fail2ban not execute command to start jail

Bug #403808 reported by mike Bernson
This bug affects 8 people
Affects                 Status         Importance   Assigned to   Milestone
fail2ban (Arch Linux)   Invalid        Undecided    Unassigned
fail2ban (Debian)       Invalid        Undecided    Unassigned
fail2ban (Mandriva)     Invalid        Undecided    Unassigned
fail2ban (Suse)         Invalid        Undecided    Unassigned
fail2ban (Ubuntu)       Fix Released   Medium       Unassigned
    Declined for Dapper by Steve Beattie
    Declined for Hardy by Steve Beattie
    Declined for Jaunty by Steve Beattie
    Declined for Karmic by Daniel T Chen
    Declined for Lucid by Daniel T Chen
    Declined for Maverick by Daniel T Chen
iptables (Ubuntu)       Invalid        Undecided    Unassigned
    Declined for Dapper by Steve Beattie
    Declined for Hardy by Steve Beattie
    Declined for Jaunty by Steve Beattie
    Declined for Karmic by Daniel T Chen
    Declined for Lucid by Daniel T Chen
    Declined for Maverick by Daniel T Chen

Bug Description

Binary package hint: fail2ban

I am running Ubuntu 9.04 server 64 bit.
root@work-isp:/etc/fail2ban# uname -a
Linux work-isp.ltcd.com 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 UTC 2009 x86_64 GNU/Linux

When fail2ban starts a jail using iptables, some or all of the commands to create the jail will fail and
leave the jail in a bad state or uncreated. When this happens I see errors in the log stating that
the command failed with a return code (sometimes 200, sometimes 400 and sometimes 100).

Between working and broken (failed to create jail) I do not change anything in the configs. All I do
is just /etc/init.d/fail2ban start. If it did not create all the jails I then do /etc/init.d/fail2ban stop followed
by /etc/init.d/fail2ban start. If I do that a few times then I get all the jails created.

I know that you must run using python 2.5, not python 2.6. I have edited the top of both
fail2ban-server and fail2ban-client to '#!/usr/bin/python2.5'.

I can see that the jail is not created using iptables -n -L.
Sometimes the chain for the jail is not created. Sometimes
the return is not there. Sometimes the rule in the INPUT
chain to jump is not there. In all cases that did not work
I just see a command returning X00.

root@work-isp:/etc/fail2ban# lsb_release -rd
Description: Ubuntu 9.04
Release: 9.04

root@work-isp:~# apt-cache policy fail2ban
fail2ban:
  Installed: 0.8.3-2
  Candidate: 0.8.3-2
  Version table:
 *** 0.8.3-2 0
        500 http://us.archive.ubuntu.com jaunty/universe Packages
        100 /var/lib/dpkg/status

Here is a copy of the 2 jails that are active in jails.conf:

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
bantime = 900
maxretry = 6

[dovecot]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot-auth
logpath = /var/log/mail.log
bantime = 900
maxretry = 6

[SquirrelMail]

enabled = true
port = http,https
filter = squirrelmail
logpath = /var/log/squirrelmail.log
bantime = 900
maxretry = 3

Here is the log file showing the error:
2009-07-23 18:42:31,996 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-07-23 18:42:31,998 fail2ban.jail : INFO Creating new jail 'apache'
2009-07-23 18:42:31,998 fail2ban.jail : INFO Jail 'apache' uses poller
2009-07-23 18:42:32,029 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2009-07-23 18:42:32,030 fail2ban.filter : INFO Set maxRetry = 6
2009-07-23 18:42:32,033 fail2ban.filter : INFO Set findtime = 600
2009-07-23 18:42:32,034 fail2ban.actions: INFO Set banTime = 900
2009-07-23 18:42:32,054 fail2ban.jail : INFO Creating new jail 'dovecot'
2009-07-23 18:42:32,054 fail2ban.jail : INFO Jail 'dovecot' uses poller
2009-07-23 18:42:32,056 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2009-07-23 18:42:32,058 fail2ban.filter : INFO Set maxRetry = 6
2009-07-23 18:42:32,060 fail2ban.filter : INFO Set findtime = 600
2009-07-23 18:42:32,062 fail2ban.actions: INFO Set banTime = 900
2009-07-23 18:42:32,080 fail2ban.jail : INFO Creating new jail 'SquirrelMail'
2009-07-23 18:42:32,080 fail2ban.jail : INFO Jail 'SquirrelMail' uses poller
2009-07-23 18:42:32,082 fail2ban.filter : INFO Added logfile = /var/log/squirrelmail.log
2009-07-23 18:42:32,083 fail2ban.filter : INFO Set maxRetry = 3
2009-07-23 18:42:32,086 fail2ban.filter : INFO Set findtime = 600
2009-07-23 18:42:32,087 fail2ban.actions: INFO Set banTime = 900
2009-07-23 18:42:32,102 fail2ban.jail : INFO Jail 'apache' started
2009-07-23 18:42:32,107 fail2ban.jail : INFO Jail 'dovecot' started
2009-07-23 18:42:32,114 fail2ban.jail : INFO Jail 'SquirrelMail' started
2009-07-23 18:42:32,139 fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot
iptables -A fail2ban-dovecot -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-dovecot returned 200
2009-07-23 19:16:32,479 fail2ban.jail : INFO Jail 'apache' stopped
2009-07-23 19:16:33,426 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-dovecot
iptables -F fail2ban-dovecot
iptables -X fail2ban-dovecot returned 100

ProblemType: Bug
Architecture: amd64
Dependencies:

DistroRelease: Ubuntu 9.04
NonfreeKernelModules: nvidia
Package: fail2ban None [modified: /var/lib/dpkg/info/fail2ban.list]
PackageArchitecture: all
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: fail2ban
Uname: Linux 2.6.28-14-generic x86_64
UnreportableReason: This is not a genuine Ubuntu package
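
The log above shows action command blocks that exited non-zero while the jails were still reported as started. The following added example (not part of the original report and not fail2ban code) parses fail2ban.log entries of that shape and lists the failed blocks; the function names are illustrative, and it assumes each chain is named fail2ban-<jail> as in the report.

```python
import re

# Sample input: entries copied from the log in the report above.
SAMPLE_LOG = """\
2009-07-23 18:42:32,139 fail2ban.actions.action: ERROR iptables -N fail2ban-dovecot
iptables -A fail2ban-dovecot -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-dovecot returned 200
2009-07-23 19:16:33,426 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-dovecot
iptables -F fail2ban-dovecot
iptables -X fail2ban-dovecot returned 100
"""

HEADER = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} (\S+)\s*: (\w+) (.*)$")
RETURNED = re.compile(r" returned (\d+)$")
CHAIN = re.compile(r"\bfail2ban-[\w-]+")

def entries(log_text):
    """Group lines into entries; a line without a timestamp continues the previous one."""
    out = []
    for line in log_text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            out.append({"level": m.group(2), "lines": [m.group(3)]})
        elif out and line.strip():
            out[-1]["lines"].append(line.strip())
    return out

def failed_actions(log_text):
    """One record per ERROR entry whose command block 'returned <code>'."""
    out = []
    for e in entries(log_text):
        m = RETURNED.search(e["lines"][-1])
        if e["level"] != "ERROR" or not m:
            continue
        cmds = e["lines"][:-1] + [RETURNED.sub("", e["lines"][-1])]
        chain = CHAIN.search(" ".join(cmds))
        phase = ("start" if any(" -N " in c for c in cmds) else
                 "stop" if any(" -X " in c for c in cmds) else "other")
        out.append({"chain": chain.group(0) if chain else None,
                    "code": int(m.group(1)), "phase": phase, "commands": cmds})
    return out

def jails_with_failed_start(log_text):
    """Jails whose chain setup failed, so bans may not be enforced.
    Assumption: the chain is named fail2ban-<jail>, as in the report."""
    return sorted({f["chain"][len("fail2ban-"):] for f in failed_actions(log_text)
                   if f["phase"] == "start" and f["chain"]})
```

Running `jails_with_failed_start` over the live log after each service restart gives the list of jails to re-check with iptables -n -L.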

Fail2Ban (failtoban)
tags: added: fail2ban
Mitch Towner (kermiac)
tags: removed: fail2ban
Mitch Towner (kermiac) wrote :

Invalidated wrongly set tasks.

@ Fail2Ban: Please do not add new tasks to bug reports or nominate for release without commenting to advise why you have done this.
Thanks in advance!

Changed in iptables (Ubuntu):
status: New → Invalid
Changed in fail2ban (Arch Linux):
status: New → Invalid
Changed in fail2ban (Debian):
status: New → Invalid
Changed in fail2ban (Mandriva):
status: New → Invalid
Changed in fail2ban (Suse):
status: New → Invalid
Pawel Barcik (pawel-barcik) wrote :

It is caused by iptables, and the solution is here at the end of the page:

http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal

"fail2ban.action.action ERROR on startup/restart

I had multiple fail2ban.action.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)

def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)
        beautifier.setInputCmd(c)
"

Adding "time.sleep(0.1)" worked like a charm for me. It extends the restart time by 20 or so seconds, but works great.

bsgcic (bsgcic) wrote :

I was getting the same behavior as the reporter of this bug (Mike), and I finally found this page and realized that this is a bug of fail2ban itself. My system is Ubuntu 10.04 with the 0.8.4-1ubuntu1 version of the fail2ban package for Ubuntu.

I just added the time.sleep(0.1) line to /usr/bin/fail2ban-client and now it works but with a slower response time.

Please change the designation of this report back from "Invalid" to "New".

Please add the time.sleep(0) to the package maintainer's version of /usr/bin/fail2ban-client or another fix that corrects the behavior of this * bug *.

Thank you

bsgcic (bsgcic) wrote :

I was trying to nominate this for lucid and mistakenly nominated for past releases. I do not see how I can remove nominations for the older releases after I have nominated them. I see that this has already been nominated for Karmic and Lucid by the fail2ban team.

Martitza (martitzam) wrote :

The sleep(0.1) described above (https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/403808/comments/2) appears to work on both my Karmic and Lucid boxes. I don't mind adding a few seconds to booting. But this does seem like a brittle fix. A better solution would be a handshake with a finite timeout before logging an error.
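
One way to implement the bounded wait suggested in the comment above, read here as "retry each command until it succeeds or a deadline passes, and only then report an error". This is an added example, not fail2ban's code and not the fix that shipped; `run_each_with_deadline`, `run_command` and the `run`, `clock` and `sleep` parameters are assumptions made for illustration.

```python
import shlex
import subprocess
import time

# The start commands of the dovecot jail, as logged in the report.
ACTION_START = [
    "iptables -N fail2ban-dovecot",
    "iptables -A fail2ban-dovecot -j RETURN",
    "iptables -I INPUT -p tcp -m multiport --dports "
    "smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -j fail2ban-dovecot",
]


def run_command(cmd):
    """Default runner: execute one command without a shell, return its exit status."""
    return subprocess.call(shlex.split(cmd))


def run_each_with_deadline(cmds, timeout=2.0, interval=0.1, run=run_command,
                           clock=time.monotonic, sleep=time.sleep):
    """Run commands in order, retrying a failing one until it succeeds or
    `timeout` seconds have passed for that command.

    Retrying per command rather than per block matters: repeating
    "iptables -N" after it succeeded fails because the chain already exists.
    Returns (ok, attempts); attempts maps each command tried to its try count.
    """
    attempts = {}
    for cmd in cmds:
        deadline = clock() + timeout
        while True:
            attempts[cmd] = attempts.get(cmd, 0) + 1
            if run(cmd) == 0:
                break
            if clock() >= deadline:
                return False, attempts  # the point at which to log the error
            sleep(interval)
    return True, attempts
```

Unlike a fixed sleep before every command, this adds delay only when a command actually fails, and the worst-case added time per command is bounded by `timeout`.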

MaxNegro (maxnegro) wrote :

Bug still present in Maverick. Proposed workaround (patching /usr/bin/fail2ban-client) does solve the problem.

Dave Walker (davewalker) wrote :

Hi, Can anyone confirm if this bug is present in Natty please?

Changed in fail2ban (Ubuntu):
status: New → Incomplete
MaxNegro (maxnegro) wrote :

Why is it marked incomplete, following a request for more info based on a version which is not yet released? The bug is present in lucid and maverick, there is a workaround and the info for reproducing is present...

Anyway, I'm going to test it on natty ASAP.

MaxNegro (maxnegro) wrote :

Confirmed in natty. To reproduce, enable more than a couple of jails in jail.conf and do a restart of the service.

Changed in fail2ban (Ubuntu):
status: Incomplete → New
MaxNegro (maxnegro) wrote :

Again, patch proposed in #2 does fix the issue reliably, at least on every system I've applied it.

Daniel T Chen (crimsun)
Changed in fail2ban (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Richard Hansen (rhansen) wrote :

Bug still present in fail2ban-0.8.5-1 (in oneiric).

Daniel Black (daniel-black) wrote :
Jamie Strandboge (jdstrand) wrote :

This was fixed in 0.8.5-2, which has been in Ubuntu since before 12.04. Marking Fix Released.

Changed in fail2ban (Ubuntu):
status: Confirmed → Fix Released