Difference between revisions of "Fail2ban troubleshooting"

From Kolmisoft Wiki

Latest revision as of 19:10, 15 July 2019

Problem: Fail2Ban does not start

Solution:

mv /usr/share/fail2ban /usr/share/fail2ban_old
cd /usr/src/fail2ban-0.8.4
python setup.py install
service fail2ban restart


Starting fail2ban in debug mode (a real example of how to troubleshoot)

Problem - Fail2ban does not start:

[root@ns3127522 ~]# service fail2ban restart
Stopping fail2ban:                                         [FALLITO] 
Starting fail2ban:                                         [FALLITO]
[root@ns3127522 ~]# 

Debugging

1. Go to /usr/src/fail2ban-0.8.4

cd /usr/src/fail2ban-0.8.4

2. Launch Fail2Ban in debug mode:

./fail2ban-client -v -v -v start

3. You will see output similar to this:

[root@ns312752 fail2ban-0.8.4]# ./fail2ban-client -v -v -v start

DEBUG  Reading /etc/fail2ban/fail2ban
DEBUG  Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG  Reading /etc/fail2ban/fail2ban
DEBUG  Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
WARNING 'action' not defined in 'php-url-fopen'. Using default value
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading /etc/fail2ban/filter.d/asterisk_hgc_200
DEBUG  Reading files: ['/etc/fail2ban/filter.d/asterisk_hgc_200.conf', '/etc/fail2ban/filter.d/asterisk_hgc_200.local']
DEBUG  Reading /etc/fail2ban/action.d/iptables-allports
DEBUG  Reading files: ['/etc/fail2ban/action.d/iptables-allports.conf', '/etc/fail2ban/action.d/iptables-allports.local']
DEBUG  Reading /etc/fail2ban/action.d/sendmail-banned
DEBUG  Reading files: ['/etc/fail2ban/action.d/sendmail-banned.conf', '/etc/fail2ban/action.d/sendmail-banned.local']
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
WARNING 'action' not defined in 'lighttpd-fastcgi'. Using default value
DEBUG  Reading /etc/fail2ban/jail
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading /etc/fail2ban/filter.d/asterisk_manager
ERROR  /etc/fail2ban/filter.d/asterisk_manager.conf and /etc/fail2ban/filter.d/asterisk_manager.local do not exist
ERROR  Unable to read the filter
ERROR  Errors in jail 'asterisk-manager'. Skipping...

4. This means that these filter files are missing. Let's try updating our svn tree in /usr/src/mor:

[root@ns312752 ~]# svn update /usr/src/mor

U    /usr/src/mor/test/files/fail2ban/jail.conf                                                                                                                           
A    /usr/src/mor/test/files/fail2ban/filter.d/asterisk_manager.conf                                                                                                       
U    /usr/src/mor/db/12/permissions.sql                                                                                                                                     
U    /usr/src/mor/db/x4/permissions.sql                                                                                                                                     
U    /usr/src/mor/scripts/mor_alerts.h                                                                                                                                      
U    /usr/src/mor/upgrade/12/stable_revision                                                                                                                                
U    /usr/src/mor/upgrade/x4/stable_revision

We see that this file was missing previously. The Fail2Ban patches script from Kolmisoft will probably be enough to fix this:

/usr/src/mor/test/scripts/various/fail2ban_patches.sh 

5. We see that this solved the problem:

[root@ns3127522 ~]# /usr/src/mor/test/scripts/various/fail2ban_patches.sh

[SOME OUTPUT SKIPPED HERE]

Stopping fail2ban:                                         [FALLITO]
Starting fail2ban:                                         [FALLITO]
FAILED         Fail2Ban-SSH
Stopping fail2ban:                                         [FALLITO]
Starting fail2ban:                                         [  OK  ]

[root@ns3127522 ~]#
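
A pre-flight check for the failure diagnosed above, as an added example that is not part of the Kolmisoft wiki or the fail2ban project: it lists enabled jails whose filter file is absent from filter.d, the condition behind the "Unable to read the filter" error. The function names, the asterisk-iptables jail name and the sample tree are constructed for illustration; [DEFAULT] inheritance and %(...)s interpolation are not handled.

```shell
#!/bin/sh
# Added example, not Kolmisoft or fail2ban project code.
# Simplified: no [DEFAULT] inheritance and no %(...)s interpolation.

# Print "jail filter" for each enabled jail whose filter has neither a
# .conf nor a .local file in filter.d (jail.local overrides jail.conf).
missing_filters() {
    confdir=${1:-/etc/fail2ban}
    set --
    for f in "$confdir/jail.conf" "$confdir/jail.local"; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then return 0; fi
    awk '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[.*\]/ {                              # [jail-name] header
            jail = $0; sub(/^[ \t]*\[/, "", jail); sub(/\].*$/, "", jail)
            next
        }
        jail != "" && /^[ \t]*(filter|enabled)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            conf[jail, key] = val                      # later file wins
            if (!(jail in seen)) { seen[jail] = 1; order[++n] = jail }
        }
        END {
            for (i = 1; i <= n; i++) {
                j = order[i]; on = tolower(conf[j, "enabled"])
                if (j != "DEFAULT" && on ~ /^(true|yes|on|1)$/ && conf[j, "filter"] != "")
                    print j, conf[j, "filter"]
            }
        }
    ' "$@" | while read -r jail filter; do
        if [ ! -f "$confdir/filter.d/$filter.conf" ] &&
           [ ! -f "$confdir/filter.d/$filter.local" ]; then
            echo "$jail $filter"
        fi
    done
}

# Constructed sample tree that reproduces the failure shown in the debug output.
make_sample() {
    mkdir -p "$1/filter.d"
    : > "$1/filter.d/asterisk_hgc_200.conf"
    printf '%s\n' '[asterisk-iptables]' 'enabled = true' 'filter = asterisk_hgc_200' \
        '[php-url-fopen]' 'enabled = false' 'filter = php-url-fopen' \
        '[asterisk-manager]' 'enabled = true' 'filter = asterisk_manager' \
        > "$1/jail.conf"
}
```

Calling missing_filters with no argument checks /etc/fail2ban; an empty result means every enabled jail has its filter file.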

Fail2ban fails to start on CentOS 7

Symptoms:

ERROR  Could not start server. Maybe an old socket file is still present. Try to remove /var/run/fail2ban/fail2ban.sock. If you used fail2ban-client to start the server, adding the -x option will do it

Resolution:

rm -f /var/run/fail2ban/fail2ban.sock
mkdir -p /var/run/fail2ban
chmod 0750 /var/run/fail2ban/
systemctl start fail2ban.service

Testing:

systemctl status fail2ban.service

You should get similar output:

● fail2ban.service - SYSV: Fail2ban daemon
  Loaded: loaded (/etc/rc.d/init.d/fail2ban; bad; vendor preset: disabled)
  Active: active (running) since Kt 2018-10-11 15:33:48 CEST; 12s ago
    Docs: man:systemd-sysv-generator(8)
 Process: 18840 ExecStart=/etc/rc.d/init.d/fail2ban start (code=exited, status=0/SUCCESS)
  CGroup: /system.slice/fail2ban.service
          ├─18851 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
          └─18853 /usr/libexec/gam_server