fail2ban not creating rules while configured with nftables #1814

Closed
dthpulse opened this issue Jun 29, 2017 · 5 comments

Comments

@dthpulse

commented Jun 29, 2017


Environment:


  • Fail2Ban version (including any possible distribution suffixes):
  • OS, including release name/version:
  • [x] Fail2Ban installed via OS/distribution mechanisms
  • [x] You have not applied any additional foreign patches to the codebase
  • [x] Some customizations were done to the configuration (provide details below if so)

The issue:

fail2ban doesn't create rules while configured with nftables.
The error message is:

2017-06-29 06:30:07,188 fail2ban.action         [2755]: ERROR   nft list chain inet filter INPUT | grep -q '@f2b-sshd[ \t]' -- stdout: b''
2017-06-29 06:30:07,188 fail2ban.action         [2755]: ERROR   nft list chain inet filter INPUT | grep -q '@f2b-sshd[ \t]' -- stderr: b"<cmdline>:1:1-29: Error: Could not process rule: Chain 'INPUT' does not exist\nlist chain inet filter INPUT\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n"
2017-06-29 06:30:07,188 fail2ban.action         [2755]: ERROR   nft list chain inet filter INPUT | grep -q '@f2b-sshd[ \t]' -- returned 1
2017-06-29 06:30:07,189 fail2ban.CommandAction  [2755]: ERROR   Invariant check failed. Trying to restore a sane environment
2017-06-29 06:30:07,399 fail2ban.action         [2755]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- stdout: b''
2017-06-29 06:30:07,399 fail2ban.action         [2755]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- stderr: b'<cmdline>:1:1-74: Error: Could not process rule: No such file or directory\ninsert rule inet filter INPUT tcp dport { ssh } ip saddr @f2b-sshd reject\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n'
2017-06-29 06:30:07,399 fail2ban.action         [2755]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- returned 1
2017-06-29 06:30:07,399 fail2ban.actions        [2755]: ERROR   Failed to execute unban jail 'sshd' action 'nftables-multiport' info '{'ip': '91.197.232.109', 'matches': 'Jun 29 06:20:05 podciarou sshd[3791]: Invalid user 0 from 91.197.232.109 port 56739Jun 29 06:20:05 podciarou sshd[3793]: Invalid user 0000 from 91.197.232.109 port 34928Jun 29 06:20:05 podciarou sshd[3795]: Invalid user 010101 from 91.197.232.109 port 39348Jun 29 06:20:06 podciarou sshd[3797]: Invalid user 1111 from 91.197.232.109 port 43326Jun 29 06:20:06 podciarou sshd[3801]: Invalid user 1234 from 91.197.232.109 port 52357', 'time': 1498710007.0681896, 'failures': 5}': Error starting action

Steps to reproduce

$ cp jail.conf jail.local
then modify:

banaction = nftables-multiport
banaction_allports = nftables-allports

Expected behavior

should ban the found IP addresses without error

Observed behavior

error reported above, not banning

Any additional information

Configuration, dump and another helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

Relevant parts of /var/log/fail2ban.log file:

preferably obtained while running fail2ban with loglevel = 4

2017-06-29 08:49:19,249 fail2ban.action         [5146]: DEBUG   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject
2017-06-29 08:49:19,250 fail2ban.jail           [5146]: INFO    Jail 'sshd' started
2017-06-29 08:49:19,250 fail2ban.filterpyinotify[5146]: DEBUG   pyinotifier started for sshd.
2017-06-29 08:49:19,361 fail2ban.action         [5146]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- stdout: b''
2017-06-29 08:49:19,362 fail2ban.action         [5146]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- stderr: b'<cmdline>:1:1-74: Error: Could not process rule: No such file or directory\ninsert rule inet filter INPUT tcp dport { ssh } ip saddr @f2b-sshd reject\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n'
2017-06-29 08:49:19,362 fail2ban.action         [5146]: ERROR   nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT tcp dport \{ ssh \} ip saddr @f2b-sshd reject -- returned 1
2017-06-29 08:49:19,362 fail2ban.actions        [5146]: ERROR   Failed to start jail 'sshd' action 'nftables-multiport': Error starting action
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/fail2ban/server/actions.py", line 221, in run
    action.start()
  File "/usr/lib/python3/dist-packages/fail2ban/server/action.py", line 283, in start
    raise RuntimeError("Error starting action")
RuntimeError: Error starting action

Relevant lines from monitored log files in question:

@sebres

Member

commented Jun 29, 2017

Chain 'INPUT' does not exist

It means that you have no chain INPUT in your nft configuration (I mean nft itself, not fail2ban).
Either you should create it or specify another chain using chain = somechain.

We are not a common forum resp. support group for the distribution you obtained Fail2Ban from; please seek support there. Thus closed.

@sebres sebres closed this Jun 29, 2017
@dthpulse

Author

commented Jun 29, 2017

it does exist:

# nft list chains
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
@dthpulse

Author

commented Jun 29, 2017

Ach, you have a BUG somewhere, as input is defined

/etc/fail2ban/action.d/nftables-common.conf:chain = input

and exists:

nft list chains
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

But your code is still looking for "INPUT" instead of "input"

 No such file or directory\ninsert rule inet filter INPUT tcp dport

As soon as I changed chain name in nftables.conf to INPUT it started to work.

table inet filter {
	chain INPUT {
		type filter hook input priority 0; policy drop;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
@sebres

Member

commented Jun 29, 2017

ach you have an BUG somewhere...

This is definitely not a bug.
The leading configuration file of fail2ban is jail.conf (or your customization jail.local). This overrides many other parameters provided by action.d/some-action.conf.
The default configuration focuses on iptables (and other similar actions), where the chain is INPUT.
If you changed the default banning action, then you should supply all parameters that are expected.

As I already wrote, just set the chain in your jail.local in the default section or for all jails using nft:

# jail.local:
[DEFAULT]
chain = input

[jail-w-other-action]
chain = BAD
banaction = other-action

For the explanation of why it is so:

[DEFAULT]
banaction = nft
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
# chain is set explicit in jail.conf:
chain = INPUT

results to

action = nft[name=..., chain="INPUT"]
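The two points made in this thread, that the `chain` value reaching the nftables action comes from the [DEFAULT] section of jail.conf (where it is INPUT, tuned for iptables) unless jail.local overrides it, and that nft rejects a chain name that does not exist exactly as spelled, as an added example that is not part of the original thread or of fail2ban's own code. It layers two constructed INI fragments with Python's configparser (fail2ban's real parser adds its own variables such as %(__name__)s; the `jailname` option below is a stand-in for that) and then checks the resolved chain, case-sensitively, against a constructed `nft list chains` listing copied from the reporter's ruleset:

```python
# Added example (not fail2ban's code): jail.conf/jail.local layering of `chain`
# and a case-sensitive check against an `nft list chains` listing.
import configparser
import re

# Constructed stand-in for the shipped jail.conf. As in the real file, `chain`
# is set explicitly in [DEFAULT] and tuned for iptables, whose chain is INPUT.
# `jailname` is an assumption standing in for fail2ban's %(__name__)s.
JAIL_CONF = """
[DEFAULT]
chain = INPUT
port = ssh
banaction = iptables-multiport
action_ = %(banaction)s[name=%(jailname)s, port="%(port)s", chain="%(chain)s"]
action = %(action_)s

[sshd]
jailname = sshd
enabled = true
"""

# Constructed jail.local as the reporter had it: only the banaction switched.
JAIL_LOCAL_BROKEN = """
[DEFAULT]
banaction = nftables-multiport
"""

# Constructed jail.local as recommended in the thread: chain overridden too.
JAIL_LOCAL_FIXED = """
[DEFAULT]
banaction = nftables-multiport
chain = input
"""

# Constructed `nft list chains` output mirroring the reporter's ruleset.
NFT_LIST_CHAINS = """\
table inet filter {
\tchain input {
\t\ttype filter hook input priority 0; policy drop;
\t}
\tchain forward {
\t\ttype filter hook forward priority 0; policy accept;
\t}
\tchain output {
\t\ttype filter hook output priority 0; policy accept;
\t}
}
"""


def resolve_action(jail, *ini_fragments):
    """Layer INI fragments in order (later wins, as jail.local does over
    jail.conf) and return the fully interpolated `action` string for `jail`."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for frag in ini_fragments:
        cp.read_string(frag)
    return cp.get(jail, "action")


def chain_from_action(action):
    """Pull the chain="..." parameter out of a resolved action string."""
    m = re.search(r'chain="([^"]*)"', action)
    return m.group(1) if m else None


def nft_chains(listing, family="inet", table="filter"):
    """Return the set of chain names declared inside `table <family> <table>`.
    nftables chain names are case-sensitive, so nothing is normalised here."""
    chains = set()
    depth = 0          # brace nesting: 1 = inside the table, 2 = inside a chain
    in_table = False
    for line in listing.splitlines():
        s = line.strip()
        if depth == 0 and s == f"table {family} {table} {{":
            in_table = True
        elif depth == 1 and in_table and s.startswith("chain ") and s.endswith("{"):
            chains.add(s.split()[1])
        depth += s.count("{") - s.count("}")
        if depth == 0:
            in_table = False
    return chains


def diagnose(jail, listing, *ini_fragments):
    """Return (chain, exists): the chain fail2ban will hand to the action and
    whether the nft listing really has a chain of that exact name."""
    chain = chain_from_action(resolve_action(jail, *ini_fragments))
    return chain, chain in nft_chains(listing)


if __name__ == "__main__":
    for label, local in (("broken", JAIL_LOCAL_BROKEN), ("fixed", JAIL_LOCAL_FIXED)):
        chain, ok = diagnose("sshd", NFT_LIST_CHAINS, JAIL_CONF, local)
        print(f"{label}: chain={chain!r} exists_in_nft={ok}")
```

Run as-is it reports chain='INPUT' as missing for the broken layering and chain='input' as present for the fixed one, which is exactly the "Chain 'INPUT' does not exist" failure in the log above. On a live host the equivalent check is `nft list chains` next to `fail2ban-client -d | grep chain`, the dump the issue template asks for.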
@dthpulse

Author

commented Jun 29, 2017

right, thank you for explanation.
