
fail2ban: ERROR iptables

rgruyters

Basic Pleskian
I have installed Fail2ban via the Plesk add-on packages. When I run fail2ban, after a few hours I see a lot of error messages in `/var/log/messages`.

Code:
...
Oct 23 15:17:12 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 15:17:12 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
Oct 23 15:27:13 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 15:27:13 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
Oct 23 20:36:42 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 20:36:42 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
Oct 23 20:44:32 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 20:44:32 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
Oct 23 20:46:42 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 20:46:42 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
Oct 23 20:54:33 server fail2ban.actions.action[3281]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH#012iptables -F fail2ban-SSH#012iptables -X fail2ban-SSH returned 300
Oct 23 20:54:33 server fail2ban.actions.action[3281]: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
...

And I have fail2ban 0.8.14 installed:
fail2ban-0.8.14-1.el6.noarch
plesk-fail2ban-configurator-12.0.18-cos6.build1200140526.11.noarch

Any idea what the problem is?

Regards,

Robin.
 
Have you got selinux installed?

Please provide some logs from "/var/log/audit/audit.log" for further investigations.
 
Here. Looks like selinux is blocking things. (and that answered your question as well)

Code:
type=SYSCALL msg=audit(1414094129.495:1896754): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=4 items=0 ppid=26281 pid=26284 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.495:1896755): avc:  denied  { search } for  pid=26284 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1414094129.495:1896755): arch=c000003e syscall=2 success=no exit=-13 a0=3b6e005672 a1=0 a2=0 a3=4 items=0 ppid=26281 pid=26284 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.496:1896756): avc:  denied  { create } for  pid=26281 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414094129.496:1896756): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=4 items=0 ppid=26255 pid=26281 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.496:1896757): avc:  denied  { search } for  pid=26281 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1414094129.496:1896757): arch=c000003e syscall=2 success=no exit=-13 a0=3b6e005672 a1=0 a2=0 a3=4 items=0 ppid=26255 pid=26281 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.606:1896761): avc:  denied  { create } for  pid=26300 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414094129.606:1896761): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=0 items=0 ppid=26299 pid=26300 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.607:1896762): avc:  denied  { search } for  pid=26300 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1414094129.607:1896762): arch=c000003e syscall=2 success=no exit=-13 a0=3b6e005672 a1=0 a2=0 a3=0 items=0 ppid=26299 pid=26300 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.613:1896763): avc:  denied  { create } for  pid=26301 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414094129.613:1896763): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=4 items=0 ppid=26299 pid=26301 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.616:1896764): avc:  denied  { search } for  pid=26301 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1414094129.616:1896764): arch=c000003e syscall=2 success=no exit=-13 a0=3b6e005672 a1=0 a2=0 a3=4 items=0 ppid=26299 pid=26301 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10696 comm="iptables" exe="/sbin/iptables-multi-1.4.7" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1414094129.617:1896765): avc:  denied  { create } for  pid=26299 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
 
The policies from selinux are incorrect. This bug may be solved manually, or by an upgrade of the selinux-policy package.
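
An added example, not part of the thread: a Python script that groups the AVC denials from an `audit.log` excerpt like the one above by source type, target type and object class, pairs each with the failing syscall from the matching SYSCALL record, and renders the type-enforcement rule a local policy module would need. The function names are hypothetical, the sample records are trimmed from the thread's excerpt, and the syscall names cover only the two x86_64 numbers that appear there.

```python
import re
from collections import defaultdict

# Constructed sample: records trimmed from the audit.log excerpt posted in the thread.
SAMPLE = """\
type=AVC msg=audit(1414094129.495:1896755): avc:  denied  { search } for  pid=26284 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1414094129.495:1896755): arch=c000003e syscall=2 success=no exit=-13 pid=26284 comm="iptables" exe="/sbin/iptables-multi-1.4.7"
type=AVC msg=audit(1414094129.496:1896756): avc:  denied  { create } for  pid=26281 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1414094129.496:1896756): arch=c000003e syscall=41 success=no exit=-13 pid=26281 comm="iptables" exe="/sbin/iptables-multi-1.4.7"
type=AVC msg=audit(1414094129.617:1896765): avc:  denied  { create } for  pid=26299 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<event>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<event>\d+)\):.*?syscall=(?P<nr>\d+).*?exit=(?P<exit>-?\d+)')
X86_64_SYSCALLS = {2: "open", 41: "socket"}  # only the numbers seen in the excerpt


def summarize(text):
    """Group AVC denials by (source type, target type, class); attach failing syscalls."""
    # AVC and SYSCALL records of one event share the serial number after the timestamp.
    syscalls = {m["event"]: (int(m["nr"]), int(m["exit"])) for m in SYSCALL_RE.finditer(text)}
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "syscalls": set()})
    for m in AVC_RE.finditer(text):
        # A context is user:role:type:level, so the type is the third field.
        key = (m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["count"] += 1
        if m["event"] in syscalls:
            nr, exit_code = syscalls[m["event"]]  # exit=-13 is -EACCES
            g["syscalls"].add((X86_64_SYSCALLS.get(nr, str(nr)), exit_code))
    return dict(groups)


def te_rules(groups):
    """Render each group as a type-enforcement allow rule, for review before use."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {perm_txt};")
    return rules


if __name__ == "__main__":
    print("\n".join(te_rules(summarize(SAMPLE))))
```

The summary shows that `iptables`, running in the `fail2ban_t` domain, is refused both the raw socket it needs to talk to netfilter and a directory search under `sysctl_kernel_t`, which is the policy gap the last reply refers to.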
 