Resolved Fail2Ban doesn't start after upgrade

[Martin6969]

Got this during command-line install :

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirrors.ircam.fr
plesk-fail2ban-configurator-17.5.3-cos7.build1705170314. | 194 kB     00:00
fail2ban-0.9.6-centos7.17031414.noarch.rpm               | 445 kB     00:01
Running Transaction Check
Non-fatal POSTIN scriptlet failure in rpm package 1:fail2ban-0.9.6-centos7.17031414.noarch
Installing: 1:fail2ban-0.9.6-centos7.17031414.noarch [1/2]
Failed to try-restart fail2ban.service: Unit not found.
warning: %post(fail2ban-1:0.9.6-centos7.17031414.noarch) scriptlet failed, exit status 5
Installing: plesk-fail2ban-configurator-17.5.3-cos7.build1705170314.17.noarch [2/2]
Verify: 1/2: fail2ban.noarch 1:0.9.6-centos7.17031414 - u
Verify: 2/2: plesk-fail2ban-configurator.noarch 0:17.5.3-cos7.build1705170314.17 - u
Installation des pats...

 

[Martin6969]

When trying to start this error :

# service fail2ban start
Redirecting to /bin/systemctl start  fail2ban.service
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

systemctl status fail2ban.service :

# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: activating (start) since jeu. 2017-04-27 02:54:45 CEST; 8s ago
     Docs: man:fail2ban(1)
  Process: 21389 ExecStartPre=/usr/bin/mkdir -p -m 755 /var/run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 23880 (code=killed, signal=KILL);         : 21391 (fail2ban-client)
   CGroup: /system.slice/fail2ban.service
           ├─21340 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
           ├─21391 /usr/bin/python /usr/bin/fail2ban-client -x start
           └─21394 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

avril 27 02:54:45 ns0.xxxxx.net systemd[1]: Starting Fail2Ban Service...
avril 27 02:54:45 ns0.xxxxx.net fail2ban-client[21391]: 2017-04-27 02:54:45,802 fail2ban.server         [21392]: INFO    Star...0.9.6
avril 27 02:54:45 ns0.xxxxx.net fail2ban-client[21391]: 2017-04-27 02:54:45,802 fail2ban.server         [21392]: INFO    Star... mode
avril 27 02:54:50 ns0.xxxxx.net fail2ban-client[21391]: ERROR  NOK: ('database is locked',)
Hint: Some lines were ellipsized, use -l to show in full.

# journalctl -xe
avril 27 02:57:41 ns0.xxxxx.net fail2ban-client[21556]: ERROR  NOK: ('database is locked',)
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: fail2ban.service start operation timed out. Terminating.
avril 27 02:57:46 ns0.xxxxx.net fail2ban-client[21556]: WARNING Caught signal 15. Exiting
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: Failed to start Fail2Ban Service.
-- Subject: L'unité (unit) fail2ban.service a échoué
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- L'unité (unit) fail2ban.service a échoué, avec le résultat failed.
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: Unit fail2ban.service entered failed state.
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: fail2ban.service failed.
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: fail2ban.service holdoff time over, scheduling restart.
avril 27 02:57:46 ns0.xxxxx.net systemd[1]: Starting Fail2Ban Service...
-- Subject: L'unité (unit) fail2ban.service a commencé à démarrer
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- L'unité (unit) fail2ban.service a commencé à démarrer.
avril 27 02:57:46 ns0.xxxxx.net fail2ban-client[21599]: 2017-04-27 02:57:46,803 fail2ban.server         [21601]: INFO    Starting Fai
avril 27 02:57:46 ns0.xxxxx.net fail2ban-client[21599]: 2017-04-27 02:57:46,803 fail2ban.server         [21601]: INFO    Starting in

 

[Martin6969]

Busy day tomorrow...i've got to get some sleep...

