
Resolved can't enable Fail2Ban after upgrade Onyx Version 17.5.3

I can tell you only what I observed. My PuTTY connection doesn't respond, a reconnect didn't work.
How long could these flush commands run? Maybe several minutes?

Even if I run
Code:
iptables -L
it takes 18 minutes (!!!) for an output of < 900 lines. Most of them like:

REJECT all -- 111.206.163.56 anywhere reject-with icmp-port-unreachable

Is that normal? Or is there something wrong with the iptables (after the update)?
 
Hi Xantiva,

it takes 18 minutes (!!!) for an output of < 900 lines
... quite a long time, but this depends on YOUR hardware on YOUR server and last but not least on the server network connection and YOUR internet connection to the server. ;)

Is that normal?
Having 900 entries? This depends on YOUR configuration. You should consider using the additional jail "RECIDIVE" and pls. inform yourself about its usage and how it can be configured/adjusted to fit YOUR needs and desires. ;)


My PuTTY connection doesn't respond, a reconnect didn't work.
To investigate such an issue, pls. consider inspecting YOUR SSH log files, in order to investigate why the connections have been closed or why your server didn't respond to your PuTTY client. Again, this indicates slow internet/network connections. ;)
 
The server and my internet connection aren't very slow. The problem seems to be all the DNS requests if the option "-n" (numeric output of addresses and ports) is not used.
Code:
iptables -L -n
is much faster now (no visible delay)!

And I still use the recidive jail ...
 
Hi Xantiva,

The problem seems to be all the DNS requests if the option "-n"
Yes, the command "iptables" has several command options, which you are able to use, but the word "seems" is hardly an indication of an actual research of your root cause.

Information: The standard command "iptables -L" is a command which includes parsing, ordering and DNS - reverse commands, while the additional option "-n" doesn't have to process a reverse DNS in order to be able to show the corresponding hostname; it just parses/reads the current IP - entries. ;)
 
Hi Xantiva,

Your very first step to inform yourself about a command option on Linux-based systems is to read the corresponding "man" pages for the installed package. If you desire manuals provided over internet sites, you should consider using:

=> LMGTFY
 
Hi UFHH01,

What do you want to tell me? The first Google hit is Man page of IPTABLES

-L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L

Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
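
Added example (not part of any post in this thread): a shell function that summarises `iptables -L -n` output per chain, so a listing with several hundred fail2ban entries like the one discussed above can be read at a glance without reverse DNS lookups. The function names are hypothetical, and the sample listing, its `f2b-<jail>` chain names and its addresses are constructed.

```shell
#!/bin/sh
# Summarise `iptables -L -n` output (read from stdin) per chain:
# total rules and how many of them are REJECT/DROP entries.
# On a server, as root:  iptables -L -n | count_rules_per_chain
# -n keeps iptables from doing one reverse DNS lookup per listed address.
count_rules_per_chain() {
    awk '
        $1 == "Chain" {                      # e.g. "Chain f2b-ssh (1 references)"
            chain = $2; order[++k] = chain
            rules[chain] = 0; bans[chain] = 0
            next
        }
        NF == 0 || ($1 == "target" && $2 == "prot") { next }   # blank line or column header
        chain != "" {
            rules[chain]++
            if ($1 == "REJECT" || $1 == "DROP") bans[chain]++
        }
        END {
            for (i = 1; i <= k; i++)
                printf "%s rules=%d bans=%d\n", order[i], rules[order[i]], bans[order[i]]
        }
    '
}

# Constructed sample listing (documentation address ranges, assumed chain names).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-recidive  all  --  0.0.0.0/0            0.0.0.0/0
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  198.51.100.7         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  203.0.113.25         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.44           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

sample_listing | count_rules_per_chain
```

A chain whose ban count keeps growing points at the jail whose ban time or filter deserves a closer look.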
 
The instruction that was missing here to be able to restart fail2ban after
Code:
aptitude purge fail2ban plesk-fail2ban-configurator
is described on Failed to start fail2ban service
Code:
kill `ps afvvx | grep -v grep | grep fail2ban-server | awk '{print $1}' | xargs`

Thanks @UFHH01 for your help. Altogether those instructions made it for me, because I had the exact same system and exception as @tomer628.
 
I can confirm that following the instructions of UFHH01 and restarting the VPS, the fail2ban service starts working.

Thanks UFHH01, great work!!!
 