NethServer Version: 7.5
Module: fail2ban
I upgraded my Neth server yesterday from 7.4 to 7.5. Except for needing to manually restart the httpd-admin service, everything seemed to work just fine. But I’m noticing a lot of fail2ban emails on what look like some pretty familiar IP addresses (or at least networks), and they seem to be coming up over and over again. Investigation appears to show that I don’t have a recidive jail any more.
[root@neth ~]# config show fail2ban
fail2ban=service
ApacheAuth_status=true
ApacheBadbots_status=true
ApacheBotsearch_status=false
ApacheFakegooglebot_status=true
ApacheModsecurity_status=true
ApacheNohome_status=true
ApacheNoscript_status=true
ApacheOverflows_status=true
ApachePhpMyAdmin_status=true
ApacheScan_status=true
ApacheShellshock_status=true
Apache_MaxRetry=
BanAction=shorewall-nethserver
BanLocalNetwork=disabled
BanTime=1800
CustomDestemail=admin@familybrown.org
Dovecot_MaxRetry=
Dovecot_status=true
EjabberAuth_status=true
Ejabber_MaxRetry=
FindTime=900
HttpdAdmin_MaxRetry=
HttpdAdmin_status=true
IgnoreIP=
LogLevel=INFO
Mail=enabled
MailJailState=disabled
MaxRetry=3
MysqldAuth_status=true
Mysqld_MaxRetry=
Nextcloud_MaxRetry=
Nextcloud_status=true
NginxBotSearch_status=true
NginxHttpAuth_status=true
Nginx_MaxRetry=
OpenVpnAuth_status=true
OpenVpn_MaxRetry=
Owncloud_MaxRetry=
Owncloud_status=true
PamGeneric_MaxRetry=
PamGeneric_status=true
PostfixRbl_status=true
Postfix_MaxRetry=
Postfix_status=true
Recidive_MaxRetry=
Recidive_Perpetual=disabled
Recidive_status=true
Roundcube_MaxRetry=
Roundcube_status=true
Sieve_MaxRetry=
Sieve_status=true
SogoAuth_status=true
Sogo_MaxRetry=
SshdDdos_status=true
Sshd_MaxRetry=
Sshd_status=true
Urbackup_MaxRetry=
Urbackup_status=true
Vsftpd_MaxRetry=
Vsftpd_status=true
status=enabled
This says that Recidive_status is enabled, but fail2ban-client doesn’t list it as an available jail:
[root@neth ~]# fail2ban-client status
Status
|- Number of jail: 23
`- Jail list: apache-auth, apache-badbots, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-scan, apache-shellshock, dovecot, dovecot-nethserver, httpd-admin, mysqld-auth, nextcloud-auth, pam-generic, pam-generic-nethserver, phpmyadmin, postfix, postfix-ddos, postfix-rbl, sieve, sshd, sshd-ddos
If I do fail2ban-listban, I get more information, but again no indication of a recidive jail:
[root@neth ~]# fail2ban-listban
If you want more information on a jail, do : fail2ban-client status {JailName}
Status of Jails
---------------
apache-auth Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-badbots Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-fakegooglebot Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-modsecurity Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-nohome Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-noscript Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-overflows Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-scan Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
apache-shellshock Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
dovecot Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
dovecot-nethserver Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
httpd-admin Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
mysqld-auth Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
nextcloud-auth Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
pam-generic Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
pam-generic-nethserver Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
phpmyadmin Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
postfix Jail enabled
- Currently banned: 2 - Total banned after service start: 30
- Banned IP: 208.53.48.218 108.60.195.213
postfix-ddos Jail enabled
- Currently banned: 0 - Total banned after service start: 4
- Banned IP:
postfix-rbl Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
sieve Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
sshd Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
sshd-ddos Jail enabled
- Currently banned: 0 - Total banned after service start: 0
- Banned IP:
List of all banned IP:
Shorewall 5.1.10.2 Chain dynamic at neth.familybrown.org - Sat Jun 23 21:13:17 EDT 2018
Counters reset Sat Jun 23 08:09:41 EDT 2018
Chain dynamic (8 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 208.53.48.218 0.0.0.0/0
0 0 DROP all -- * * 108.60.195.213 0.0.0.0/0
/etc/fail2ban/filter.d/recidive.conf
is present. However, /etc/fail2ban/jail.local
seems to be the problem:
#recidive not used on this server
Why’s that? If I take a look at /etc/e-smith/templates/etc/fail2ban/jail.local/10recidive
(BTW, it seems pretty odd that all the fragments in this directory start with 10), it starts with
{
return "\n#recidive not used on this server"
unless (-f '/var/log/fail2ban.log');
…and though my understanding of Perl is nearly nonexistent, I think that means that what I’m seeing in my jail.local file should only be there if /var/log/fail2ban.log isn’t present.
[root@neth log]# ll /var/log/fail2ban.log
-rw------- 1 root root 115112 Jun 23 21:12 /var/log/fail2ban.log
Hmmm. Maybe the log file just wasn’t there when the template was expanded. A signal-event nethserver-fail2ban-update
will fix that, right? Nope, I do that, and jail.local still has the same line about recidive.
Am I missing something? Or is this a bug?