Fail2ban shorewall with nethserver rc4

Support
, , ,
1

NethServer Version: NethServer release 7.3.1611 (rc4)
Module: fail2ban, shorewall

Hey Guys, i update today the Nethserver to RC4 and get after a reboot errors and shorewall did not start correct. anyone else has also fail2ban installed and check i am right?

2

Have you seen any error inside the logs? Maybe we can find the problem!

3

unfortunately i did not find something in the logs. it seems that something happens at the start, like they hinder them self at the start. if i stop fail2ban with commandline and start the shorewall and then fail2ban it works.

4

Updated to RC4 without fail2ban.

After update “clear yum chache button” appeared. After reboot everything seems to be o.k.
Tommorow I will go back to snapshot before, install fail2ban and update then. Will report about behavior.

1 Like
5

try

‘journalctl --boot’ to see all logs from the boot start

‘journalctl -u shorewall.service’ to see all logs on shorewall

Fail2ban might be a bug, but nethserver-fail2ban doesn’t manage shorewall…so :-?

6

i got this:
Checking using Shorewall 5.0.14.1…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking /etc/shorewall/masq…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/rules…
Checking /etc/shorewall/action.NFQBY for chain NFQBY…
Checking /etc/shorewall/conntrack…
Checking MAC Filtration – Phase 2…
Applying Policies…
Checking /usr/share/shorewall/action.Reject for chain Reject…
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast…
Checking /usr/share/shorewall/action.Drop for chain Drop…
Checking /etc/shorewall/mangle…
Checking /etc/shorewall/stoppedrules…
Shorewall configuration verified

shorewall did not start after an reboot

when i start shorewall manually and then start fail2ban, and save a rule everything works well. the problem is only after a reboot.

1 Like
7

Hi hucky,

I did the test and have the same problem. After reboot shorewall is dead.

Pasted image751×135 2.58 KB

The machine is extemly slow, but cpuload is o.k. Not reachable via http and ssh. Just on console.
After systemctl daemon-reload and systemctl start shorewall.service Shorewall is running.
Access via http and ssh is given now. But services shows that fail2ban and nmb are stopped red.
Machine hangs during reboot. Power off and start again. Start up is slow.
After reboot had to start httd and shorewall manually. Now yellow messages appeard “Check firewall rules. Firewall not running.” Again nmb and fail2ban are stopped. Manually started nmb and fail2ban. Both are running machine speed is o.k. again.

From boot.log:

[e[1;31mFAILEDe[0m] Failed to start Samba NMB Daemon.
See 'systemctl status nmb.service' for details.
         Starting Samba SMB Daemon...
[e[32m  OK  e[0m] Started Samba SMB Daemon.

and

 Starting Fail2Ban Service...
[   e[31m*e[1;31m*e[0me[31m*e[0m] (2 of 10) A start job is running fo...port Agent (1min 24s / 2min 23s)
e[K[e[32m  OK  e[0m] Started SOGo is a groupware server.
[    e[31m*e[1;31m*e[0m] (3 of 9) A start job is running for...networking (1min 29s / 6min 19s)
e[K[     e[31m*e[0m] (3 of 9) A start job is running for...networking (1min 29s / 6min 19s)
e[K[    e[31m*e[1;31m*e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 30s / 1min 56s)
e[K[   e[31m*e[1;31m*e[0me[31m*e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 30s / 1min 56s)
e[K[  e[31m*e[1;31m*e[0me[31m* e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 31s / 1min 56s)
e[K[ e[31m*e[1;31m*e[0me[31m*  e[0m] (5 of 9) A start job is running for...rough DKMS (1min 31s / no limit)
e[K[e[31m*e[1;31m*e[0me[31m*   e[0m] (5 of 9) A start job is running for...rough DKMS (1min 32s / no limit)
e[K[e[1;31m*e[0me[31m*    e[0m] (5 of 9) A start job is running for...rough DKMS (1min 32s / no limit)
e[K[e[32m  OK  e[0m] Started Dynamic System Tuning Daemon.
[e[0me[31m*     e[0m] (7 of 8) A start job is running for...ase server (1min 38s / 5min 53s)
e[K[e[1;31m*e[0me[31m*    e[0m] (7 of 8) A start job is running for...ase server (1min 38s / 5min 53s)
e[K[e[31m*e[1;31m*e[0me[31m*   e[0m] (7 of 8) A start job is running for...ase server (1min 39s / 5min 53s)
e[K[ e[31m*e[1;31m*e[0me[31m*  e[0m] (8 of 8) A start job is running for...ner Engine (1min 39s / no limit)
e[K[  e[31m*e[1;31m*e[0me[31m* e[0m] (8 of 8) A start job is running for...ner Engine (1min 40s / no limit)
e[K[   e[31m*e[1;31m*e[0me[31m*e[0m] (8 of 8) A start job is running for...ner Engine (1min 40s / no limit)
e[K[    e[31m*e[1;31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 40s / 1min 54s)
e[K[     e[31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 41s / 1min 54s)
e[K[    e[31m*e[1;31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 41s / 1min 54s)
e[K[   e[31m*e[1;31m*e[0me[31m*e[0m] (2 of 8) A start job is running for...port Agent (1min 42s / 2min 23s)
e[K[  e[31m*e[1;31m*e[0me[31m* e[0m] (2 of 8) A start job is running for...port Agent (1min 42s / 2min 23s)
e[K[ e[31m*e[1;31m*e[0me[31m*  e[0m] (2 of 8) A start job is running for...port Agent (1min 43s / 2min 23s)
e[K[e[32m  OK  e[0m] Started Postfix Mail Transport Agent.
[e[32m  OK  e[0m] Started Builds and install new kernel modules through DKMS.
[e[32m  OK  e[0m] Started Fail2Ban Service.

