Re: [Fail2ban-users] latest update package 0.11.1-9.el7.2 not recognized under CentOS 7

Nick Howitt Mon, 21 Sep 2020 09:53:46 -0700


On 21/09/2020 17:36, Mike wrote:

At 11:12 AM 9/21/2020, Kenneth Porter wrote:
--On Sunday, September 20, 2020 10:23 PM -0500 Mike <[email protected]> wrote:
I updated one of my CentOS 7 servers to Fail2ban  0.11.1-9.el7.2
fail2ban-0.11.1-10.el7.noarch is working fine for me on CentOS7.8.2003. I can list ipsets and the direct rules with your commands.
Check the XML for your rules and sets and try dumping the entirefirewall to the console with "iptables -L -v -n".
I am able to reboot the server and f2b starts and doesn't seem to throwany errors, but when I run ipset list or iptables -L INPUT_direct Istill get nothing. Here's the fail2ban log:
2020-09-21 11:19:49,650 fail2ban.server [978]: INFO StartingFail2ban v0.11.12020-09-21 11:19:49,652 fail2ban.observer [978]: INFO Observerstart...2020-09-21 11:19:49,684 fail2ban.database [978]: INFO Connectedto fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'2020-09-21 11:19:49,696 fail2ban.jail [978]: INFO Creatingnew jail 'sshd'2020-09-21 11:19:49,773 fail2ban.jail [978]: INFO Jail'sshd' uses systemd {}2020-09-21 11:19:49,774 fail2ban.jail [978]: INFO Initiated'systemd' backend2020-09-21 11:19:49,775 fail2ban.filter [978]: INFOmaxLines: 12020-09-21 11:19:49,776 fail2ban.filtersystemd [978]: INFO [sshd]Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'2020-09-21 11:19:49,815 fail2ban.filter [978]: INFOmaxRetry: 32020-09-21 11:19:49,815 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,816 fail2ban.filter [978]: INFOfindtime: 12002020-09-21 11:19:49,816 fail2ban.actions [978]: INFObanTime: 12096002020-09-21 11:19:49,816 fail2ban.jail [978]: INFO Creatingnew jail 'vsftpd'2020-09-21 11:19:49,826 fail2ban.jail [978]: INFO Jail'vsftpd' uses poller {}2020-09-21 11:19:49,827 fail2ban.jail [978]: INFO Initiated'polling' backend2020-09-21 11:19:49,832 fail2ban.filter [978]: INFOmaxRetry: 52020-09-21 11:19:49,832 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,832 fail2ban.filter [978]: INFOfindtime: 12002020-09-21 11:19:49,833 fail2ban.actions [978]: INFObanTime: 144002020-09-21 11:19:49,836 fail2ban.filter [978]: INFO Addedlogfile: '/var/log/vsftpd.log' (pos = 567, hash =fa62ff81162cd6dc23591183424fc4c2)2020-09-21 11:19:49,836 fail2ban.jail [978]: INFO Creatingnew jail 'postfix'2020-09-21 11:19:49,837 fail2ban.jail [978]: INFO Jail'postfix' uses systemd {}2020-09-21 11:19:49,837 fail2ban.jail [978]: INFO Initiated'systemd' backend2020-09-21 11:19:49,838 fail2ban.filtersystemd [978]: INFO [postfix]Added journal match for: '_SYSTEMD_UNIT=postfix.service'2020-09-21 11:19:49,846 fail2ban.filter [978]: INFOmaxRetry: 52020-09-21 11:19:49,846 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,846 fail2ban.filter [978]: INFOfindtime: 6002020-09-21 11:19:49,847 fail2ban.actions [978]: INFObanTime: 12002020-09-21 11:19:49,847 fail2ban.jail [978]: INFO Creatingnew jail 'dovecot'2020-09-21 11:19:49,847 fail2ban.jail [978]: INFO Jail'dovecot' uses systemd {}2020-09-21 11:19:49,847 fail2ban.jail [978]: INFO Initiated'systemd' backend2020-09-21 11:19:49,854 fail2ban.datedetector [978]: INFO datepattern `''`: `{^LN-BEG}TAI64N`2020-09-21 11:19:49,854 fail2ban.filtersystemd [978]: INFO [dovecot]Added journal match for: '_SYSTEMD_UNIT=dovecot.service'2020-09-21 11:19:49,854 fail2ban.filter [978]: INFOmaxRetry: 22020-09-21 11:19:49,855 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,855 fail2ban.filter [978]: INFOfindtime: 432002020-09-21 11:19:49,855 fail2ban.actions [978]: INFObanTime: 10368002020-09-21 11:19:49,855 fail2ban.jail [978]: INFO Creatingnew jail 'pam-generic'2020-09-21 11:19:49,855 fail2ban.jail [978]: INFO Jail'pam-generic' uses systemd {}2020-09-21 11:19:49,856 fail2ban.jail [978]: INFO Initiated'systemd' backend2020-09-21 11:19:49,856 fail2ban.jail [978]: INFO Initiated'systemd' backend2020-09-21 11:19:49,861 fail2ban.filter [978]: INFOmaxRetry: 42020-09-21 11:19:49,861 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,861 fail2ban.filter [978]: INFOfindtime: 432002020-09-21 11:19:49,862 fail2ban.actions [978]: INFObanTime: 10368002020-09-21 11:19:49,930 fail2ban.jail [978]: INFO Creatingnew jail 'manban'2020-09-21 11:19:49,930 fail2ban.jail [978]: INFO Jail'manban' uses poller {}2020-09-21 11:19:49,931 fail2ban.jail [978]: INFO Initiated'polling' backend2020-09-21 11:19:49,932 fail2ban.filter [978]: INFOmaxRetry: 12020-09-21 11:19:49,932 fail2ban.filter [978]: INFOencoding: UTF-82020-09-21 11:19:49,933 fail2ban.filter [978]: INFOfindtime: 36002020-09-21 11:19:49,933 fail2ban.actions [978]: INFObanTime: 21470002020-09-21 11:19:49,936 fail2ban.filter [978]: INFO Addedlogfile: '/var/log/manban.log' (pos = 167, hash =e0e7cee99a910096ae1616a07e6ba4f3)2020-09-21 11:19:49,949 fail2ban.jail [978]: INFO Jail'sshd' started2020-09-21 11:19:49,965 fail2ban.jail [978]: INFO Jail'vsftpd' started2020-09-21 11:19:49,972 fail2ban.jail [978]: INFO Jail'postfix' started2020-09-21 11:19:49,974 fail2ban.jail [978]: INFO Jail'dovecot' started2020-09-21 11:19:49,974 fail2ban.filtersystemd [978]: NOTICE Jailstarted without 'journalmatch' set. Jail regexs will be checked againstall journal entries, which is not advised for performance reasons.2020-09-21 11:19:50,012 fail2ban.jail [978]: INFO Jail'pam-generic' started2020-09-21 11:19:50,067 fail2ban.jail [978]: INFO Jail'manban' started2020-09-21 11:19:50,393 fail2ban.actions [978]: NOTICE [manban]Restore Ban 184.95.34.1462020-09-21 11:19:56,064 fail2ban.actions [978]: NOTICE [manban]Restore Ban 83.97.20.35
when I dump all the firewall rules it does show those two "manban" IPs,but I don't see an ipset list or any fail2ban rules in the firewall likeI do on my other servers:
# iptables -L -v -n

