Hello List,

with CentOS 7.2 it is no longer possible to run fail2ban on a Server ?

I install a new CentOS 7.2 and the EPEL directory
yum install fail2ban

I don't change anything only I create a jail.local to enable the Filters
[sshd]
enabled = true
....
.....
When I start afterward fail2ban
systemctl status fail2ban is clean

But systemctl status firewalld is broken

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
 Main PID: 13158 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED

Does anyone have an idea what is broken ?

ipset, iptables, fail2ban ?

--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

On 20.08.2016 at 14:46, Günther J. Niederwimmer wrote:
> Hello List,
>
> with CentOS 7.2 it is no longer possible to run fail2ban on a Server ?
>
> I install a new CentOS 7.2 and the EPEL directory
> yum install fail2ban

No such issue on a clean test install.

[root@centos7 fail2ban]# rpm -qa fail2ban\*
fail2ban-sendmail-0.9.3-1.el7.noarch
fail2ban-firewalld-0.9.3-1.el7.noarch
fail2ban-0.9.3-1.el7.noarch
fail2ban-server-0.9.3-1.el7.noarch

Make sure you have fail2ban-firewalld installed as this provides the
configuration to use firewallcmd-ipset as default banaction.

Plenty of reasons for the "ERROR: NOT_ENABLED" logging, see man 5
firewalld.dbus.

Alexander

Hello,

On Saturday, 20 August 2016, 16:05:48, Alexander Dalloz wrote:
> On 20.08.2016 at 14:46, Günther J. Niederwimmer wrote:
> > Hello List,
> >
> > with CentOS 7.2 it is no longer possible to run fail2ban on a Server ?
> >
> > I install a new CentOS 7.2 and the EPEL directory
> > yum install fail2ban
>
> No such issue on a clean test install.
>
> [root@centos7 fail2ban]# rpm -qa fail2ban\*
> fail2ban-sendmail-0.9.3-1.el7.noarch
> fail2ban-firewalld-0.9.3-1.el7.noarch
> fail2ban-0.9.3-1.el7.noarch
> fail2ban-server-0.9.3-1.el7.noarch

on my Systems
fail2ban-0.9.3-1.el7.noarch
fail2ban-firewalld-0.9.3-1.el7.noarch
fail2ban-server-0.9.3-1.el7.noarch
fail2ban-sendmail-0.9.3-1.el7.noarch

> Make sure you have fail2ban-firewalld installed as this provides the
> configuration to use firewallcmd-ipset as default banaction.

I have now installed three Machines and 12 KVM Clients on my Systems but
fail2ban is broken on all systems ???

> Plenty of reasons for the "ERROR: NOT_ENABLED" logging, see man 5
> firewalld.dbus.

I am not a Programmer and I searched the Internet, but I found nothing for
this Problem.

Can you please help a little bit more

Thanks
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

Hello,

On Saturday, 20 August 2016, 16:05:48, Alexander Dalloz wrote:
> On 20.08.2016 at 14:46, Günther J. Niederwimmer wrote:
> > Hello List,
> >
> > with CentOS 7.2 it is no longer possible to run fail2ban on a Server ?
> >
> > I install a new CentOS 7.2 and the EPEL directory
> > yum install fail2ban
>
> No such issue on a clean test install.
>
> [root@centos7 fail2ban]# rpm -qa fail2ban\*
> fail2ban-sendmail-0.9.3-1.el7.noarch
> fail2ban-firewalld-0.9.3-1.el7.noarch
> fail2ban-0.9.3-1.el7.noarch
> fail2ban-server-0.9.3-1.el7.noarch
>
> Make sure you have fail2ban-firewalld installed as this provides the
> configuration to use firewallcmd-ipset as default banaction.
>
> Plenty of reasons for the "ERROR: NOT_ENABLED" logging, see man 5
> firewalld.dbus.

?? these are the logs from fail2ban

I mean we have a broken ipset and/or iptables?

I have extra installed an "old" CentOS 7 and tested before update, this is working.
I found the blocked IPs in iptables -L -n ???

Now with 7.2 I have only Errors ??

2016-08-21 11:09:33,565 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8baa0>, 'matches': '2016-06-18T13:12:13.154635 yyy.xxxxx.com sshd[3705]: Invalid user john from 95.211.190.210\n2016-06-18T13:12:13.590404 yyy.xxxxx.com sshd[3707]: Invalid user nagios from 95.211.190.210', 'ip': '95.211.190.210', 'ipmatches': <function <lambda> at 0x7f19e1d8ba28>, 'ipfailures': <function <lambda> at 0x7f19e1d8b9b0>, 'time': 1471770573.462379, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b938>})': Error banning 95.211.190.210
2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 97.74.232.35
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 97.74.232.35 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,668 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'matches': '2016-08-14T16:19:53.289264 yyy.xxxxx.com sshd[24915]: Invalid user guest from 97.74.232.35\n2016-08-14T16:19:54.661401 yyy.xxxxx.com sshd[24917]: Invalid user pi from 97.74.232.35', 'ip': '97.74.232.35', 'ipmatches': <function <lambda> at 0x7f19e1d8b938>, 'ipfailures': <function <lambda> at 0x7f19e1d8ba28>, 'time': 1471770573.565505, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8baa0>})': Error banning 97.74.232.35
2016-08-21 11:09:33,668 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.142.52.44
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,771 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.142.52.44 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,771 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8ba28>, 'matches': '2016-06-08T15:27:16.145465 yyy.xxxxx.com sshd[20294]: Invalid user a from 98.142.52.44\n2016-06-08T15:27:19.797928 yyy.xxxxx.com sshd[20297]: Invalid user ajay from 98.142.52.44', 'ip': '98.142.52.44', 'ipmatches': <function <lambda> at 0x7f19e1d8baa0>, 'ipfailures': <function <lambda> at 0x7f19e1d8b938>, 'time': 1471770573.668562, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8b9b0>})': Error banning 98.142.52.44
2016-08-21 11:09:33,771 fail2ban.actions [2066]: NOTICE [sshd] Ban 98.254.171.195
2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,874 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 98.254.171.195 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,874 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f19e1d8b938>, 'matches': '2016-06-01T03:21:56.504682 yyy.xxxxx.com sshd[8392]: Invalid user ubnt from 98.254.171.195\n2016-06-01T03:22:42.468330 yyy.xxxxx.com sshd[8473]: Invalid user pi from 98.254.171.195', 'ip': '98.254.171.195', 'ipmatches': <function <lambda> at 0x7f19e1d8b9b0>, 'ipfailures': <function <lambda> at 0x7f19e1d8baa0>, 'time': 1471770573.771765, 'failures': 2, 'ipjailfailures': <function <lambda> at 0x7f19e1d8ba28>})': Error banning 98.254.171.195

this is my jail.local

#
[DEFAULT]
bantime = 2592000
findtime = 3600
ignoreip = 127.0.0.1/8 192.168.55.0/24 192.168.100.0/24
maxretry = 2
#
[sshd-ddos]
enabled = true
[sshd]
enabled = true
[selinux-ssh]
enabled = true

--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

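Added example, not part of the original thread and not fail2ban's own code: in the log above each "NOTICE [sshd] Ban" line is followed by a failed firewallcmd-ipset action, so the Ban notice alone does not show that an address is blocked. The sketch below separates announced bans from those whose action failed and attaches the stderr reason; the function name audit_bans and the sample log (documentation addresses, shortened CallingMap) are constructed for illustration.

```python
import re

# Constructed sample in the shape of the fail2ban.log excerpt above
# (documentation addresses; the CallingMap payload is shortened to {...}).
SAMPLE_LOG = r"""
2016-08-21 11:09:33,565 fail2ban.actions [2066]: NOTICE [sshd] Ban 192.0.2.10
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stdout: ''
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2016-08-21 11:09:33,668 fail2ban.action [2066]: ERROR ipset add fail2ban-sshd 192.0.2.10 timeout 7776000 -exist -- returned 1
2016-08-21 11:09:33,668 fail2ban.actions [2066]: ERROR Failed to execute ban jail 'sshd' action 'firewallcmd-ipset' info 'CallingMap({...})': Error banning 192.0.2.10
2016-08-21 11:09:34,001 fail2ban.actions [2066]: NOTICE [sshd] Ban 198.51.100.7
"""

FAILED = re.compile(r"ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)' "
                    r"action '(?P<action>[^']+)'.*Error banning (?P<ip>\S+)\s*$")
STDERR = re.compile(r"ERROR\s+(?P<cmd>.+?) -- stderr: '(?P<msg>.*)'\s*$")
BAN = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$")


def audit_bans(log_text):
    """Split announced bans into failed actions and bans with no logged error."""
    announced = []       # (jail, ip) in log order, from "NOTICE [jail] Ban ip"
    failed = {}          # (jail, ip) -> details of the failed ban action
    last_stderr = None   # (command, message) of the latest non-empty stderr line
    for line in log_text.splitlines():
        # FAILED is tested first: its 'matches' field echoes remote-supplied
        # user names, which must not be parsed as a stderr line.
        if m := FAILED.search(line):
            reason = "unknown"
            # Use the stderr text only if the failing command names this IP.
            if last_stderr and m["ip"] in last_stderr[0].split():
                reason = last_stderr[1]
            failed[(m["jail"], m["ip"])] = {
                "jail": m["jail"], "ip": m["ip"],
                "action": m["action"], "reason": reason}
            last_stderr = None
        elif m := STDERR.search(line):
            if m["msg"]:
                # The log stores the newline as the two characters \ and n.
                last_stderr = (m["cmd"], m["msg"].replace("\\n", " ").strip())
        elif m := BAN.search(line):
            if (m["jail"], m["ip"]) not in announced:
                announced.append((m["jail"], m["ip"]))
    return {"unenforced": list(failed.values()),
            "no_error_logged": [k for k in announced if k not in failed]}
```

An address under "no_error_logged" only means the action did not report a failure; whether the ipset entry and firewall rule exist still has to be checked on the host.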
on my one system I see something even weirder...

setroubleshoot[58420]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm. For complete SELinux messages. run sealert -l 892542a6-b3ea-48eb-b76f-cadffdbdbb84
Nov 02 22:21:27 rider.private.ccnr.ceb.private.cam.ac.uk python[58420]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm.

Source Context                system_u:system_r:fail2ban_client_t:s0
Target Context                system_u:object_r:rpm_exec_t:s0
Target Objects                /usr/bin/rpm [ file ]
Source                        fail2ban-client
Source Path                   /usr/bin/python2.7

fail2ban wants to run rpm ???

unless some binaries I have mislabelled this would be suspicious, no??

On 20/08/16 13:46, Günther J. Niederwimmer wrote:
> Hello List,
>
> with CentOS 7.2 it is no longer possible to run fail2ban on a Server ?
>
> I install a new CentOS 7.2 and the EPEL directory
> yum install fail2ban
>
> I don't change anything only I create a jail.local to enable the Filters
> [sshd]
> enabled = true
> ....
> .....
> When I start afterward fail2ban
> systemctl status fail2ban is clean
>
> But systemctl status firewalld is broken
>
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>    Active: active (running) since Sa 2016-08-20 12:08:27 CEST; 4min 50s ago
>  Main PID: 13158 (firewalld)
>    CGroup: /system.slice/firewalld.service
>            └─13158 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>
> Aug 20 12:12:23 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:23 ERROR: NOT_ENABLED
> Aug 20 12:12:24 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:24 ERROR: NOT_ENABLED
> Aug 20 12:12:25 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:25 ERROR: NOT_ENABLED
> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> Aug 20 12:12:27 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:27 ERROR: NOT_ENABLED
> Aug 20 12:12:28 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:28 ERROR: NOT_ENABLED
> Aug 20 12:12:29 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:29 ERROR: NOT_ENABLED
> Aug 20 12:12:30 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:30 ERROR: NOT_ENABLED
> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
> Aug 20 12:12:31 yyyy.xxxxxx.at firewalld[13158]: 2016-08-20 12:12:31 ERROR: NOT_ENABLED
>
> Does anyone have an idea what is broken ?
>
> ipset, iptables, fail2ban ?
>