

fail2ban startup issue on centos7, Re: will rebooting and or updating affecting startup




Posted by Greenerpastures, 02-14-2016, 06:46 PM
Hi everyone, first post, first vps setup, first time to use fail2ban. With some doing I managed to install and set up fail2ban on my vps running centos7. I have a problem that occurs when starting the service, there is a work around that overcomes the startup issue and I confirm that fail2ban is running and working, at least from the point of blocking threats, I have not looked into logs nor do I even know where to find them, but going from 9000 bruteforce attempts gradually to 3 is proof enough. Below are my attempts to start fail2ban, and how I eventually got it running.

My question is: if I use yum update, will I end up having to repeat the steps I initially took to get fail2ban started, will yum update mess it up if it finds and updates fail2ban? I know a reboot causes me to go through the below procedure. Either way, is there a solution that will fix the startup issue permanently so I can update and reboot without fail2ban failing to restart?

I followed these instructions which I got off the web

*****************************

Create/edit the file /etc/fail2ban/jail.local and add:

    [sshd]
    enabled = true

Start it with:

    systemctl start fail2ban

Make it start at boot time:

    systemctl enable fail2ban

There used to be a known bug where SELinux would block fail2ban from accessing the log files it needed to do its job. This seems to be fixed in the most recent version of CentOS 7; you shouldn't need to make the changes below. If you do have this issue, symptoms are nothing appearing in the logs and nothing appearing as failed or blocked in the output of fail2ban-client status sshd.

To check for SELinux error, read the journals with:

    journalctl -lfu fail2ban

Watch them for messages such as:

    SELinux is preventing /usr/bin/python2.7 from getattr access on the file .

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that python2.7 should be allowed getattr access on the file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Therefore do as suggested and run:

    grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
    semodule -i mypol.pp

Then, to be safe, restart fail2ban:

    systemctl restart fail2ban

You may even have to repeat the process above until no more error messages appear in the log. If your server is on the internet then monitor fail2ban-client status sshd. It will soon start to show failed and banned counts if you've caught all the SELinux issues.

Note that you will have to keep an eye on your SELinux policy updates. If a selinux-policy package update appears, it may overwrite the above and you may need to run the above commands again. You'll know if this is the case as fail2ban will stop working again!

End of instructions

**********************************************************************

Rough record of what I did, the errors I got and the final startup success to get it to work.

    [root@63 ~]# systemctl restart file2ban
    Failed to restart file2ban.service: Unit file2ban.service failed to load: No such file or directory.
    [root@63 ~]# systemctl start file2ban
    Failed to start file2ban.service: Unit file2ban.service failed to load: No such file or directory.
    [root@63 ~]# service file2ban reload
    Redirecting to /bin/systemctl reload file2ban.service
    Failed to reload file2ban.service: Unit file2ban.service failed to load: No such file or directory.
    [root@63 ~]# systemctl status fail2ban.service
    * fail2ban.service - Fail2Ban Service
       Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
       Active: failed (Result: start-limit) since Sun 2016-02-14 07:19:33 CST; 1h 41min ago
         Docs: man:fail2ban(1)
      Process: 1659 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

    Feb 14 07:19:33 63 systemd[1]: Failed to start Fail2Ban Service.
    Feb 14 07:19:33 63 systemd[1]: Unit fail2ban.service entered failed state.
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service failed.
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service holdoff time over, scheduli...t.
    Feb 14 07:19:33 63 systemd[1]: start request repeated too quickly for fail2...ce
    Feb 14 07:19:33 63 systemd[1]: Failed to start Fail2Ban Service.
    Feb 14 07:19:33 63 systemd[1]: Unit fail2ban.service entered failed state.
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service failed.
    **********FAILED TO START FAIL2BAN, I added this line.
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@63 ~]# grep fail2ban-server /var/log/audit/audit.log | audit2allow -M mypol
    [root@63 ~]#semodule -i mypol.pp
    *******
    [root@63 ~]# systemctl start fail2ban ***** START FAIL2BAN
    [root@63 ~]# systemctl enable fail2ban ***** ENABLE IT AT STARTUP
    [root@63 ~]# journalctl -lfu fail2ban ***** CHECK IF FAIL2BAN STARTED AND WHAT ERRORS OCCURRED
    -- Logs begin at Thu 2016-02-11 16:25:03 CST. --
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service failed.
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service holdoff time over, scheduling restart.
    Feb 14 07:19:33 63 systemd[1]: start request repeated too quickly for fail2ban.service
    Feb 14 07:19:33 63 systemd[1]: Failed to start Fail2Ban Service.
    Feb 14 07:19:33 63 systemd[1]: Unit fail2ban.service entered failed state.
    Feb 14 07:19:33 63 systemd[1]: fail2ban.service failed.
    Feb 14 09:03:52 63 systemd[1]: Starting Fail2Ban Service...
    Feb 14 09:03:52 63 fail2ban-client[5565]: 2016-02-14 09:03:52,378 fail2ban.server [5566]: INFO Starting Fail2ban v0.9.3
    Feb 14 09:03:52 63 fail2ban-client[5565]: 2016-02-14 09:03:52,378 fail2ban.server [5566]: INFO Starting in daemon mode
    Feb 14 09:03:52 63 systemd[1]: Started Fail2Ban Service.
    ****Successful startup****

Again my question is, will yum update mess this up and as such I will have to go through the steps taken above to restart fail2ban, I know a reboot causes me to go through the above procedure. Either way, is there a solution that will fix the startup issue permanently so I can update and reboot without fail2ban failing to restart?

Thank you kindly for your support.
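
An added example, not part of the original post: the instructions quoted above pipe every fail2ban-server denial straight into audit2allow, so this helper first lists which permissions and targets the generated module would allow. The function names, the sample audit records and the paths in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what audit2allow would be asked to permit.
# Groups SELinux AVC denials for one process name by permission and target.
# Usage: f2b_avc_summary [audit_log|-] [comm]
f2b_avc_summary() {
    log="${1:-/var/log/audit/audit.log}"
    comm="${2:-fail2ban-server}"
    awk -v want="$comm" '
        # Return the value of key=value field "name" on the current record.
        function field(name,    i, v) {
            for (i = 1; i <= NF; i++)
                if (index($i, name "=") == 1) {
                    v = substr($i, length(name) + 2)
                    gsub(/"/, "", v)
                    return v
                }
            return ""
        }
        /^type=AVC / && / denied / {
            if (field("comm") != want) next
            perms = $0                      # text between "{" and "}"
            sub(/^[^{]*[{] */, "", perms)
            sub(/ *[}].*$/, "", perms)
            target = field("path")
            if (target == "") target = field("name")
            seen[perms " " field("tclass") " " field("tcontext") " " target]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$log" | sort -rn
}

# Constructed sample records (not taken from the thread).
f2b_sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1455455973.101:201): avc:  denied  { getattr } for  pid=1659 comm="fail2ban-server" path="/var/log/secure" dev="vda1" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1455455974.102:202): avc:  denied  { getattr } for  pid=1659 comm="fail2ban-server" path="/var/log/secure" dev="vda1" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1455455975.103:203): avc:  denied  { read } for  pid=1659 comm="fail2ban-server" name="secure" dev="vda1" ino=1001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1455455976.104:204): avc:  denied  { read } for  pid=900 comm="sshd" name="example" dev="vda1" ino=1002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1455455976.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="fail2ban-server" exe="/usr/bin/python2.7"
EOF
}

f2b_sample_log | f2b_avc_summary -
```

Run as root with no arguments, the function reads /var/log/audit/audit.log; each output line is a count followed by the permission, object class, target context and file that a generated module would cover.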

Posted by Greenerpastures, 02-15-2016, 09:03 AM
I need your advice regarding my post, as I do not want to upset my server by updating or rebooting if it is going to mess with my fail2ban application. Kind regards

Posted by Srv24x7, 02-15-2016, 11:35 AM
Hi, If it is an SELinux issue, it will not cause, as you already made the changes to fix it. However, if this is configuration based, then you might get into issues with the update.

Posted by Greenerpastures, 02-15-2016, 12:16 PM
Hi Srv24x7, and thanks. I have had to reboot and fail2ban started as normal. I then altered iptables via webmin, just re ordered them, and when I did iptables -L -n there were no longer any entries for fail2ban, so I altered the JAIL.LOCAL and I now see entries in my iptables, through shell only, they do not show under webmin in the linux firewall settings. The entries I now get are not the same as those before, it is working but perhaps my fail2ban settings are not good. If you care to comment on these new settings please do, otherwise I may start a new post.

**************************************************************************************************.

    [root@63 ~]# iptables -L -n
    Chain INPUT (policy DROP)
    target prot opt source destination
    f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    DO I NEED THIS LINE TO ALLOW ACCESS TO LOCALHOST AND THE PORTS I ALLOW AFTER THIS LINE?????
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:110
    !!! DO I NEED THIS LINE AS I COULD LEAVE OUTPUT TO ACCEPT, was just curious and added an entry for port 110 because i was having trouble sending mail, have no mx records as am only testing and no domain setup for this ip either.

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- 69.197.145.242 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 58.218.211.38 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 218.75.219.238 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 183.3.202.101 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 119.254.103.15 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 113.195.145.12 0.0.0.0/0 reject-with icmp-port-unreachable
    RETURN all -- 0.0.0.0/0 0.0.0.0/0
    [root@63 ~]#

I could do with everyone's opinion as I am new to all this and want to get iptables and fail2ban sorted before I upload any files / site. Thank you kindly

Posted by Srv24x7, 02-16-2016, 10:28 AM
Hi, Those iptables rules seem to be all basic ones. You can really make more use of it from the fail2ban if you want. Refer to the below link: fail2ban.org/wiki/index.php/HOWTOs Check over the configuration once more and freeze it, so you will be a bit relaxed on some part of administration in terms of attack.

Posted by Greenerpastures, 02-17-2016, 10:00 PM
Thanks Srv24x7. I found too many errors in the fail2ban logs, I got rid of it, and am now using specific iptables to mess anyone's chances of getting in to my server, I will not have many ssh based attempts from now on. Did a good bit of reading up and found I do not need fail2ban, I also had trouble with the firewalld running, I do not use that any more. Regards to all.


