Andreas Haumer
2020-Apr-09 07:48 UTC
[CentOS] fail2ban firewalld problems with current CentOS 7
Hi! I have a server running CentOS 7.7 (1908) with all current patches installed. I think this server should be a quite standard installation with no specialities On this server I have fail2ban with an apache and openvpn configuration. I'm using firewalld to manage the firewall rules. Fail2an is configured to use firewalld: [root at server ~]# ll /etc/fail2ban/jail.d/ insgesamt 12 -rw-r--r--. 1 root root 356 21. Jan 05:12 00-firewalld.conf -rw-r--r--. 1 root root 610 15. Nov 19:55 apache.local -rw-r--r--. 1 root root 115 15. Nov 19:10 openvpn.local [root at server ~]# cat /etc/fail2ban/jail.d/00-firewalld.conf # This file is part of the fail2ban-firewalld package to configure the use of # the firewalld actions as the default actions. You can remove this package # (along with the empty fail2ban meta-package) if you do not use firewalld [DEFAULT] banaction = firewallcmd-ipset[actiontype=<multiport>] banaction_allports = firewallcmd-ipset[actiontype=<allports>] A few days ago I noticed that on restart firewalld complains about a missing ipset: [root at server ~]# systemctl restart firewalld [root at server ~]# systemctl status firewalld ? firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Do 2020-04-09 09:25:28 CEST; 5s ago Docs: man:firewalld(1) Main PID: 8324 (firewalld) CGroup: /system.slice/firewalld.service ??8324 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid Apr 09 09:25:28 server.my.domain systemd[1]: Starting firewalld - dynamic firewall daemon... Apr 09 09:25:28 server.my.domain systemd[1]: Started firewalld - dynamic firewall daemon. Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist. Error occurred at line: 2... Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist. Error occurred at line: 2... Hint: Some lines were ellipsized, use -l to show in full. Indeed there is no ipset named "f2b-apache", there is no set configured at all: [root at server ~]# ipset list There is no error when restarting fail2ban: [root at server ~]# systemctl restart fail2ban [root at server ~]# systemctl status fail2ban ? fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled) Active: active (running) since Do 2020-04-09 09:26:13 CEST; 4s ago Docs: man:fail2ban(1) Process: 8539 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 8543 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 8545 (f2b/server) CGroup: /system.slice/fail2ban.service ??8545 /usr/bin/python -s /usr/bin/fail2ban-server -xf start Apr 09 09:26:13 server.my.domain systemd[1]: Stopped Fail2Ban Service. Apr 09 09:26:13 server.my.domain systemd[1]: Starting Fail2Ban Service... Apr 09 09:26:13 server.my.domain systemd[1]: Started Fail2Ban Service. Apr 09 09:26:13 server.my.domain fail2ban-server[8545]: Server ready Fail2ban seems to be running fine: [root at server ~]# fail2ban-client status Status |- Number of jail: 6 `- Jail list: apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, openvpn No errors loged in fail2ban.log on restart: [...] 2020-04-09 09:26:13,773 fail2ban.server [8545]: INFO Starting Fail2ban v0.10.5 2020-04-09 09:26:13,799 fail2ban.database [8545]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2020-04-09 09:26:13,801 fail2ban.jail [8545]: INFO Creating new jail 'apache-badbots' 2020-04-09 09:26:13,805 fail2ban.jail [8545]: INFO Jail 'apache-badbots' uses poller {} 2020-04-09 09:26:13,805 fail2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO maxRetry: 1 2020-04-09 09:26:13,838 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,839 fail2ban.actions [8545]: INFO banTime: 172800 2020-04-09 09:26:13,839 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,840 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7) 2020-04-09 09:26:13,841 fail2ban.jail [8545]: INFO Creating new jail 'apache-noscript' 2020-04-09 09:26:13,843 fail2ban.jail [8545]: INFO Jail 'apache-noscript' uses poller {} 2020-04-09 09:26:13,843 fail2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,851 fail2ban.filter [8545]: INFO maxRetry: 3 2020-04-09 09:26:13,851 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,851 fail2ban.actions [8545]: INFO banTime: 10800 2020-04-09 09:26:13,852 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,853 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,854 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7) 2020-04-09 09:26:13,855 fail2ban.jail [8545]: INFO Creating new jail 'apache-overflows' 2020-04-09 09:26:13,857 fail2ban.jail [8545]: INFO Jail 'apache-overflows' uses poller {} 2020-04-09 09:26:13,857 fail2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,863 fail2ban.filter [8545]: INFO maxRetry: 2 2020-04-09 09:26:13,863 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,864 fail2ban.actions [8545]: INFO banTime: 10800 2020-04-09 09:26:13,864 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,865 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,865 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7) 2020-04-09 09:26:13,866 fail2ban.jail [8545]: INFO Creating new jail 