Whois package on NethServer Fail2ban Module

On one of my server whois was not installed with fail2ban, I just installed it by the software center, just after the installation I tried to be banned by my server, once done I received the email with the whois output of the IP.

I cannot reproduce, please go to logs (fail2ban) and try to see if something warn inside, try also to reinstall

The server was installed from scratch as email server only, around two weeks ago, using the last NS ISO.
As usual, after first login, I made all the updates and then I have installed necessary modules for email server.
This function, whois, did not work from the beginning but I had no time to write about it.
Till yesterday, I removed and reinstalled F2B module, with and without the whois package, for couple of times, without success to make it functionally.
I hope at the end of the week I will have time to reinstall from scratch the server.
I will keep you informed about this.
Thank you for your time!

Kind regards,

No need to reinstall from scratch just for fail2ban

I did it without success.

Well…we have no settings to detect and triggers the whois informations, this is an internal fail2ban issue. If you can gather some logs/warns/things we could make an upstream bug, without these it is useless

@other could you reproduce ?


whereis whois


How they query whois or they display the warn about the lack of whois bin

just an idea, try whois from the command line


/usr/bin/whois <ip> ||… means the command does not exit 0 which can have multiple causes.

1 Like

check resolving hostname (DNS) ?

Default configuration of whois tries to connect to www.arin.net

ping www.arin.net


ping www.google.com

Out of ideas, its clear the problem is not missing whois, the message “missing whois program” is misleading.

@GG_jr whois returns Unable to connect to remote host ; which probably is whois.arin.net (not sure about the later).

does curl whois.arin.net give a ‘normal’ response?

[root@ ~]# curl whois.arin.net
<title>302 Found</title>
<p>The document has moved <a href="http://whois.arin.net/ui/">here</a>.</p>


my output of whois

[root@ ~]# whois

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html

# start

NetRange: -
NetName:        LVLT-ORG-8-8
NetHandle:      NET-8-0-0-0-1
Parent:         NET8 (NET-8-0-0-0-0)
NetType:        Direct Allocation
Organization:   Level 3 Parent, LLC (LPL-141)
RegDate:        1992-12-01
Updated:        2018-04-23
Ref:            https://whois.arin.net/rest/net/NET-8-0-0-0-1

OrgName:        Level 3 Parent, LLC
OrgId:          LPL-141
Address:        100 CenturyLink Drive
City:           Monroe
StateProv:      LA
PostalCode:     71203
Country:        US
RegDate:        2018-02-06
Updated:        2018-02-22
Ref:            https://whois.arin.net/rest/org/LPL-141

OrgAbuseHandle: IPADD5-ARIN
OrgAbuseName:   ipaddressing
OrgAbusePhone:  +1-877-453-8353
OrgAbuseEmail:  ipaddressing@level3.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/IPADD5-ARIN

OrgTechHandle: IPADD5-ARIN
OrgTechName:   ipaddressing
OrgTechPhone:  +1-877-453-8353
OrgTechEmail:  ipaddressing@level3.com
OrgTechRef:    https://whois.arin.net/rest/poc/IPADD5-ARIN

# end

# start

NetRange: -
NetName:        LVLT-GOGL-8-8-8
NetHandle:      NET-8-8-8-0-1
Parent:         LVLT-ORG-8-8 (NET-8-0-0-0-1)
NetType:        Reallocated
Organization:   Google LLC (GOGL)
RegDate:        2014-03-14
Updated:        2014-03-14
Ref:            https://whois.arin.net/rest/net/NET-8-8-8-0-1

OrgName:        Google LLC
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2017-12-21
Ref:            https://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google LLC
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact@google.com
OrgTechRef:    https://whois.arin.net/rest/poc/ZG39-ARIN

OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  network-abuse@google.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE5250-ARIN

# end

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/whois_reporting/index.html

in other words your curllpit is getting whois to work maybe others have insights on this :hushed:

1 Like

@mark_nl : Thank you for your support!

@stephdl: There is other way than from Software center to remove all F2B and all dependencies (whois, jwhois, pwhois, perl-net-whois-ip, perl-net-whois-raw, …)?




The problem is the port 43 which must be opened on my UTM (outbound traffic from DMZ to WAN). This port is used by IANA for WHOIS services.

How can I remove all F2B to reinstall?


No need to reinstall. Now it’s working!
Thank you all for support!

Kind regards,


For the sake of sysadmin, how did you solve your issue please

My NS email server is placed in DMZ.
For outgoing traffic from DMZ to WAN, I open only necessary ports.
During tests with @mark_nl (thank you again!), I thought that Whois service need an open port to communicate with whois.arin.net.
“I asked” Google to tell me which ports must be opened on firewall to reach whois.arin.net. And Google told me! VIVA LAS … GOOGLE! :wink:

Thank you again for your time!

ok nothing that we can do on the nethserver side

1 Like

No, nothing wrong from NethServer!
Maybe is good to know for some scenarios.
On Tips & Tricks.

1 Like