Whois package on NethServer Fail2ban Module

Support
#1

NethServer Version: NethServer release 7.5.1804 (final)
Module: NethServer Fail2ban

Hi @stephdl,

I have installed Fail2ban module from Software center with “whois” package selected to be installed during Fail2ban module installation.
However, when I receive email with banned IP, I’m notified that “whois” program is missing.

On the other hand, in NS documentation, at Fail2ban section is written:
“If you desire to query the IP whois database and obtain the origin of the banned IP by email, you could Install the whois rpm.”

In this moment, it is sure that what is written in NS documentation is correct, but
in this case, the option to install “whois” package from Software center must be eliminated.

IMO, is better to have this option in Software center and the NS documentation to be corrected.

Kind regards,
Gabriel

1 Like
Fail2ban - whois lookup
Add Whois information to fail2ban reports
#2

Sorry I did not catch you

rpm -qa|grep whois

Could you please reformulate

#3

Ok, sorry!
I have installed Fail2ban with whois option.
When I receive a notification email with banned IP, the message say that the whois program is missing.

Software%20center%201
Software center 1.JPG1017×663 50.1 KB

Software%20center%202

Email
Email.JPG852×345 28.1 KB

rpm%20-%20whois

1 Like
#4

Could you please restart fail2ban, else there is another whois rpm, could you please install it… but Firstly restart fail2ban and wait some ban

Yum search whois

#5

I have an old email with the same message.
From then, I have restarted F2B and even reboot the server for many times (some updates, …).

Email_old
Email_old.JPG853×317 27.3 KB

yum%20search%20whois
yum search whois.JPG937×319 51.4 KB

#6

Let me check the whois installed on my server, I know it is working whois

1 Like
#7

OK!

TIA,
Gabriel

PS:
In the past, when I have installed Fail2ban from here:
https://wiki.nethserver.org/doku.php?id=module:fail2ban
with whois, it worked.

Edit:
maybe is something wrong with whois dependencies.

#8

sorry I cannot reproduce

[root@prometheus ~]# rpm -qa |grep whois
whois-5.1.1-2.el7.x86_64
[root@prometheus ~]# rpm -qa | grep fail2ban
fail2ban-server-0.9.7-1.el7.noarch
fail2ban-firewalld-0.9.7-1.el7.noarch
fail2ban-shorewall-0.9.7-1.el7.noarch
fail2ban-sendmail-0.9.7-1.el7.noarch
fail2ban-0.9.7-1.el7.noarch
nethserver-fail2ban-1.0.4-1.ns7.noarch

this is what I have…Since how many time did you install the rpm whois…is it possible to need to wait sometime before to sync the whole database :-?

Hi,

The IP 67.164.207.205 has just been banned by Fail2Ban after
3 attempts against sshd.


Here is more information about 67.164.207.205 :


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#



# start

NetRange:       67.164.192.0 - 67.164.207.255
CIDR:           67.164.192.0/20
NetName:        UTAH-3
NetHandle:      NET-67-164-192-0-1
Parent:         COMCAST (NET-67-160-0-0-1)
NetType:        Reassigned
OriginAS:       
Customer:       Comcast Cable Communications, Inc. (C00500168)
RegDate:        2003-04-02
Updated:        2004-07-02
Ref:            https://whois.arin.net/rest/net/NET-67-164-192-0-1


CustName:       Comcast Cable Communications, Inc.
Address:        3 Executive Campus
Address:        5th Floor
City:           Cherry Hill
StateProv:      NJ
PostalCode:     08002
Country:        US
RegDate:        2003-04-02
Updated:        2016-08-31
Ref:            https://whois.arin.net/rest/customer/C00500168

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200 
OrgTechEmail:  CNIPEO-Ip-registration@cable.comcast.com
OrgTechRef:    https://whois.arin.net/rest/poc/IC161-ARIN

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-888-565-4329 
OrgAbuseEmail:  abuse@comcast.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/NAPO-ARIN

# end


# start

NetRange:       67.160.0.0 - 67.191.255.255
CIDR:           67.160.0.0/11
NetName:        COMCAST
NetHandle:      NET-67-160-0-0-1
Parent:         NET67 (NET-67-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS7922
Organization:   Comcast Cable Communications, LLC (CCCS)
RegDate:        2002-12-16
Updated:        2016-08-31
Ref:            https://whois.arin.net/rest/net/NET-67-160-0-0-1



OrgName:        Comcast Cable Communications, LLC
OrgId:          CCCS
Address:        1800 Bishops Gate Blvd
City:           Mt Laurel
StateProv:      NJ
PostalCode:     08054
Country:        US
RegDate:        2001-09-17
Updated:        2017-01-28
Ref:            https://whois.arin.net/rest/org/CCCS


OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200 
OrgTechEmail:  CNIPEO-Ip-registration@cable.comcast.com
OrgTechRef:    https://whois.arin.net/rest/poc/IC161-ARIN

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-888-565-4329 
OrgAbuseEmail:  abuse@comcast.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/NAPO-ARIN

# end



#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#

Regards,

Fail2Ban
Add Whois information to fail2ban reports
#9

On one of my server whois was not installed with fail2ban, I just installed it by the software center, just after the installation I tried to be banned by my server, once done I received the email with the whois output of the IP.

I cannot reproduce, please go to logs (fail2ban) and try to see if something warn inside, try also to reinstall

#10

The server was installed from scratch as email server only, around two weeks ago, using the last NS ISO.
As usual, after first login, I made all the updates and then I have installed necessary modules for email server.
This function, whois, did not work from the beginning but I had no time to write about it.
Till yesterday, I removed and reinstalled F2B module, with and without the whois package, for couple of times, without success to make it functionally.
I hope at the end of the week I will have time to reinstall from scratch the server.
I will keep you informed about this.
Thank you for your time!

Kind regards,
Gabriel

#11

No need to reinstall from scratch just for fail2ban

#12

I did it without success.

#13

Well…we have no settings to detect and triggers the whois informations, this is an internal fail2ban issue. If you can gather some logs/warns/things we could make an upstream bug, without these it is useless

@other could you reproduce ?

#14

Please

whereis whois

Check

How they query whois or they display the warn about the lack of whois bin

#15

whereis%20whois
whereis whois.JPG730×335 31.9 KB

F2B%20config%20file
F2B config file.JPG712×763 71.4 KB

#16

just an idea, try whois from the command line

whois 8.8.8.8

/usr/bin/whois <ip> ||… means the command does not exit 0 which can have multiple causes.

1 Like
Add Whois information to fail2ban reports
#17

8
whois 8.8.8.8.JPG760×344 49.5 KB

#18

check resolving hostname (DNS) ?

Default configuration of whois tries to connect to www.arin.net

ping www.arin.net

or

ping www.google.com

#19

ping%20www
ping www.JPG722×409 77.5 KB

#20

Out of ideas, its clear the problem is not missing whois, the message “missing whois program” is misleading.

@GG_jr whois 8.8.8.8 returns Unable to connect to remote host ; which probably is whois.arin.net (not sure about the later).

does curl whois.arin.net give a ‘normal’ response?

[root@ ~]# curl whois.arin.net
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://whois.arin.net/ui/">here</a>.</p>
</body></html>
Add Whois information to fail2ban reports