Definite failure of Fail2ban

Hi there,

I posted this in another thread ( https://www.virtualmin.com/node/39797 ) in the Virtualmin forum where someone else had an unrelated issue with Fail2ban, but at the time it seemed like it made sense to post there rather than start another thread. However, that poster seems to have figured out his issue and I’m going to pronounce that thread dead. Plus, since Fail2ban is actually under Webmin, perhaps it makes more sense to post this in the Webmin forum anyway.

One response to my post was, “Is everything else on your server running ok?” To my knowledge everything was, but I’ve been putting it through its paces for the last ten days or so, testing Virtualmin GPL before making a decision on buying the Pro version, so it’s possible I broke something; unlikely, but possible. So I set up a new VPS with a fresh install of CentOS 7, updated it and installed Virtualmin GPL. Then I installed Fail2ban according to the instructions at https://www.virtualmin.com/documentation/security/Fail2ban , although this time I did everything at the command line, whereas last time I installed EPEL at the command line and completed the installation of Fail2ban inside Webmin. (One noticeable difference between doing the installation at the command line and doing it inside Webmin is that Fail2ban remains listed under “Un-used Modules” when the installation is done at the command line, rather than being moved under “Networking” as happens when it’s done inside Webmin. This seems like an oversight to me. I did try logging out of Webmin/Virtualmin to see if that would trigger a correction, but it didn’t.)

Anyway, the result was exactly the same. To summarise:

  • I cannot configure Fail2ban to start on boot, and
  • I cannot enable any of the filter actions.

Here’s a longer description from my previous post:

I clicked through to the now active Fail2ban module and started Fail2ban. According to “ps” this appears to have been successful. Then I attempted to configure it to start at boot. Each time the page refreshed, “No” was still selected. So I moved on.

Contrary to the documentation linked to above, the SSH monitoring shows as disabled under “Filter Action Jails”. When I tried to enable it I got the following error:

Failed to save jail : All log files must be absolute paths or patterns

All I did was click “Yes” next to “Currently enabled?” and then the “Save” button, leaving all of the default settings in place. Am I supposed to change the default settings? Which ones?

I tried activating a couple of other jails in the same way and received exactly the same error each time. Something is not working.

Back at the full list of jails, while one can select multiple jails, there doesn’t seem to be a way to activate them at the same time. Do I really have to activate them one at a time?! Regardless, I’m getting the above error when I try anyway.

Simply put, Fail2ban doesn’t seem to be working on my server. I can’t configure it (through Webmin anyway) to start on boot, and I cannot activate any of the filter actions.

The installation transcript is below for reference, especially as I wonder if a couple of the dependencies installed might have screwed something up.

And here’s the information for my VPS:

  • CentOS Linux 7.2.1511
  • Webmin 1.782
  • Linux 4.4.0-x86_64-linode63 on x86_64

Anyone have any ideas? Thanks.

Craig

[root@host ~]# yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.linode.com
 * extras: mirrors.linode.com
 * updates: mirrors.linode.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================================
Package Arch Version Repository Size

Installing:
epel-release noarch 7-5 extras 14 k

Transaction Summary

Install 1 Package

Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-5.noarch.rpm | 14 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-5.noarch 1/1
Verifying : epel-release-7-5.noarch 1/1

Installed:
epel-release.noarch 0:7-5

Complete!
[root@host ~]# yum install fail2ban
Loaded plugins: fastestmirror
epel/x86_64/metalink | 18 kB 00:00:00
epel | 4.3 kB 00:00:00
(1/3): epel/x86_64/group_gz | 169 kB 00:00:00
(2/3): epel/x86_64/updateinfo | 498 kB 00:00:00
(3/3): epel/x86_64/primary_db | 3.9 MB 00:00:01
Loading mirror speeds from cached hostfile

 * base: mirrors.linode.com
 * epel: mirror.imt-systems.com
 * extras: mirrors.linode.com
 * updates: mirrors.linode.com
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.3-1.el7 will be installed
--> Processing Dependency: fail2ban-server = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
--> Processing Dependency: fail2ban-sendmail = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
--> Processing Dependency: fail2ban-firewalld = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
--> Running transaction check
---> Package fail2ban-firewalld.noarch 0:0.9.3-1.el7 will be installed
---> Package fail2ban-sendmail.noarch 0:0.9.3-1.el7 will be installed
---> Package fail2ban-server.noarch 0:0.9.3-1.el7 will be installed
--> Processing Dependency: systemd-python for package: fail2ban-server-0.9.3-1.el7.noarch
--> Processing Dependency: ipset for package: fail2ban-server-0.9.3-1.el7.noarch
--> Running transaction check
---> Package ipset.x86_64 0:6.19-4.el7 will be installed
--> Processing Dependency: ipset-libs = 6.19-4.el7 for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_3.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_2.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3(LIBIPSET_1.0)(64bit) for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: kernel for package: ipset-6.19-4.el7.x86_64
--> Processing Dependency: libipset.so.3()(64bit) for package: ipset-6.19-4.el7.x86_64
---> Package systemd-python.x86_64 0:219-19.el7_2.4 will be installed
--> Running transaction check
---> Package ipset-libs.x86_64 0:6.19-4.el7 will be installed
---> Package kernel.x86_64 0:3.10.0-327.10.1.el7 will be installed
--> Processing Dependency: linux-firmware >= 20150904-43 for package: kernel-3.10.0-327.10.1.el7.x86_64
--> Processing Dependency: grubby >= 8.28-2 for package: kernel-3.10.0-327.10.1.el7.x86_64
--> Processing Dependency: /usr/sbin/new-kernel-pkg for package: kernel-3.10.0-327.10.1.el7.x86_64
--> Processing Dependency: /usr/sbin/new-kernel-pkg for package: kernel-3.10.0-327.10.1.el7.x86_64
--> Running transaction check
---> Package grubby.x86_64 0:8.28-17.el7 will be installed
---> Package linux-firmware.noarch 0:20150904-43.git6ebf5d5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================================
Package Arch Version Repository Size

Installing:
fail2ban noarch 0.9.3-1.el7 epel 9.7 k
Installing for dependencies:
fail2ban-firewalld noarch 0.9.3-1.el7 epel 9.9 k
fail2ban-sendmail noarch 0.9.3-1.el7 epel 13 k
fail2ban-server noarch 0.9.3-1.el7 epel 395 k
grubby x86_64 8.28-17.el7 base 65 k
ipset x86_64 6.19-4.el7 base 36 k
ipset-libs x86_64 6.19-4.el7 base 46 k
kernel x86_64 3.10.0-327.10.1.el7 updates 33 M
linux-firmware noarch 20150904-43.git6ebf5d5.el7 base 24 M
systemd-python x86_64 219-19.el7_2.4 updates 98 k

Transaction Summary

Install 1 Package (+9 Dependent packages)

Total download size: 58 M
Installed size: 207 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/epel/packages/fail2ban-0.9.3-1.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for fail2ban-0.9.3-1.el7.noarch.rpm is not installed
(1/10): fail2ban-0.9.3-1.el7.noarch.rpm | 9.7 kB 00:00:00
(2/10): fail2ban-firewalld-0.9.3-1.el7.noarch.rpm | 9.9 kB 00:00:00
(3/10): fail2ban-sendmail-0.9.3-1.el7.noarch.rpm | 13 kB 00:00:00
(4/10): ipset-6.19-4.el7.x86_64.rpm | 36 kB 00:00:00
(5/10): grubby-8.28-17.el7.x86_64.rpm | 65 kB 00:00:00
(6/10): ipset-libs-6.19-4.el7.x86_64.rpm | 46 kB 00:00:00
(7/10): fail2ban-server-0.9.3-1.el7.noarch.rpm | 395 kB 00:00:00
(8/10): systemd-python-219-19.el7_2.4.x86_64.rpm | 98 kB 00:00:00
(9/10): linux-firmware-20150904-43.git6ebf5d5.el7.noarch.rpm | 24 MB 00:00:00
(10/10): kernel-3.10.0-327.10.1.el7.x86_64.rpm | 33 MB 00:00:00

Total 45 MB/s | 58 MB 00:00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-5.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : grubby-8.28-17.el7.x86_64 1/10
Installing : systemd-python-219-19.el7_2.4.x86_64 2/10
Installing : linux-firmware-20150904-43.git6ebf5d5.el7.noarch 3/10
Installing : kernel-3.10.0-327.10.1.el7.x86_64 4/10
Installing : ipset-libs-6.19-4.el7.x86_64 5/10
Installing : ipset-6.19-4.el7.x86_64 6/10
Installing : fail2ban-server-0.9.3-1.el7.noarch 7/10
Installing : fail2ban-firewalld-0.9.3-1.el7.noarch 8/10
Installing : fail2ban-sendmail-0.9.3-1.el7.noarch 9/10
Installing : fail2ban-0.9.3-1.el7.noarch 10/10
Verifying : fail2ban-firewalld-0.9.3-1.el7.noarch 1/10
Verifying : ipset-libs-6.19-4.el7.x86_64 2/10
Verifying : linux-firmware-20150904-43.git6ebf5d5.el7.noarch 3/10
Verifying : ipset-6.19-4.el7.x86_64 4/10
Verifying : fail2ban-0.9.3-1.el7.noarch 5/10
Verifying : systemd-python-219-19.el7_2.4.x86_64 6/10
Verifying : fail2ban-server-0.9.3-1.el7.noarch 7/10
Verifying : fail2ban-sendmail-0.9.3-1.el7.noarch 8/10
Verifying : kernel-3.10.0-327.10.1.el7.x86_64 9/10
Verifying : grubby-8.28-17.el7.x86_64 10/10

Installed:
fail2ban.noarch 0:0.9.3-1.el7

Dependency Installed:
fail2ban-firewalld.noarch 0:0.9.3-1.el7 fail2ban-sendmail.noarch 0:0.9.3-1.el7 fail2ban-server.noarch 0:0.9.3-1.el7 grubby.x86_64 0:8.28-17.el7 ipset.x86_64 0:6.19-4.el7
ipset-libs.x86_64 0:6.19-4.el7 kernel.x86_64 0:3.10.0-327.10.1.el7 linux-firmware.noarch 0:20150904-43.git6ebf5d5.el7 systemd-python.x86_64 0:219-19.el7_2.4

Complete!
[root@host ~]#

Ah, I found the “Refresh Modules” option, and that moved “Fail2Ban Intrusion Detector” from “Un-used Modules” to “Networking”. Didn’t fix anything else, mind you. :)

Craig

To start fail2ban automatically, you need to write a startup script or simply run

chkconfig fail2ban on

This will only work if you can run fail2ban.

Hi Coder,

Thanks, but this post was 99% about Fail2ban and Webmin. Getting something running using the command line defeats the purpose of having a control panel.

I haven’t had time to get back to this issue anyway, but when I do I will set up Fail2ban at the command line if it’s still not working as I described under Webmin.

Craig

The problem was pretty simple: put the log file path in the Fail2ban log field.

For example, for the Postfix Fail2ban jail, instead of the predefined path that takes arguments, I inserted my log file, which is /log/maillog.

You can see all your log files in “system log”.

Hi Coder,

Thanks. I’ll have to set up a test server to check this out, as I haven’t had time to get back to this issue and Fail2ban is disabled (was never actually enabled) on the production server as a result. I don’t remember what the individual configuration pages for each service looked like, but I’m sure I would have noticed an odd log path if it was present. Perhaps that field was blank by default.

Anyway, appreciate your further feedback on this. I’m sure it will be helpful when I finally get back to it.

Craig

The default looks like %path%%maillog%… at least on my machine on a fresh install.
Webmin also has a bug with the settings of Fail2ban, and it is in the “severity” entry. This is the one causing the Fail2ban module to break on auto restart.
To narrow down the issue: I am using the Authentic theme… I don’t know if the theme was the one causing the issue or if it is Webmin.
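As an added illustration (not code from this thread, from Webmin or from Fail2ban), the script below applies the “absolute paths or patterns” rule from the error Craig hit to a constructed jail.conf-style text: it expands the %(name)s references Fail2ban’s configuration uses, so a path that resolves to /var/log/secure passes, while a literal %path%%maillog%-style value like the default Coder describes cannot be expanded and a relative log name is rejected. It assumes the log variable is defined in [DEFAULT]; a real Fail2ban install defines such names in its paths-*.conf files.

```python
import configparser
import os

# Constructed sample in Fail2ban's jail.conf layout. Assumption: the log
# variable sits in [DEFAULT]; a real install defines it in paths-*.conf.
SAMPLE_JAIL_CONF = """[DEFAULT]
syslog_authpriv = /var/log/secure
[sshd]
enabled = true
logpath = %(syslog_authpriv)s
[postfix]
enabled = true
logpath = %path%%maillog%
[dovecot]
enabled = true
logpath = maillog
[apache-auth]
enabled = false
logpath = /var/log/httpd/*error_log
"""


def load_jails(text):
    # Fail2ban expands %(name)s references the way BasicInterpolation does.
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    return cp


def logpath_problems(cp, jail):
    """Reasons this jail's logpath would be rejected; absolute globs pass."""
    try:
        raw = cp.get(jail, "logpath")
    except (configparser.InterpolationError, configparser.NoOptionError) as exc:
        # A literal like %path%%maillog% is not a valid %(name)s reference.
        return ["logpath missing or not expandable: %s" % exc]
    paths = [p.strip() for p in raw.splitlines() if p.strip()]
    return ["not an absolute path or pattern: %s" % p
            for p in paths if not os.path.isabs(p)]


def check_enabled_jails(text):
    """Map each enabled jail with a bad logpath to its list of problems."""
    cp = load_jails(text)
    report = {}
    for jail in cp.sections():
        if cp.getboolean(jail, "enabled", fallback=False):
            report[jail] = logpath_problems(cp, jail)
    return {jail: probs for jail, probs in report.items() if probs}
```

Running check_enabled_jails(SAMPLE_JAIL_CONF) flags only postfix and dovecot; the disabled apache-auth jail is skipped even though its glob would pass.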