Bug 1525134
Summary: | Banned IPv6 address not getting added to ipset | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | dan |
Component: | fail2ban | Assignee: | Orion Poplawski <orion> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 27 | CC: | athmanem, axel.thimm, dan, joe, jpopelka, orion, twoerner, vonsch |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | fail2ban-0.10.1-3.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-01-10 02:04:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
dan
2017-12-12 16:40:11 UTC
From fail2ban.log after another test, IP changed to fictitious value and reverse IP redacted for brevity:

017-12-12 13:09:44,861 fail2ban.filter [1392]: INFO [sshd] Found 2622:3c23::d03c:95ff:fe33:2467 - 2017-12-12 13:09:44
2017-12-12 13:09:47,066 fail2ban.filter [1392]: INFO [sshd] Found 2622:3c23::d03c:95ff:fe33:2467 - 2017-12-12 13:09:46
2017-12-12 13:09:47,369 fail2ban.actions [1392]: NOTICE [sshd] Ban 2622:3c23::d03c:95ff:fe33:2467
2017-12-12 13:09:47,688 fail2ban.utils [1392]: Level 39 7ffb59530870 -- exec: ipset create f2b-sshd6 hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
2017-12-12 13:09:47,689 fail2ban.utils [1392]: ERROR 7ffb59530870 -- stderr: 'ipset v6.32: Set cannot be created: set with the same name already exists'
2017-12-12 13:09:47,689 fail2ban.utils [1392]: ERROR 7ffb59530870 -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m'
2017-12-12 13:09:47,689 fail2ban.utils [1392]: ERROR 7ffb59530870 -- returned 13
2017-12-12 13:09:47,689 fail2ban.actions [1392]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'ActionInfo({'ip': 2622:3c23::d03c:95ff:fe33:2467, 'family': 'inet6', 'ip-rev': 'redacted reverse ip', 'ip-host': 'other.myhost.com', 'fid': 2622:3c23::d03c:95ff:fe33:2467, 'failures': 3, 'time': 1513102186.719978, 'matches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'restored': 0, 'F-*': {'matches': [('', '2017-12-12T11:31:44.483292', 'myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2'), '2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2'], 'failures': 3, 'mlfid': 'myhost.com sshd[3844]: ', 'user': 'dan', 'ip6': '2622:3c23::d03c:95ff:fe33:2467'}, 'ipmatches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'ipjailmatches': '2017-12-12T11:31:44.483292myhost.com sshd[3844]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33414 ssh2\n2017-12-12T13:09:46.719978myhost.com sshd[9365]: Failed password for dan from 2622:3c23::d03c:95ff:fe33:2467 port 33462 ssh2', 'ipfailures': 3, 'ipjailfailures': 3, 'fq-hostname': 'ears.private', 'sh-hostname': 'myhost.com'})': Error starting action Jail('sshd')/firewallcmd-ipset

This seems to go back to firewall-cmd. Manually trying:

sudo firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable

It logs:

Dec 13 13:22:56 myhost.com firewalld[1026]: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
Dec 13 13:22:56 myhost.com firewalld[1026]: ERROR: COMMAND_FAILED

Perhaps this should be transferred to the firewalld team?

Seems to relate to this upstream issue on fail2ban: https://github.com/fail2ban/fail2ban/issues/1990

Hi, I'm also affected by this issue, and I can confirm this is the aforementioned upstream issue 1990. ip6tables-restore is presenting the error only because it acts as a backend of firewalld in this case (that explains the apparent difference with the upstream issue). I'm not sure what Fedora policy says in that case, but either packaging a future 0.10.2 or backporting the upstream maintainer's very simple fix would solve the present issue.

To back this up, here are my investigations (done before getting knowledge of the upstream bug).

By turning on firewalld debug log at level >=3, one can see what it tried to load with ip6tables-restore:

2017-12-15 02:31:08 DEBUG1: direct.addRule('ipv6', 'filter', 'INPUT', 0, '-p','tcp','-m','multiport','--dports','ssh','-m','set','--match-set','f2b-sshd6','src','-j','REJECT','--reject-with','icmp6-port-unreachable')
2017-12-15 02:31:08 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.pxn873ip: 146
1: *filter
2: -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
3: COMMIT

Now I tried the same directly to get a grasp:

$ sudo ip6tables -I INPUT_direct 1 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd6 src -j REJECT --reject-with icmp6-port-unreachable
ip6tables v1.6.1: The protocol family of set f2b-sshd6 is IPv4, which is not applicable.

And indeed:

$ sudo ipset list
Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 0
Number of entries: 0
Members:

fail2ban-0.10.1-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1257bf9ca

Seems to resolve this issue. An IPv6 was correctly added to the ipset and blocked as expected.

fail2ban-0.10.1-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1257bf9ca

*** Bug 1525065 has been marked as a duplicate of this bug. ***

fail2ban-0.10.1-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
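As an added diagnostic for the family mismatch the thread uncovers (example code, not from the bug report or from fail2ban), the script below parses `ipset list` output like the one quoted above, checks whether a banned address can actually be added to a set that an iptables/ip6tables `--match-set` rule references, and builds the `ipset create` line with the `family inet6` option an IPv6 set requires. The sample `ipset list` text is constructed from the report; the function names are my own.

```python
import ipaddress
import re

# Constructed `ipset list` output, modelled on the one quoted in the report:
# the set exists but was created without `family inet6`, so it is IPv4-only.
SAMPLE_IPSET_LIST = """\
Name: f2b-sshd6
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 88
References: 0
Number of entries: 0
Members:
"""

def parse_ipset_list(text):
    """Map each set name in `ipset list` output to its family ('inet' or 'inet6')."""
    sets, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line.split(": ", 1)[1].strip()
        elif line.startswith("Header: ") and name:
            m = re.search(r"\bfamily (inet6?)\b", line)
            sets[name] = m.group(1) if m else "inet"  # ipset defaults to inet
    return sets

def family_of(ip):
    """ipset/iptables family name for an address: 'inet6' for IPv6, else 'inet'."""
    return "inet6" if ipaddress.ip_address(ip).version == 6 else "inet"

def check_ban(ip, set_name, sets):
    """Would `ipset add set_name ip` and an ip6tables/iptables `--match-set` on it
    succeed?  Both refuse a set whose family does not match the address family."""
    want, have = family_of(ip), sets.get(set_name)
    if have is None:
        return False, f"set {set_name} does not exist"
    if have != want:
        return False, f"set {set_name} is family {have}, address needs {want}"
    return True, "ok"

def create_command(set_name, sample_ip, timeout):
    """Build the `ipset create` line a ban action should run for this jail,
    adding `family inet6` when the jail bans IPv6 addresses (hypothetical helper)."""
    cmd = f"ipset create {set_name} hash:ip timeout {timeout}"
    if family_of(sample_ip) == "inet6":
        cmd += " family inet6"
    return cmd
```

Run `check_ban` against the live `ipset list` output before touching a jail's firewall rule and it reports the exact condition that produced "The protocol family of set f2b-sshd6 is IPv4, which is not applicable" above.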