On Sun, Sep 27, 2020 at 04:44:09PM +0200, Tom Hendrikx wrote:
> On 26-09-2020 23:29, Chris Green wrote:
> > I have just installed fail2ban on a virtual server I run on Gandi
> > Internet in France.
> > 
> > The virtual server runs Ubuntu 8.04.5 LTS and I installed fail2ban
> > from the standard repositories, version 0.10.2-2.
> > 
> > I haven't changed the configuration at all, I just went with what 'apt
> > install fail2ban' did for me.
> > 
> > It seems to be working (I installed it because I'm seeing crazy
> > numbers of attempted ssh logins) but I'm getting CRITICAL errors when
> > it tries to unban someone.  As follows:-
> > 
> > 
> > 2020-09-26 16:24:54,491 fail2ban.actions        [1563]: NOTICE  [sshd] Unban 51.68.44.154
> > 2020-09-26 16:24:54,530 fail2ban.utils [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
> > 2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
> > 2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
> > 2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
> > 2020-09-26 16:24:54,531 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- returned 1
> > 2020-09-26 16:24:54,532 fail2ban.CommandAction [1563]: ERROR Invariant check failed. Trying to restore a sane environment
> > 2020-09-26 16:24:54,576 fail2ban.utils [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
> > 2020-09-26 16:24:54,577 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
> > 2020-09-26 16:24:54,577 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
> > 2020-09-26 16:24:54,578 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
> > 2020-09-26 16:24:54,578 fail2ban.utils          [1563]: ERROR   7f20226c35e0 -- returned 1
> > 2020-09-26 16:24:54,578 fail2ban.CommandAction  [1563]: CRITICAL Unable to restore environment
> > 2020-09-26 16:24:54,578 fail2ban.actions [1563]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '51.68.44.154', 'family': 'inet4', 'ip-rev': '154.44.68.51.', 'ip-host': '154.ip-51-68-44.eu', 'fid': '51.68.44.154', 'failures': 5, 'time': 1601129694.0, 'matches': 'Sep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2', 'restored': 0, 'F-*': {'matches': ['Sep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2', 'Sep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2'], 'failures': 5, 'mlfid': ' isbdGandi sshd[3573]: ', 'user': 'escaner', 'ip4': '51.68.44.154'}, 'ipmatches': 'Sep 26 15:05:48 isbdGandi sshd[2730]: Failed password for invalid user rohit from 51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]: Failed password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 15:17:47 isbdGandi sshd[2918]: Failed password for invalid user anonymous from 51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed password for invalid user tibero from 51.68.44.154 port 53972 ssh2\nSep 26 15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin from 51.68.44.154 port 48886 ssh2\nSep 26 15:46:16 isbdGandi sshd[3302]: Failed password for invalid user martin from 51.68.44.154 port 54672 ssh2\nSep 26 15:54:21 isbdGandi sshd[3408]: Failed password for invalid user jeff from 51.68.44.154 port 38013 ssh2\nSep 26 16:02:30 isbdGandi sshd[3506]: Failed password for invalid user user1 from 51.68.44.154 port 49586 ssh2\nSep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2', 'ipjailmatches': 'Sep 26 15:05:48 isbdGandi sshd[2730]: Failed password for invalid user rohit from 51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]: Failed password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 15:17:47 isbdGandi sshd[2918]: Failed password for invalid user anonymous from 51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed password for invalid user tibero from 51.68.44.154 port 53972 ssh2\nSep 26 15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin from 51.68.44.154 port 48886 ssh2\nSep 26 15:46:16 isbdGandi sshd[3302]: Failed password for invalid user martin from 51.68.44.154 port 54672 ssh2\nSep 26 15:54:21 isbdGandi sshd[3408]: Failed password for invalid user jeff from 51.68.44.154 port 38013 ssh2\nSep 26 16:02:30 isbdGandi sshd[3506]: Failed password for invalid user user1 from 51.68.44.154 port 49586 ssh2\nSep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2', 'ipfailures': 25, 'ipjailfailures': 25})': Error unbanning 51.68.44.154
> > 
> > 
> > It carries on running OK but obviously there's something rather wrong
> > somewhere.
> > 
> > 
> > So can someone point me in the right direction please, maybe I need to
> > install something else as well or maybe I simply need to tweak the
> > fail2ban configuration somewhere.
> > 
> > I'm a total newbie where fail2ban is concerned though I'm fairly OK
> > with basic Linux system administration.
> > 
> > Oh, the virtual server doesn't have many ports open, just 22/ssh and
> > 443/https, it's really only the ssh port I seem to need to protect.
> > 
> Your virtual machine seems to be a xen DomU VM, based on the path to the
> kernel modules directory as listed in:
> 
> 2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr:
> 'modprobe: FATAL: Module ip_tables not found in directory
> /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
> 
> The last time I looked at Xen virtualization (some years ago), it used a
> kernel that was setup outside of the xen container. The actual kernel image
> and the related modules are not part of the distribution you're running. The
> path to the kernel modules is set up in the kernel, and all modules are loaded
> outside of the boot process of your distribution.
> This means that your VM vendor (Gandi) should load the iptables modules for
> you, and you can't do it yourself within the container. Maybe they provide
> you with some config panel where you can alter the kernel setup a bit, or
> their support team can help you out.
> 
Yes, absolutely right, it's an issue with the xen kernel.  I've raised a
support question with Gandi about this.


> More probable is that they allow you to administer the firewall through
> their config panel (and the firewall is run outside your VM, on the VM
> host), which means that fail2ban can't issue any firewall management
> commands at all. Your use for fail2ban is thereby limited to
> application-level blocking techniques (f.i. hostsdeny) and mail alerts. As
> far as protecting your ssh port from all the attacks you're seeing, I would
> say that your best shot is running sshd on an alternative port, and be done
> with it. Or find a different virtualisation host.
> 
There's very little in the way of a 'config panel', just control of
drives, memory, etc. and an emergency console if you break it really
badly.

Moving to a different port may well be a sensible way to handle this
though, just reducing the number of hits is all I need to do, to
reduce the 'noise'.  Security isn't a big issue, there's nothing of
great consequence/privacy on the machine, it's mostly a proxy between
the outside world and my home machines.

Thanks! :-)




-- 
Chris Green
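For readers with the same problem, a jail.local override that keeps fail2ban useful when the guest kernel has no ip_tables module, as discussed above. This is an added example, not configuration from the thread or from fail2ban's shipped defaults; the mail addresses are placeholders.

```ini
# /etc/fail2ban/jail.local (added example; placeholders must be replaced)
[DEFAULT]
# hostsdeny appends entries to /etc/hosts.deny instead of running iptables,
# so the unban/ban actions no longer fail with "Module ip_tables not found".
banaction = hostsdeny
banaction_allports = hostsdeny

# action_mw = ban + e-mail with whois output, so you still get alerts.
# Needs a working local MTA; destemail/sender are placeholder values.
destemail = admin@example.org
sender = fail2ban@example.org
action = %(action_mw)s

[sshd]
enabled = true
# If sshd is moved to an alternative port, list it here as well so the
# jail still matches the right service (e.g. port = ssh,2222).
port = ssh
```

hostsdeny only has effect if sshd honours /etc/hosts.deny, i.e. it is linked against libwrap; check with `ldd "$(command -v sshd)" | grep libwrap`, and if nothing is printed the entries are written but never enforced.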


_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users