UFHH01 : I really hope you'll be available tomorrow evening aswell ;-)

 

[UFHH01]

Hi Martin6969,

pls. REMOVE Fail2Ban, as already suggest ( for CentOS/RHEL - based systems ):

yum remove failban plesk-fail2ban-configurator

Afterwards, make sure, that there is no existent fail2ban - database at "/var/lib/fail2ban/" ( named as: "fail2ban.sqlite3" ). Consider to delete the whole folder if it is still existent, with the example command:

rm -rf /var/lib/fail2ban

Consider as well an additional command as for example:

plesk installer --select-product-id plesk --select-release-current --remove-component fail2ban

... even that you uninstalled already with yum ( notice: this might display errors, which you could ignore right now )

Now clean yum with:

yum clean all

... and start another installation with:

plesk installer --select-product-id plesk --select-release-current --install-component fail2ban

*off - topic* - *spam*

UFHH01 : I really hope you'll be available tomorrow evening aswell ;-)

I'm sleeping on the forum - couch, so I should be there - just wake me up with some coffee, if I'm still sleeping/snoring.

 

[Martin6969]

Did mentioned steps above and got this during install :

Loading mirror speeds from cached hostfile
 * epel: mirrors.ircam.fr
+ plesk-fail2ban-configurator

Packages en cours d'installation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirrors.ircam.fr
plesk-fail2ban-configurator-17.5.3-cos7.build1705170314. | 194 kB     00:00
Running Transaction Check
Installing: plesk-fail2ban-configurator-17.5.3-cos7.build1705170314.17.noarch [1/1]
Verify: 1/1: plesk-fail2ban-configurator.noarch 0:17.5.3-cos7.build1705170314.17 - u

**** Product post-install started.

===> Checking for previous installation ... found.
 Trying to upgrade Fail2Ban configuration (bootstrapper-post stage)...  Trying to fix HTTPD_VHOSTS_D value in 'plesk-apache' Fail2Ban jail... ERROR  NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-apache
failed
 Trying to fix HTTPD_VHOSTS_D value in 'plesk-apache-badbot' Fail2Ban jail... ERROR  NOK: ('plesk-apache-badbot',)
ERROR  NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache-badbot']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-apache-badbot
failed
After end of upgrade for 'fail2ban' (stage 'bootstrapper-post') following actions are registered as failed:  20140211101620-fail2ban_fix_httpd_vhosts_d_path_in_jail 20140211101621-fail2ban_fix_httpd_vhosts_d_path_in_jail.

WARNING!
Some problems are found during upgrade Fail2Ban configuration (bootstrapper-post stage)(see log file: /var/log/plesk/install/plesk_17.5.3_installation.log)

Continue...

and had this in /var/log/plesk/install/plesk_17.5.3_installation.log :

START pp17.5.3-bootstrapper-17.5.3-cos7.build1705170317.16 installing AT Thu Apr 27 02:13:20 CEST 2017

**** Package pp17.5.3-bootstrapper scriptlet completed successfully.

STOP pp17.5.3-bootstrapper-17.5.3-cos7.build1705170317.16 installing AT Thu Apr 27 02:13:20 CEST 2017
START Bootstrapper 17.5.3 prep-install for BASE AT Thu Apr 27 02:13:22 CEST 2017

**** Product prep-install started.

===> Checking for previous installation ... found.
Create user 'psaadm' and group 'psaadm'
 Checking for the group 'psaadm'...
 Group 'psaadm' already exists

 Checking for the user 'psaadm'...
 User 'psaadm' already exists

Create group swkey-data
 Checking for the group 'swkey-data'...
 Group 'swkey-data' already exists

"/var/log/plesk/install/plesk_17.5.3_installation.log" 1522L, 75851C

 

[Martin6969]

I get this when i want to activate jails in control panel:

[[errorJailNotDisabled]]
Unable to switch on the selected jails: f2bmng failed: ERROR NOK: ('plesk-apache-badbot',)
ERROR NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-apache-badbot']' returned non-zero exit status 255
ERROR NOK: ('plesk-courierimap',)
ERROR NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-courierimap']' returned non-zero exit status 255
ERROR NOK: ('plesk-postfix',)
ERROR NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-postfix']' returned non-zero exit status 255
ERROR NOK: ('plesk-roundcube',)
ERROR NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-roundcube']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-apache-badbot, plesk-courierimap, plesk-postfix, plesk-roundcube.

