Barracuda is not installing ipset so csf is not effectively working

[yaazkal]

Hi, as recent discussion on #1169 I've tried to upgrade to head using barracuda up-head system, and everything seems to be ok.

I detect a suspucious CPU usage on my server so I started to check and I can see many mails reporting a distributed ssh attack, this is normal on a daily basis except that csf was not blocking the IPs, I manually block them using csf -d IP_NUMER but it also doesn't take effect. I was curious so I restarted csf using csf -q and again nothing happens.

I then made a full upgrade of barracuda to head keeping octopus in stable using:

# cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
# barracuda up-head
# barracuda up-head system
# octopus up-stable all both
# bash /var/xdrago/manage_ltd_users.sh
# bash /var/xdrago/daily.sh

To found in logs something like:

BOA [09:59:27] ==> INFO: Upgrading csf/lfd firewall...
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
/opt/tmp/boa/lib/functions/firewall.sh.inc: line 66: cd: csf: No such file or directory

So maybe csf is not getting installed because is not extracted. But weird thing is that if I run csf -version I can get csf: v10.22 (generic).

Now the bad thing is that if I run iptables -L there is no policy applied !

The thing seems to be ipset:

# csf -r
lfd will restart csf within the next 5 seconds
*WARNING* Binary location for [IPSET] [/usr/sbin/ipset] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Because even if I install manually csf (according to the script and it also reports OK on the test) it sitll runs, it still "works", it still send me mails but in the real world it is not working, it is not blocking ips or doing its magic, it is just reporting things.

This seems to be a critical security issue.

[omega8cc]

Thanks for the heads up! It was a matter of missing symlink. Should be fixed on all systems running current BOA HEAD and CSF in a few minutes. Note that this affects standard/popular VPS systems, but not VServer based containers, which typically have firewall on the physical machine or network level only, so it's not managed by BOA.

[omega8cc]

There were two not really related issues here. The most important was about the missing symlink to ipset which prevented CSF from working, and the second, related to the incorrect download URI for the CSF update. Since BOA doesn't uninstall CSF, the previously installed version still worked, just update didn't work (but there is also self-update, which is used in the first fix). Both fixed now.