ban/jail.d/central.local
filter files = https://github.com/srulikuk/c-f2b/tree/master/etc_files/fail2ban/filter.d (ignore the example file)
action files = https://github.com/srulikuk/c-f2b/tree/master/etc_files/fail2ban/action.d
I have these configs working on 10+ machines (not ClearOS) and they are working fine, and as I noted these used to work fine on ClearOS before the last update.
As ClearOS does not change anything I guess it will be up to fail2ban to debug this.
Many thanks for your help Nick,
Nick Howitt wrote: I had an issue with one of my custom jails as well but I cannot remember what it was. What is your full jail definition? Don't you put your bantime in your jail?
What do you mean by full definition? You want the full action conf file?
I do put my bantime in the jail but I also put it in my ipset (IIRC fail2ban did not support the length I required).
I do, however, find the hierarchical way parameters can be defined can be confusing and very hard to follow. One thing odd in your log is that at one end of one error line you have a ` and at the other end a '.
The backtick / single quote seems to be from the sh error output (seen it many times in different bash errors)
I am posting a copy of the issue I just posted in GitHub fail2ban but it seems that the issue started with the last ClearOS update https://github.com/fail2ban/fail2ban/issues/2869
Fail2Ban v0.11.1 on ClearOS
It seems that action files stopped supporting "<bantime>" with this update. I just checked my f2b logs and it hasn't been working for the past few months, I have millions of errors on my log files like
my action file contains
Replacing `<bantime>` with the actual bantime in seconds seems to work.
the action is specified in my jail as follows
Thanks for that, adding the IPv4 block was important, I was wondering why the rules were added twice. Thanks.
(The script I run does not have static IP rules, instead it extracts all open ports from iptables and creates a rule to log all traffic excluding those open ports so I cannot use the ClearOS IPv4 block.
Here is the script I run https://github.com/srulikuk/c-f2b/blob/master/iptables/rules.sh)
I execute a script that adds an iptables logging rule for port-probing. To run it after each firewall restart I added the path to the script at the end of /etc/clearos/firewall.d/90-attack-detector. This worked fine but I noticed recently that these rules are no longer being added to iptables; it seems that 90-attack-detector might have been updated and therefore my path removed.
Where can I add a script to execute on each FW restart? Does /etc/clearos/firewall.d/local get updated or is that safe?
(Also, I need the script to run after 90-attack-detector.)