Hope this helps.

2 Likes
8

Yes, that exactly happens at my side, so i guess it is a bug :slight_smile:

9

Removed netsherver-fail2ban and fail2ban via CLI. Now everything is o.k. again. Restart is quick and machine response is o.k. So fail2ban is the problem I think.

2 Likes
10

Might i have the list of all nethserver-* rpm installed

rpm -qa |grep nethserver-

1 Like
11

For el7 epel provides a rpm fail2ban-shorewall, maybe the problem comes here.

Can you reproduce the issue if you install only fail2ban from epel

Yum install fail2ban

Then please provide the list of fail2ban rpm installed

rpm -qa |grep fail2ban

2 Likes
12

I cannot reproduce it :’(

Can you answer to my previous questions

13

the output is:
fail2ban-0.9.5-3.el7.noarch
fail2ban-server-0.9.5-3.el7.noarch
fail2ban-sendmail-0.9.5-3.el7.noarch
nethserver-fail2ban-0.1.3-1.ns7.sdl.noarch
fail2ban-firewalld-0.9.5-3.el7.noarch
fail2ban-shorewall-0.9.5-3.el7.noarch

14

maybe i am wrong and fail2ban is also not starting, but in any case shorewall don’t start automatically, what is a big turn off in general cause it is not possible to reach the system in that moment to start it manually.

15

what are all nethserver-* rpm installed

what are your migration path (install from rc3 then update to rc4 for example)

@flatspin @hucky do you have information ?

16

Output of rpm -qa |grep nethserver- is

nethserver-restore-data-1.2.1-1.ns7.noarch
nethserver-lsm-1.2.1-1.ns7.noarch
nethserver-dc-1.1.1-1.ns7.x86_64
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-pulledpork-2.0.0-1.ns7.noarch
nethserver-p3scan-1.1.2-1.ns7.noarch
nethserver-ndpi-1.1.0-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-duc-1.4.1-1.ns7.noarch
nethserver-ntp-1.1.1-1.ns7.noarch
nethserver-release-7-0.7.ns7.noarch
nethserver-backup-config-1.5.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-base-3.0.15-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-getmail-1.0.0-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-fail2ban-0.1.3-1.ns7.sdl.noarch
nethserver-squidguard-1.6.1-1.ns7.noarch
nethserver-lang-de-1.1.6-1.ns7.noarch
nethserver-firewall-base-3.1.6-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-dnsmasq-1.6.2-1.ns7.noarch
nethserver-collectd-3.0.4-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-mail-filter-1.4.3-1.ns7.noarch
nethserver-backup-data-1.2.3-1.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-lang-en-1.1.6-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.1.6-1.ns7.noarch
nethserver-letsencrypt-1.1.3-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-httpd-proxypass-3.1.1-1.ns7.noarch
nethserver-squidclamav-2.0.0-1.ns7.noarch
nethserver-sssd-1.1.4-1.ns7.noarch
nethserver-mail-server-1.10.6-1.ns7.noarch
nethserver-ddclient-1.0.1-4.ns7.sdl.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-suricata-1.0.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-sogo-1.6.1-1.15.ga5eb638.ns7.noarch
nethserver-httpd-admin-2.0.6-1.ns7.noarch
nethserver-squid-1.5.2-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-mysql-1.1.0-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch

Migration Path is from RC3 Update to RC4

17

Hi stephane, will give it on monday.

