-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed to execute ban (can only concatenate str (not "NoneType") to str) -- family is None using F-ID tags #2895
Comments
May be that are subsequent faults... Which first error do you see in log after 23:07:44? But something is strange here anyway - your INPUT chain in iptables does contain f2b-geologger, but action check with
Please try this above and Also I would like to know which shell is default for root (or user fail2ban is working under) |
The first error is at After I submitted this bug, I stopped fail2ban, backed up fail2ban.sqlite3, and restarted fail2ban. So now But that did not help me. Fail2ban.log:
fail2ban debug:
iptables:There is no f2b-geologger in INPUT not "Chain f2b-geologger." |
Sure, fail2bans starts actions on demand (so by first ban only). So directly after start it may be indeed not there.
OK, I think I know what it could be: The info from ticket looks like $ python -c 'from fail2ban.server.actions import Actions; from fail2ban.server.ticket import BanTicket; a = Actions.ActionInfo(BanTicket("192.0.2.1/24")); print(a["family"]);'
inet4 I don't know why you use F-ID tags in your regex ( subnet_ = (?:(?:::f{4,6}:)?<F-IP4>(?:\d{1,3}\.){3}\d{1,3}/\d+</F-IP4>|<F-IP6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)/\d+</F-IP6>)
failregex = ^... <subnet_> ... PoC:
|
Just for the record, I verified this issue against latest 0.10/0.11 - it looks more safe (does not cause this error |
I used
I think it is better to upgrade to 0.11. Please advice the best way to upgrade from 0.10.2 to the latest version. |
I'm sorry, I did not know about such issue (and as already said it was also not reproducible on my side).
Huh... I would say it is impossible, tested with 0.10.2 now with my regex from above (F-IP4|F-IP6), and family is correct there, IP/CIDR gets banned with iptables-multiport and no error happens.
Well, basically you don't need install fail2ban for the test attempts or to try some new functionality, so firstly read How to test newer fail2ban version resp. use fail2ban standalone instance. As for the upgrade, the newest upstream releases contain a debian package now, which can be installed manually, or one can install it from source. |
I started fail2ban in debug mode. Here are the files. I did not find stack trace. |
BTW. The link https://github.com/fail2ban/fail2ban/issues/How-to-test-newer-fail2ban-version-resp.-use-fail2ban-standalone-instance to "How to test newer fail2ban version resp. use fail2ban standalone instance" returns "406 Not Acceptable." Most possible the issue is in the dot (-resp.-). |
I upgraded to 0.10.6 and my version with |
Well, console.log shows debug messages, but it does not contain the error (so no call stack then)... fail2ban.log contains the error, but it does not contain any debug message. You seems to start fail2ban-client in verbose mode (
No, my bad (used relative link)... Updated.
Glad it works, so we can exclude that it was some constellation affecting your system only, but just old version. |
Environment:
Fail2Ban v0.10.2, installed by apt.
Debian GNU/Linux 10
The issue:
CRITICAL Unable to restore environment
Steps to reproduce
Most possible my server was rebooted between 22:01:15 and 23:07:44, after 193.56.28.0/24 was banned and added into iptables. See logs below. After reboot, iptables did not contain that entry.
Expected behavior
After reboot or
systemctl restart fail2ban
, fail2ban must work./var/log/fail2ban.log file:
fail2ban debug:
iptables:
The text was updated successfully, but these errors were encountered: