I'm trying to configure fail2ban and it appears as if it is correctly identifying addresses to ban; however, it doesn't appear to be successful in banning hosts:
2017-09-24 16:01:46,073 fail2ban.actions [3591]: NOTICE [sshd] Ban 91.210.178.96
2017-09-24 16:01:46,494 fail2ban.action [3591]: ERROR ipset add fail2ban-sshd 91.210.178.96 timeout 31536000 -exist -- stdout: b''
2017-09-24 16:01:46,494 fail2ban.action [3591]: ERROR ipset add fail2ban-sshd 91.210.178.96 timeout 31536000 -exist -- stderr: b'ipset v6.29: The set with the given name does not exist\n'
2017-09-24 16:01:46,494 fail2ban.action [3591]: ERROR ipset add fail2ban-sshd 91.210.178.96 timeout 31536000 -exist -- returned 1
2017-09-24 16:01:46,495 fail2ban.actions [3591]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ip': '91.210.178.96', 'failures': 25, 'time': 1506283306.0737438, 'matches': '2017-09-24T12:50:33.918187xyzzy.bubble.org sshd[31335]: Invalid user admin from 91.210.178.96 port 51448\n2017-09-24T12:50:35.229995xyzzy.bubble.org sshd[31337]: Invalid user admin from 91.210.178.96 port 51456\n2017-09-24T12:50:36.520259xyzzy.bubble.org sshd[31339]: Invalid user admin from 91.210.178.96 port 51461\n2017-09-24T12:50:37.869954xyzzy.bubble.org sshd[31343]:
{removed part of the very long line showing all the matches in fail2 ban}
91.210.178.96 port 51705', 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f3ed78c7950>, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f3ed78c7c80>, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f3ed78c7d90>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f3ed78c7d08>})': Error banning 91.210.178.96
2017-09-24 16:01:46,909 fail2ban.actions [3591]: NOTICE [sshd] 91.210.178.96 already banned
2017-09-24 16:01:47,911 fail2ban.actions [3591]: NOTICE [sshd] 91.210.178.96 already banned
This is Fedora 26
/etc/fail2ban/fail2ban.conf is set to distribution default
/etc/fail2ban/jail.conf is set to distribution default

I've added in to fail2ban.d/local.conf

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
logpath = /var/log/fail2ban.log
# findtime: 1 day
findtime = 86400
# bantime: 1 year
bantime = 31536000
maxretry = 5

to jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset
sender = fail2ban@example.com
destemail = root
action = %(action_mwl)s

to jaild/10-sshd.conf

[sshd]
enabled=true
# findtime: 1 day
findtime = 86400
# bantime: 1 year
bantime = 31536000
And yes, the system is currently set up to accept only public/private key authentication for SSH. I'm assuming that once I get ssh figured out I can get the other services figured out.
Thanks, Jeff
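An added example, not part of the original messages: the log above shows fail2ban announcing a ban, the ipset command failing, and the address then being reported as "already banned" although nothing blocks it. This Python script flags such bans in a fail2ban log. SAMPLE_LOG is constructed from the lines quoted above (the CallingMap payload is shortened and the 192.0.2.10 entry is invented), and find_failed_bans is a hypothetical helper name.

```python
import re

# Constructed sample in the format of the log quoted above; the long
# CallingMap(...) payload is shortened and 192.0.2.10 is a made-up clean ban.
SAMPLE_LOG = r"""
2017-09-24 16:01:46,073 fail2ban.actions [3591]: NOTICE [sshd] Ban 91.210.178.96
2017-09-24 16:01:46,494 fail2ban.action [3591]: ERROR ipset add fail2ban-sshd 91.210.178.96 timeout 31536000 -exist -- stdout: b''
2017-09-24 16:01:46,494 fail2ban.action [3591]: ERROR ipset add fail2ban-sshd 91.210.178.96 timeout 31536000 -exist -- stderr: b'ipset v6.29: The set with the given name does not exist\n'
2017-09-24 16:01:46,495 fail2ban.actions [3591]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({...})': Error banning 91.210.178.96
2017-09-24 16:01:46,909 fail2ban.actions [3591]: NOTICE [sshd] 91.210.178.96 already banned
2017-09-24 16:05:10,100 fail2ban.actions [3591]: NOTICE [sshd] Ban 192.0.2.10
"""

STDERR = re.compile(r"ERROR .* -- stderr: b'(?P<msg>.+)'$")
FAILED = re.compile(r"ERROR Failed to execute ban jail '(?P<jail>[^']+)' "
                    r"action '(?P<action>[^']+)'.*Error banning (?P<ip>\S+)$")
ALREADY = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned$")


def find_failed_bans(log_text):
    """Return bans that fail2ban announced but whose ban action failed."""
    failed = {}          # (jail, ip) -> details of the failed action
    last_stderr = None   # most recent action stderr, explains the failure
    for line in log_text.splitlines():
        if m := STDERR.search(line):
            # The log stores the newline as the two characters "\n".
            last_stderr = m["msg"].replace(r"\n", " ").strip()
        elif m := FAILED.search(line):
            failed[(m["jail"], m["ip"])] = {
                "jail": m["jail"], "ip": m["ip"], "action": m["action"],
                "reason": last_stderr, "already_banned_msgs": 0}
            last_stderr = None
        elif m := ALREADY.search(line):
            # As in the quoted log: fail2ban still reports the address as
            # banned right after the firewall action failed.
            key = (m["jail"], m["ip"])
            if key in failed:
                failed[key]["already_banned_msgs"] += 1
    return list(failed.values())


if __name__ == "__main__":
    for ban in find_failed_bans(SAMPLE_LOG):
        print("{ip} NOT blocked: jail={jail} action={action} ({reason})".format(**ban))
```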
Looks like your ipset wasn't created or something caused it to be deleted.
ipset v6.29: The set with the given name does not exist

Do you find the named ipset with:
ipset -L -n
Also, your default action (firewallcmd-allports.conf) doesn't use ipset. Somehow your jail is using firewallcmd-ipset.conf. Use fail2ban-client -d to figure out how fail2ban is configured.
Bill
On 9/24/2017 4:26 PM, Jeffrey Ross wrote:
> I'm trying to configure fail2ban and it appears as if it is correctly identifying addresses to ban; however, it doesn't appear to be successful in banning hosts:
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org
On 2017-09-25 00:33, Bill Shirley wrote:
> Looks like your ipset wasn't created or something caused it to be deleted.
> ipset v6.29: The set with the given name does not exist
>
> Do you find the named ipset with:
> ipset -L -n
>
> Also, your default action (firewallcmd-allports.conf) doesn't use ipset. Somehow your jail is using firewallcmd-ipset.conf. Use fail2ban-client -d to figure out how fail2ban is configured.
>
> Bill
"ipset -L -n" returns nothing: no output, nor any error. What should I be looking for with "fail2ban-client -d", as it returns a large amount of "stuff"?
Jeff
So your ipset is not getting created or has been deleted by another jail if it shares the same name.
With fail2ban-client -d, look at your sshd jail, specifically the
['set', 'sshd', 'action', 'my_ipset_ip', 'name', 'IPv4-ip']
Make sure the name is different than all the other jails. (Disregard that my action, 'my_ipset_ip', is different than yours.)
Bill
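An added example, not part of the original messages: one way to do the check Bill describes, reading the output of fail2ban-client -d and reporting action names shared by more than one jail. It assumes the dump contains one Python-style list per line in the form Bill quotes; SAMPLE_DUMP is constructed (the postfix and dovecot jails and all name values are made up) and shared_action_names is a hypothetical helper name.

```python
import ast
from collections import defaultdict

# Constructed dump lines in the form quoted above; jails other than sshd
# and every 'name' value here are invented for the example.
SAMPLE_DUMP = """\
['set', 'sshd', 'addaction', 'firewallcmd-ipset']
['set', 'sshd', 'action', 'firewallcmd-ipset', 'name', 'default']
['set', 'sshd', 'action', 'firewallcmd-ipset', 'bantime', '31536000']

['set', 'postfix', 'action', 'firewallcmd-ipset', 'name', 'default']
['set', 'dovecot', 'action', 'firewallcmd-ipset', 'name', 'dovecot']
"""


def shared_action_names(dump_text):
    """Map (action, name) -> jails, for names used by more than one jail."""
    users = defaultdict(set)
    for line in dump_text.splitlines():
        try:
            cmd = ast.literal_eval(line.strip())
        except (ValueError, SyntaxError):
            continue  # blank line or anything that is not a list literal
        # Only lines shaped like ['set', <jail>, 'action', <action>, 'name', <value>]
        if (isinstance(cmd, list) and len(cmd) == 6
                and cmd[0] == "set" and cmd[2] == "action" and cmd[4] == "name"):
            _, jail, _, action, _, name = cmd
            users[(action, name)].add(jail)
    return {key: sorted(jails) for key, jails in users.items() if len(jails) > 1}


if __name__ == "__main__":
    # Real use: fail2ban-client -d > dump.txt, then pass the file's text.
    for (action, name), jails in shared_action_names(SAMPLE_DUMP).items():
        print(f"action {action}: name '{name}' is shared by jails {', '.join(jails)}")
```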
On 09/25/2017 09:09 PM, Bill Shirley wrote:
> So your ipset is not getting created or has been deleted by another jail if it shares the same name.
>
> With fail2ban-client -d, look at your sshd jail, specifically the
> ['set', 'sshd', 'action', 'my_ipset_ip', 'name', 'IPv4-ip']
> Make sure the name is different than all the other jails. (Disregard that my action, 'my_ipset_ip', is different than yours.)
>
> Bill
I think I figured it out: I modified jail.d/00-firewalld and added "banaction = firewallcmd-rich-rules"; that seems to do it, at least for ssh.
Jeff