
Fail2Ban Keeps Turning Off

What a bugger of a problem.

Anecdotally it sounded like it had something to do with the way that iptables gets gracefully stopped (along with Fail2Ban) and even though iptables is restarted Fail2Ban does not get restarted. Hopefully this thread receives some additional insight that could help change that behavior.
 
Until this problem is fixed, I have added some protection to the server. I have a cron job that runs every 2 minutes to check if fail2ban is still running. The service gets restarted if it has failed. This isn't the ideal solution to the problem. Ideally the service wouldn't stop for some reason. I guess this is the next best thing.
 
I MAY have found a possible problem. Once again I noticed that fail2ban was off when I went into Plesk. Didn't make sense that my script didn't restart the service when it crashed. So I checked the logs. It didn't crash. It was shut off. I noted the time it shut down and remember getting a notification email about another package update.

I got the cron email... Cron <root@web2> /usr/sbin/csf -u

So it seems fail2ban shut down when CSF updated. For whatever reason it got shut off but didn't get restarted once the update completed. There was nothing about fail2ban in the cron email so not sure why it gets shut off and why it doesn't restart.

Does this help shed light on the problem?
 
csf is an iptables script. So when csf was updated, it most likely restarted iptables. Fail2ban was still running (that's why no action from your cron), but isn't working correctly anymore because of the restart of iptables.

See my earlier posting

This is not a Plesk "problem", this is normal f2b behaviour: whenever iptables is restarted, fail2ban must be restarted.

The answer would be to have your cron scan the fail2ban log, investigate the last 10 lines or so for entries that indicate iptables was restarted, like "ERROR iptables", and restart fail2ban if they are found.

tail -n 10 /var/log/fail2ban.log | grep "ERROR iptables"

regards
Jan
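
The log check suggested above, as an added example that is not part of the thread or of any poster's setup. It also covers the cleanly stopped service reported earlier in the thread, and it ignores errors logged by an earlier fail2ban PID so that one incident does not trigger a restart on every cron run. The log path, pid file path, script path and `service` wrapper are assumed defaults.

```shell
#!/bin/sh
# Added example: cron watchdog for fail2ban after an iptables/csf restart.
# Assumed defaults; override through the environment for your host.
F2B_LOG=${F2B_LOG:-/var/log/fail2ban.log}
F2B_PIDFILE=${F2B_PIDFILE:-/var/run/fail2ban/fail2ban.pid}

# f2b_decide LOG PID [LINES]  ->  prints "start", "restart" or "ok"
f2b_decide() {
    log=$1 pid=$2 lines=${3:-200}
    # No PID: the server is not running (the "clean shutdown" case).
    [ -n "$pid" ] || { echo start; return; }
    # Count iptables failures logged by the *running* server only.
    # Lines from an older PID predate the last restart and are stale.
    # Fields: date time logger [pid]: LEVEL message...
    hits=$(tail -n "$lines" "$log" 2>/dev/null | awk -v pid="[$pid]:" '
        $4 == pid && $5 == "ERROR" &&
        ($6 == "iptables" || /Invariant check failed/) { n++ }
        END { print n + 0 }')
    if [ "$hits" -gt 0 ]; then echo restart; else echo ok; fi
}

f2b_watchdog() {
    pid=$(cat "$F2B_PIDFILE" 2>/dev/null)
    # A pid file left behind by a dead process does not count as running.
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || pid=
    case $(f2b_decide "$F2B_LOG" "$pid") in
        start)   service fail2ban start ;;
        restart) service fail2ban restart ;;
    esac
}

# Hypothetical cron entry: */2 * * * * /usr/local/sbin/f2b-watchdog.sh run
if [ "${1:-}" = run ]; then f2b_watchdog; fi
```

In the logs posted in this thread the errors appear when a ban or unban is attempted, so this check only fires after the next such event following the iptables restart.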
 
Hi Jan,

There was no error in the fail2ban.log. It was disabled as if I had done so through Plesk. CSF disabled it and never re-enabled it.

So late last night/early this morning, there was another CSF update. This time it wasn't a clean shutdown with no errors. This time the log file was filled with errors. I ran CSF and fail2ban on cPanel and never had these problems. Not sure why I am experiencing these with Plesk. Here is just a small sample of the errors that showed up with the latest shut down.

2017-10-25 01:47:08,257 fail2ban.server [29150]: INFO Stopping all jails
2017-10-25 01:47:09,275 fail2ban.action [29150]: ERROR iptables -w -D INPUT -p tcp -j f2b-BadBots
iptables -w -F f2b-BadBots
iptables -w -X f2b-BadBots -- stdout: ''
2017-10-25 01:47:09,276 fail2ban.action [29150]: ERROR iptables -w -D INPUT -p tcp -j f2b-BadBots
iptables -w -F f2b-BadBots
iptables -w -X f2b-BadBots -- stderr: "iptables v1.4.21: Couldn't load target `f2b-BadBots':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2017-10-25 01:47:09,278 fail2ban.action [29150]: ERROR iptables -w -D INPUT -p tcp -j f2b-BadBots
iptables -w -F f2b-BadBots
iptables -w -X f2b-BadBots -- returned 1
2017-10-25 01:47:09,281 fail2ban.actions [29150]: ERROR Failed to stop jail 'plesk-apache-badbot' action 'iptables-allports': Error stopping action
2017-10-25 01:47:09,282 fail2ban.jail [29150]: INFO Jail 'plesk-apache-badbot' stopped
2017-10-25 01:47:10,086 fail2ban.actions [29150]: NOTICE [recidive] Unban 191.96.249.105
2017-10-25 01:47:10,192 fail2ban.action [29150]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stdout: ''
2017-10-25 01:47:10,192 fail2ban.action [29150]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stderr: ''
2017-10-25 01:47:10,192 fail2ban.action [29150]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- returned 1
2017-10-25 01:47:10,193 fail2ban.CommandAction [29150]: ERROR Invariant check failed. Trying to restore a sane environment
2017-10-25 01:47:10,299 fail2ban.action [29150]: ERROR iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stdout: ''
 
What does the fail2ban forum say?
What does the csf forum say?

Neither fail2ban nor csf is created by Plesk, and it's clear that it doesn't interest you if someone gives you an answer.

If f2b is disabled when csf updates then csf disables it.
If the errors come when iptables was restarted then ...

Why do I bother, I give up.

Have a nice life
Jan
 
Sorry Jan but I am not sure you are much help. I know Plesk doesn't make fail2ban and csf. It doesn't make Apache, PHP, nginx, etc. But it does work with those services and when there are problems related to those services working with Plesk people post here. Don't you think I've hunted high and low for solutions? I have. The problem seems to be unique to the functionality of those features on Plesk. That is why I post here. I've used them on cPanel and haven't had problems. So why does the problem exist here? I've tried countless solutions and nothing seems to work. I am not here for my entertainment or yours. If you have nothing constructive to offer this discussion please don't bother responding.

And in case someone else is having the same problem, the latest solution I am trying is updating the cron job. I've added a stop to the fail2ban service before the csf update followed by a restart of the service. Hopefully this eliminates the crashing of the feature.
 
Code:
2017-10-25 21:14:24,733 fail2ban.filter         [32246]: INFO    [plesk-courierimap] Found 84.192.31.234
2017-10-25 21:14:42,035 fail2ban.filter         [32246]: INFO    [plesk-courierimap] Found 84.192.31.234
2017-10-25 21:15:50,528 fail2ban.filter         [32246]: INFO    [ssh-iptables] Found 124.204.42.38
2017-10-25 21:15:50,530 fail2ban.filter         [32246]: INFO    [ssh-iptables] Found 124.204.42.38
2017-10-25 21:15:50,553 fail2ban.actions        [32246]: NOTICE  [ssh-iptables] Ban 124.204.42.38
2017-10-25 21:15:50,655 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stdout: ''
2017-10-25 21:15:50,655 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- stderr: ''
2017-10-25 21:15:50,655 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-SSH[ \t]' -- returned 1
2017-10-25 21:15:50,655 fail2ban.CommandAction  [32246]: ERROR   Invariant check failed. Trying to restore a sane environment
2017-10-25 21:15:50,757 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp --dport 22222 -j f2b-SSH
iptables  -F f2b-SSH
iptables  -X f2b-SSH -- stdout: ''
2017-10-25 21:15:50,757 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp --dport 22222 -j f2b-SSH
iptables  -F f2b-SSH
iptables  -X f2b-SSH -- stderr: "iptables v1.4.7: Couldn't load target `f2b-SSH':/lib64/xtables/libipt_f2b-SSH.so: cannot open shared object file: No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2017-10-25 21:15:50,757 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp --dport 22222 -j f2b-SSH
iptables  -F f2b-SSH
iptables  -X f2b-SSH -- returned 1
2017-10-25 21:15:50,758 fail2ban.actions        [32246]: ERROR   Failed to execute ban jail 'ssh-iptables' action 'iptables' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x26f3c80>, 'matches': u'Oct 25 21:11:16 res1 sshd[18183]: Invalid user db2fenc1 from 124.204.42.38\nOct 25 21:11:16 res1 sshd[18183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.204.42.38 \nOct 25 21:11:19 res1 sshd[18183]: Failed password for invalid user db2fenc1 from 124.204.42.38 port 15909 ssh2\nOct 25 21:15:50 res1 sshd[20563]: Invalid user content from 124.204.42.38\nOct 25 21:15:50 res1 sshd[20563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.204.42.38 ', 'ip': '124.204.42.38', 'ipmatches': <function <lambda> at 0x27705f0>, 'ipfailures': <function <lambda> at 0x26f3578>, 'time': 1508958950.5529971, 'failures': 5, 'ipjailfailures': <function <lambda> at 0x7fbe440d8b90>})': Error stopping action
2017-10-25 21:15:52,324 fail2ban.filter         [32246]: INFO    [ssh-iptables] Found 124.204.42.38
2017-10-25 21:16:11,394 fail2ban.actions        [32246]: NOTICE  [plesk-proftpd] Unban 219.139.150.33
2017-10-25 21:16:11,496 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stdout: ''
2017-10-25 21:16:11,496 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- stderr: ''
2017-10-25 21:16:11,497 fail2ban.action         [32246]: ERROR   iptables  -n -L INPUT | grep -q 'f2b-plesk-proftpd[ \t]' -- returned 1
2017-10-25 21:16:11,497 fail2ban.CommandAction  [32246]: ERROR   Invariant check failed. Trying to restore a sane environment
2017-10-25 21:16:11,599 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables  -F f2b-plesk-proftpd
iptables  -X f2b-plesk-proftpd -- stdout: ''
2017-10-25 21:16:11,599 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables  -F f2b-plesk-proftpd
iptables  -X f2b-plesk-proftpd -- stderr: "iptables v1.4.7: Couldn't load target `f2b-plesk-proftpd':/lib64/xtables/libipt_f2b-plesk-proftpd.so: cannot open shared object file: No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2017-10-25 21:16:11,599 fail2ban.action         [32246]: ERROR   iptables  -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j f2b-plesk-proftpd
iptables  -F f2b-plesk-proftpd
iptables  -X f2b-plesk-proftpd -- returned 1

Do these errors look familiar?

I produced this log by restarting iptables without restarting fail2ban. So please don't tell me that I am not much help. I gave the reason for your problem already twice.

Jan
 
Well, I can just say: I have this problem too. And I have had this for years now but didn't really research it until now.

CentOS Linux 7.5.1804 (Core)
Plesk Onyx
Version 17.5.3 Update #57

Maybe that post helps to bump the thread to some devs. I as well suspect that updates might be the cause of the problem.
 
I also had such a problem for years now and could figure it out for me.
You will most likely have the same problem if you can verify that fail2ban continues to work when you comment out cron.daily in /etc/crontab for testing. I'm still testing and will report my solution.
 