However fail2ban does start now but i can't activate any extra jails...

Btw...coffee is ready UFHH01 ;-)

 

[UFHH01]

Hi Martin6969,

i get the feeling, that you could have another Fail2Ban - instance installed on your server, which might interfere with each other. Pls. check for "fail2ban" folders on your server and make sure, that if you control running processes with "ps aux | grep fail2ban", that only ONE instance is running.

 

[RaHa]

Hi Martin6969,

However fail2ban does start now but i can't activate any extra jails...

Btw...coffee is ready UFHH01 ;-)

I get same errors after the new install of file2ban, than I do this and it works:

Example commands to restart the Plesk Control Panel over the command line:

service psa restart

or

service sw-cp-server restart
service sw-engine restart

 

[Martin6969]

Hi Martin6969,

i get the feeling, that you could have another Fail2Ban - instance installed on your server, which might interfere with each other. Pls. check for "fail2ban" folders on your server and make sure, that if you control running processes with "ps aux | grep fail2ban", that only ONE instance is running.

ps aux | grep fail2ban gives :

ps aux | grep fail2ban
root      5297  0.2  0.0 1106724 14512 ?       Sl   avril28   4:06 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
root      9666  0.0  0.0 112668   956 pts/0    S+   01:09   0:00 grep --color=auto fail2ban

I get same errors after the new install of file2ban, than I do this and it works:

Doesn't work for me....still get same errors after restarting control panel :

[[errorJailNotDisabled]]
Unable to switch on the selected jails: f2bmng failed: ERROR NOK: ('plesk-courierimap',)
ERROR NOK: ('Cannot change database when there are jails present',)
ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload', 'plesk-courierimap']' returned non-zero exit status 255
ERROR:f2bmng:Failed to reload following jails due to errors in configuration: plesk-courierimap.

 

[UFHH01]

Hi Martin6969,

pls. let's repeat the DE- and RE-INSTALL steps and let's check as well with "mlocate" during the procedure, that all is the way, we expect it to be... o.k. ?


We start with installting "mlocate":

For Ubuntu/Debian based systems:

aptitude install mlocate

For CentOS/RHEL based systems:

yum install mlocate

Now we create and update the "mlocate" database with the command:

for all linux systems:

updatedb

Now we test a "mlocate" - command:

for all linux systems:

locate resolv.conf

Output should be several files and one of it must be "/etc/resolv.conf".​

We finished to install and test "mlocate". Pls. Keep in mind that "mlocate" works on a database - basis, if you don't regulary update the database, it is a useless tool. So pls. consider to create a returning crontab, where you update the "mlocate" - datebase with the command "updatedb" - otherwise you always will have to use this update-command, before you use a "locate" - command.


The next step is again the DE - installation of Fail2Ban:

• STOP Fail2Ban:

  service fail2ban stop

• ( Normally, I would say now: Pls. create a backup from "/etc/fail2ban", but since you should have done this before, I won't repeat these steps! )
• UN - INSTALL Fail2Ban with the command:

  plesk installer --select-product-id plesk --select-release-current --remove-component fail2ban