18

thank @flatspin and @hucky, I will try to reproduce.

does the issue come back if you reinstall nethserver-fail2ban ?

19

well I cannot reproduce !

on a ns7B2

yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.2-1.ns7.sdl.noarch.rpm

then

yum install nethserver-restore-data nethserver-lsm nethserver-dc nethserver-httpd nethserver-pulledpork nethserver-p3scan nethserver-ndpi nethserver-crontabmanager nethserver-duc nethserver-ntp nethserver-release nethserver-backup-config nethserver-yum nethserver-base nethserver-openssh nethserver-getmail nethserver-net-snmp nethserver-fail2ban nethserver-squidguard nethserver-lang-de nethserver-firewall-base nethserver-mail-smarthost nethserver-lightsquid nethserver-dnsmasq nethserver-collectd nethserver-nethforge-release nethserver-spamd nethserver-mail-filter nethserver-backup-data nethserver-cgp nethserver-lang-en nethserver-unbound nethserver-hosts nethserver-firewall-base-ui nethserver-letsencrypt nethserver-phonehome nethserver-httpd-proxypass nethserver-squidclamav nethserver-sssd nethserver-mail-server nethserver-ddclient nethserver-lib nethserver-memcached nethserver-mail-common nethserver-suricata nethserver-stephdl nethserver-sogo nethserver-httpd-admin nethserver-squid nethserver-antivirus nethserver-php nethserver-mysql nethserver-smartd

once done

yum update -y

and after all of this

reboot

It could be interesting to see if you can reproduce the issue by reinstalling nethserver-fail2ban (I suspect fail2ban-shorewall)

if yes, then remove nethserver-fail2ban, do ‘yum autoremove’ and install ‘fail2ban’ alone…if no issue with fail2ban , then we found the guilty. I never liked the shorewall implementation of fail2ban, maybe a good reason to remove it :stuck_out_tongue:

If your server doesn’t host critical/personal data, I can do it by a ssh access.

20

Update form rc3 to rc4 via softwarecenter / GUI.

nethserver-diagtools-0.0.5-1.ns7.sdl.noarch
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-dc-1.1.1-1.ns7.x86_64
nethserver-httpd-admin-2.0.6-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-firewall-base-3.1.5-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-mysql-1.1.0-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-collectd-3.0.4-1.ns7.noarch
nethserver-nextcloud-1.0.4-1.ns7.noarch
nethserver-virtualhosts-1.0.2-1.ns7.noarch
nethserver-pulledpork-2.0.0-1.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-backup-config-1.5.2-1.ns7.noarch
nethserver-sssd-1.1.4-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-openvpn-1.4.4-1.ns7.noarch
nethserver-dnsmasq-1.6.2-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-docker-0.0.0-1.ns7.noarch
nethserver-httpd-proxypass-3.1.1-1.ns7.noarch
nethserver-lang-en-1.1.6-1.ns7.noarch
nethserver-suricata-1.0.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-clamscan-0.1.0-1.ns7.sdl.noarch
nethserver-letsencrypt-1.1.3-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-sogo-1.6.1-1.15.ga5eb638.ns7.noarch
nethserver-duc-1.4.1-1.ns7.noarch
nethserver-phpmyadmin-1.2.0-1.ns7.sdl.noarch
nethserver-base-3.0.14-1.ns7.noarch
nethserver-ibays-3.0.3-1.ns7.noarch
nethserver-release-7-0.7.ns7.noarch
nethserver-squid-1.5.2-1.ns7.noarch
nethserver-mail-server-1.10.6-1.ns7.noarch
nethserver-samba-2.0.4-1.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-lsm-1.2.1-1.ns7.noarch
nethserver-squidguard-1.6.1-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-firewall-base-ui-3.1.5-1.ns7.noarch
nethserver-ntp-1.1.1-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch