Hello,
  fail2ban 0.10.3
  linux 4.12.14-lp150.12.7-default x86_64

  Fail2ban went unsane today. See the log sample below; there were many
more of those in the log file.
  Restarting fail2ban cleared the mess.
  I cannot decide if this is a fail2ban or iptables failure.

----[ sample error block ]----
2018-08-13 03:18:19,016 fail2ban.actions        [27944]: NOTICE
[suricata] Unban 106.198.116.73
2018-08-13 03:18:19,036 fail2ban.utils          [27944]: Level 39
7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
2018-08-13 03:18:19,037 fail2ban.utils          [27944]: ERROR
7f0b0406f510 -- returned 1
2018-08-13 03:18:19,038 fail2ban.CommandAction  [27944]: ERROR
Invariant check failed. Trying to restore a sane environment
2018-08-13 03:18:19,052 fail2ban.utils          [27944]: Level 39
7f0b040792d0 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports
smtp -j f2b-suricata
iptables -w -F f2b-suricata
iptables -w -X f2b-suricata
2018-08-13 03:18:19,052 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- stderr: "iptables v1.6.2: Couldn't load target
`f2b-suricata':No such file or directory"
2018-08-13 03:18:19,052 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- stderr: ''
2018-08-13 03:18:19,053 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- stderr: "Try `iptables -h' or 'iptables --help' for more
information."
2018-08-13 03:18:19,053 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- stderr: 'iptables: No chain/target/match by that name.'
2018-08-13 03:18:19,053 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- stderr: 'iptables: No chain/target/match by that name.'
2018-08-13 03:18:19,053 fail2ban.utils          [27944]: ERROR
7f0b040792d0 -- returned 1
2018-08-13 03:18:19,064 fail2ban.utils          [27944]: Level 39
7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
2018-08-13 03:18:19,064 fail2ban.utils          [27944]: ERROR
7f0b0406f510 -- returned 1
2018-08-13 03:18:19,065 fail2ban.CommandAction  [27944]: CRITICAL Unable
to restore environment
2018-08-13 03:18:19,065 fail2ban.actions        [27944]: ERROR   Failed
to execute unban jail 'suricata' action 'iptables-multiport' info
'ActionInfo({'ipfailures': 1, 'ip-rev': '73.116.198.106.', 'family':
'inet4', 'ipmatches': '08/06/2018-03:18:18.891064  [Drop] [**]
[1:2220008:1] SURICATA SMTP data command rejected [**] [Classification:
Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.246:25
-> 106.198.116.73:16769', 'matches': '08/06/2018-03:18:18.891064  [Drop]
[**] [1:2220008:1] SURICATA SMTP data command rejected [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
192.168.69.246:25 -> 106.198.116.73:16769', 'ip': '106.198.116.73',
'ipjailmatches': '08/06/2018-03:18:18.891064  [Drop] [**] [1:2220008:1]
SURICATA SMTP data command rejected [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.246:25 ->
106.198.116.73:16769', 'ipjailfailures': 1, 'F-*': {'matches': [['',
'08/06/2018-03:18:18', '.891064  [Drop] [**] [1:2220008:1] SURICATA SMTP
data command rejected [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 192.168.69.246:25 ->
106.198.116.73:16769']], 'failures': 1, 'ip4': '106.198.116.73'}, 'fid':
'106.198.116.73', 'time': 1533836081.667342, 'failures': 1, 'restored':
1, 'ip-host': None})': Error unbanning 106.198.116.73
----[ end ]----


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
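
An added example, not part of the original post and not fail2ban's own code: a small Python triage script that scans a fail2ban.log for the failure sequence shown in the post and reports, per iptables chain, when the invariant check first failed, whether the restore attempt failed, and which unbans were lost. The sample input is constructed from the post's excerpt (lines unwrapped, the ActionInfo dump shortened); `triage` and the regex names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the post's log lines unwrapped as fail2ban.log would hold
# them, with the long ActionInfo dump shortened to "...".
SAMPLE = r"""
2018-08-13 03:18:19,016 fail2ban.actions        [27944]: NOTICE  [suricata] Unban 106.198.116.73
2018-08-13 03:18:19,036 fail2ban.utils          [27944]: Level 39 7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
2018-08-13 03:18:19,037 fail2ban.utils          [27944]: ERROR   7f0b0406f510 -- returned 1
2018-08-13 03:18:19,038 fail2ban.CommandAction  [27944]: ERROR   Invariant check failed. Trying to restore a sane environment
2018-08-13 03:18:19,052 fail2ban.utils          [27944]: Level 39 7f0b040792d0 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports smtp -j f2b-suricata
iptables -w -F f2b-suricata
iptables -w -X f2b-suricata
2018-08-13 03:18:19,053 fail2ban.utils          [27944]: ERROR   7f0b040792d0 -- stderr: 'iptables: No chain/target/match by that name.'
2018-08-13 03:18:19,065 fail2ban.CommandAction  [27944]: CRITICAL Unable to restore environment
2018-08-13 03:18:19,065 fail2ban.actions        [27944]: ERROR   Failed to execute unban jail 'suricata' action 'iptables-multiport' info 'ActionInfo({...})': Error unbanning 106.198.116.73
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.\S+\s+\[\d+\]: (.*)$")
CHAIN = re.compile(r"\b(f2b-[\w.-]+)")
UNBAN = re.compile(r"Failed to execute unban jail '([^']+)' action '([^']+)'.*Error unbanning (\S+)$")

def triage(text):
    """Group invariant-check failures by the chain named in the preceding exec line."""
    report = defaultdict(lambda: {"first": None, "invariant_failures": 0,
                                  "restore_failed": False, "failed_unbans": []})
    chain = "unknown"  # used until an exec line names a chain
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # blank line or continuation of a multi-line exec
            continue
        ts, msg = m.groups()
        if "-- exec:" in msg:
            c = CHAIN.search(msg)
            chain = c.group(1) if c else chain
        elif "Invariant check failed" in msg:
            entry = report[chain]
            entry["invariant_failures"] += 1
            entry["first"] = entry["first"] or ts  # keep the earliest timestamp
        elif "Unable to restore environment" in msg:
            report[chain]["restore_failed"] = True
        elif (u := UNBAN.search(msg)):
            report[chain]["failed_unbans"].append(u.groups())  # (jail, action, ip)
    return dict(report)

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info)
```

The earliest `first` timestamp per chain is the point to compare against other firewall changes on the host (a firewall service reload or a manual flush) when deciding whether the chain was removed outside fail2ban.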

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users