
Comments (8)

sebres commented on September 23, 2024

2533526 now implements a new parameter ipsettype to support setting the set type...
One can simply use this action instead (if the fail2ban version is at least v.1.0).

For instance:

# for multiport:
banaction = iptables-ipset[type=multiport, ipsettype=hash:net]
# for allports:
banaction = iptables-ipset[type=allports, ipsettype=hash:net]

Important: for action.d/firewallcmd-ipset.conf, the old parameter ipsettype (initially added in #2620 for an ipset backend) is now renamed to ipsetbackend, because the new parameter ipsettype will be used for the real set type.

from fail2ban.

Git-Forked commented on September 23, 2024

Possibly related bug of firewalld:

What appears to happen when you try to put in something like 1.2.3.4/8 
is that the entire address space attempts to be expanded. 

# firewall-cmd --permanent --new-ipset=test --type=hash:ip
success

# firewall-cmd --permanent --ipset=test --add-entry=1.2.3.4/8
success

# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ipset restore' failed: ipset v7.1: Error in line 3: Hash is full, cannot add more elements

source: https://bugzilla.redhat.com/show_bug.cgi?id=1777909


sebres commented on September 23, 2024

ipset v7.17: Hash is full, cannot add more elements

It is clearly a "bug" of ipset (or possibly your action), so my question is: why are you trying to post it here?

Anyway, it is clearly a restriction of ipset; the error simply means that the ipset elements limit is exceeded.
We have nothing to do with that.
However, related to this article (I did not verify that):
The ipset size is hardcoded in the Imunify360 source code and currently, it is equal to a 100K IPs limit.

So your attempt to increase it with maxelem 1000000 may fail.
However, I guess it may depend on kernel version or some kernel module...

By the way, I don't think you'll really ban 1M subnets... It is too heavy and looks superfluous for hash:net.

hash:net seems to be ignored and the jail gets hash:ip instead) [would prefer this one jail to use hash:net for banning subnets in CIDR format

I don't think so. What do you see with ipset list f2b-manual?

If I try it with your list, I see this after all:

# while read ip; do echo "$ip"; fail2ban-client set manual banip "$ip"; done </tmp/net-list.txt
# ipset list f2b-manual
Name: f2b-manual
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 1000000 timeout 0 bucketsize 12 initval 0xa9941845
Size in memory: 7944
References: 0
Number of entries: 124
Members:
... a lot of subnets ...

If you mean fail2ban does something wrong (e. g. with actionstart), please provide an excerpt for:

fail2ban-client -d | grep manual


sebres commented on September 23, 2024

If you previously changed

- actionstart = ipset -exist create <ipmset> hash:ip ...
+ actionstart = ipset -exist create <ipmset> hash:net ...

in the config, please ensure you restart (not just reload) fail2ban or the jail, in order to recreate the action and reban everything.
Without a restart, the jail would hold the previously created action (and therefore doesn't invoke actionstart and doesn't reban), so the ipset may remain hash:ip. And then indeed ipset would expand the subnet to a lot of IPs.

So the solution could be:

?sudo? fail2ban-client restart manual


Git-Forked commented on September 23, 2024

ipset list f2b-manual --terse

Name: f2b-manual
Type: hash:ip
Revision: 5
Header: family inet hashsize 1048576 maxelem 1000000 timeout 0 bucketsize 12 initval 0x142aae92
Size in memory: 46316208
References: 1
Number of entries: 1000000

fail2ban-client -d | grep manual

['add', 'manual', 'auto']
['set', 'manual', 'usedns', 'warn']
['set', 'manual', 'maxretry', 2]
['set', 'manual', 'maxmatches', 2]
['set', 'manual', 'findtime', '2h']
['set', 'manual', 'bantime', '-1']
['set', 'manual', 'bantime.overalljails', True]
['set', 'manual', 'ignorecommand', '']
['set', 'manual', 'logencoding', 'auto']
['set', 'manual', 'addaction', 'firewallcmd-ipset']
['multi-set', 'manual', 'action', 'firewallcmd-ipset', [['actionstart', 'ipset -exist create <ipmset> hash:ip timeout 0 maxelem 1000000 <familyopt>\nfirewall-cmd --direct --add-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>'], ['actionstop', 'firewall-cmd --direct --remove-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>\nipset flush <ipmset>\nipset destroy <ipmset>'], ['actionflush', 'ipset flush <ipmset>'], ['actionban', 'ipset -exist add <ipmset> <ip> timeout 0'], ['actionunban', 'ipset -exist del <ipmset> <ip>'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'manual'], ['actname', 'firewallcmd-ipset'], ['family', 'ipv4'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable'], ['default-ipsettime', '0'], ['ipsettime', '0'], ['timeout-bantime', '$([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)'], ['ipsettype', 'ipset'], ['actiontype', '<multiport>'], ['allports', '-p <protocol>'], ['multiport', '-p <protocol> -m multiport --dports <port>'], ['ipmset', 'f2b-<name>'], ['familyopt', ''], ['firewalld_familyopt', ''], ['ipmset?family=inet6', 'f2b-<name>6'], ['familyopt?family=inet6', 'family inet6'], ['firewalld_familyopt?family=inet6', '--option=family=inet6']]]
['start', 'manual']

uname -v

Debian 6.1.90-1

Question:

Where can I find a support channel for fail2ban to ask questions or receive support for configurations?


sebres commented on September 23, 2024

'actionstart', 'ipset -exist create <ipmset> hash:ip ...

As you can see, the action config still has the original type of set.
Unfortunately, we currently don't have a parameter for ipset-based actions to set only the type of the ipset...

And setting actionstart in the jail (as a direct parameter of the jail) would not be correct...
I don't know where you had set it, but there are basically only 3 possibilities at the moment:

  • either create a derivative action, including the action you want to use, and there overwrite actionstart or the part responsible for the ipset type inside the corresponding section. And then set the name of this action as the new banaction for the jail.
  • almost the same as above, but make a duplicate of the action, where you'd overwrite the needed stuff.
  • or supply actionstart as a parameter for the action in the jail.

Written from a mobile phone, so it is too unhandy to provide an example... Please ping me if you'd need one, I'll provide it later.


Git-Forked commented on September 23, 2024

I set the directive

[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem 1000000 <familyopt>

in the /etc/fail2ban/action.d/manual.local

I am unsure how to ping you, but an example would be very much appreciated if you have the time to offer one.
Thank you.


sebres commented on September 23, 2024

I set the directive ... in the /etc/fail2ban/action.d/manual.local

Well, this looks like 2 errors to me (if you did only that):

  • the action is missing everything else, because it neither has an include of the original action, nor the other directives expected for it to work
  • probably you did not set it as banaction in the jail.

Ok, below is an example for the stock iptables-ipset, to rewrite this:

actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> maxelem <maxelem> <familyopt>
<_ipt_add_rules>

in the action.d/manual.local

[INCLUDES]
before = iptables-ipset.conf

[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem <maxelem> <familyopt>
              <_ipt_add_rules>

(if your original action doesn't have <maxelem> parameter, simply use 1000000 like you did, although I doubt you'd ever ban 1M subnets).

in the jail:

[manual]
enabled = true
banaction = manual
...

(for firewallcmd-ipset action it would be similar: change the include and adjust ipset creation in related sections).

However, a bit ugly is that if tomorrow the original action changes in an incompatible way (e. g. _ipt_add_rules doesn't exist anymore or actionstart becomes more commands), this may fail after an upgrade to a newer version.

An alternative would be something like this:

in the action.d/manual.local

[INCLUDES]
before = iptables-ipset.conf

[Definition]
actionstart = ipset -exist create <ipmset> hash:net timeout <default-ipsettime> maxelem <maxelem> <familyopt>
              %(known/actionstart)s

where it'd first create the set with your parameters and then evaluate the original actionstart, which also tries to create the set first (but would do nothing because of -exist) and would then evaluate the further commands... and since actionstart executes only once per ip-family, it looks like a good workaround to me.

Important: don't forget to restart (not reload) the jail after all.

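A check a defender can run before loading a CIDR ban list into the jail's set, added here as an example and not code from the fail2ban project or from anyone in this thread: it parses `ipset list --terse` output (a constructed sample in the format shown above, not the real host's set) and estimates how many elements hash:ip versus hash:net would need, so a set that stayed hash:ip after a reload is caught before ipset reports "Hash is full".

```shell
#!/bin/sh
# Added example, not code from the fail2ban project: before loading a CIDR ban
# list, read the live set type and estimate the elements needed. hash:net stores
# a prefix as one element; hash:ip expands it to every address, which is what
# ends in "Hash is full, cannot add more elements". IPv4 only.
# Constructed sample of `ipset list f2b-manual --terse` output for offline runs;
# on a real host use: TERSE=$(ipset list f2b-manual --terse)
SAMPLE_TERSE='Name: f2b-manual
Type: hash:ip
Header: family inet hashsize 1048576 maxelem 1000000 timeout 0 bucketsize 12 initval 0x142aae92
References: 1
Number of entries: 124'

# set_field TERSE LABEL -> value of the "LABEL: value" line
set_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# set_maxelem TERSE -> maxelem value from the Header line
set_maxelem() {
    printf '%s\n' "$1" | sed -n 's/^Header:.*maxelem \([0-9]*\).*/\1/p'
}

# cidr_elements TYPE CIDR -> elements this one entry costs in a set of TYPE
cidr_elements() {
    case "$2" in
        */*) prefix="${2#*/}" ;;
        *)   prefix=32 ;;                 # bare address is a /32
    esac
    if [ "$1" = "hash:net" ]; then
        echo 1
    else
        echo $(( 1 << (32 - prefix) ))    # 2^(32-prefix) single addresses
    fi
}

# check_fits TERSE CIDR... -> "ok" or "overflow", counting current entries too
check_fits() {
    terse="$1"; shift
    type=$(set_field "$terse" Type)
    max=$(set_maxelem "$terse")
    total=$(set_field "$terse" "Number of entries")
    for cidr in "$@"; do
        total=$(( total + $(cidr_elements "$type" "$cidr") ))
    done
    echo "type=$type maxelem=$max needed=$total" >&2
    if [ "$total" -le "$max" ]; then echo ok; else echo overflow; fi
}

check_fits "$SAMPLE_TERSE" 1.2.3.4/8 10.0.0.0/8   # prints overflow for hash:ip
```

Run it again after `fail2ban-client restart manual`; once the set reports Type: hash:net the same two /8 entries cost two elements and the check prints ok.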
