Bug#554162: fail2ban: sometimes(frequently) fails to load ..
Libor Klepac
(Msg. 1) Posted: Tue Nov 03, 2009 9:20 am
Post subject: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Archived from groups: linux>debian>bugs>dist

Package: fail2ban
Version: 0.8.4-1
Severity: important

Hi,
I have problems with using several jails. It was there before, but didn't hit so hard as today, when I was unable to restart fail2ban cleanly; I was trying it for maybe 50 times (changing configs, installing python2.4, etc.).
It seems to fail to execute iptables in the correct order, leading to something like this in its output:

-----
iptables: Resource temporarily unavailable.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't load target `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2009-11-03 14:29:14,591 fail2ban.actions.action: ERROR iptables -N fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd returned 200
-----
Seems like the last rule is executed when the chain is not ready.

This problem is reported upstream, I think:
http://sourceforge.net/tracker/?func=detail&aid=2870788&group_id=12103...tid=689

With patch
http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=12103...tid=689

Patch applies fine and seems to help, but I have to use
action = %(action_)s

instead of action_m
action_m = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
action = %(action_m)s

or the provided
action = %(action_mw)s


With regards
Libor

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii python 2.5.4-2 An interactive high-level object-o
ii python-central 0.6.11 register and build utility for Pyt

Versions of packages fail2ban recommends:
ii iptables 1.4.4-2 administration tools for packet fi
ii whois 4.7.32 an intelligent whois client

Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20081101cvs-2 A simple mail user agent
pn python-gamin <none> (no description available)

-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org
Yaroslav Halchenko
(Msg. 2) Posted: Tue Nov 03, 2009 11:20 am
Post subject: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails

brr... are you sure you just have some problem with iptables? What if, whenever there is no fail2ban running, you run those commands while being root:

iptables -N fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd

will you get at some point that:
iptables v1.4.4: Couldn't load target `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open shared object file: No such file or directory

or would there be any other error reported?

On Tue, 03 Nov 2009, Libor Klepac wrote:

> Package: fail2ban
> Version: 0.8.4-1
> Severity: important

> Hi,
> I have problems with using several jails. It was there before, but didn't hit so hard as today, when I was unable to restart fail2ban cleanly; I was trying it for maybe 50 times (changing configs, installing python2.4, etc.).
> It seems to fail to execute iptables in the correct order, leading to something like this in its output:

--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]





Yaroslav Halchenko
(Msg. 3) Posted: Tue Nov 03, 2009 3:20 pm
Post subject: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails

d'oh me -- I've read your original incorrectly (that you applied the patch and it didn't help ;)).

Just out of "research" -- could you please run in a shell all 3 commands on a single line, like:

iptables -N fail2ban-proftpd; iptables -A fail2ban-proftpd -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd

I would really not expect some out-of-order execution from Python's os.system, and it might be that the real problem is buried deeper.


On Tue, 03 Nov 2009, Libor Klepáč wrote:

> Hi,
> there seems to be some problem with the sequence of commands run from python.
> Maybe our server is too powerful? (PowerEdge 2950 with two 4-core processors;
> the old server was some old Pentium 4 with HT, there were no such problems)

> If I run those commands separately from the command line, there is no problem.

> But if the whole (multiline) actionstart is run, there seems to be a problem with
> the order of commands.
> The problem is that
> iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j
> fail2ban-proftpd
> is run at a time when there is no such chain, so the kernel tries to autoload a
> module for it (but there is no such module) (you can try it by running this
> command)

Yaroslav Halchenko
(Msg. 4) Posted: Tue Nov 03, 2009 5:20 pm
Post subject: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails

> The patch is working, but I can't use action_mw
> (the output goes like this:
> ---------------
> 2009-11-03 21:04:02,138 fail2ban.actions.action: ERROR printf %b "Subject:
> [Fail2Ban] cyrus: started
> From: Fail2Ban <fail2ban>

well -- that is what the patch you've applied accomplished,
unfortunately :-/ since the mailing command is a multiline printf
command. IMHO instead of that patch I would simply tune up the action
for banning -- just add sleep 1 (or sleep 0.1 if the system has that recent
a sleep ;)) after each command and see how that helps

or maybe alternatively just place all commands on 1 line with ";"
between them -- so they should start as one command (you said that the
system tolerated that fine)

> All commands on one line work OK from the command line.
interesting -- thanks for checking

> The sequence is also OK. Does fail2ban launch actions in threads?
To tell the truth -- I don't know exactly... from what I know, it just
calls system() from the stdlib, which should call "/bin/sh -c '.....'"

I still think that the issue is deeper underground (iptables returns
before actually completing the modification of the table, etc.), although
I myself could not replicate it on any of my boxes (beefy enough: 8 cores,
64GB RAM, etc.) with something like

for f in {1..100}; do /bin/sh -c "iptables -N fail2ban-proftpd; iptables -A fail2ban-proftpd -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd; iptables -F fail2ban-proftpd; iptables -X fail2ban-proftpd"; done

now the question -- what is your /bin/sh? ;)
Could you try a different kernel? I've tried on 2.6.26-2-amd64

Yaroslav Halchenko
(Msg. 5) Posted: Thu Nov 05, 2009 7:20 am
Post subject: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails

Thank you, Libor, for all the testing!
Sorry that none of it has helped.

How many jails do you have? fail2ban is threaded to handle each jail
in a separate thread (IIRC) -- I guess the problem might lie there, and
some people reported a similar issue in the context of a high number of
jails

On Wed, 04 Nov 2009, Libor Klepáč wrote:

> Hi,
> I have done some testing without the patch.
> I have tested:
> - putting sleep between commands (I tested this yesterday too) - it
> didn't help
> - putting all commands on one line, separated with ; - it didn't help
> - putting all commands on one line, separated with && - it didn't help
> - putting all commands on one line, separated with ; and I put () around
> the whole line - it failed differently; it seems it separates the commands somewhere
> on its own
> -----
> sh: -c: line 1: syntax error: unexpected end of file
> 2009-11-04 09:34:33,313 fail2ban.actions.action: ERROR (iptables -N fail2ban-
> postfix returned 200
> -----
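The thread above narrows the symptom down to `iptables -A`/`-I` referring to a jail chain before `iptables -N` has made it visible, and reports that a blind `sleep` between commands and joining them on one line did not help. The script below is an added example (not fail2ban's own code and not anything posted in the thread): it runs the three commands from the report's actionstart as argv lists (no `/bin/sh -c`, so nothing can be split or mis-parsed) and, instead of sleeping, polls `iptables -L <chain> -n` with a bounded retry before touching the new chain. The function names are hypothetical, `SimulatedIptables` is a constructed model of the reported symptom (the chain becomes visible only some invocations after `-N`), not of real kernel behaviour, and the default runner needs root and a real `iptables` binary.

```python
"""Added example: a race-aware actionstart for one fail2ban jail chain,
with a constructed iptables simulator so it runs offline."""
import subprocess
import time
from typing import Callable, List, Optional, Sequence, Tuple

Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def _result(argv: Sequence[str], rc: int, stderr: str = "") -> subprocess.CompletedProcess:
    return subprocess.CompletedProcess(list(argv), rc, "", stderr)


def _default_runner(argv: Sequence[str]) -> subprocess.CompletedProcess:
    # Real execution path (needs root and iptables). No shell is involved, so a
    # multi-line action string can never be split or mis-quoted on the way.
    return subprocess.run(list(argv), capture_output=True, text=True)


def actionstart_commands(chain: str, ports: str, proto: str = "tcp") -> List[List[str]]:
    """The three commands from the bug report's actionstart, as argv lists."""
    return [
        ["iptables", "-N", chain],
        ["iptables", "-A", chain, "-j", "RETURN"],
        ["iptables", "-I", "INPUT", "-p", proto, "-m", "multiport",
         "--dports", ports, "-j", chain],
    ]


def chain_exists(chain: str, run: Runner = _default_runner) -> bool:
    """`iptables -L <chain> -n` exits non-zero while the chain is absent."""
    return run(["iptables", "-L", chain, "-n"]).returncode == 0


def naive_actionstart(chain: str, ports: str, run: Runner = _default_runner) -> List[int]:
    """What a plain 'run each line in turn' action does: fire all three, collect rcs."""
    return [run(argv).returncode for argv in actionstart_commands(chain, ports)]


def start_jail_chain(chain: str, ports: str, run: Runner = _default_runner,
                     retries: int = 10, delay: float = 0.1,
                     sleep: Callable[[float], None] = time.sleep
                     ) -> List[Tuple[List[str], int]]:
    """Create the chain, wait (bounded) until it is visible, then populate it and
    hook it into INPUT. Returns [(argv, rc), ...]; raises RuntimeError if the
    chain never shows up or a later command fails."""
    create, append_return, hook_input = actionstart_commands(chain, ports)
    log = [(create, run(create).returncode)]  # rc != 0 here normally means "already exists"
    for _ in range(retries):
        if chain_exists(chain, run):
            break
        sleep(delay)
    else:
        raise RuntimeError(f"chain {chain} not visible after {retries} checks")
    for argv in (append_return, hook_input):
        res = run(argv)
        log.append((argv, res.returncode))
        if res.returncode != 0:
            raise RuntimeError(f"{' '.join(argv)} returned {res.returncode}: {res.stderr.strip()}")
    return log


class SimulatedIptables:
    """Constructed stand-in for iptables (a model of the reported symptom, not of
    the real kernel): after `-N`, the chain only becomes visible once
    `settle_calls` further invocations have happened. Tracks a single chain and
    ignores the chain name in argv."""

    def __init__(self, settle_calls: int = 2) -> None:
        self.settle_calls = settle_calls
        self.calls: List[List[str]] = []
        self.created_at: Optional[int] = None  # index in self.calls of the -N call
        self.list_checks = 0

    def __call__(self, argv: Sequence[str]) -> subprocess.CompletedProcess:
        argv = list(argv)
        self.calls.append(argv)
        idx = len(self.calls) - 1
        op = argv[1]
        if op == "-N":
            if self.created_at is not None:
                return _result(argv, 1, "iptables: Chain already exists.")
            self.created_at = idx
            return _result(argv, 0)
        visible = self.created_at is not None and idx - self.created_at >= self.settle_calls
        missing = "iptables: No chain/target/match by that name."
        if op == "-L":
            self.list_checks += 1
            return _result(argv, 0) if visible else _result(argv, 1, missing)
        if op == "-A":
            return _result(argv, 0) if visible else _result(argv, 1, missing)
        if op == "-I":  # unknown jump target: iptables tries (and fails) to load a module for it
            return _result(argv, 0) if visible else _result(argv, 2, "iptables: Couldn't load target")
        return _result(argv, 0)


if __name__ == "__main__":
    ports = "ftp,ftp-data,ftps,ftps-data"
    print("naive rcs:", naive_actionstart("fail2ban-proftpd", ports, run=SimulatedIptables(3)))
    sim = SimulatedIptables(3)
    rcs = [rc for _, rc in start_jail_chain("fail2ban-proftpd", ports, run=sim, sleep=lambda s: None)]
    print("checked rcs:", rcs, "after", sim.list_checks, "visibility checks")
```

With the simulator set to settle three invocations after `-N`, the naive sequence fails on both the `-A` and the `-I` (the same two errors the report's log shows), while the checking version spends its first calls on `-L` probes and only then appends and hooks the chain. The bounded retry matters: if the chain never appears, the action fails loudly with a RuntimeError rather than leaving INPUT without the jump rule.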