Comments (8)
just to make it clearer (since I am a bit confused by dichotomy of summary/description)
- what version of fail2ban?
- you have an action file -- share it so this all could be reproduced (is it consistently reproducible? try on a different box)
- those stop actions are not called within action file, right?
- action file in question just gets/sends the status and as soon as it is enabled, but regardless either it is "invoked" atm -- fail2ban-client stop fails if called outside
- sample of fail2ban.log (at loglevel = 4, ie DEBUG)?
from fail2ban.
The bug occurs only if there is at least one banned ip.
- Fail2Ban v0.8.4-SVN
- iptables-allports.local:
  ...
  actionban = iptables -I fail2ban-<name> -s <ip> -j DROP
              /etc/zabbix/fail2ban_helper.sh <name>
  actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
                /etc/zabbix/fail2ban_helper.sh <name>
  ...
/etc/zabbix/fail2ban_helper.sh:
#!/bin/bash
set -x
if [ $# -ne 1 ]; then
    echo "Usage: $0 <name>"
    exit 1
fi
zabbix_server=monitor
hostname=$(hostname)
# If script is called when fail2ban service is stopping
# Socket is alive, but fail2ban-server would not answer
# so fail2ban-client hangs. Here is DIRTY workaround:
#fail2ban-client ping &
#pid=$!
#sleep 1
#if [ ps -e | grep $pid ]; then
# echo "Service is stopping, bans are removed"
# zabbix_sender -z $zabbix_server -s $hostname -k ssh_num_banned_ips -o 0
# zabbix_sender -z $zabbix_server -s $hostname -k ssh_list_of_banned_ips -o ""
# exit 0
#fi
number_of_banned_ips=$(fail2ban-client status ssh | grep 'Currently banned' | cut -d':' -f 2 | tr -d '[:cntrl:]')
list_of_banned_ips=$(fail2ban-client status ssh | grep 'IP list' | cut -d':' -f 2 | tr -d '[:cntrl:]')
# Quote every expansion so an empty result does not drop the -o argument
zabbix_sender -z "$zabbix_server" -s "$hostname" -k ssh_num_banned_ips -o "$number_of_banned_ips"
zabbix_sender -z "$zabbix_server" -s "$hostname" -k ssh_list_of_banned_ips -o "$list_of_banned_ips"
- Yes, stop action is called outside
- Here is part of process tree when fail2ban-client stop hangs:
  - /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
  - sh -c iptables -D fail2ban-ssh -s 10.0.0.9 -j DROP /etc/zabbix/fail2ban_helper.sh ssh
  - /bin/bash /etc/zabbix/fail2ban_helper.sh ssh
  - /bin/bash /etc/zabbix/fail2ban_helper.sh ssh
  - tr -d [:cntrl:]
  - cut -d: -f 2
  - grep Currently banned
  - /usr/bin/python /usr/bin/fail2ban-client status ssh
fail2ban.log, loglevel = 4:
2011-11-21 16:22:01,988 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-11-21 16:22:01,990 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2011-11-21 16:22:01,990 fail2ban.jail : INFO Creating new jail 'ssh'
2011-11-21 16:22:01,990 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-11-21 16:22:02,097 fail2ban.filter : DEBUG Created Filter
2011-11-21 16:22:02,097 fail2ban.filter : DEBUG Created FilterPoll
2011-11-21 16:22:02,098 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2011-11-21 16:22:02,099 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-11-21 16:22:02,100 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '3']
2011-11-21 16:22:02,101 fail2ban.filter : INFO Set maxRetry = 3
2011-11-21 16:22:02,102 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2011-11-21 16:22:02,102 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2011-11-21 16:22:02,103 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2011-11-21 16:22:02,104 fail2ban.filter : INFO Set findtime = 600
2011-11-21 16:22:02,105 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2011-11-21 16:22:02,106 fail2ban.actions: INFO Set banTime = 600
2011-11-21 16:22:02,108 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from \\s*$']
2011-11-21 16:22:02,114 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from \\s*$']
2011-11-21 16:22:02,121 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from (?: port \\d*)?(?: ssh\\d*)?$']
2011-11-21 16:22:02,131 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM \\s*$']
2011-11-21 16:22:02,139 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from \\s*$']
2011-11-21 16:22:02,153 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from not allowed because not listed in AllowUsers$']
2011-11-21 16:22:02,168 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=(?:\\s+user=.*)?\\s*$']
2011-11-21 16:22:02,183 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(\\)\\s*$']
2011-11-21 16:22:02,198 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
2011-11-21 16:22:02,215 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2011-11-21 16:22:02,237 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'iptables-allports']
2011-11-21 16:22:02,237 fail2ban.actions.action: DEBUG Created Action
2011-11-21 16:22:02,239 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'iptables-allports', 'iptables -I fail2ban- 1 -s -j DROP\n/etc/zabbix/fail2ban_helper.sh ']
2011-11-21 16:22:02,239 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban- 1 -s -j DROP /etc/zabbix/fail2ban_helper.sh
2011-11-21 16:22:02,240 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables-allports', 'iptables -D INPUT -p -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
2011-11-21 16:22:02,241 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban-
2011-11-21 16:22:02,242 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'iptables-allports', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p -j fail2ban-']
2011-11-21 16:22:02,242 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -p -j fail2ban-
2011-11-21 16:22:02,244 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'iptables-allports', 'iptables -D fail2ban- -s -j DROP\n/etc/zabbix/fail2ban_helper.sh ']
2011-11-21 16:22:02,244 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban- -s -j DROP /etc/zabbix/fail2ban_helper.sh
2011-11-21 16:22:02,245 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'iptables-allports', 'iptables -n -L INPUT | grep -q fail2ban-']
2011-11-21 16:22:02,246 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2011-11-21 16:22:02,247 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-allports', 'protocol', 'all']
2011-11-21 16:22:02,248 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-allports', 'name', 'ssh']
2011-11-21 16:22:02,249 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2011-11-21 16:22:02,250 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2011-11-21 16:22:02,251 fail2ban.filter.datedetector: DEBUG Sorting the template list
2011-11-21 16:22:02,251 fail2ban.jail : INFO Jail 'ssh' started
2011-11-21 16:22:02,257 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh iptables -A fail2ban-ssh -j RETURN iptables -I INPUT -p all -j fail2ban-ssh
2011-11-21 16:22:02,298 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh iptables -A fail2ban-ssh -j RETURN iptables -I INPUT -p all -j fail2ban-ssh returned successfully
2011-11-21 16:23:40,369 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2011-11-21 16:23:40,413 fail2ban.filter : DEBUG Found 10.0.0.9
2011-11-21 16:23:40,414 fail2ban.filter : DEBUG Found 10.0.0.9
2011-11-21 16:23:40,414 fail2ban.filter.datedetector: DEBUG Sorting the template list
2011-11-21 16:23:41,417 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2011-11-21 16:23:41,418 fail2ban.filter : DEBUG Found 10.0.0.9
2011-11-21 16:23:41,418 fail2ban.filter.datedetector: DEBUG Sorting the template list
2011-11-21 16:23:42,412 fail2ban.actions: WARNING [ssh] Ban 10.0.0.9
2011-11-21 16:23:42,412 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh
2011-11-21 16:23:42,421 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2011-11-21 16:23:42,423 fail2ban.filter : DEBUG Found 10.0.0.9
2011-11-21 16:23:42,423 fail2ban.filter.datedetector: DEBUG Sorting the template list
2011-11-21 16:23:42,448 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2011-11-21 16:23:42,448 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 10.0.0.9 -j DROP /etc/zabbix/fail2ban_helper.sh ssh
2011-11-21 16:23:42,535 fail2ban.comm : DEBUG Command: ['status', 'ssh']
2011-11-21 16:23:42,626 fail2ban.comm : DEBUG Command: ['status', 'ssh']
2011-11-21 16:23:42,768 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 10.0.0.9 -j DROP /etc/zabbix/fail2ban_helper.sh ssh returned successfully
2011-11-21 16:24:42,950 fail2ban.comm : DEBUG Command: ['status']
2011-11-21 16:24:43,032 fail2ban.comm : DEBUG Command: ['stop']
2011-11-21 16:24:43,489 fail2ban.filter : DEBUG ssh: filter terminated
2011-11-21 16:24:43,839 fail2ban.actions: DEBUG Flush ban list
2011-11-21 16:24:43,839 fail2ban.actions: WARNING [ssh] Unban 10.0.0.9
2011-11-21 16:24:43,839 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh
2011-11-21 16:24:43,845 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2011-11-21 16:24:43,846 fail2ban.actions.action: DEBUG iptables -D fail2ban-ssh -s 10.0.0.9 -j DROP /etc/zabbix/fail2ban_helper.sh ssh
from fail2ban.
Thanks for all the gory details
FWIW: I see -- so indeed server fails to communicate while it is in the "shutting down" mode, and since it tries to talk to itself (via running unbanning command which invokes fail2ban-client call -- it gets stuck). The problem lies in the locking mechanism since when server performs banning action all threads get locked ...
as a quick resolution -- pushing the fix which would stop communications first and then will stop the jails upon 'quit' method of the server
from fail2ban.
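An added example, not part of the thread and not fail2ban's own code: a variant of the helper's status query that bounds each `fail2ban-client` call with GNU coreutils `timeout`, so a helper run from `actionunban` during shutdown reports zero bans (what the commented-out workaround was aiming for) instead of waiting on a server that cannot answer. The `F2B_CLIENT`, `F2B_TIMEOUT` and `ZABBIX_SERVER` variables and the function names are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not from the thread: bound each fail2ban-client call so an
# action script cannot block the server that launched it.
# F2B_CLIENT and F2B_TIMEOUT are hypothetical knobs, not fail2ban settings.
F2B_CLIENT=${F2B_CLIENT:-fail2ban-client}
F2B_TIMEOUT=${F2B_TIMEOUT:-2}
ZABBIX_SERVER=${ZABBIX_SERVER:-monitor}

# Print the status of jail $1; non-zero if the server did not answer within
# F2B_TIMEOUT seconds (GNU timeout exits 124) or the client failed.
jail_status() {
    timeout "$F2B_TIMEOUT" "$F2B_CLIENT" status "$1" 2>/dev/null
}

# Read status text on stdin; print the value after ':' on the line matching $1.
status_field() {
    grep -- "$1" | head -n 1 | cut -d: -f2- | tr -d '[:cntrl:]' |
        sed 's/^ *//; s/ *$//'
}

# Print "<count>|<ip list>" for jail $1. Falls back to "0|" when the server
# is unreachable, e.g. while it is stopping and flushing its ban list.
ban_summary() {
    if ! _out=$(jail_status "$1"); then
        echo "0|"
        return 0
    fi
    _n=$(printf '%s\n' "$_out" | status_field 'Currently banned')
    _ips=$(printf '%s\n' "$_out" | status_field 'IP list')
    echo "${_n:-0}|$_ips"
}

# Send both items to Zabbix, using the item keys from the helper above.
report() {
    _s=$(ban_summary "$1")
    zabbix_sender -z "$ZABBIX_SERVER" -s "$(hostname)" \
        -k ssh_num_banned_ips -o "${_s%%|*}"
    zabbix_sender -z "$ZABBIX_SERVER" -s "$(hostname)" \
        -k ssh_list_of_banned_ips -o "${_s#*|}"
}

# Run only when invoked as an action helper with exactly one jail name.
if [ "$#" -eq 1 ]; then
    report "$1"
fi
```

The timeout only keeps the helper from blocking; the ordering problem inside the server is what the fix discussed in this thread addresses.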
Ah apparently syntax for commit message keywords to close issues for github 2.0 has changed:
https://github.com/blog/831-issues-2-0-the-next-generation
So -- this issue was addressed in 1632244
from fail2ban.
I'm not a programmer and I'm not familiar with github... but as I see, db39c74 is adding support of syslog-ng time format, it does not fix this problem.
from fail2ban.
oops -- wrong cut and paste. See
1632244
BF: stop all communications before stopping the jails (Close gh-7)
It is necessary because otherwise if jails actions try to communicate
to the server we are getting a lockup since threads are locked
from fail2ban.
Thank you for quick fix and for making this great tool :)
from fail2ban.
You are welcome !
I guess that I could take the gratitude as the confirmation that it resolved the issue for you ;-)
from fail2ban.