Package: fail2ban
Version: 0.10.2-2.1
Severity: normal
Dear Maintainer,
I have been using fail2ban for a long time with iptables-allports:
banaction = iptables-allports
banaction = iptables-allports
With over 50k+ IPs being banned I figured that I might benefit from the
perceived lower overhead of nftables so changed it to:
banaction = nftables-allports
banaction_allports = nftables-allports
fail2ban was immediately reporting errors when I started it:
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: Level 39 7f227a456760 -- exec: nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'add set inet filter f2b-sshd { type ipv4_addr; }'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: '         ^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: 'insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- stderr: '            ^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils [21504]: ERROR 7f227a456760 -- returned 1
I found, through trial and error, that the issue appears to be
nftables_family = inet, so I added an action.d/nftables-common.local
file with:
[Init]
nftables_family = ip
Which seems to work.
Looked at the current upstream version, and its configuration file
is significantly different from the one that ships in buster to easily
compare. It does appear, though, that they set it to inet, so not sure
what the deal is.
Happy to help,
/Allan
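Added example, not part of the bug report above: a small POSIX shell helper that decides which value nftables_family should take before fail2ban's nftables-allports action runs. The log above shows nft refusing "add set inet filter f2b-sshd" with "No such file or directory", which is the error nft gives when the named table does not exist in that address family; on a host that previously ran iptables, the filter table with its INPUT chain usually exists as "ip filter" (and "ip6 filter"), not "inet filter", which is consistent with the reporter's workaround of setting nftables_family = ip. The listing below is a constructed stand-in for the output of `nft list tables`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or from fail2ban itself): pick the
# nftables_family value for action.d/nftables-common.local by checking in
# which address family a table named "filter" actually exists.

# Constructed sample of `nft list tables` on a host whose tables were
# created by iptables (assumption for this example; replace with the real
# command output on an actual system).
SAMPLE_TABLES='table ip filter
table ip nat
table ip6 filter'

# table_exists FAMILY NAME LISTING
# Returns 0 when the line "table FAMILY NAME" appears in LISTING.
table_exists() {
    printf '%s\n' "$3" | grep -qx "table $1 $2"
}

# pick_family NAME LISTING
# Prints the family fail2ban should use for table NAME, preferring inet
# (fail2ban's default), then ip, then ip6. Returns 1 if NAME exists in none,
# so the caller can create the table instead of letting nft fail at ban time.
pick_family() {
    for fam in inet ip ip6; do
        if table_exists "$fam" "$1" "$2"; then
            printf '%s\n' "$fam"
            return 0
        fi
    done
    return 1
}

# Stand-alone run against the constructed sample. On a real host use:
#   fam=$(pick_family filter "$(nft list tables)")
if fam=$(pick_family filter "$SAMPLE_TABLES"); then
    # Emit the [Init] stanza the reporter placed in nftables-common.local.
    printf '[Init]\nnftables_family = %s\n' "$fam"
else
    echo "no table named 'filter' in any family; create it first" >&2
fi
```

With the sample listing this prints `nftables_family = ip`, matching the workaround in the report; on a host where `table inet filter` exists it prints `inet`, and fail2ban's default works unchanged. Checking the table up front also gives a clearer failure than the "Could not process rule" message, which only surfaces at the first ban.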
-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-9-amd64 (SMP w/24 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fail2ban depends on:
ii lsb-base 10.2019051400
ii python3 3.7.3-1
Versions of packages fail2ban recommends:
ii iptables 1.8.2-4
ii nftables 0.9.0-2
ii python 2.7.16-1
ii python3-pyinotify 0.9.6-1
ii python3-systemd 234-2+b1
ii whois 5.4.3
Versions of packages fail2ban suggests:
ii mailutils [mailx] 1:3.5-3
pn monit
ii sqlite3 3.27.2-3
ii syslog-ng-core [system-log-daemon] 3.19.1-5
-- Configuration Files:
/etc/fail2ban/fail2ban.conf changed:
[Definition]
loglevel = INFO
logtarget = SYSLOG
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
/etc/fail2ban/filter.d/apache-common.conf changed:
[INCLUDES]
after = apache-common.local
[DEFAULT]
/etc/fail2ban/filter.d/postfix.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtpd
failregex =
    ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$
    ^%(__prefix_line)slost connection after (AUTH|CONNECT) from .+\[\]$
    ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
    ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
    ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$
    ^%(__prefix_line)sSSL_accept error from .+\[\]: (-1|0)
    ^%(__prefix_line)swarning: .*\[\]: SASL LOGIN authentication failed: Invalid authentication mechanism
    ^%(__prefix_line)swarning: .+\[\]: SASL PLAIN authentication failed: Connection lost to authentication server
    ^%(__prefix_line)swarning: Connection concurrency limit exceeded: [0-9]+ from .+\[\] for service smtp$
    ^%(__prefix_line)swarning: non-SMTP command from.+\[\]:
    ^%(__prefix_line)swarning: numeric hostname: $
ignoreregex =
    ^%(__prefix_line)slost connection after CONNECT from unknown\[unknown\]
/etc/fail2ban/filter.d/sshd.conf changed:
[IN