Fail2ban shorewall with nethserver rc4

@flatspin @hucky

Is the issue reproducible?

install first fail2ban, then reboot

Is the issue there?

install nethserver-fail2ban, then reboot and report

ok I will try it again, install another ns7, for the moment I use the same VM cloned several times.

Yes it is. When I install fail2ban the machine isn’t reachable by http nor by ssh. After removing it from the console the machine is reachable without a reboot. I tried to install fail2ban only and configured one ssh jail and had the same problem. So it seems the guilty guy is fail2ban itself.

whowwww, that doesn’t sound good, but I don’t understand this.
Specific to NS :-?

You have installed fail2ban alone (no nethserver-fail2ban), are you clear on this?

then I suppose you have removed it, so now please do

rpm -qa | grep -i fail2ban

Good morning stephane,

today my machine has the same problem without any fail2ban? Shorewall doesn’t start at boot. I have to start it manually. I will install a new machine from scratch from the rc4.1 iso and try fail2ban again.
Will report later.

1 Like

Hi Stephane.

I installed a new machine from scratch with rc4.1-iso and updated everything. After that I installed NSDC, fileserver, and firewall.
Good news: installation of nethserver-fail2ban then went fine. No problems so far.
I don’t know what went wrong with the upgrade from rc3 to rc4. But @hucky and I had exactly the same problems after upgrading to rc4. I will now build the same machine as before; if I encounter any problem I’ll report.

1 Like

After the upgrade from rc3 to rc4 and the installation of fail2ban, shorewall also does not start at boot.

rpm -qa |grep nethserver-

please return the output

$ rpm -qa | grep nethserver-
nethserver-duc-1.4.1-1.ns7.noarch
nethserver-stephdl-1.0.2-1.ns7.sdl.noarch
nethserver-base-3.0.17-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-openvpn-1.4.4-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-ntopng-1.4.1-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-ntp-1.1.1-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-samba-2.0.4-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-sssd-1.1.6-1.ns7.noarch
nethserver-release-7-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-nut-1.3.0-1.ns7.noarch
nethserver-firewall-base-3.1.6-1.ns7.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-mysql-1.1.1-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-collectd-3.0.4-1.ns7.noarch
nethserver-mail-server-1.10.7-1.ns7.noarch
nethserver-backup-config-1.5.2-1.ns7.noarch
nethserver-transmission-1.1.1-1.ns7.sdl.noarch
nethserver-fail2ban-0.1.3-1.ns7.sdl.noarch
nethserver-lang-en-1.1.7-1.ns7.noarch
nethserver-cups-1.2.0-1.ns7.noarch
nethserver-nextcloud-1.0.4-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-bandwidthd-1.0.1-1.ns7.noarch
nethserver-firewall-base-ui-3.1.6-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-lsm-1.2.2-1.ns7.noarch
nethserver-dnsmasq-1.6.3-1.ns7.noarch
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-squidguard-1.6.2-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-mail-filter-1.4.3-1.ns7.noarch
nethserver-ibays-3.0.3-1.ns7.noarch
nethserver-BackupPC-1.1.0-1.ns7.sdl.noarch
nethserver-httpd-admin-2.0.7-1.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-dokuwiki-0.1.0-1.ns7.sdl.noarch
nethserver-directory-3.1.3-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-squid-1.5.2-1.ns7.noarch
nethserver-letsencrypt-1.1.3-1.ns7.noarch

1 Like

I’m trying to reproduce following the rpm you gave

Maybe I found something interesting @dev_team

this is what I found on a NS7.2

[root@NS7DEV4 ~]# systemctl status iptables.service firewalld.service
● iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

[root@NS7DEV4 ~]# cat /etc/nethserver-release
NethServer release 7.2.1511 (rc2)

then I installed a new fresh ns7.3 and installed a lot of new rpms

yum install nethserver-duc nethserver-base nethserver-yum nethserver-phonehome nethserver-openvpn nethserver-lightsquid nethserver-ntopng nethserver-unbound nethserver-ntp nethserver-mail-common nethserver-samba nethserver-crontabmanager nethserver-sssd nethserver-release nethserver-vsftpd nethserver-avahi nethserver-nut nethserver-firewall-base nethserver-lib nethserver-hosts nethserver-mysql nethserver-openssh nethserver-smartd nethserver-collectd nethserver-mail-server nethserver-backup-config nethserver-transmission nethserver-fail2ban nethserver-lang-en nethserver-cups nethserver-nextcloud nethserver-nethforge-release nethserver-bandwidthd nethserver-firewall-base-ui nethserver-antivirus nethserver-lsm nethserver-dnsmasq nethserver-httpd nethserver-squidguard nethserver-mail-smarthost nethserver-mail-filter nethserver-ibays nethserver-BackupPC nethserver-httpd-admin nethserver-cgp nethserver-dokuwiki nethserver-directory nethserver-php nethserver-squid nethserver-letsencrypt

then I updated to a fully updated ns7.3
[root@plop ~]# cat /etc/nethserver-release
NethServer release 7.3.1611 (Final)

after that I found something different

[root@plop ~]# systemctl status iptables.service firewalld.service
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

my concern is that

[root@plop ~]# cat /lib/systemd/system/shorewall.service
#
#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
#
#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
#
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/sysconfig/shorewall
StandardOutput=syslog
ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/usr/sbin/shorewall $OPTIONS stop
ExecReload=/usr/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

[Install]
WantedBy=basic.target

I suppose that shorewall fails because firewalld.service is loaded
but I don’t yet know why :slight_smile:

1 Like

BINGO

do

systemctl disable firewalld

Then

reboot

the shorewall service should be started after

systemctl status shorewall

@tavrist can you confirm

3 Likes
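A check for the situation diagnosed above, added here as an example that is not from the thread or from NethServer: it reads the Conflicts= line of the shorewall unit and reports which of those units are enabled, so that an enabled firewalld.service is caught before the next reboot. The unit text and the enabled-units listing are constructed samples modelled on the output posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: systemd will not keep two units that
# conflict with each other active, so if firewalld.service is enabled it
# competes with shorewall.service at boot. This script lists the units on
# a unit file's Conflicts= line that are themselves enabled.

# Constructed copy of the relevant part of the shorewall unit shown above.
SHOREWALL_UNIT='[Unit]
Description=Shorewall IPv4 firewall
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot'

# Constructed sample of `systemctl list-unit-files --state=enabled --no-legend`
# as it would look after fail2ban (and fail2ban-firewalld) were enabled.
ENABLED_SAMPLE='fail2ban.service   enabled
firewalld.service  enabled
shorewall.service  enabled'

# Print the units listed on the Conflicts= line(s) of the unit text in $1, one per line.
conflicts_of() {
    printf '%s\n' "$1" | sed -n 's/^Conflicts=//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print those conflicting units of unit text $1 that appear as "enabled" in listing $2.
enabled_conflicts() {
    for u in $(conflicts_of "$1"); do
        printf '%s\n' "$2" | awk -v u="$u" '$1 == u && $2 == "enabled" { print u }'
    done
}

# On a real host, feed the live unit file and listing instead of the samples:
#   enabled_conflicts "$(cat /lib/systemd/system/shorewall.service)" \
#       "$(systemctl list-unit-files --state=enabled --no-legend)"
found=$(enabled_conflicts "$SHOREWALL_UNIT" "$ENABLED_SAMPLE")
if [ -n "$found" ]; then
    echo "enabled units conflicting with shorewall: $(printf '%s' "$found" | tr '\n' ' ')"
fi
```

A non-empty result means `systemctl disable` the listed unit (as done above for firewalld) before rebooting.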

I haven’t tested this (I do not run fail2ban), but, AFAIK, firewalld should be disabled during install:

1 Like

Ok I found the bug

After a fresh Install of NS7.3

[root@tutu ~]# systemctl status iptables.service firewalld.service shorewall.service
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2017-01-30 22:02:07 CET; 16s ago
  Process: 973 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 973 (code=exited, status=0/SUCCESS)

Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Setting up Route Filtering...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Setting up Martian Logging...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Setting up Proxy ARP...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Preparing iptables-restore input...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Running /sbin/iptables-restore ...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: IPv4 Forwarding Enabled
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Processing /etc/shorewall/start ...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: Processing /etc/shorewall/started ...
Jan 30 22:02:07 tutu.tutu.com shorewall[973]: done.
Jan 30 22:02:07 tutu.tutu.com systemd[1]: Started Shorewall IPv4 firewall.

So firewalld is enabled from the start but inactive. I can reboot the server and shorewall will start as expected. The problem comes when I install fail2ban

Installed:
  fail2ban.noarch 0:0.9.5-3.el7                                                                                                                                                                                    

Dependency Installed:
  fail2ban-firewalld.noarch 0:0.9.5-3.el7              fail2ban-sendmail.noarch 0:0.9.5-3.el7              fail2ban-server.noarch 0:0.9.5-3.el7              systemd-python.x86_64 0:219-30.el7_3.6             

[root@tutu ~]# systemctl enable fail2ban.service
Created symlink from /etc/systemd/system/multi-user.target.wants/fail2ban.service to /usr/lib/systemd/system/fail2ban.service.

after the reboot, shorewall fails to start, probably because fail2ban tries to start firewalld (almost certainly by fail2ban-firewalld)
of course I have not installed nethserver-fail2ban :slight_smile:

If I reboot

[root@tutu ~]# systemctl status iptables.service firewalld.service shorewall.service fail2ban.service
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/shorewall.service.d
           └─nethserver-firewall-base.conf
   Active: inactive (dead)

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-01-30 22:25:19 CET; 1h 1min ago
     Docs: man:fail2ban(1)
  Process: 669 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 839 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─839 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Jan 30 22:25:19 tutu.tutu.com systemd[1]: Starting Fail2Ban Service...
Jan 30 22:25:19 tutu.tutu.com fail2ban-client[669]: 2017-01-30 22:25:19,882 fail2ban.server         [753]: INFO    Starting Fail2ban v0.9.5
Jan 30 22:25:19 tutu.tutu.com fail2ban-client[669]: 2017-01-30 22:25:19,882 fail2ban.server         [753]: INFO    Starting in daemon mode
Jan 30 22:25:19 tutu.tutu.com systemd[1]: Started Fail2Ban Service.

@dev_team either I provide a ‘firewalld status disabled’ or in the ISO installer the service firewalld is disabled
what is the best solution?

It’s disabled since rc4. Perhaps fail2ban-firewalld enables it? Can you avoid installing that dependency?

no it is called by fail2ban

I used the rc3 iso since friends talked about problems with the update to rc4, but indeed after the yum update I can see a problem with the shorewall and firewalld upgrade
so there is something more, I guess

I can confirm it’s disabled in 7-final:

[root@ns7 ~]# systemctl status iptables.service firewalld.service shorewall.service
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/shorewall.service.d
           └─nethserver-firewall-base.conf
   Active: active (exited) since Mon 2017-01-30 22:37:39 CET; 1h 9min ago
 Main PID: 1698 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/shorewall.service

How to deal with people who installed ns7 in the beta/RC stage?

That’s the question :slight_smile:

On a system installed from a beta release I have:

[root@neth7 ~]# systemctl status firewalld.service
Unit firewalld.service could not be found.

after this upgrade

Installed:
  kernel.x86_64 0:3.10.0-514.6.1.el7                                                                    python2-simplejson.x86_64 0:3.10.0-1.el7                                                                   

Dependency Installed:
  tdb-tools.x86_64 0:1.3.8-1.el7_2                                                                                                                                                                                 

Updated:
  NetworkManager.x86_64 1:1.4.0-14.el7_3            NetworkManager-libnm.x86_64 1:1.4.0-14.el7_3           NetworkManager-team.x86_64 1:1.4.0-14.el7_3            NetworkManager-tui.x86_64 1:1.4.0-14.el7_3       
  NetworkManager-wifi.x86_64 1:1.4.0-14.el7_3       bash.x86_64 0:4.2.46-21.el7_3                          bind-libs.x86_64 32:9.9.4-38.el7_3.1                   bind-libs-lite.x86_64 32:9.9.4-38.el7_3.1        
  bind-license.noarch 32:9.9.4-38.el7_3.1           bind-utils.x86_64 32:9.9.4-38.el7_3.1                  chrony.x86_64 0:2.1.1-4.el7.centos                     device-mapper.x86_64 7:1.02.135-1.el7_3.2        
  device-mapper-event.x86_64 7:1.02.135-1.el7_3.2   device-mapper-event-libs.x86_64 7:1.02.135-1.el7_3.2   device-mapper-libs.x86_64 7:1.02.135-1.el7_3.2         duc.x86_64 0:1.4.2-1.ns7                         
  epel-release.noarch 0:7-9                         expat.x86_64 0:2.1.0-10.el7_3                          firewalld.noarch 0:0.4.3.2-8.1.el7_3                   firewalld-filesystem.noarch 0:0.4.3.2-8.1.el7_3  
  glibc.x86_64 0:2.17-157.el7_3.1                   glibc-common.x86_64 0:2.17-157.el7_3.1                 kernel-tools.x86_64 0:3.10.0-514.6.1.el7               kernel-tools-libs.x86_64 0:3.10.0-514.6.1.el7    
  kpartx.x86_64 0:0.4.9-99.el7_3.1                  krb5-libs.x86_64 0:1.14.1-27.el7_3                     krb5-workstation.x86_64 0:1.14.1-27.el7_3              libgcrypt.x86_64 0:1.5.3-13.el7_3.1              
  libipa_hbac.x86_64 0:1.14.0-43.el7_3.11           libkadm5.x86_64 0:1.14.1-27.el7_3                      libnl3.x86_64 0:3.2.28-3.el7_3                         libnl3-cli.x86_64 0:3.2.28-3.el7_3               
  libpciaccess.x86_64 0:0.13.4-3.el7_3              libsemanage.x86_64 0:2.5-5.1.el7_3                     libsmbclient.x86_64 0:4.4.4-12.el7_3                   libsss_autofs.x86_64 0:1.14.0-43.el7_3.11        
  libsss_idmap.x86_64 0:1.14.0-43.el7_3.11          libsss_nss_idmap.x86_64 0:1.14.0-43.el7_3.11           libsss_sudo.x86_64 0:1.14.0-43.el7_3.11                libwbclient.x86_64 0:4.4.4-12.el7_3              
  lvm2.x86_64 7:2.02.166-1.el7_3.2                  lvm2-libs.x86_64 7:2.02.166-1.el7_3.2                  microcode_ctl.x86_64 2:2.1-16.1.el7_3                  nethserver-base.noarch 0:3.0.17-1.ns7            
  nethserver-dnsmasq.noarch 0:1.6.3-1.ns7           nethserver-duc.noarch 0:1.4.1-1.ns7                    nethserver-firewall-base.noarch 0:3.1.6-1.ns7          nethserver-httpd-admin.noarch 0:2.0.7-1.ns7      
  nethserver-lang-en.noarch 0:1.1.7-1.ns7           nethserver-lsm.noarch 0:1.2.2-1.ns7                    nethserver-ntp.noarch 0:1.1.1-1.ns7                    nethserver-release.noarch 0:7-1.ns7              
  nethserver-sssd.noarch 0:1.1.6-1.ns7              nss.x86_64 0:3.21.3-2.el7_3                            nss-sysinit.x86_64 0:3.21.3-2.el7_3                    nss-tools.x86_64 0:3.21.3-2.el7_3                
  nss-util.x86_64 0:3.21.3-1.1.el7_3                openssh.x86_64 0:6.6.1p1-33.el7_3                      openssh-clients.x86_64 0:6.6.1p1-33.el7_3              openssh-server.x86_64 0:6.6.1p1-33.el7_3         
  policycoreutils.x86_64 0:2.5-11.el7_3             python-firewall.noarch 0:0.4.3.2-8.1.el7_3             python-perf.x86_64 0:3.10.0-514.6.1.el7                python-sssdconfig.noarch 0:1.14.0-43.el7_3.11    
  samba-client-libs.x86_64 0:4.4.4-12.el7_3         samba-common.noarch 0:4.4.4-12.el7_3                   samba-common-libs.x86_64 0:4.4.4-12.el7_3              samba-common-tools.x86_64 0:4.4.4-12.el7_3       
  samba-libs.x86_64 0:4.4.4-12.el7_3                selinux-policy.noarch 0:3.13.1-102.el7_3.13            selinux-policy-targeted.noarch 0:3.13.1-102.el7_3.13   shorewall.noarch 0:5.0.14.1-2.el7                
  shorewall-core.noarch 0:5.0.14.1-2.el7            sssd.x86_64 0:1.14.0-43.el7_3.11                       sssd-ad.x86_64 0:1.14.0-43.el7_3.11                    sssd-client.x86_64 0:1.14.0-43.el7_3.11          
  sssd-common.x86_64 0:1.14.0-43.el7_3.11           sssd-common-pac.x86_64 0:1.14.0-43.el7_3.11            sssd-ipa.x86_64 0:1.14.0-43.el7_3.11                   sssd-krb5.x86_64 0:1.14.0-43.el7_3.11            
  sssd-krb5-common.x86_64 0:1.14.0-43.el7_3.11      sssd-ldap.x86_64 0:1.14.0-43.el7_3.11                  sssd-proxy.x86_64 0:1.14.0-43.el7_3.11                 sudo.x86_64 0:1.8.6p7-21.el7_3                   
  tuned.noarch 0:2.7.1-3.el7_3.1                    tzdata.noarch 0:2016j-1.el7                            vim-minimal.x86_64 2:7.4.160-1.el7_3.1                 xfsprogs.x86_64 0:4.5.0-9.el7_3                  

Replaced:
  python-simplejson.x86_64 0:3.5.3-1.el7 

shorewall doesn’t start

[root@tutu ~]# systemctl status iptables.service firewalld.service shorewall.service fail2ban.service
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/shorewall.service.d
           └─nethserver-firewall-base.conf
   Active: inactive (dead)

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-01-30 22:51:37 CET; 16s ago
     Docs: man:fail2ban(1)
  Process: 667 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 808 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─808 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Jan 30 22:51:36 tutu.tutu.com systemd[1]: Starting Fail2Ban Service...
Jan 30 22:51:37 tutu.tutu.com fail2ban-client[667]: 2017-01-30 22:51:37,625 fail2ban.server         [722]: INFO    Starting Fail2ban v0.9.5
Jan 30 22:51:37 tutu.tutu.com fail2ban-client[667]: 2017-01-30 22:51:37,625 fail2ban.server         [722]: INFO    Starting in daemon mode
Jan 30 22:51:37 tutu.tutu.com systemd[1]: Started Fail2Ban Service.

on a 7.2 me too, this is why I could not reproduce the issue

[root@NS7DEV4 ~]# systemctl status iptables.service firewalld.service
● iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
[root@NS7DEV4 ~]# cat /etc/nethserver-release 

Therefore I used a rc3 iso