Hi!

I have a server running CentOS 7.7 (1908) with all current patches installed. I think this server should be a quite standard installation with no specialities.

On this server I have fail2ban with an apache and openvpn configuration. I'm using firewalld to manage the firewall rules. Fail2ban is configured to use firewalld:

[root@server ~]# ll /etc/fail2ban/jail.d/
insgesamt 12
-rw-r--r--. 1 root root 356 21. Jan 05:12 00-firewalld.conf
-rw-r--r--. 1 root root 610 15. Nov 19:55 apache.local
-rw-r--r--. 1 root root 115 15. Nov 19:10 openvpn.local

[root@server ~]# cat /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]

A few days ago I noticed that on restart firewalld complains about a missing ipset:

[root@server ~]# systemctl restart firewalld
[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Do 2020-04-09 09:25:28 CEST; 5s ago
     Docs: man:firewalld(1)
 Main PID: 8324 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─8324 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 09 09:25:28 server.my.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 09 09:25:28 server.my.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist. Error occurred at line: 2...
Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist. Error occurred at line: 2...
Hint: Some lines were ellipsized, use -l to show in full.

Indeed there is no ipset named "f2b-apache", there is no set configured at all:

[root@server ~]# ipset list

There is no error when restarting fail2ban:

[root@server ~]# systemctl restart fail2ban
[root@server ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Do 2020-04-09 09:26:13 CEST; 4s ago
     Docs: man:fail2ban(1)
  Process: 8539 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 8543 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 8545 (f2b/server)
   CGroup: /system.slice/fail2ban.service
           └─8545 /usr/bin/python -s /usr/bin/fail2ban-server -xf start

Apr 09 09:26:13 server.my.domain systemd[1]: Stopped Fail2Ban Service.
Apr 09 09:26:13 server.my.domain systemd[1]: Starting Fail2Ban Service...
Apr 09 09:26:13 server.my.domain systemd[1]: Started Fail2Ban Service.
Apr 09 09:26:13 server.my.domain fail2ban-server[8545]: Server ready

Fail2ban seems to be running fine:

[root@server ~]# fail2ban-client status
Status
|- Number of jail:      6
`- Jail list:   apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, openvpn

No errors logged in fail2ban.log on restart:

[...]
2020-04-09 09:26:13,773 fail2ban.server [8545]: INFO Starting Fail2ban v0.10.5
2020-04-09 09:26:13,799 fail2ban.database [8545]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-04-09 09:26:13,801 fail2ban.jail [8545]: INFO Creating new jail 'apache-badbots'
2020-04-09 09:26:13,805 fail2ban.jail [8545]: INFO Jail 'apache-badbots' uses poller {}
2020-04-09 09:26:13,805 fail2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO maxRetry: 1
2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,839 fail2ban.actions [8545]: INFO banTime: 172800
2020-04-09 09:26:13,839 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,841 fail2ban.jail [8545]: INFO Creating new jail 'apache-noscript'
2020-04-09 09:26:13,843 fail2ban.jail [8545]: INFO Jail 'apache-noscript' uses poller {}
2020-04-09 09:26:13,843 fail2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,851 fail2ban.filter [8545]: INFO maxRetry: 3
2020-04-09 09:26:13,851 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,851 fail2ban.actions [8545]: INFO banTime: 10800
2020-04-09 09:26:13,852 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,853 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,854 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,855 fail2ban.jail [8545]: INFO Creating new jail 'apache-overflows'
2020-04-09 09:26:13,857 fail2ban.jail [8545]: INFO Jail 'apache-overflows' uses poller {}
2020-04-09 09:26:13,857 fail2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,863 fail2ban.filter [8545]: INFO maxRetry: 2
2020-04-09 09:26:13,863 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,864 fail2ban.actions [8545]: INFO banTime: 10800
2020-04-09 09:26:13,864 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,865 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,865 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,866 fail2ban.jail [8545]: INFO Creating new jail 'apache-nohome'
2020-04-09 09:26:13,867 fail2ban.jail [8545]: INFO Jail 'apache-nohome' uses poller {}
2020-04-09 09:26:13,868 fail2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,872 fail2ban.filter [8545]: INFO maxRetry: 2
2020-04-09 09:26:13,873 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,873 fail2ban.actions [8545]: INFO banTime: 10800
2020-04-09 09:26:13,873 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,874 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,875 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,876 fail2ban.jail [8545]: INFO Creating new jail 'apache'
2020-04-09 09:26:13,878 fail2ban.jail [8545]: INFO Jail 'apache' uses poller {}
2020-04-09 09:26:13,879 fail2ban.jail [8545]: INFO Initiated 'polling' backend
2020-04-09 09:26:13,898 fail2ban.filter [8545]: INFO maxRetry: 3
2020-04-09 09:26:13,899 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,899 fail2ban.actions [8545]: INFO banTime: 10800
2020-04-09 09:26:13,900 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,900 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,901 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,902 fail2ban.jail [8545]: INFO Creating new jail 'openvpn'
2020-04-09 09:26:13,931 fail2ban.jail [8545]: INFO Jail 'openvpn' uses systemd {}
2020-04-09 09:26:13,932 fail2ban.jail [8545]: INFO Initiated 'systemd' backend
2020-04-09 09:26:13,944 fail2ban.filtersystemd [8545]: INFO [openvpn] Added journal match for: '_SYSTEMD_UNIT=openvpn-server@xss.service + _COMM=openvpn'
2020-04-09 09:26:13,944 fail2ban.actions [8545]: INFO banTime: 10800
2020-04-09 09:26:13,944 fail2ban.filter [8545]: INFO maxRetry: 2
2020-04-09 09:26:13,944 fail2ban.filter [8545]: INFO encoding: UTF-8
2020-04-09 09:26:13,945 fail2ban.filter [8545]: INFO findtime: 3600
2020-04-09 09:26:13,949 fail2ban.jail [8545]: INFO Jail 'apache-badbots' started
2020-04-09 09:26:13,952 fail2ban.jail [8545]: INFO Jail 'apache-noscript' started
2020-04-09 09:26:13,954 fail2ban.jail [8545]: INFO Jail 'apache-overflows' started
2020-04-09 09:26:13,956 fail2ban.jail [8545]: INFO Jail 'apache-nohome' started
2020-04-09 09:26:13,961 fail2ban.jail [8545]: INFO Jail 'apache' started
2020-04-09 09:26:13,964 fail2ban.jail [8545]: INFO Jail 'openvpn' started
[...]

BUT: SELinux complains about fail2ban:

type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

So it seems somehow fail2ban does not add the required ip sets correctly. From what I see in the firewalld logfile it seems these problems started after the last updates on April 2nd.

On this day I did a "yum update" which executed without errors and installed:

augeas-libs-1.4.0-9.el7_7.1.x86_64 Do 02 Apr 2020 20:14:27 CEST
restic-0.9.6-1.el7.x86_64 Do 02 Apr 2020 20:14:25 CEST
python-perf-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:14:23 CEST
python3-pip-9.0.3-7.el7_7.noarch Do 02 Apr 2020 20:14:23 CEST
borgbackup-1.1.11-1.el7.x86_64 Do 02 Apr 2020 20:14:19 CEST
libgudev1-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:14:18 CEST
kernel-tools-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:14:16 CEST
pcp-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:14:01 CEST
kernel-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:13:44 CEST
systemd-python-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:27 CEST
systemd-sysv-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:26 CEST
rsyslog-8.24.0-41.el7_7.4.x86_64 Do 02 Apr 2020 20:13:26 CEST
python2-certbot-apache-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:25 CEST
sssd-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:24 CEST
firewalld-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:13:24 CEST
sssd-proxy-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:23 CEST
sssd-krb5-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:23 CEST
sssd-ldap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST
sssd-ipa-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST
sssd-ad-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST
sssd-krb5-common-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:21 CEST
sssd-common-pac-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:21 CEST
sssd-common-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:20 CEST
http-parser-2.7.1-8.el7_7.2.x86_64 Do 02 Apr 2020 20:13:19 CEST
python-firewall-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:13:18 CEST
certbot-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:11 CEST
python2-certbot-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:10 CEST
python2-acme-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:09 CEST
python-requests-2.6.0-9.el7_7.noarch Do 02 Apr 2020 20:13:08 CEST
systemd-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:05 CEST
kmod-20-25.el7_7.1.x86_64 Do 02 Apr 2020 20:13:02 CEST
binutils-2.27-41.base.el7_7.3.x86_64 Do 02 Apr 2020 20:13:00 CEST
pcp-selinux-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:48 CEST
libsss_autofs-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:47 CEST
kernel-tools-libs-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:12:46 CEST
python-sssdconfig-1.16.4-21.el7_7.3.noarch Do 02 Apr 2020 20:12:45 CEST
libsss_sudo-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:45 CEST
firewalld-filesystem-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:12:44 CEST
sssd-client-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:43 CEST
libsss_nss_idmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:42 CEST
libipa_hbac-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:42 CEST
pcp-libs-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:41 CEST
pcp-conf-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:41 CEST
kmod-libs-20-25.el7_7.1.x86_64 Do 02 Apr 2020 20:12:40 CEST
libsss_idmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:39 CEST
libsss_certmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:33 CEST
systemd-libs-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:12:32 CEST

The firewalld errors start exactly after the updates were installed. Does anyone else see similar problems since the last updates? I googled and found some older postings, but nothing matching the problems I see exactly.

I have other CentOS 7 servers with fail2ban and firewalld which should be updated soon, but before I do this I first want to solve this issue.

Any idea?

Thanks!

- andreas

--
Andreas Haumer                     | mailto:andreas@xxxxxxxxx
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71
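A consistency check added here as an example (not part of the post above): it derives the set names fail2ban's firewallcmd-ipset action uses (f2b-<jail>) from the jail list and from firewalld's direct rules, and reports those that are absent from `ipset list -n`, which is exactly the state behind the "Set f2b-apache doesn't exist" error. Function names and the three SAMPLE_* command outputs are constructed for this example; on a live CentOS 7 host it can be run with --live.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: list the ipsets that fail2ban's
# firewallcmd-ipset action needs (f2b-<jail>) or that firewalld direct rules
# reference, but which are absent from `ipset list -n`. That gap is what makes
# iptables-restore fail with "Set f2b-apache doesn't exist" on firewalld restart.
# Function names and the three SAMPLE_* outputs are constructed for this example.

SAMPLE_STATUS='Status
|- Number of jail: 6
`- Jail list: apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, openvpn'

# shape of `firewall-cmd --direct --get-all-rules` after firewallcmd-ipset ran
SAMPLE_RULES='ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set f2b-apache src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p udp -m multiport --dports openvpn -m set --match-set f2b-openvpn src -j REJECT --reject-with icmp-port-unreachable'

# `ipset list -n`: only the openvpn set exists, the apache set is gone
SAMPLE_IPSETS='f2b-openvpn'

# f2b-<jail> for every jail listed in `fail2ban-client status` output ($1)
jail_sets() {
    printf '%s\n' "$1" | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d;s/^/f2b-/'
}

# set names referenced by "-m set --match-set NAME" in direct rules ($1)
referenced_sets() {
    printf '%s\n' "$1" | sed -n 's/.*--match-set[[:space:]]*\([^ ]*\).*/\1/p' | sort -u
}

# every expected set ($1, one per line) that is missing from `ipset list -n` ($2)
missing_sets() {
    printf '%s\n' "$1" | while IFS= read -r s; do
        [ -n "$s" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$s" || printf '%s\n' "$s"
    done
}

# live check on a real host; returns 1 and prints the names if anything is missing
check_live() {
    command -v firewall-cmd >/dev/null 2>&1 && command -v ipset >/dev/null 2>&1 \
        || { echo "firewall-cmd and ipset are required" >&2; return 2; }
    expected=$(printf '%s\n%s\n' "$(jail_sets "$(fail2ban-client status)")" \
        "$(referenced_sets "$(firewall-cmd --direct --get-all-rules)")" | sort -u)
    out=$(missing_sets "$expected" "$(ipset list -n)")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```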
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos