Description of problem:
The fail2ban package fails to ban hosts for the ssh service because the ipset command fails to execute.

Version-Release number of selected component (if applicable):
fail2ban-server-0.10.0-1.fc27.noarch
fail2ban-firewalld-0.10.0-1.fc27.noarch
fail2ban-sendmail-0.10.0-1.fc27.noarch
fail2ban-0.10.0-1.fc27.noarch

How reproducible:
Always

Steps to Reproduce:
1. Add local.conf under /etc/fail2ban/jail.d.

[DEFAULT]
bantime = 604800
sender = root@localhost
destemail = root
action = %(action_)s

[sshd]
enabled = true
port = all
protocol = tcp
filter = sshd

2. Change the blocktype in iptables-common.conf and firewallcmd-common.conf to DROP, as the original just blocks ICMP requests.

blocktype = DROP

3. Restart fail2ban.service via systemctl.

Actual results:
In /var/log/fail2ban.log, the following error messages are thrown:

2018-01-12 01:40:18,160 fail2ban.actions [626]: NOTICE [sshd] Ban 212.164.53.17
2018-01-12 01:40:18,161 fail2ban.action [626]: DEBUG ipset create f2b-sshd hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports all -m set --match-set f2b-sshd src -j DROP
2018-01-12 01:40:23,110 fail2ban.utils [626]: Level 39 ffff94b6af10 -- exec: ipset create f2b-sshd hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports all -m set --match-set f2b-sshd src -j DROP
2018-01-12 01:40:23,112 fail2ban.utils [626]: ERROR ffff94b6af10 -- stderr: 'ipset v6.32: Set cannot be created: set with the same name already exists'
2018-01-12 01:40:23,113 fail2ban.utils [626]: ERROR ffff94b6af10 -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m'
2018-01-12 01:40:23,114 fail2ban.utils [626]: ERROR ffff94b6af10 -- returned 13
2018-01-12 01:40:23,115 fail2ban.actions [626]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'ActionInfo({'ip': 212.164.53.17, 'family': 'inet4', 'ip-rev': '17.53.164.212.', 'ip-host': 'b-internet.212.164.53.17.nsk.rt.ru', 'fid': 212.164.53.17, 'failures': 8, 'time': 1515487826.247413, 'matches': '2018-01-09T03:50:08.896426rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:12.068387rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:14.351841rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:16.822032rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:23.866125rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.246369rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.247413rpiserver sshd[19448]: error: maximum authentication attempts exceeded for root from 212.164.53.17 port 36734 ssh2 [preauth]', 'restored': 0, 'F-*': {'matches': ['2018-01-09T03:50:08.896426rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:12.068387rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:14.351841rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:16.822032rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:23.866125rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:26.246369rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2', '2018-01-09T03:50:26.247413rpiserver sshd[19448]: error: maximum authentication attempts exceeded for root from 212.164.53.17 port 36734 ssh2 [preauth]'], 'failures': 8, 'mlfid': 'rpiserver sshd[19448]: ', 'user': '', 'ip4': '212.164.53.17'}, 'ipmatches': '2018-01-09T03:50:08.896426rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:12.068387rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:14.351841rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:16.822032rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:23.866125rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.246369rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.247413rpiserver sshd[19448]: error: maximum authentication attempts exceeded for root from 212.164.53.17 port 36734 ssh2 [preauth]', 'ipjailmatches': '2018-01-09T03:50:08.896426rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:12.068387rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:14.351841rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:16.822032rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:23.866125rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.246369rpiserver sshd[19448]: Failed password for root from 212.164.53.17 port 36734 ssh2\n2018-01-09T03:50:26.247413rpiserver sshd[19448]: error: maximum authentication attempts exceeded for root from 212.164.53.17 port 36734 ssh2 [preauth]', 'ipfailures': 8, 'ipjailfailures': 8, 'fq-hostname': 'rpiserver', 'sh-hostname': 'rpiserver'})': Error starting action Jail('sshd')/firewallcmd-ipset
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/fail2ban/server/actions.py", line 404, in __checkBan
    action.ban(aInfo)
  File "/usr/lib/python3.6/site-packages/fail2ban/server/action.py", line 423, in ban
    self.start(family)
  File "/usr/lib/python3.6/site-packages/fail2ban/server/action.py", line 405, in start
    return self._executeOperation('<actionstart>', 'starting', family=family)
  File "/usr/lib/python3.6/site-packages/fail2ban/server/action.py", line 374, in _executeOperation
    raise RuntimeError("Error %s action %s/%s" % (operation, self._jail, self._name,))
RuntimeError: Error starting action Jail('sshd')/firewallcmd-ipset

firewalld log reports:

Jan 12 01:40:17 rpiserver firewalld[586]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Jan 12 01:40:17 rpiserver firewalld[586]: ERROR: COMMAND_FAILED
Jan 12 01:40:22 rpiserver firewalld[586]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Jan 12 01:40:22 rpiserver firewalld[586]: ERROR: COMMAND_FAILED

"ipset --list" shows:

Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 604800
Size in memory: 88
References: 0
Number of entries: 0
Members:

Expected results:
IPs should be banned and no such errors.

Additional info:
I'm seeing this on my x86_64 box too... I found: https://github.com/fail2ban/fail2ban/issues/1994 Which may or may not be relevant but looking at Fedora SCM there only seems to be an older patch which doesn't include everything in: https://github.com/fail2ban/fail2ban/commit/309a1cb337604e03f764bf50839bdd3cb8280757
Reverting to iptables-multiport works around the problem in the short term.
Any plan to address this? I tried looking upstream and found a patch that differed from the one you applied and gave up.
fail2ban-0.10.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5eaf74dad4
fail2ban-0.10.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-37f01b2610
fail2ban-0.10.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-37f01b2610
fail2ban-0.10.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5eaf74dad4
fail2ban-0.10.2-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
fail2ban-0.10.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Just upgraded to fail2ban-0.10.3.1-2.fc27, the problem still persists: On start with action set to firewalld-ipset, it complains that the ip set cannot be created, although if I give the command it is created. The INPUT_direct rules are missing too. On stop it is vice versa: the ipset is not flushed and not deleted.

journal:

aug 24 11:00:47 XXXXXXXX firewalld[1115]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
aug 24 11:00:47 XXXXXXXX firewalld[1115]: ERROR: COMMAND_FAILED
aug 24 11:00:47 XXXXXXXX fail2ban-server[20102]: fail2ban.utils [20102]: Level 39 7f4fe4026030 -- exec: ipset create f2b-sshd hash:ip timeout 7200
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j DROP
aug 24 11:00:47 XXXXXXXX fail2ban-server[20102]: fail2ban.utils [20102]: ERROR 7f4fe4026030 -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m'
aug 24 11:00:47 XXXXXXXX fail2ban-server[20102]: fail2ban.utils [20102]: ERROR 7f4fe4026030 -- returned 13
aug 24 11:00:47 XXXXXXXX sshd[20096]: Failed password for root from 198.244.101.169 port 55894 ssh2
aug 24 11:00:47 XXXXXXXX fail2ban-server[20102]: fail2ban.actions [20102]: ERROR Failed to execute ban jail 'sshd' action
This does not appear to be "fixed"... I'm getting this in my journal:

Dec 26 08:46:45 firewalld[1114]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): Set fail2ban->
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Dec 26 08:46:45 firewalld[1114]: ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0>
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I have narrowed this down to a change in the fail2ban config with ipset. The set name was changed from "fail2ban-<jail>" to "f2b-<jail>" but even when I fix this in /etc/firewalld/direct.xml it still fails because the ipset "f2b-sshd" is not always created. I've run "ipset list" multiple times while trying to troubleshoot this and I have only seen the set "f2b-sshd" once.

My /etc/fail2ban/jail.d/sshd.local:

# cat sshd.local
[DEFAULT]
bantime = 3600

[sshd]
enabled = true
Is fail2ban being restarted after firewalld is? Need more fail2ban log output as well showing the stderr output of the commands that fail.
I have a thread of just me replying to myself as I figured things out in the devel list detailing some of it. From what I can tell fail2ban doesn't always call "ipset create" when starting. My current assumption is that perhaps it doesn't create the set until it has an IP to add to it? But it does always call the firewalld --direct command which specifies the ipset set name which it chokes on because it doesn't exist.
There is a problem that needs to be fixed in firewalld though. It looks for the set to be named fail2ban-<jail> but at some point fail2ban changed the prefix to f2b-<jail>.
Also, I highly recommend filing issues upstream as well.
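In the fail2ban.log excerpt of the original report, the NOTICE "Ban" line is logged before the action runs, so counting "Ban" lines overstates what was actually blocked. The following added example (not part of this thread or of fail2ban; the name audit_bans and the sample lines are constructed for illustration) correlates each logged ban with a later "Failed to execute ban" error and with the failing command's stderr and return code, assuming the fail2ban.log line format shown in the report.

```python
import re

# Constructed sample modelled on the report's fail2ban.log (ActionInfo abridged, documentation IPs).
SAMPLE_LOG = """\
2018-01-12 01:40:18,160 fail2ban.actions [626]: NOTICE [sshd] Ban 203.0.113.7
2018-01-12 01:40:23,110 fail2ban.utils [626]: Level 39 ffff94b6af10 -- exec: ipset create f2b-sshd hash:ip timeout 604800
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports all -m set --match-set f2b-sshd src -j DROP
2018-01-12 01:40:23,112 fail2ban.utils [626]: ERROR ffff94b6af10 -- stderr: 'ipset v6.32: Set cannot be created: set with the same name already exists'
2018-01-12 01:40:23,114 fail2ban.utils [626]: ERROR ffff94b6af10 -- returned 13
2018-01-12 01:40:23,115 fail2ban.actions [626]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'ActionInfo({'ip': 203.0.113.7, 'family': 'inet4'})': Error starting action Jail('sshd')/firewallcmd-ipset
2018-01-12 01:52:41,907 fail2ban.actions [626]: NOTICE [sshd] Ban 198.51.100.23
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ ")
BAN = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
EXEC = re.compile(r"fail2ban\.utils\s+\[\d+\]:\s+(?:Level \d+|[A-Z]+)\s+(?P<id>[0-9a-f]+)"
                  r" -- (?P<kind>exec|stderr|stdout|returned):? ?(?P<rest>.*)")
FAILED = re.compile(r"ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)' "
                    r"action '(?P<action>[^']+)'.*?'ip': (?P<ip>[0-9A-Fa-f.:]+)")

def audit_bans(log_text):
    """Return (bans with no logged action failure, bans whose action failed)."""
    bans, failed, execs = [], {}, {}
    cont = last_bad = None
    for line in log_text.splitlines():
        if not STAMP.match(line):        # unstamped line: rest of a multi-line exec
            if cont is not None:
                cont["cmd"].append(line.strip())
            continue
        cont = None
        if (m := EXEC.search(line)):     # group exec/stderr/returned by their shared id
            rec = execs.setdefault(m["id"], {"cmd": [], "stderr": [], "rc": None})
            if m["kind"] == "exec":
                rec["cmd"].append(m["rest"])
                cont = rec
            elif m["kind"] == "stderr":
                rec["stderr"].append(m["rest"].strip("'"))
            elif m["kind"] == "returned":
                rec["rc"] = int(m["rest"])
                last_bad = rec if rec["rc"] != 0 else last_bad
        elif (m := FAILED.search(line)): # attach the most recent failing command
            failed[(m["jail"], m["ip"])] = {"action": m["action"], "exec": last_bad}
        elif (m := BAN.search(line)):
            bans.append((m["jail"], m["ip"]))
    clean = [b for b in bans if b not in failed]
    unenforced = [{"jail": j, "ip": ip, **failed[(j, ip)]} for j, ip in bans if (j, ip) in failed]
    return clean, unenforced
```

An address in the second list was logged as banned but has no firewall rule behind it; the attached stderr and return code show which command in the action failed.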