Have you seen any error inside the logs? Maybe we can find the problem!
Unfortunately I did not find anything in the logs. It seems that something happens at the start, like they hinder themselves at the start. If I stop fail2ban from the command line and start shorewall and then fail2ban, it works.
Updated to RC4 without fail2ban.
After update “clear yum cache button” appeared. After reboot everything seems to be o.k.
Tomorrow I will go back to the snapshot from before, install fail2ban and update then. Will report about behavior.
try
‘journalctl --boot’ to see all logs from the boot start
‘journalctl -u shorewall.service’ to see all logs on shorewall
Fail2ban might be a bug, but nethserver-fail2ban doesn’t manage shorewall…so :-?
I got this:
Checking using Shorewall 5.0.14.1…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Checking /etc/shorewall/zones…
Checking /etc/shorewall/interfaces…
Determining Hosts in Zones…
Locating Action Files…
Checking /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering…
Checking Kernel Route Filtering…
Checking Martian Logging…
Checking /etc/shorewall/masq…
Checking MAC Filtration – Phase 1…
Checking /etc/shorewall/rules…
Checking /etc/shorewall/action.NFQBY for chain NFQBY…
Checking /etc/shorewall/conntrack…
Checking MAC Filtration – Phase 2…
Applying Policies…
Checking /usr/share/shorewall/action.Reject for chain Reject…
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast…
Checking /usr/share/shorewall/action.Drop for chain Drop…
Checking /etc/shorewall/mangle…
Checking /etc/shorewall/stoppedrules…
Shorewall configuration verified
Shorewall did not start after a reboot.
When I start shorewall manually and then start fail2ban, and save a rule, everything works well. The problem is only after a reboot.
Hi hucky,
I did the test and have the same problem. After reboot shorewall is dead.
The machine is extremely slow, but CPU load is o.k. Not reachable via http and ssh. Just on console.
After systemctl daemon-reload
and systemctl start shorewall.service
Shorewall is running.
Access via http and ssh is given now. But services shows that fail2ban and nmb are stopped red.
Machine hangs during reboot. Power off and start again. Start up is slow.
After reboot had to start httpd and shorewall manually. Now yellow messages appeared: “Check firewall rules. Firewall not running.” Again nmb and fail2ban are stopped. Manually started nmb and fail2ban. Both are running; machine speed is o.k. again.
From boot.log:
[e[1;31mFAILEDe[0m] Failed to start Samba NMB Daemon.
See 'systemctl status nmb.service' for details.
Starting Samba SMB Daemon...
[e[32m OK e[0m] Started Samba SMB Daemon.
and
Starting Fail2Ban Service...
[ e[31m*e[1;31m*e[0me[31m*e[0m] (2 of 10) A start job is running fo...port Agent (1min 24s / 2min 23s)
e[K[e[32m OK e[0m] Started SOGo is a groupware server.
[ e[31m*e[1;31m*e[0m] (3 of 9) A start job is running for...networking (1min 29s / 6min 19s)
e[K[ e[31m*e[0m] (3 of 9) A start job is running for...networking (1min 29s / 6min 19s)
e[K[ e[31m*e[1;31m*e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 30s / 1min 56s)
e[K[ e[31m*e[1;31m*e[0me[31m*e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 30s / 1min 56s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 31s / 1min 56s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (5 of 9) A start job is running for...rough DKMS (1min 31s / no limit)
e[K[e[31m*e[1;31m*e[0me[31m* e[0m] (5 of 9) A start job is running for...rough DKMS (1min 32s / no limit)
e[K[e[1;31m*e[0me[31m* e[0m] (5 of 9) A start job is running for...rough DKMS (1min 32s / no limit)
e[K[e[32m OK e[0m] Started Dynamic System Tuning Daemon.
[e[0me[31m* e[0m] (7 of 8) A start job is running for...ase server (1min 38s / 5min 53s)
e[K[e[1;31m*e[0me[31m* e[0m] (7 of 8) A start job is running for...ase server (1min 38s / 5min 53s)
e[K[e[31m*e[1;31m*e[0me[31m* e[0m] (7 of 8) A start job is running for...ase server (1min 39s / 5min 53s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (8 of 8) A start job is running for...ner Engine (1min 39s / no limit)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (8 of 8) A start job is running for...ner Engine (1min 40s / no limit)
e[K[ e[31m*e[1;31m*e[0me[31m*e[0m] (8 of 8) A start job is running for...ner Engine (1min 40s / no limit)
e[K[ e[31m*e[1;31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 40s / 1min 54s)
e[K[ e[31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 41s / 1min 54s)
e[K[ e[31m*e[1;31m*e[0m] (1 of 8) A start job is running for...TTP Server (1min 41s / 1min 54s)
e[K[ e[31m*e[1;31m*e[0me[31m*e[0m] (2 of 8) A start job is running for...port Agent (1min 42s / 2min 23s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (2 of 8) A start job is running for...port Agent (1min 42s / 2min 23s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (2 of 8) A start job is running for...port Agent (1min 43s / 2min 23s)
e[K[e[32m OK e[0m] Started Postfix Mail Transport Agent.
[e[32m OK e[0m] Started Builds and install new kernel modules through DKMS.
[e[32m OK e[0m] Started Fail2Ban Service.
Hope this helps.
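A small parser for console output like the boot.log excerpt above, added here as an illustration (not code from any poster or from NethServer): it strips the colour escapes, lists units that failed and collapses the repeated spinner lines into the longest wait seen per start job. The function names and `SAMPLE` are assumptions; `SAMPLE` reuses a few lines in the form quoted above.

```python
import re

# Matches real ANSI sequences (ESC[...) and the "e[..." form left behind when
# the ESC byte is lost in a copy/paste, as in the excerpt above.
ANSI = re.compile(r"(?:\x1b|e)\[[0-9;]*[mK]")
FAILED = re.compile(r"\[\s*FAILED\s*\]\s*Failed to start (.+?)\.?\s*$")
JOB = re.compile(r"A start job is running\s+(.+?)\s+\(([^/]+?) / ([^)]+)\)")
DURATION = re.compile(r"(?:(\d+)h)?\s*(?:(\d+)min)?\s*(?:(\d+)s)?")

# Sample input: a few lines in the form quoted in the post above.
SAMPLE = """[e[1;31mFAILEDe[0m] Failed to start Samba NMB Daemon.
[ e[31m*e[1;31m*e[0me[31m*e[0m] (2 of 10) A start job is running fo...port Agent (1min 24s / 2min 23s)
e[K[ e[31m*e[1;31m*e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 30s / 1min 56s)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (4 of 9) A start job is running for...NMB Daemon (1min 31s / 1min 56s)
e[K[e[31m*e[1;31m*e[0me[31m* e[0m] (5 of 9) A start job is running for...rough DKMS (1min 32s / no limit)
e[K[ e[31m*e[1;31m*e[0me[31m* e[0m] (2 of 8) A start job is running for...port Agent (1min 43s / 2min 23s)
e[K[e[32m OK e[0m] Started Postfix Mail Transport Agent.
"""


def seconds(text):
    """Convert systemd's '1min 24s' style to seconds; 'no limit' gives None."""
    m = DURATION.fullmatch(text.strip())
    if text.strip() == "no limit" or m is None:
        return None
    h, mins, s = (int(x or 0) for x in m.groups())
    return h * 3600 + mins * 60 + s


def summarize(boot_log):
    """Return (failed unit descriptions, {job label: (max wait s, limit s)})."""
    failed, jobs = [], {}
    # The console spinner redraws with carriage returns, so split on both.
    for raw in re.split(r"[\r\n]+", boot_log):
        line = ANSI.sub("", raw).strip()
        m = FAILED.search(line)
        if m:
            failed.append(m.group(1))
            continue
        m = JOB.search(line)
        if m:
            # systemd truncates the description ("for...NMB Daemon"); key on
            # the visible tail so spinner repeats collapse into one entry.
            label = m.group(1).split("...")[-1]
            elapsed, limit = seconds(m.group(2)), seconds(m.group(3))
            prev = jobs.get(label, (0, limit))[0]
            jobs[label] = (max(prev, elapsed or 0), limit)
    return failed, jobs


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A job whose longest wait is close to its limit (here the NMB Daemon entry) is the one to look up with `systemctl status` and `journalctl -u` for that unit.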
Yes, exactly that happens on my side, so I guess it is a bug.
Removed nethserver-fail2ban and fail2ban via CLI. Now everything is o.k. again. Restart is quick and machine response is o.k. So fail2ban is the problem I think.
Might I have the list of all nethserver-* rpms installed?
rpm -qa |grep nethserver-
For el7 epel provides a rpm fail2ban-shorewall, maybe the problem comes here.
Can you reproduce the issue if you install only fail2ban from epel?
yum install fail2ban
Then please provide the list of fail2ban rpms installed
rpm -qa |grep fail2ban
I cannot reproduce it :’(
Can you answer my previous questions?
The output is:
fail2ban-0.9.5-3.el7.noarch
fail2ban-server-0.9.5-3.el7.noarch
fail2ban-sendmail-0.9.5-3.el7.noarch
nethserver-fail2ban-0.1.3-1.ns7.sdl.noarch
fail2ban-firewalld-0.9.5-3.el7.noarch
fail2ban-shorewall-0.9.5-3.el7.noarch
Maybe I am wrong and fail2ban is also not starting, but in any case shorewall doesn’t start automatically, which is a big turn-off in general because it is not possible to reach the system at that moment to start it manually.
What are all the nethserver-* rpms installed?
What is your migration path (install from rc3 then update to rc4, for example)?
Output of rpm -qa |grep nethserver- is
nethserver-restore-data-1.2.1-1.ns7.noarch
nethserver-lsm-1.2.1-1.ns7.noarch
nethserver-dc-1.1.1-1.ns7.x86_64
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-pulledpork-2.0.0-1.ns7.noarch
nethserver-p3scan-1.1.2-1.ns7.noarch
nethserver-ndpi-1.1.0-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-duc-1.4.1-1.ns7.noarch
nethserver-ntp-1.1.1-1.ns7.noarch
nethserver-release-7-0.7.ns7.noarch
nethserver-backup-config-1.5.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-base-3.0.15-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-getmail-1.0.0-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-fail2ban-0.1.3-1.ns7.sdl.noarch
nethserver-squidguard-1.6.1-1.ns7.noarch
nethserver-lang-de-1.1.6-1.ns7.noarch
nethserver-firewall-base-3.1.6-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-dnsmasq-1.6.2-1.ns7.noarch
nethserver-collectd-3.0.4-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-mail-filter-1.4.3-1.ns7.noarch
nethserver-backup-data-1.2.3-1.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-lang-en-1.1.6-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.1.6-1.ns7.noarch
nethserver-letsencrypt-1.1.3-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-httpd-proxypass-3.1.1-1.ns7.noarch
nethserver-squidclamav-2.0.0-1.ns7.noarch
nethserver-sssd-1.1.4-1.ns7.noarch
nethserver-mail-server-1.10.6-1.ns7.noarch
nethserver-ddclient-1.0.1-4.ns7.sdl.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-suricata-1.0.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-sogo-1.6.1-1.15.ga5eb638.ns7.noarch
nethserver-httpd-admin-2.0.6-1.ns7.noarch
nethserver-squid-1.5.2-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-mysql-1.1.0-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
Migration path is from RC3, update to RC4.
Hi stephane, will give it on Monday.
Thanks @flatspin and @hucky, I will try to reproduce.
Does the issue come back if you reinstall nethserver-fail2ban?
Well, I cannot reproduce!
on a ns7B2
yum install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.0.2-1.ns7.sdl.noarch.rpm
then
yum install nethserver-restore-data nethserver-lsm nethserver-dc nethserver-httpd nethserver-pulledpork nethserver-p3scan nethserver-ndpi nethserver-crontabmanager nethserver-duc nethserver-ntp nethserver-release nethserver-backup-config nethserver-yum nethserver-base nethserver-openssh nethserver-getmail nethserver-net-snmp nethserver-fail2ban nethserver-squidguard nethserver-lang-de nethserver-firewall-base nethserver-mail-smarthost nethserver-lightsquid nethserver-dnsmasq nethserver-collectd nethserver-nethforge-release nethserver-spamd nethserver-mail-filter nethserver-backup-data nethserver-cgp nethserver-lang-en nethserver-unbound nethserver-hosts nethserver-firewall-base-ui nethserver-letsencrypt nethserver-phonehome nethserver-httpd-proxypass nethserver-squidclamav nethserver-sssd nethserver-mail-server nethserver-ddclient nethserver-lib nethserver-memcached nethserver-mail-common nethserver-suricata nethserver-stephdl nethserver-sogo nethserver-httpd-admin nethserver-squid nethserver-antivirus nethserver-php nethserver-mysql nethserver-smartd
once done
yum update -y
and after all of this
reboot
It could be interesting to see if you can reproduce the issue by reinstalling nethserver-fail2ban (I suspect fail2ban-shorewall)
If yes, then remove nethserver-fail2ban, do ‘yum autoremove’ and install ‘fail2ban’ alone… if no issue with fail2ban, then we found the guilty one. I never liked the shorewall implementation of fail2ban, maybe a good reason to remove it.
If your server doesn’t host critical/personal data, I can do it via SSH access.
Update from rc3 to rc4 via softwarecenter / GUI.
nethserver-diagtools-0.0.5-1.ns7.sdl.noarch
nethserver-httpd-3.1.1-1.ns7.noarch
nethserver-dc-1.1.1-1.ns7.x86_64
nethserver-httpd-admin-2.0.6-1.ns7.noarch
nethserver-mail-common-1.6.2-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-firewall-base-3.1.5-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-mysql-1.1.0-1.ns7.noarch
nethserver-openssh-1.2.0-1.ns7.noarch
nethserver-collectd-3.0.4-1.ns7.noarch
nethserver-nextcloud-1.0.4-1.ns7.noarch
nethserver-virtualhosts-1.0.2-1.ns7.noarch
nethserver-pulledpork-2.0.0-1.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.0-1.ns7.noarch
nethserver-mail-smarthost-0.1.0-1.ns7.noarch
nethserver-backup-config-1.5.2-1.ns7.noarch
nethserver-sssd-1.1.4-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-openvpn-1.4.4-1.ns7.noarch
nethserver-dnsmasq-1.6.2-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-docker-0.0.0-1.ns7.noarch
nethserver-httpd-proxypass-3.1.1-1.ns7.noarch
nethserver-lang-en-1.1.6-1.ns7.noarch
nethserver-suricata-1.0.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-clamscan-0.1.0-1.ns7.sdl.noarch
nethserver-letsencrypt-1.1.3-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-sogo-1.6.1-1.15.ga5eb638.ns7.noarch
nethserver-duc-1.4.1-1.ns7.noarch
nethserver-phpmyadmin-1.2.0-1.ns7.sdl.noarch
nethserver-base-3.0.14-1.ns7.noarch
nethserver-ibays-3.0.3-1.ns7.noarch
nethserver-release-7-0.7.ns7.noarch
nethserver-squid-1.5.2-1.ns7.noarch
nethserver-mail-server-1.10.6-1.ns7.noarch
nethserver-samba-2.0.4-1.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-lib-2.2.1-1.ns7.noarch
nethserver-lsm-1.2.1-1.ns7.noarch
nethserver-squidguard-1.6.1-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-firewall-base-ui-3.1.5-1.ns7.noarch
nethserver-ntp-1.1.1-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch