I have just upgraded from 0.10.x to 0.11.1 using EPEL's f2b package. I
had my own jail with bantime set to 2147483 for an
iptables-ipset-proto6.conf type of action. My only modification to the
original iptables-ipset-proto6.conf is to add a /24 after the <ip> in
the actionban to block a subnet, so that is irrelevant to this issue.
The bantime is set to the maximum value accepted by ipset (in
CentOS/ClearOS). On upgrade this failed with:
2020-09-04 11:19:25,437 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- exec: ipset create f2b-postfix-no-ptr hash:net timeout <bantime>
iptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-postfix-no-ptr src -j DROP
2020-09-04 11:19:25,437 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'"
2020-09-04 11:19:25,438 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- stderr: "/bin/sh: -c: line 0: `ipset create f2b-postfix-no-ptr hash:net timeout <bantime>'"
2020-09-04 11:19:25,438 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- returned 1
2020-09-04 11:19:25,438 fail2ban.actions [15738]: ERROR Failed to execute ban jail 'postfix-no-ptr' action 'iptables-ipset-proto6-subnet' info 'ActionInfo({'ip': '77.40.2.234', 'fid': <function <lambda> at 0x7fa84bb36aa0>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7fa84bb370c8>})': Error starting action Jail('postfix-no-ptr')/iptables-ipset-proto6-subnet: 'Script error'
The key failure is the "ipset create". As that failed, the iptables
command failed too, since the set did not exist. If I reduced the bantime
to 86400, the jail would work. I then set about finding the maximum value
of bantime that would work, and it turns out to be somewhat indeterminate
but around 610000. Using a halve-the-interval approach I ended up around
here, but then it went weird. If I bracketed, say, 610500 (pass) and
610600 (fail) and tried halving the interval, I'd end up with 601600
passing when it had previously failed. So I then tried 610700, which
fails. Then, trying to halve the interval again, 610700 would end up
passing. This has happened multiple times now, so I cannot determine the
limit for this value.
The postfix-no-ptr jail is:
[postfix-no-ptr]
enabled = true
logpath = %(syslog_mail)s
maxretry = 1
bantime = 610700
findtime = 108000
port = smtp
action = iptables-ipset-proto6-subnet[name=postfix-no-ptr]
What is going on here and what is the maximum timeout I can use?
Thanks,
Nick
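What the log above shows is an actionstart command executed with the `<bantime>` placeholder left unexpanded, so `ipset create` never ran, the `iptables` rule that references the set failed in turn, and the jail started without any firewall ban in place. The following is an added example (my own code, not part of fail2ban or of the original post) of a pre-flight check for exactly that: it renders an action template with the values a jail provides, reports any `<tag>` placeholders still present, and also scans fail2ban log records for `exec:` commands that still contain unexpanded tags. The log record regexes, the `IPSET_MAX_TIMEOUT` constant (2147483, the value the post names as ipset's maximum) and the sample log lines (constructed from the excerpt above) are assumptions of this example, not facts taken from fail2ban's source.

```python
"""Pre-flight check for unexpanded <tag> placeholders in fail2ban action commands.

Added example, not fail2ban's own code. An actionstart that runs with a
literal '<bantime>' in it fails, and with it the firewall rule, so bans
silently stop being applied; catching leftover tags before (or right after)
a reload is cheap.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Largest timeout ipset accepts, in seconds (value quoted in the post; assumption).
IPSET_MAX_TIMEOUT = 2147483

# fail2ban's placeholder syntax: <name>, where name is letters, digits, '_', '-' or '.'.
TAG_RE = re.compile(r"<([A-Za-z0-9_.-]+)>")

# Start of a fail2ban log record (timestamp). Lines that do not match are treated
# as continuation lines of a multi-line command echoed by the previous record.
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

# The record fail2ban.utils writes before running an action command (assumed format).
EXEC_RE = re.compile(r"fail2ban\.utils \[\d+\]: \w+\s+[0-9a-f]+ -- exec: (?P<cmd>.*)$")


def unsubstituted_tags(command: str) -> List[str]:
    """Return the <tag> placeholders still present in a rendered command."""
    return TAG_RE.findall(command)


def render(template: str, values: Dict[str, object]) -> str:
    """Expand <tag> placeholders from 'values'; unknown tags are left in place."""
    return TAG_RE.sub(
        lambda m: str(values[m.group(1)]) if m.group(1) in values else m.group(0),
        template,
    )


def preflight(template: str, values: Dict[str, object]) -> Tuple[str, List[str]]:
    """Render a template and report leftover tags; an empty list means it is safe to run."""
    rendered = render(template, values)
    return rendered, unsubstituted_tags(rendered)


def timeout_ok(seconds: int) -> bool:
    """True if 'seconds' is a timeout ipset will accept (0 means no timeout)."""
    return 0 <= seconds <= IPSET_MAX_TIMEOUT


def scan_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Find 'exec:' records whose command still contains <tag> placeholders.

    Returns a list of (command, leftover_tags); multi-line commands are joined.
    """
    findings: List[Tuple[str, List[str]]] = []
    current: Optional[List[str]] = None  # lines of the exec command being collected

    def close(cmd_lines: Optional[List[str]]) -> None:
        if cmd_lines:
            cmd = "\n".join(cmd_lines)
            tags = unsubstituted_tags(cmd)
            if tags:
                findings.append((cmd, tags))

    for raw in lines:
        line = raw.rstrip("\n")
        if RECORD_RE.match(line):
            close(current)
            m = EXEC_RE.search(line)
            current = [m.group("cmd")] if m else None
        elif current is not None:
            current.append(line)
    close(current)
    return findings


# Constructed sample log, modelled on the records in the post above.
SAMPLE_LOG = """\
2020-09-04 11:19:25,437 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- exec: ipset create f2b-postfix-no-ptr hash:net timeout <bantime>
iptables -w -I INPUT -p tcp -m multiport --dports ssh -m set --match-set f2b-postfix-no-ptr src -j DROP
2020-09-04 11:19:25,437 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- stderr: "/bin/sh: -c: line 0: syntax error near unexpected token `newline'"
2020-09-04 11:19:25,438 fail2ban.utils [15738]: ERROR 7fa84ba98e40 -- returned 1
2020-09-04 11:19:26,001 fail2ban.utils [15738]: DEBUG 7fa84ba98e40 -- exec: ipset create f2b-sshd hash:ip timeout 600
""".splitlines()

# Constructed 0.10-style actionstart and the values a jail might supply (no 'bantime').
OLD_ACTIONSTART = "ipset create <ipmset> hash:ip timeout <bantime>"
JAIL_INIT = {"ipmset": "f2b-postfix-no-ptr"}

if __name__ == "__main__":
    rendered, leftover = preflight(OLD_ACTIONSTART, JAIL_INIT)
    print("actionstart:", rendered, "| unexpanded tags:", leftover)
    for cmd, tags in scan_log(SAMPLE_LOG):
        print("log: command ran with unexpanded tags", tags, "->", cmd.splitlines()[0])
    print("2147483 accepted by ipset:", timeout_ok(2147483), "| 2147484:", timeout_ok(2147484))
```

Run against the real log with `scan_log(open("/var/log/fail2ban.log"))`; a non-empty result means a jail's action ran a command with a literal `<tag>` in it, which is worth alerting on because the jail is then up while its bans are not.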
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users