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out sourcedestination 3247 399K ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 ctstate RELATED,ESTABLISHED 114 7691 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 137 24521 INPUT_direct all -- * * 0.0.0.0/00.0.0.0/0 137 24521 INPUT_ZONES_SOURCE all -- * *0.0.0.0/0 0.0.0.0/0 137 24521 INPUT_ZONES all -- * * 0.0.0.0/00.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 ctstate INVALID 118 23393 REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out sourcedestination 0 0 ACCEPT all -- * * 0.0.0.0/00.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- lo * 0.0.0.0/00.0.0.0/0 0 0 FORWARD_direct all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_IN_ZONES_SOURCE all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_IN_ZONES all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_OUT_ZONES all -- * *0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/00.0.0.0/0 ctstate INVALID 0 0 REJECT all -- * * 0.0.0.0/00.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2714 packets, 4318K bytes)
pkts bytes target prot opt in out sourcedestination 236 33637 ACCEPT all -- * lo 0.0.0.0/00.0.0.0/0 3876 4438K OUTPUT_direct all -- * * 0.0.0.0/00.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out sourcedestination 0 0 FWDI_public all -- eth0 * 0.0.0.0/00.0.0.0/0 [goto] 0 0 FWDI_public all -- + * 0.0.0.0/00.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out sourcedestination 0 0 FWDO_public all -- * eth0 0.0.0.0/00.0.0.0/0 [goto] 0 0 FWDO_public all -- * + 0.0.0.0/00.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out sourcedestination 0 0 FWDI_public_log all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FWDI_public_deny all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FWDI_public_allow all -- * *0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out sourcedestination 0 0 FWDO_public_log all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FWDO_public_deny all -- * *0.0.0.0/0 0.0.0.0/0 0 0 FWDO_public_allow all -- * *0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out sourcedestination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out sourcedestination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out sourcedestination 137 24521 IN_public all -- eth0 * 0.0.0.0/00.0.0.0/0 [goto] 0 0 IN_public all -- + * 0.0.0.0/00.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out sourcedestination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out sourcedestination
Chain IN_public (2 references)
pkts bytes target prot opt in out sourcedestination 137 24521 IN_public_log all -- * * 0.0.0.0/00.0.0.0/0 137 24521 IN_public_deny all -- * *0.0.0.0/0 0.0.0.0/0 137 24521 IN_public_allow all -- * *0.0.0.0/0 0.0.0.0/0 1 84 ACCEPT icmp -- * * 0.0.0.0/00.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out sourcedestination 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED 13 760 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED 3 180 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED 1 52 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:110 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED 1 52 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:922 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:587 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED 0 0 ACCEPT tcp -- * * 0.0.0.0/00.0.0.0/0 tcp dpt:53 ctstate NEW,UNTRACKED 0 0 ACCEPT udp -- * * 0.0.0.0/00.0.0.0/0 udp dpt:53 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out sourcedestination 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:587 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:220 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:110 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:1080 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 184.95.34.1460.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:587 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:220 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:110 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:1080 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable 0 0 REJECT tcp -- * * 83.97.20.350.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED reject-withicmp-port-unreachable
Chain IN_public_log (1 references)
pkts bytes target prot opt in out sourcedestination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out sourcedestination
On my other server that hasn't been patched, here's what I get:

# iptables -L INPUT_direct
Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT tcp -- anywhere anywhere multiport dportssmtp,urd,submission match-set f2b-postfix src reject-withicmp-port-unreachableREJECT tcp -- anywhere anywhere multiport dportsssh,ftp,ftp-data,ftps,ftps-data,http,https,922,smtp,saft match-setf2b-sshd src reject-with icmp-port-unreachableREJECT tcp -- anywhere anywhere multiport dportspop3,pop3s,smtp,imap,imaps,submission,urd,sieve,http,https match-setf2b-dovecot src reject-with icmp-port-unreachableREJECT tcp -- anywhere anywhere multiport dportssmtp,submission,imap,imap3,imaps,pop3,pop3s,http,https,ftp,922 match-setf2b-manban src reject-with icmp-port-unreachableREJECT tcp -- anywhere anywhere multiport dportsftp,ftp-data,ftps,ftps-data match-set f2b-vsftpd src reject-withicmp-port-unreachableREJECT tcp -- anywhere anywhere match-setf2b-pam-generic src reject-with icmp-port-unreachable
Boths servers are basically identically configured but one was recentlypatched with yum update and updated f2b.
Any ideas. fail2ban appears to be running but there are no ipset listson the new server.
On the patched server:

# ipset list
# ipset list f2b-manban
ipset v7.1: The set with the given name does not exist

I don't get it.

I don't think you get any firewall rules or ipset sets until you have aban. Try using fail2ban-client to manually ban an IP and see if thecorresponding firewall items then appear.


Nick



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Re: [Fail2ban-users] latest update package 0.11.1-9.el7.2 not recognized under CentOS 7

Reply via email to