On Mon, 13 Aug 2018 at 20:26, James Moe via Fail2ban-users <
[email protected]> wrote:
> Hello,
> fail2ban 0.10.3
> linux 4.12.14-lp150.12.7-default x86_64
>
> Fail2ban went unsane today. See the log sample below; there were many
> more of those in the log file.
> Restarting fail2ban cleared the mess.
> I cannot decide if this is a fail2ban or iptables failure.
>
> ----[ sample error block ]----
> 2018-08-13 03:18:19,016 fail2ban.actions [27944]: NOTICE
> [suricata] Unban 106.198.116.73
> 2018-08-13 03:18:19,036 fail2ban.utils [27944]: Level 39
> 7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
> 2018-08-13 03:18:19,037 fail2ban.utils [27944]: ERROR
> 7f0b0406f510 -- returned 1
> 2018-08-13 03:18:19,038 fail2ban.CommandAction [27944]: ERROR
> Invariant check failed. Trying to restore a sane environment
> 2018-08-13 03:18:19,052 fail2ban.utils [27944]: Level 39
> 7f0b040792d0 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports
> smtp -j f2b-suricata
> iptables -w -F f2b-suricata
> iptables -w -X f2b-suricata
> 2018-08-13 03:18:19,052 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- stderr: "iptables v1.6.2: Couldn't load target
> `f2b-suricata':No such file or directory"
> 2018-08-13 03:18:19,052 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- stderr: ''
> 2018-08-13 03:18:19,053 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- stderr: "Try `iptables -h' or 'iptables --help' for more
> information."
> 2018-08-13 03:18:19,053 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- stderr: 'iptables: No chain/target/match by that name.'
> 2018-08-13 03:18:19,053 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- stderr: 'iptables: No chain/target/match by that name.'
> 2018-08-13 03:18:19,053 fail2ban.utils [27944]: ERROR
> 7f0b040792d0 -- returned 1
> 2018-08-13 03:18:19,064 fail2ban.utils [27944]: Level 39
> 7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
> 2018-08-13 03:18:19,064 fail2ban.utils [27944]: ERROR
> 7f0b0406f510 -- returned 1
> 2018-08-13 03:18:19,065 fail2ban.CommandAction [27944]: CRITICAL Unable
> to restore environment
> 2018-08-13 03:18:19,065 fail2ban.actions [27944]: ERROR Failed
> to execute unban jail 'suricata' action 'iptables-multiport' info
> 'ActionInfo({'ipfailures': 1, 'ip-rev': '73.116.198.106.', 'family':
> 'inet4', 'ipmatches': '08/06/2018-03:18:18.891064 [Drop] [**]
> [1:2220008:1] SURICATA SMTP data command rejected [**] [Classification:
> Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.246:25
> -> 106.198.116.73:16769', 'matches': '08/06/2018-03:18:18.891064 [Drop]
> [**] [1:2220008:1] SURICATA SMTP data command rejected [**]
> [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
> 192.168.69.246:25 -> 106.198.116.73:16769', 'ip': '106.198.116.73',
> 'ipjailmatches': '08/06/2018-03:18:18.891064 [Drop] [**] [1:2220008:1]
> SURICATA SMTP data command rejected [**] [Classification: Generic
> Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.246:25 ->
> 106.198.116.73:16769', 'ipjailfailures': 1, 'F-*': {'matches': [['',
> '08/06/2018-03:18:18', '.891064 [Drop] [**] [1:2220008:1] SURICATA SMTP
> data command rejected [**] [Classification: Generic Protocol Command
> Decode] [Priority: 3] {TCP} 192.168.69.246:25 ->
> 106.198.116.73:16769']], 'failures': 1, 'ip4': '106.198.116.73'}, 'fid':
> '106.198.116.73', 'time': 1533836081.667342, 'failures': 1, 'restored':
> 1, 'ip-host': None})': Error unbanning 106.198.116.73
> ----[ end ]----
>
Earlier than the logs you posted, fail2ban had failed to create the iptables
chain f2b-suricata, and this caused all the problems that follow. Note that
fail2ban's chains are created on-the-fly for 0.10+. Why the chain creation
failed is hard to say (though it might be apparent from earlier logs), but if
it just happened once and is now OK, I wouldn't worry about it.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
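
An added example (not part of the original thread and not fail2ban's own code): a Python script that pairs each `fail2ban.utils` `exec` entry with its `stderr` and `returned` lines through the hex id they share, so the earliest failed command, such as the chain creation the reply refers to, can be located in a long log. The sample lines are constructed and modelled on the quoted log; the first command's id, timestamp and error text are made up.

```python
import re

# Record header as in the quoted log: timestamp, logger name, [pid]:, message.
REC = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) (\S+)\s+\[\d+\]:\s+(.*)$")
# fail2ban.utils tags the exec/stderr/returned lines of one command with the same hex id.
CMD = re.compile(r"\b([0-9a-f]{8,}) -- (exec|stderr|returned):?\s*(.*)$", re.S)

def failed_commands(lines):
    """Return (exec timestamp, command, exit code, stderr lines) per non-zero exit."""
    records = []
    for line in lines:
        m = REC.match(line)
        if m:
            records.append(list(m.groups()))
        elif records:                        # continuation of a multi-line exec
            records[-1][2] += "\n" + line.strip()
    runs, failures = {}, []
    for ts, logger, msg in records:
        c = CMD.search(msg) if logger == "fail2ban.utils" else None
        if not c:
            continue
        cid, kind, rest = c.groups()
        if kind == "exec":                   # the same id is reused when a command is re-run
            runs[cid] = {"ts": ts, "cmd": rest, "stderr": []}
            continue
        run = runs.setdefault(cid, {"ts": ts, "cmd": "(exec line not in excerpt)", "stderr": []})
        code = re.search(r"-?\d+\s*$", rest)
        if kind == "stderr":
            run["stderr"].append(rest.strip("'\""))
        elif code and int(code.group()) != 0:
            stderr = [s for s in run["stderr"] if s]
            failures.append((run["ts"], run["cmd"], int(code.group()), stderr))
    return failures

# Constructed sample: the first command (id, time, error text) is invented for illustration.
SAMPLE = r"""
2018-08-13 00:00:01,000 fail2ban.utils [27944]: Level 39 7f0b04070000 -- exec: iptables -w -N f2b-suricata
iptables -w -A f2b-suricata -j RETURN
2018-08-13 00:00:01,001 fail2ban.utils [27944]: ERROR 7f0b04070000 -- stderr: 'constructed error text'
2018-08-13 00:00:01,002 fail2ban.utils [27944]: ERROR 7f0b04070000 -- returned 1
2018-08-13 03:18:19,016 fail2ban.actions [27944]: NOTICE [suricata] Unban 106.198.116.73
2018-08-13 03:18:19,036 fail2ban.utils [27944]: Level 39 7f0b0406f510 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-suricata[ \t]'
2018-08-13 03:18:19,037 fail2ban.utils [27944]: ERROR 7f0b0406f510 -- returned 1
""".strip().splitlines()

if __name__ == "__main__":
    for ts, cmd, code, stderr in failed_commands(SAMPLE):
        print(ts, "exit", code, repr(cmd), stderr)
```

The first tuple returned is the earliest failure in the file, which is where to look for the cause of later "Invariant check failed" entries.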