'apache-nohome' 2020-04-09 09:26:13,867 fail2ban.jail [8545]: INFO Jail 'apache-nohome' uses poller {} 2020-04-09 09:26:13,868 fail2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,872 fail2ban.filter [8545]: INFO maxRetry: 2 2020-04-09 09:26:13,873 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,873 fail2ban.actions [8545]: INFO banTime: 10800 2020-04-09 09:26:13,873 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,874 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,875 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7) 2020-04-09 09:26:13,876 fail2ban.jail [8545]: INFO Creating new jail 'apache' 2020-04-09 09:26:13,878 fail2ban.jail [8545]: INFO Jail 'apache' uses poller {} 2020-04-09 09:26:13,879 fail2ban.jail [8545]: INFO Initiated 'polling' backend 2020-04-09 09:26:13,898 fail2ban.filter [8545]: INFO maxRetry: 3 2020-04-09 09:26:13,899 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,899 fail2ban.actions [8545]: INFO banTime: 10800 2020-04-09 09:26:13,900 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,900 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766) 2020-04-09 09:26:13,901 fail2ban.filter [8545]: INFO Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7) 2020-04-09 09:26:13,902 fail2ban.jail [8545]: INFO Creating new jail 'openvpn' 2020-04-09 09:26:13,931 fail2ban.jail [8545]: INFO Jail 'openvpn' uses systemd {} 2020-04-09 09:26:13,932 fail2ban.jail [8545]: INFO Initiated 'systemd' backend 2020-04-09 09:26:13,944 fail2ban.filtersystemd [8545]: INFO [openvpn] Added journal match for: '_SYSTEMD_UNIT=openvpn-server at xss.service + _COMM=openvpn' 2020-04-09 09:26:13,944 fail2ban.actions [8545]: INFO banTime: 10800 2020-04-09 09:26:13,944 fail2ban.filter [8545]: INFO maxRetry: 2 2020-04-09 09:26:13,944 fail2ban.filter [8545]: INFO encoding: UTF-8 2020-04-09 09:26:13,945 fail2ban.filter [8545]: INFO findtime: 3600 2020-04-09 09:26:13,949 fail2ban.jail [8545]: INFO Jail 'apache-badbots' started 2020-04-09 09:26:13,952 fail2ban.jail [8545]: INFO Jail 'apache-noscript' started 2020-04-09 09:26:13,954 fail2ban.jail [8545]: INFO Jail 'apache-overflows' started 2020-04-09 09:26:13,956 fail2ban.jail [8545]: INFO Jail 'apache-nohome' started 2020-04-09 09:26:13,961 fail2ban.jail [8545]: INFO Jail 'apache' started 2020-04-09 09:26:13,964 fail2ban.jail [8545]: INFO Jail 'openvpn' started [...] BUT: SELinux complains about fail2ban: type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 So it seems somehow fail2ban does not add the required ip sets correctly. From what I see in firewalld logfile it seems these problems started after the last updates on April 2nd. On this day I did a "yum update" which executed without errors and installed: augeas-libs-1.4.0-9.el7_7.1.x86_64 Do 02 Apr 2020 20:14:27 CEST restic-0.9.6-1.el7.x86_64 Do 02 Apr 2020 20:14:25 CEST python-perf-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:14:23 CEST python3-pip-9.0.3-7.el7_7.noarch Do 02 Apr 2020 20:14:23 CEST borgbackup-1.1.11-1.el7.x86_64 Do 02 Apr 2020 20:14:19 CEST libgudev1-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:14:18 CEST kernel-tools-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:14:16 CEST pcp-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:14:01 CEST kernel-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:13:44 CEST systemd-python-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:27 CEST systemd-sysv-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:26 CEST rsyslog-8.24.0-41.el7_7.4.x86_64 Do 02 Apr 2020 20:13:26 CEST python2-certbot-apache-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:25 CEST sssd-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:24 CEST firewalld-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:13:24 CEST sssd-proxy-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:23 CEST sssd-krb5-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:23 CEST sssd-ldap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST sssd-ipa-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST sssd-ad-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:22 CEST sssd-krb5-common-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:21 CEST sssd-common-pac-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:21 CEST sssd-common-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:13:20 CEST http-parser-2.7.1-8.el7_7.2.x86_64 Do 02 Apr 2020 20:13:19 CEST python-firewall-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:13:18 CEST certbot-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:11 CEST python2-certbot-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:10 CEST python2-acme-1.3.0-1.el7.noarch Do 02 Apr 2020 20:13:09 CEST python-requests-2.6.0-9.el7_7.noarch Do 02 Apr 2020 20:13:08 CEST systemd-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:13:05 CEST kmod-20-25.el7_7.1.x86_64 Do 02 Apr 2020 20:13:02 CEST binutils-2.27-41.base.el7_7.3.x86_64 Do 02 Apr 2020 20:13:00 CEST pcp-selinux-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:48 CEST libsss_autofs-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:47 