• Pls. re-check, that Fail2Ban has been uninstalled, with the system - specific commands: On Ubuntu/Debian - based systems:

  aptitude purge failban plesk-fail2ban-configurator

  ... and on CentOS/RHEL - based systems:

  yum remove failban plesk-fail2ban-configurator

• ( Normally, I would never suggest a reboot, but due to the fact, that you experienced quite a lot of issues/problems with Fail2Ban, which works with iptables, I want to make sure, that all is "as expected", and therefore: Pls. REBOOT now your server )
• ( You rebooted and logged yourself in again as user "root" over SSH and the first to check is now your iptables with the command:

  iptables -L

  ... which should result in the output of your used firewall rules, but WITHOUT any Fail2Ban chain! )
• We are now going to check for possible leftovers of Fail2Ban with the "locate" command:
  

  updatedb
  
  locate fail2ban

  ... which actually should result in NO output at all, because you removed everything. If you have some leftovers, pls. DELETE the whole Fail2Ban - folders and it's content(s).

We have now a clean system, without any Fail2Ban and restart with the absolute common installation with the Plesk autoinstaller:

• Install the Plesk Fail2Ban components with the command:

  plesk installer --select-product-id plesk --select-release-current --install-component fail2ban

• Pls. go to your Plesk Control Panel and check there, that Fail2Ban is installed as expected and start to configure Fail2Ban by adding "127.0.0.1/8" and "XXX.XXX.XXX.XXX" ( where XXX.XXX.XXX.XXX is a placeholder for your very own, unique server IP(s) !!! ) to your WHITELIST, which is named at the Plesk Control Panel: "Trusted IP Addresses".

If you have any further question/issue/problem, pls. consider to post YOUR recent steps and include as well ( as always ) the corresponding, actual error message.

 

[Martin6969]

Hi,

I think the 'leftovers' in the /etc/fail2ban directory and some other /var/www/vhosts/******/ directories were the cause. I had to remove these manualy (rm).

locate fail2ban[/CODE] ... which actually should result in NO output at all, because you removed everything. If you have some leftovers, pls. DELETE the whole Fail2Ban - folders and it's content(s).

But it works like a charme now !!!! UFHH01 did it again !!!

Thanks a lot !

 

[Stephan Lallement]

Hello HFHH01

I follow all your information but when i want to remove fail2ban i have this error :

yum remove fail2ban

...............................

Dépendances résolues

=============================================================================================================================================================================================================================================
Paquet Architecture Version Dépôt Taille
=============================================================================================================================================================================================================================================
Suppression:
fail2ban noarch 1:0.9.6-centos6.17031414 @PLESK_17_5_3-dist 2.0 M

Résumé de la transaction
=============================================================================================================================================================================================================================================
Suppression de 1 paquet(s)

Taille d'installation : 2.0 M
Est-ce correct [o/N] : o

Téléchargement des paquets :
Lancement de rpm_check_debug
Lancement de la transaction de test
Transaction de test réussie
Lancement de la transaction
Traceback (most recent call last):
File "/usr/sbin/yum-complete-transaction", line 266, in <module>
util = YumCompleteTransaction()
File "/usr/sbin/yum-complete-transaction", line 119, in __init__
try: self.main()
File "/usr/sbin/yum-complete-transaction", line 249, in main
if self.doUtilTransaction() == 0:
File "/usr/share/yum-cli/utils.py", line 353, in doUtilTransaction
return_code = self.doTransaction()
File "/usr/share/yum-cli/cli.py", line 588, in doTransaction
resultobject = self.runTransaction(cb=cb)
File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 1519, in runTransaction
lastdbv = self.history.last()
File "/usr/lib/python2.6/site-packages/yum/history.py", line 1267, in last
ret = self.old([], 1, complete_transactions_only)
File "/usr/lib/python2.6/site-packages/yum/history.py", line 1216, in old
executeSQL(cur, sql, params)
File "/usr/lib/python2.6/site-packages/yum/sqlutils.py", line 166, in executeSQLQmark
return cursor.execute(query)
sqlite3.OperationalError: database is locked

I read a lot, but don't find how ro resolv this bug

Thank you for your help

Plesk Onyx v17.5.3_build1705170317.16 os_CentOS 6
OS CentOS 6.9 (Final)