Missing nftables dependency in unitfile #2313

Closed
schaten opened this issue Dec 29, 2018 · 0 comments

Environment:

  • Fail2Ban v0.9.6
  • Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
  • [x] Fail2Ban installed via OS/distribution mechanisms
  • [x] You have not applied any additional foreign patches to the codebase
  • [x] Some customizations were done to the configuration (provide details below if so)

Fail2ban is configured to use nftables via a configuration file nftables.conf in /etc/fail2ban/jail.d containing:

```ini
[DEFAULT]
chain = input
banaction = nftables-allports
banaction_allports = nftables-allports
```

The issue:

Upon reloading/restarting nftables (installed via apt) or simply after rebooting the system, fail2ban stops working. This can be seen in the logs:

```
2018-12-29 15:24:15,902 fail2ban.filter         [2363]: INFO    [sshd] Found 1.2.3.4
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- stderr: b''
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- returned 1
2018-12-29 15:24:15,903 fail2ban.CommandAction  [2363]: ERROR   Invariant check failed. Trying to restore a sane environment
```

Upon restarting, the nftables-ruleset is flushed, so the initial rules from fail2ban are missing. This seems to be the root cause of the problem.

Steps to reproduce

Reboot system or systemctl restart nftables.

Expected/Observed behavior

Fail2ban continues working, possibly after being restarted.

Relevant parts of /var/log/fail2ban.log file:

Full version of the above excerpt:

```
2018-12-29 15:24:15,902 fail2ban.filter         [2363]: INFO    [sshd] Found 1.2.3.4
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- stderr: b''
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- returned 1
2018-12-29 15:24:15,903 fail2ban.CommandAction  [2363]: ERROR   Invariant check failed. Trying to restore a sane environment
2018-12-29 15:24:16,010 fail2ban.action         [2363]: ERROR   HANDLE_ID=$(nft --handle --numeric list chain inet filter input | grep -m1 'ip saddr @f2b-sshd reject # handle' | grep -oe ' handle [0-9]*')
nft delete rule inet filter input $HANDLE_ID
nft delete set inet filter f2b-sshd -- stdout: b''
2018-12-29 15:24:16,011 fail2ban.action         [2363]: ERROR   HANDLE_ID=$(nft --handle --numeric list chain inet filter input | grep -m1 'ip saddr @f2b-sshd reject # handle' | grep -oe ' handle [0-9]*')
nft delete rule inet filter input $HANDLE_ID
nft delete set inet filter f2b-sshd -- stderr: b'<cmdline>:1:30-30: Error: syntax error, unexpected newline, expecting handle\ndelete rule inet filter input\n                             ^\n<cmdline>:1:1-32: Error: Could not process rule: No such file or directory\ndelete set inet filter f2b-sshd\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n'
2018-12-29 15:24:16,011 fail2ban.action         [2363]: ERROR   HANDLE_ID=$(nft --handle --numeric list chain inet filter input | grep -m1 'ip saddr @f2b-sshd reject # handle' | grep -oe ' handle [0-9]*')
nft delete rule inet filter input $HANDLE_ID
nft delete set inet filter f2b-sshd -- returned 1
2018-12-29 15:24:16,011 fail2ban.actions        [2363]: ERROR   Failed to execute ban jail 'sshd' action 'nftables-allports' info 'CallingMap({'matches': 'Dec 29 15:23:20 myhost sshd[28943]: Failed password for root from 1.2.3.4 port 30093 ssh2\nDec 29 15:23:23 myhost sshd[28943]: Failed password for root from 1.2.3.4 port 30093 ssh2\nDec 29 15:23:25 myhost sshd[28943]: Failed password for root from 1.2.3.4 port 30093 ssh2\nDec 29 15:24:10 myhost sshd[29018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4  user=root\nDec 29 15:24:12 myhost sshd[29018]: Failed password for root from 1.2.3.4 port 14067 ssh2', 'failures': 5, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f14bed1fd90>, 'ip': '1.2.3.4', 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f14be2059d8>, 'time': 1546093454.2596495, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f14be205378>, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f14bed1f7b8>})': Error stopping action
```

Workaround

Create a drop-in unitfile to (re)start fail2ban after nftables:

  • mkdir /etc/systemd/system/fail2ban.service.d
  • Content of /etc/systemd/system/fail2ban.service.d/nft.conf:

```ini
[Unit]
After=nftables.service
PartOf=nftables.service
```
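Added here as an illustration, not part of the report or of fail2ban's own code: a small scan over fail2ban.log that flags the "Invariant check failed" pattern shown above and attributes it to the jail whose f2b-<jail> set the preceding nft check could not find, which is the signature of the ruleset having been flushed underneath fail2ban. The log-line layout is assumed from the excerpt in the report, and the sample lines are constructed from it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One fail2ban log line: "<timestamp> <component> [<pid>]: <LEVEL> <message>".
# Continuation lines of multi-line nft error output do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<component>\S+)\s+\[(?P<pid>\d+)\]: (?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
# fail2ban names its nftables sets f2b-<jail>; the failing check quotes one of them.
SET_RE = re.compile(r"@f2b-(?P<jail>[\w-]+)")


@dataclass
class InvariantFailure:
    ts: str
    jail: Optional[str]  # jail whose f2b-<jail> set was missing from the chain


def find_invariant_failures(lines: List[str]) -> List[InvariantFailure]:
    """One entry per 'Invariant check failed' message, attributed to the jail named
    in the closest preceding fail2ban.action ERROR line (the failed nft | grep check)."""
    failures: List[InvariantFailure] = []
    last_jail: Optional[str] = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["component"] == "fail2ban.action" and m["level"] == "ERROR":
            s = SET_RE.search(m["msg"])
            if s:
                last_jail = s["jail"]
        elif m["component"] == "fail2ban.CommandAction" and "Invariant check failed" in m["msg"]:
            failures.append(InvariantFailure(m["ts"], last_jail))
            last_jail = None  # a later failure must not be attributed to this jail again
    return failures


# Constructed sample: the four lines from the report plus one healthy line afterwards.
SAMPLE_LOG = r"""
2018-12-29 15:24:15,902 fail2ban.filter         [2363]: INFO    [sshd] Found 1.2.3.4
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- stderr: b''
2018-12-29 15:24:15,903 fail2ban.action         [2363]: ERROR   nft list chain inet filter input | grep -q '@f2b-sshd[ \t]' -- returned 1
2018-12-29 15:24:15,903 fail2ban.CommandAction  [2363]: ERROR   Invariant check failed. Trying to restore a sane environment
2018-12-29 15:25:01,000 fail2ban.actions        [2363]: NOTICE  [sshd] Ban 1.2.3.4
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_invariant_failures(SAMPLE_LOG):
        print(f"{f.ts}: nftables state lost for jail {f.jail!r}; was nftables restarted?")
```

Run periodically against /var/log/fail2ban.log, a non-empty result is a cheap alert that the ordering fix above is missing or not taking effect.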