CEST kernel-tools-libs-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:12:46 CEST python-sssdconfig-1.16.4-21.el7_7.3.noarch Do 02 Apr 2020 20:12:45 CEST libsss_sudo-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:45 CEST firewalld-filesystem-0.6.3-2.el7_7.4.noarch Do 02 Apr 2020 20:12:44 CEST sssd-client-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:43 CEST libsss_nss_idmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:42 CEST libipa_hbac-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:42 CEST pcp-libs-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:41 CEST pcp-conf-4.3.2-5.el7_7.x86_64 Do 02 Apr 2020 20:12:41 CEST kmod-libs-20-25.el7_7.1.x86_64 Do 02 Apr 2020 20:12:40 CEST libsss_idmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:39 CEST libsss_certmap-1.16.4-21.el7_7.3.x86_64 Do 02 Apr 2020 20:12:33 CEST systemd-libs-219-67.el7_7.4.x86_64 Do 02 Apr 2020 20:12:32 CEST The firewalld errors start exactly after the updates were installed. Does anyone else see similar problems since the last updates? I googled and found some older postings, but nothing matching the problems I see exactly. I have other CentOS 7 servers with fail2ban and firewalld which should be updated soon, but before I do this I first want to solve this issue. Any idea? Thanks! - andreas -- Andreas Haumer | mailto:andreas at xss.co.at *x Software + Systeme | http://www.xss.co.at/ Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0 A-1100 Vienna, Austria | Fax: +43-1-6060114-71 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20200409/086b7d1a/attachment.sig>
Rob Kampen
2020-Apr-09 08:07 UTC
[CentOS] fail2ban firewalld problems with current CentOS 7
On 9/04/20 7:48 pm, Andreas Haumer wrote:> Hi! > > I have a server running CentOS 7.7 (1908) with all current patches installed. > I think this server should be a quite standard installation with no specialities > > On this server I have fail2ban with an apache and openvpn configuration. > I'm using firewalld to manage the firewall rules. > > Fail2an is configured to use firewalld: > > <snip> > > The firewalld errors start exactly after the updates were installed. > Does anyone else see similar problems since the last updates? > > I googled and found some older postings, but nothing matching the > problems I see exactly. > > I have other CentOS 7 servers with fail2ban and firewalld which > should be updated soon, but before I do this I first want to solve > this issue. > > Any idea?I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week.> > Thanks! > > - andreas > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos
Andreas Haumer
2020-Apr-09 12:31 UTC
[CentOS] fail2ban firewalld problems with current CentOS 7
Hi! Am 09.04.20 um 10:07 schrieb Rob Kampen: [...]> I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week.Yeah, those pesky real-life biological virus keeps all of us busy just like the virtual ones... ;-) (Just yesterday I found the following article mentioned on Slashdot: https://www.bloomberg.com/news/articles/2020-04-08/are-you-finally-thankful-for-your-it-person-now Made me smile... :-) Anyway, I digged into the fail2ban problem today and it looks like something changed regarding selinux and fail2ban. After several iterations with fail2ban restart, ausearch and audit2allow like this: ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon I came up with a SELinux module like that: module f2b-addon 1.0; require { type sysctl_net_t; type sysfs_t; type fail2ban_t; class file { getattr open read }; class dir search; } #============= fail2ban_t ============= #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:dir search; #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:file { getattr open read }; #!!!! This avc is allowed in the current policy allow fail2ban_t sysfs_t:file { getattr open read }; When I load this new module I can restart fail2ban and it finally is able to create a working ipset: [root at camus ~]# ipset list Name: f2b-apache Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 10800 Size in memory: 408 References: 1 Number of entries: 3 Members: 223.167.32.161 timeout 10149 93.174.93.143 timeout 10149 5.164.24.192 timeout 10149 I'm neither a fail2ban nor a SELinux expert, but it seems the standard fail2ban SELinux policy as provided by CentOS 7 is not sufficient anymore and the recent updates did not correctly update the required SELinux policies. I could report this as bug, but where does such a bugreport belong to in the first place? - andreas -- Andreas Haumer | mailto:andreas at xss.co.at *x Software + Systeme | http://www.xss.co.at/ Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0 A-1100 Vienna, Austria | Fax: +43-1-6060114-71 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20200409/33d7abf9/attachment.sig>
Maybe Matching Threads
- fail2ban firewalld problems with current CentOS 7
- fail2ban firewalld problems with current CentOS 7
- [SOLVED] fail2ban firewalld problems with current CentOS 7
- [SOLVED] fail2ban firewalld problems with current CentOS 7
- fail2ban firewalld problems with current CentOS 7