On one of my server whois was not installed with fail2ban, I just installed it by the software center, just after the installation I tried to be banned by my server, once done I received the email with the whois output of the IP.
I cannot reproduce, please go to logs (fail2ban) and try to see if something warn inside, try also to reinstall
The server was installed from scratch as email server only, around two weeks ago, using the last NS ISO.
As usual, after first login, I made all the updates and then I have installed necessary modules for email server.
This function, whois, did not work from the beginning but I had no time to write about it.
Till yesterday, I removed and reinstalled F2B module, with and without the whois package, for couple of times, without success to make it functionally.
I hope at the end of the week I will have time to reinstall from scratch the server.
I will keep you informed about this.
Thank you for your time!
Kind regards,
Gabriel
No need to reinstall from scratch just for fail2ban
I did it without success.
Well…we have no settings to detect and triggers the whois informations, this is an internal fail2ban issue. If you can gather some logs/warns/things we could make an upstream bug, without these it is useless
@other could you reproduce ?
Please
whereis whois
Check
How they query whois or they display the warn about the lack of whois bin
just an idea, try whois from the command line
whois 8.8.8.8
/usr/bin/whois <ip> ||… means the command does not exit 0 which can have multiple causes.
check resolving hostname (DNS) ?
Default configuration of whois tries to connect to www.arin.net
ping www.arin.net
or
ping www.google.com
Out of ideas, its clear the problem is not missing whois, the message “missing whois program” is misleading.
@GG_jr whois 8.8.8.8 returns Unable to connect to remote host ; which probably is whois.arin.net (not sure about the later).
does curl whois.arin.net give a ‘normal’ response?
[root@ ~]# curl whois.arin.net
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://whois.arin.net/ui/">here</a>.</p>
</body></html>
my output of whois 8.8.8.8
[root@ ~]# whois 8.8.8.8
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#
# start
NetRange: 8.0.0.0 - 8.127.255.255
CIDR: 8.0.0.0/9
NetName: LVLT-ORG-8-8
NetHandle: NET-8-0-0-0-1
Parent: NET8 (NET-8-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Level 3 Parent, LLC (LPL-141)
RegDate: 1992-12-01
Updated: 2018-04-23
Ref: https://whois.arin.net/rest/net/NET-8-0-0-0-1
OrgName: Level 3 Parent, LLC
OrgId: LPL-141
Address: 100 CenturyLink Drive
City: Monroe
StateProv: LA
PostalCode: 71203
Country: US
RegDate: 2018-02-06
Updated: 2018-02-22
Ref: https://whois.arin.net/rest/org/LPL-141
OrgAbuseHandle: IPADD5-ARIN
OrgAbuseName: ipaddressing
OrgAbusePhone: +1-877-453-8353
OrgAbuseEmail: ipaddressing@level3.com
OrgAbuseRef: https://whois.arin.net/rest/poc/IPADD5-ARIN
OrgTechHandle: IPADD5-ARIN
OrgTechName: ipaddressing
OrgTechPhone: +1-877-453-8353
OrgTechEmail: ipaddressing@level3.com
OrgTechRef: https://whois.arin.net/rest/poc/IPADD5-ARIN
# end
# start
NetRange: 8.8.8.0 - 8.8.8.255
CIDR: 8.8.8.0/24
NetName: LVLT-GOGL-8-8-8
NetHandle: NET-8-8-8-0-1
Parent: LVLT-ORG-8-8 (NET-8-0-0-0-1)
NetType: Reallocated
OriginAS:
Organization: Google LLC (GOGL)
RegDate: 2014-03-14
Updated: 2014-03-14
Ref: https://whois.arin.net/rest/net/NET-8-8-8-0-1
OrgName: Google LLC
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2017-12-21
Ref: https://whois.arin.net/rest/org/GOGL
OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: https://whois.arin.net/rest/poc/ZG39-ARIN
OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: network-abuse@google.com
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE5250-ARIN
# end
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html
#
in other words your curllpit is getting whois to work maybe others have insights on this 
@mark_nl : Thank you for your support!
@stephdl: There is other way than from Software center to remove all F2B and all dependencies (whois, jwhois, pwhois, perl-net-whois-ip, perl-net-whois-raw, …)?
TIA,
Gabriel
OK!
The problem is the port 43 which must be opened on my UTM (outbound traffic from DMZ to WAN). This port is used by IANA for WHOIS services.
How can I remove all F2B to reinstall?
EDIT:
No need to reinstall. Now it’s working!
Thank you all for support!
Kind regards,
Gabriel
For the sake of sysadmin, how did you solve your issue please
My NS email server is placed in DMZ.
For outgoing traffic from DMZ to WAN, I open only necessary ports.
During tests with @mark_nl (thank you again!), I thought that Whois service need an open port to communicate with whois.arin.net.
“I asked” Google to tell me which ports must be opened on firewall to reach whois.arin.net. And Google told me! VIVA LAS … GOOGLE! 
Thank you again for your time!
ok nothing that we can do on the nethserver side
No, nothing wrong from NethServer!
Maybe is good to know for some scenarios.
On Tips & Tricks.