Hi,
I encountered several errors and/or made some mistakes during my installation+configuration of Virtualmin on Debian 9.
I will gather a few of those that might somehow be related. This is a Virtualmin installation although it relates more to Webmin services, so I didn’t know where the best place to post was.
So, I decided to install the “minimal” version.
When I ran the install script for the first time, it stopped when installing “Fail2banFirewalld” module.
- I tried to resume the installation with “virtualmin-config-system” using “--exclude” to avoid running again the installation for already installed components.
It failed. I found out it was in “/usr/share/perl5/Virtualmin/Config.pm”, in subroutine “_gather_plugins”.
I think it was related to the way “@include” and “@exclude” are (de)referenced when requesting modules “include” and “exclude” attributes.
I now guess it was working for “include”, and maybe I could just use that, but I used “exclude”.
I did a modification that must be compatible with both expressions.
I can send it if you tell me how and where.
It’s been a long time since I did Perl, so it is more of a guess, but I could proceed with the installation of the leftover modules.
- Installation of “Fail2banFirewalld”
Then I came to the problem with “Fail2banFirewalld”.
It was stopping when creating the startup scripts.
However, I saw that it created the “S99fail2ban” scripts under “rc.d” directories.
The check that was causing a stop was in file “/usr/share/webmin/init/init-lib.pl”:
```perl
if ($init_mode eq "systemd" && (!-r "$config{'init_dir'}/$_[0]" ||
                                &is_systemd_service($unit))) {
	# Create systemd unit if missing, as long as this isn't an old-style
	# init script
	my $cfile = &get_systemd_root($_[0])."/".$unit;
	if (!-r $cfile) {
		# Need to create config
		$_[2] || &error("Systemd service $_[0] cannot be created ".
				"unless a command is given");
		&create_systemd_service($unit, $_[1], $_[2], $_[3], undef,
					$_[5]->{'fork'}, $_[5]->{'pidfile'},
					$_[5]->{'exit'});
		}
```
It was saying “Systemd service fail2ban cannot be created unless a command is given”.
There was indeed no parameter “$_[2]” passed by the caller.
But the conditional check was strange to me:
a) !-r "$config{'init_dir'}/$_[0]"
was false because the S99fail2ban script indeed existed
b) &is_systemd_service($unit)
was true, so that whatever init script existed, it went into the “if” branch
I am not sure of the purpose of the test, but I thought:
- either it is systemd, and it must enter the “if”, for purposes I don’t know
- or it is not systemd and it must enter the “if” if no “init.d” script already exists
So, I added a “!” in front of &is_systemd_service($unit), as if the “!” was indeed applying to the whole parenthesized expression (-r "$config{'init_dir'}/$_[0]" || &is_systemd_service($unit))
But I am not sure of that, not knowing the intent of the test.
However, I could proceed to the installation that way.
Fail2ban got installed and its dependency Firewalld reinstalled.
After some tweaking seen elsewhere on this forum (“imap3” being removed as a service in Debian), I could make it start manually.
- Fail2ban runs but does not start by itself at reboot, even though the rc.d scripts are there.
When activating the service in Webmin, “Start/Stop” works.
However, if I activate “Start at boot”, it toggles back from “Yes” to “No” by itself when pressing the button.
Besides that, it creates a new set of “S99fail2ban_1” files in rc.d directories.
I can imagine it is related to the error encountered in (2), above.
- Fail2ban indeed took action for banning my own trial, I could see it in the log.
However:
a) I didn’t see a new iptables rule banning this IP, and I could still connect myself to the service
b) I don’t see any banning happening daily, although I was used to having several bans a day before because of port scanning (on another server)
I can think of the firewall doing a better job, but there are still classic ports that are open, I am just surprised not to see any scanning
- The Firewalld webmin service is in error on the service page
Error - Perl execution failed
Can't locate firewalld-lib.pl in @INC (@INC contains: /usr/share/webmin /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.24.1 /usr/local/share/perl/5.24.1 /usr/lib/x86_64-linux-gnu/perl5/5.24 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.24 /usr/share/perl/5.24 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/webmin/firewalld/index.cgi line 6.
I think it’s a core module, so I don’t know how to reinstall.
I reran “virtualmin-config-system” far later, which was not a very good idea, anyway it didn’t help.
I wonder if the fact that the bans are not effective is not related to this.
I don’t know by which mechanisms the rule update is triggered.
What I know is that the startup proceeds well, the initial rules are set.
Since I am not familiar with expressions like
REJECT tcp -- anywhere anywhere multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
I am not sure whether individual banned IPs must appear there, or if the rule is supposed to handle them as a whole.
However, the fact I was still able to establish a connection after banning myself is a clue that the setup is not fully operational.
- Thank you for having read all of this, I expect to find some answers, and I hope to bring stuff that might help consolidate this good piece of software!!
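Added example, not part of the original post: a `match-set fail2ban-sshd src` rule matches any source address that is a member of the ipset named `fail2ban-sshd`, so banned IPs live in that set and never appear as separate iptables rules. The script below compares what fail2ban reports as banned with what the set holds; the jail name `sshd` and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample shaped like the output of: fail2ban-client status sshd
F2B_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     6
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.7 198.51.100.23'

# Constructed sample shaped like the output of: ipset list fail2ban-sshd
IPSET_LIST='Name: fail2ban-sshd
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Number of entries: 1
Members:
203.0.113.7 timeout 412'

# IPs fail2ban believes are banned, one per line, sorted.
banned_ips() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u
}

# Addresses actually loaded in the set: first field of lines after "Members:".
set_members() {
    printf '%s\n' "$1" \
        | awk 'seen { print $1 } /^Members:/ { seen = 1 }' \
        | sed '/^$/d' | sort -u
}

# Bans recorded by fail2ban that the match-set rule cannot enforce,
# because the address never reached the set.
unenforced_bans() {
    members=$(set_members "$2")
    banned_ips "$1" | while read -r ip; do
        printf '%s\n' "$members" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

# On a live host (as root), replace the samples with:
#   unenforced_bans "$(fail2ban-client status sshd)" "$(ipset list fail2ban-sshd)"
unenforced_bans "$F2B_STATUS" "$IPSET_LIST"
```

Any address printed here was logged as banned but is missing from the set, which matches the symptom of still being able to connect after a ban.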