Question about Fail2Ban errors

Hello again!

I wondered if I might ask a question about Fail2Ban configuration, since you recommended it in the last ticket? I did have Fail2Ban set up and working on my old server (from which I migrated earlier this week). And I did set it up on my new server earlier this week too, and it did seem to be running.

However, when I went to check the logs just now at /var/log/fail2ban.log, I see some errors as the last status in today's entries (after I just rebooted the server). I have searched around a bit in forums, but I'm not quite clear as to what's going on, and I wondered if you might recognize what's going on, and if it's something I should be worried about? In case it's important (some threads mentioned it), the virtualization software running my DigitalOcean droplet is KVM.

I don't know if it was the right thing to do, but I installed iptables-services and stopped/masked firewalld, mainly because I'm accustomed to the former. I kind of wonder if I did that hastily now, but iptables is certainly running and doing its thing when I check if certain ports are closed using nmap.

My default Jail options are:

Matches before applying action: 2
Max delay between matches: 86400
Time to ban IP for: 86400
IP addresses to never ban: 127.0.0.1/8
Check for log file updates using: Decide automatically
Default notification email: root@localhost
Default action to apply: iptables-allports
Default protocol for actions: TCP

I've included the last 200 lines of the Fail2Ban log file, where one can see it was working yesterday, and then see the errors reported after rebooting the server this morning:

2017-07-06 05:56:40,277 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:56:44,877 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:56:50,272 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:56:50,288 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:56:55,411 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:00,735 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:01,301 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:57:05,476 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:11,406 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:12,313 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:57:16,911 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:22,933 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:23,319 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:57:28,515 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:34,358 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:35,332 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:57:39,674 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:45,779 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:46,345 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 05:57:51,015 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:56,193 fail2ban.filter         [21270]: INFO    [postfix-sasl] Found 221.126.229.173
2017-07-06 05:57:56,356 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] 221.126.229.173 already banned
2017-07-06 21:48:45,468 fail2ban.actions        [21270]: NOTICE  [dovecot] Unban 24.6.116.188
2017-07-06 21:48:46,091 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] Unban 24.6.116.188
2017-07-06 21:48:46,579 fail2ban.actions        [21270]: NOTICE  [dovecot] Unban 45.55.7.12
2017-07-07 05:35:24,531 fail2ban.actions        [21270]: NOTICE  [postfix-sasl] Unban 221.126.229.173
2017-07-07 09:38:55,704 fail2ban.filter         [21270]: INFO    [webmin-auth] Found 74.99.150.56
2017-07-07 09:39:20,924 fail2ban.filter         [21270]: INFO    [webmin-auth] Found 74.99.150.56
2017-07-07 09:39:21,736 fail2ban.actions        [21270]: NOTICE  [webmin-auth] Ban 74.99.150.56
2017-07-07 09:46:57,778 fail2ban.filter         [21270]: INFO    [sshd] Found 24.6.116.188
2017-07-07 11:47:50,905 fail2ban.filter         [21270]: INFO    [sshd] Found 24.6.116.188
2017-07-07 11:47:50,954 fail2ban.filter         [21270]: WARNING Determined IP using DNS Lookup: c-24-6-116-188.hsd1.ca.comcast.net = ['24.6.116.188']
2017-07-07 11:47:50,954 fail2ban.filter         [21270]: INFO    [sshd] Found 24.6.116.188
2017-07-07 11:47:51,835 fail2ban.actions        [21270]: NOTICE  [sshd] Ban 24.6.116.188
2017-07-07 11:47:52,770 fail2ban.filter         [21270]: INFO    [sshd] Found 24.6.116.188
2017-07-07 11:47:52,949 fail2ban.actions        [21270]: NOTICE  [sshd] 24.6.116.188 already banned
2017-07-08 00:03:02,703 fail2ban.filter         [21270]: INFO    [dovecot] Found 45.55.9.46
2017-07-08 00:03:07,690 fail2ban.filter         [21270]: INFO    [dovecot] Found 45.55.9.46
2017-07-08 00:03:08,673 fail2ban.actions        [21270]: NOTICE  [dovecot] Ban 45.55.9.46
2017-07-08 09:18:17,473 fail2ban.server         [21270]: INFO    Stopping all jails
2017-07-08 09:18:18,006 fail2ban.actions        [21270]: NOTICE  [sshd] Unban 24.6.116.188
2017-07-08 09:18:18,420 fail2ban.jail           [21270]: INFO    Jail 'sshd' stopped
2017-07-08 09:18:19,292 fail2ban.jail           [21270]: INFO    Jail 'postfix-sasl' stopped
2017-07-08 09:18:19,744 fail2ban.jail           [21270]: INFO    Jail 'proftpd' stopped
2017-07-08 09:18:20,591 fail2ban.jail           [21270]: INFO    Jail 'postfix' stopped
2017-07-08 09:18:21,076 fail2ban.actions        [21270]: NOTICE  [webmin-auth] Unban 74.99.150.56
2017-07-08 09:18:21,592 fail2ban.jail           [21270]: INFO    Jail 'webmin-auth' stopped
2017-07-08 09:18:22,555 fail2ban.actions        [21270]: NOTICE  [dovecot] Unban 45.55.9.46
2017-07-08 09:18:22,964 fail2ban.jail           [21270]: INFO    Jail 'dovecot' stopped
2017-07-08 09:18:22,967 fail2ban.server         [21270]: INFO    Exiting Fail2ban
2017-07-08 16:18:41,915 fail2ban.server         [1096]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-07-08 16:18:41,943 fail2ban.database       [1096]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-07-08 16:18:41,960 fail2ban.jail           [1096]: INFO    Creating new jail 'sshd'
2017-07-08 16:18:42,194 fail2ban.jail           [1096]: INFO    Jail 'sshd' uses systemd {}
2017-07-08 16:18:42,250 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,262 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,263 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,264 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,264 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,265 fail2ban.filter         [1096]: INFO    Set maxlines = 10
2017-07-08 16:18:42,403 fail2ban.filtersystemd  [1096]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2017-07-08 16:18:42,435 fail2ban.jail           [1096]: INFO    Creating new jail 'webmin-auth'
2017-07-08 16:18:42,435 fail2ban.jail           [1096]: INFO    Jail 'webmin-auth' uses systemd {}
2017-07-08 16:18:42,436 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,438 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,441 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,441 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,443 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,485 fail2ban.jail           [1096]: INFO    Creating new jail 'proftpd'
2017-07-08 16:18:42,486 fail2ban.jail           [1096]: INFO    Jail 'proftpd' uses systemd {}
2017-07-08 16:18:42,487 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,498 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,499 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,499 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,500 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,550 fail2ban.jail           [1096]: INFO    Creating new jail 'postfix'
2017-07-08 16:18:42,550 fail2ban.jail           [1096]: INFO    Jail 'postfix' uses systemd {}
2017-07-08 16:18:42,551 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,555 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,555 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,556 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,557 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,619 fail2ban.filtersystemd  [1096]: INFO    Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2017-07-08 16:18:42,650 fail2ban.jail           [1096]: INFO    Creating new jail 'dovecot'
2017-07-08 16:18:42,650 fail2ban.jail           [1096]: INFO    Jail 'dovecot' uses systemd {}
2017-07-08 16:18:42,651 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,657 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,658 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,660 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,661 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,710 fail2ban.filtersystemd  [1096]: INFO    Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2017-07-08 16:18:42,732 fail2ban.jail           [1096]: INFO    Creating new jail 'postfix-sasl'
2017-07-08 16:18:42,732 fail2ban.jail           [1096]: INFO    Jail 'postfix-sasl' uses systemd {}
2017-07-08 16:18:42,734 fail2ban.jail           [1096]: INFO    Initiated 'systemd' backend
2017-07-08 16:18:42,744 fail2ban.filter         [1096]: INFO    Set maxRetry = 2
2017-07-08 16:18:42,746 fail2ban.filter         [1096]: INFO    Set jail log file encoding to UTF-8
2017-07-08 16:18:42,746 fail2ban.actions        [1096]: INFO    Set banTime = 86400
2017-07-08 16:18:42,747 fail2ban.filter         [1096]: INFO    Set findtime = 86400
2017-07-08 16:18:42,758 fail2ban.filtersystemd  [1096]: INFO    Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2017-07-08 16:18:42,855 fail2ban.jail           [1096]: INFO    Jail 'sshd' started
2017-07-08 16:18:42,880 fail2ban.filtersystemd  [1096]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-07-08 16:18:43,433 fail2ban.jail           [1096]: INFO    Jail 'webmin-auth' started
2017-07-08 16:18:43,484 fail2ban.filtersystemd  [1096]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-07-08 16:18:43,488 fail2ban.jail           [1096]: INFO    Jail 'proftpd' started
2017-07-08 16:18:43,586 fail2ban.jail           [1096]: INFO    Jail 'postfix' started
2017-07-08 16:18:43,648 fail2ban.jail           [1096]: INFO    Jail 'dovecot' started
2017-07-08 16:18:43,764 fail2ban.jail           [1096]: INFO    Jail 'postfix-sasl' started
2017-07-08 16:18:44,449 fail2ban.action         [1096]: ERROR   ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:44,449 fail2ban.action         [1096]: ERROR   ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:44,450 fail2ban.action         [1096]: ERROR   ipset create fail2ban-sshd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:44,450 fail2ban.actions        [1096]: ERROR   Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
2017-07-08 16:18:45,443 fail2ban.action         [1096]: ERROR   ipset create fail2ban-webmin-auth hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 10000 -m set --match-set fail2ban-webmin-auth src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:45,443 fail2ban.action         [1096]: ERROR   ipset create fail2ban-webmin-auth hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 10000 -m set --match-set fail2ban-webmin-auth src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:45,443 fail2ban.action         [1096]: ERROR   ipset create fail2ban-webmin-auth hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports 10000 -m set --match-set fail2ban-webmin-auth src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:45,443 fail2ban.actions        [1096]: ERROR   Failed to start jail 'webmin-auth' action 'firewallcmd-ipset': Error starting action
2017-07-08 16:18:46,003 fail2ban.action         [1096]: ERROR   ipset create fail2ban-proftpd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -m set --match-set fail2ban-proftpd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:46,003 fail2ban.action         [1096]: ERROR   ipset create fail2ban-proftpd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -m set --match-set fail2ban-proftpd src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:46,003 fail2ban.action         [1096]: ERROR   ipset create fail2ban-proftpd hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -m set --match-set fail2ban-proftpd src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:46,003 fail2ban.actions        [1096]: ERROR   Failed to start jail 'proftpd' action 'firewallcmd-ipset': Error starting action
2017-07-08 16:18:46,329 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:46,329 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:46,329 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission -m set --match-set fail2ban-postfix src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:46,329 fail2ban.actions        [1096]: ERROR   Failed to start jail 'postfix' action 'firewallcmd-ipset': Error starting action
2017-07-08 16:18:46,975 fail2ban.action         [1096]: ERROR   ipset create fail2ban-dovecot hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:46,975 fail2ban.action         [1096]: ERROR   ipset create fail2ban-dovecot hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:46,975 fail2ban.action         [1096]: ERROR   ipset create fail2ban-dovecot hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports pop3,pop3s,imap,imaps,submission,465,sieve -m set --match-set fail2ban-dovecot src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:46,975 fail2ban.actions        [1096]: ERROR   Failed to start jail 'dovecot' action 'firewallcmd-ipset': Error starting action
2017-07-08 16:18:46,975 fail2ban.actions        [1096]: NOTICE  [dovecot] Ban 45.55.9.46
2017-07-08 16:18:47,633 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix-sasl hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-07-08 16:18:47,633 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix-sasl hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mFirewallD is not running\x1b[00m\n'
2017-07-08 16:18:47,634 fail2ban.action         [1096]: ERROR   ipset create fail2ban-postfix-sasl hash:ip timeout 86400
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 16:18:47,634 fail2ban.actions        [1096]: ERROR   Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset': Error starting action
Status: Closed (fixed)

Comments

Submitted by itmustbe on Sat, 07/08/2017 - 19:08 Pro Licensee

I'm just updating this issue with a little fresh info (but I realize it's a weekend, and this isn't high priority).

I thought just now that Fail2ban must be working after all, going by the lines below added since the ones I mentioned above. These lines show me testing adding SSH keys to my FTP program so as to avoid password authentication altogether.

But oddly enough, I was able to log in over SFTP anyway after my IP address was banned (and well before I unbanned it manually later in the day). So now I wonder if something's not being written correctly to the firewall?

2017-07-08 11:25:36,118 fail2ban.filter         [1096]: WARNING Determined IP using DNS Lookup: c-24-6-116-188.hsd1.ca.comcast.net = ['24.6.116.188']
2017-07-08 11:25:36,119 fail2ban.filter         [1096]: INFO    [sshd] Found 24.6.116.188
2017-07-08 11:25:38,403 fail2ban.filter         [1096]: INFO    [sshd] Found 24.6.116.188
2017-07-08 11:25:38,725 fail2ban.actions        [1096]: NOTICE  [sshd] Ban 24.6.116.188
2017-07-08 16:54:58,873 fail2ban.actions        [1096]: NOTICE  [sshd] Unban 24.6.116.188
Submitted by Joe on Sat, 07/08/2017 - 19:29 Pro Licensee

So, one tricky thing and a sort of misbehavior on the part of the Webmin fail2ban module (that we're working on) can make it look like you've got the right default action when you really don't, which can lead to rules being added that don't actually block anything. fail2ban has potentially infinite configuration files (jail.conf, jail.local, and any .conf file in jail.d), so it can be hard to know what rule is actually working (and Webmin doesn't get the order of parsing right in current versions so it can sometimes report the wrong default action).

Anyway, to guarantee the right banaction is working, add it to jail.local; this is always the last config file parsed and it overrides all other earlier configuration, including those in jail.d.

Since you've switched to iptables on your system from firewalld, you probably still have a rule that uses firewall-cmd to add rules. So, to override that, edit (or create) a jail.local file in the /etc/fail2ban directory with a DEFAULT section like this:

[DEFAULT]
banaction = iptables-multiport

Then restart fail2ban, and see if it starts adding rules that are actually working.
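To make the parse order described above concrete, here is an added Python script (not Virtualmin's or fail2ban's own code) that layers jail.conf, then jail.d/*.conf, then jail.local, and reports which file ended up setting banaction for a jail. The config files are constructed samples; the jail.d/00-firewalld.conf name and the per-jail banaction on webmin-auth are assumptions for illustration, and jail.d/*.local files are not modelled.

```python
"""Resolve which fail2ban config file actually sets a jail option.

Added example: layers the files in the order described in the thread
(jail.conf -> jail.d/*.conf sorted by name -> jail.local), so that a
later file overrides an earlier one key by key, and records the source.
"""
import configparser
import glob
import os
import tempfile


def config_files(root):
    """Files in parse order; later files override earlier ones key by key."""
    files = [os.path.join(root, "jail.conf")]
    files += sorted(glob.glob(os.path.join(root, "jail.d", "*.conf")))
    files.append(os.path.join(root, "jail.local"))
    return [f for f in files if os.path.isfile(f)]


def layer_config(root):
    """Return {section: {key: (value, source_file)}} after layering all files."""
    layered = {}
    for path in config_files(root):
        # fail2ban does its own %(name)s interpolation; disable configparser's
        # so values such as %(action_)s do not raise. Renaming the default
        # section makes [DEFAULT] a plain section we can track like any other.
        cp = configparser.ConfigParser(interpolation=None,
                                       default_section="__none__")
        cp.read(path)
        for section in cp.sections():
            for key, value in cp.items(section):
                layered.setdefault(section, {})[key] = (value, path)
    return layered


def effective(layered, jail, key):
    """A key in the jail's own section beats DEFAULT, whatever file set it."""
    if key in layered.get(jail, {}):
        return layered[jail][key]
    if key in layered.get("DEFAULT", {}):
        return layered["DEFAULT"][key]
    return (None, None)


def write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo():
    """Constructed layout: a jail.d drop-in still selects firewall-cmd, then
    a [DEFAULT] in jail.local overrides it. Returns (before, after, pinned)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "jail.d"))
        # Constructed sample; the per-jail banaction on webmin-auth is an
        # assumption used to show that DEFAULT does not override it.
        write(root, "jail.conf",
              "[DEFAULT]\nbanaction = iptables-multiport\n\n"
              "[sshd]\nenabled = true\nport = ssh\n\n"
              "[webmin-auth]\nenabled = true\nport = 10000\n"
              "banaction = firewallcmd-ipset\n")
        write(root, "jail.d/00-firewalld.conf",
              "[DEFAULT]\nbanaction = firewallcmd-ipset\n")
        before = effective(layer_config(root), "sshd", "banaction")
        # The fix from the thread: a DEFAULT section in jail.local.
        write(root, "jail.local",
              "[DEFAULT]\nbanaction = iptables-multiport\n")
        layered = layer_config(root)
        after = effective(layered, "sshd", "banaction")
        pinned = effective(layered, "webmin-auth", "banaction")
        return before, after, pinned


if __name__ == "__main__":
    for label, (value, src) in zip(("before", "after", "pinned"), demo()):
        print(f"{label}: banaction = {value} (from {src})")
```

A banaction set inside a jail's own section still wins over the [DEFAULT] in jail.local, so check per-jail overrides as well when a jail keeps failing.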

Submitted by itmustbe on Sat, 07/08/2017 - 20:28 Pro Licensee

Thank you so much for your help! I created /etc/fail2ban/jail.local and added the new [DEFAULT] section you advised. On restarting fail2ban all the errors I had above have disappeared.

And I've just successfully banned myself over SSHD as a test ;) I did of course keep a connection open already over SSH, and unbanned myself just afterwards after checking to be sure the rule was added to iptables (and verifying that I could no longer connect).

One of the lines below jumped out at me: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons. I searched some forum threads, but I'm not quite sure how to solve it; do you happen to know how? I've noticed that Fail2ban certainly consumes sizable system resources (1.25GB RAM), though usage was similarly high on my old server too.

2017-07-08 17:42:56,262 fail2ban.server         [1096]: INFO    Stopping all jails
2017-07-08 17:42:57,616 fail2ban.jail           [1096]: INFO    Jail 'sshd' stopped
2017-07-08 17:42:58,843 fail2ban.jail           [1096]: INFO    Jail 'postfix-sasl' stopped
2017-07-08 17:42:59,748 fail2ban.jail           [1096]: INFO    Jail 'proftpd' stopped
2017-07-08 17:43:00,291 fail2ban.jail           [1096]: INFO    Jail 'postfix' stopped
2017-07-08 17:43:00,967 fail2ban.jail           [1096]: INFO    Jail 'webmin-auth' stopped
2017-07-08 17:43:01,845 fail2ban.actions        [1096]: NOTICE  [dovecot] Unban 45.55.9.46
2017-07-08 17:43:02,355 fail2ban.jail           [1096]: INFO    Jail 'dovecot' stopped
2017-07-08 17:43:02,358 fail2ban.server         [1096]: INFO    Exiting Fail2ban
2017-07-08 17:54:04,347 fail2ban.server         [30162]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-07-08 17:54:04,348 fail2ban.database       [30162]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-07-08 17:54:04,349 fail2ban.jail           [30162]: INFO    Creating new jail 'sshd'
2017-07-08 17:54:04,368 fail2ban.jail           [30162]: INFO    Jail 'sshd' uses systemd {}
2017-07-08 17:54:04,388 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,390 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,391 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,391 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,392 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,392 fail2ban.filter         [30162]: INFO    Set maxlines = 10
2017-07-08 17:54:04,464 fail2ban.filtersystemd  [30162]: INFO    Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2017-07-08 17:54:04,475 fail2ban.jail           [30162]: INFO    Creating new jail 'webmin-auth'
2017-07-08 17:54:04,475 fail2ban.jail           [30162]: INFO    Jail 'webmin-auth' uses systemd {}
2017-07-08 17:54:04,476 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,477 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,478 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,478 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,479 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,494 fail2ban.jail           [30162]: INFO    Creating new jail 'proftpd'
2017-07-08 17:54:04,494 fail2ban.jail           [30162]: INFO    Jail 'proftpd' uses systemd {}
2017-07-08 17:54:04,495 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,496 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,497 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,498 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,498 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,522 fail2ban.jail           [30162]: INFO    Creating new jail 'postfix'
2017-07-08 17:54:04,522 fail2ban.jail           [30162]: INFO    Jail 'postfix' uses systemd {}
2017-07-08 17:54:04,523 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,524 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,525 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,525 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,526 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,553 fail2ban.filtersystemd  [30162]: INFO    Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2017-07-08 17:54:04,563 fail2ban.jail           [30162]: INFO    Creating new jail 'dovecot'
2017-07-08 17:54:04,563 fail2ban.jail           [30162]: INFO    Jail 'dovecot' uses systemd {}
2017-07-08 17:54:04,565 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,566 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,566 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,567 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,567 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,588 fail2ban.filtersystemd  [30162]: INFO    Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2017-07-08 17:54:04,598 fail2ban.jail           [30162]: INFO    Creating new jail 'postfix-sasl'
2017-07-08 17:54:04,598 fail2ban.jail           [30162]: INFO    Jail 'postfix-sasl' uses systemd {}
2017-07-08 17:54:04,599 fail2ban.jail           [30162]: INFO    Initiated 'systemd' backend
2017-07-08 17:54:04,600 fail2ban.filter         [30162]: INFO    Set maxRetry = 2
2017-07-08 17:54:04,601 fail2ban.filter         [30162]: INFO    Set jail log file encoding to UTF-8
2017-07-08 17:54:04,601 fail2ban.actions        [30162]: INFO    Set banTime = 86400
2017-07-08 17:54:04,602 fail2ban.filter         [30162]: INFO    Set findtime = 86400
2017-07-08 17:54:04,607 fail2ban.filtersystemd  [30162]: INFO    Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2017-07-08 17:54:04,618 fail2ban.jail           [30162]: INFO    Jail 'sshd' started
2017-07-08 17:54:04,625 fail2ban.filtersystemd  [30162]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-07-08 17:54:04,643 fail2ban.filter         [30162]: WARNING Determined IP using DNS Lookup: c-24-6-116-188.hsd1.ca.comcast.net = ['24.6.116.188']
2017-07-08 17:54:04,645 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 17:54:04,646 fail2ban.jail           [30162]: INFO    Jail 'webmin-auth' started
2017-07-08 17:54:04,647 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 17:54:04,648 fail2ban.filtersystemd  [30162]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-07-08 17:54:04,656 fail2ban.jail           [30162]: INFO    Jail 'proftpd' started
2017-07-08 17:54:04,719 fail2ban.jail           [30162]: INFO    Jail 'postfix' started
2017-07-08 17:54:04,740 fail2ban.actions        [30162]: NOTICE  [sshd] Ban 24.6.116.188
2017-07-08 17:54:04,740 fail2ban.jail           [30162]: INFO    Jail 'dovecot' started
2017-07-08 17:54:04,766 fail2ban.jail           [30162]: INFO    Jail 'postfix-sasl' started
2017-07-08 17:54:05,152 fail2ban.actions        [30162]: NOTICE  [dovecot] Ban 45.55.9.46
2017-07-08 18:13:40,202 fail2ban.filter         [30162]: WARNING Determined IP using DNS Lookup: c-24-6-116-188.hsd1.ca.comcast.net = ['24.6.116.188']
2017-07-08 18:13:40,202 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 18:13:42,689 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 18:13:43,650 fail2ban.actions        [30162]: NOTICE  [sshd] 24.6.116.188 already banned
2017-07-08 18:14:42,249 fail2ban.actions        [30162]: NOTICE  [sshd] Unban 24.6.116.188
2017-07-08 18:21:04,849 fail2ban.filter         [30162]: WARNING Determined IP using DNS Lookup: c-24-6-116-188.hsd1.ca.comcast.net = ['24.6.116.188']
2017-07-08 18:21:04,849 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 18:21:07,003 fail2ban.filter         [30162]: INFO    [sshd] Found 24.6.116.188
2017-07-08 18:21:07,151 fail2ban.actions        [30162]: NOTICE  [sshd] Ban 24.6.116.188
2017-07-08 18:23:06,071 fail2ban.actions        [30162]: NOTICE  [sshd] Unban 24.6.116.188
Chain f2b-sshd (1 references)
target     prot opt source               destination        
REJECT     all  --  c-24-6-116-188.hsd1.ca.comcast.net  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
Submitted by Joe on Sat, 07/08/2017 - 20:36 Pro Licensee

Hmmm...that's a weird one. I wonder which jail is using systemd but doesn't include a journalmatch.

On CentOS there's a fail2ban-systemd package that provides an /etc/fail2ban/00-systemd.conf file, which is what's making systemd your backend (which is usually what we want on a systemd system, AFAIK).

But, I don't fully understand the implications of that or the demand that everything have a journalmatch set; I believe this indicates there's a new jail (not provided by the default packages) that you've created that uses the default backend (one is not specified in the jail) which means it is using the systemd backend. And, they recommend you have a journalmatch.

The errors happen here right after sshd and webmin-auth jails are setup; so maybe it's those? Looking at filter.d/webmin-auth.conf (this isn't provided by us, it's part of the fail2ban distribution, so I would hope they got it right!), I don't see any backend specified and it has no journalmatch, so maybe this is just not doing everything it needs to do.

sshd on the other hand, does have journalmatch specified, so this may be a red herring. It's not entirely clear which filters/jails it's complaining about!

I'll have to do some more digging and experiment a bit here.

1.25GB does seem large, though it could just be cached in memory. Is that the RES or VIRT memory usage (if you're looking in top)?

Submitted by itmustbe on Sat, 07/08/2017 - 20:51 Pro Licensee

I didn't create any new jails, I just enabled the ones that I wanted. What I did do though (because I'd done it on my old server, after considerable research online at the time) was to edit each of the few jails I enabled to use the correct filter and an updated log file path. So for sshd, proftpd, and webmin-auth I changed the log file path to /var/log/secure. And for dovecot, postfix, and postfix-sasl I changed the log file path to /var/log/maillog. I'm not sure that makes any difference, but just so you know what I changed from default.

I was actually looking in Virtualmin under Running Processes at memory usage. But if I check top I get this for Fail2ban:

30162 root 20 0 1314364 46980 35492 S 0.3 1.2 0:14.57 fail2ban-server

Is any of this a result of my switching to iptables from firewalld? I tried stopping the iptables service then unmasking and starting firewalld earlier today... promptly to get locked out completely from every service (including Virtualmin and email), saving myself only by having an open connection over SSH through which I stopped firewalld and once again regained access. That was scary enough not to try again!

Submitted by Joe on Sat, 07/08/2017 - 21:14 Pro Licensee

No, you can use iptables or firewalld with fail2ban, and it shouldn't make any significant difference in the size of the service process. Looking at my own fail2ban instances, they hover around 900MB VIRT and 60MB RES. RES stands for "resident" which is usually the more useful number (and SHR indicates shared libraries which may or may not be used by other programs on the system...so it could indicate 35MB of that 47MB in your case might have to be in memory anyway for other programs that use the same shared libraries). Memory usage on modern systems is a tricky subject, but RES is the measure I most often look at to know where my memory is going.

I think memory usage is an unimportant red herring here; it's not gonna cause performance problems for fail2ban to use 46MB.

Submitted by itmustbe on Sat, 07/08/2017 - 21:56 Pro Licensee

Thank you so much again for your time on this. It looks like we do have various red herrings :)

And thank you for pointing me to top and explaining the different types of memory. I was worried about 1.25GB because that's what it appears to take out of my available 4GB of memory. And this server seems to operate using more memory than my old CentOS 6 system, but perhaps just because of CentOS 7 (so in total the system is using between 50-65% memory usage).

Out of curiosity, I disabled the six Fail2ban jails, then brought them online one at a time, restarting Fail2ban each time and checking the logs each time.

The two jails that generate the NOTICE "Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons." are: webmin-auth and proftpd.

But perhaps, even though it's not advised, it's as it is for a reason for the moment?

I wouldn't have even thought to note that had I not been looking closely at these logs after seeing all those errors, which we definitely took care of by specifying the [DEFAULT] action in jail.local.

Thank you again for your trouble, I'm so happy with your product and service :) I think that really should do it now... everything seems to be humming along quite well on my new server!

Submitted by itmustbe on Sat, 07/08/2017 - 21:57 Pro Licensee

Status: Active » Fixed
Joe's picture
Submitted by Joe on Mon, 07/10/2017 - 19:22 Pro Licensee

One last follow up on this. I figured out the systemd thing. We actually don't want systemd to be the backend...there's a bunch of services that don't use the journal, and so setting everything to systemd is a bad thing.

The packaging of fail2ban on CentOS is weird. The package named "fail2ban" is actually a metapackage that depends on fail2ban-server and fail2ban-systemd.

The solution to the journalmatch problem (and probably some others that I don't fully understand) then is to just remove the fail2ban-systemd package (and the fail2ban metapackage). We only need fail2ban-server and fail2ban-sendmail (and fail2ban-firewalld on systems that use firewalld, but that's not you).

# rpm -e fail2ban-systemd

Should make those journalmatch errors go away.

Oh, and restart fail2ban after.

Submitted by itmustbe on Wed, 07/12/2017 - 15:43 Pro Licensee

Thank you so much for following up on this :) It'd be nice if Fail2ban resource usage diminished as well by removing the fail2ban-systemd package (I realize it may or may not; either way, it'll still be good to have Fail2ban configured properly).

I just want to make doubly sure before typing in this command, shouldn't I use yum and not rpm on CentOS 7? This is a terribly newbie question I realize, but I really think typing yum -e fail2ban-systemd is probably what I should type? I just don't want to break anything, especially since it's all working currently!

It never hurts to double-check our syntax! I've accidentally mentioned the wrong commands in the past :-)

In this case, it looks like Joe is suggesting to remove a package.

To do that, you can use either yum or rpm to do that, I don't believe there's a right or wrong way.

"rpm -e PACKAGE_NAME" is one way to remove a package, or alternatively you could also run "yum remove PACKAGE_NAME" to do the same thing.

Let us know if you have any additional questions!

Submitted by itmustbe on Thu, 07/13/2017 - 10:49 Pro Licensee

Thanks for re-verifying the command! I felt so silly asking, but I just like to make sure I'm typing the right thing, and I always use yum (but I realize CentOS is just an unbranded RedHat, and that RedHat uses rpm).

So, I tried both commands in the end, since the first didn't work, and in both cases was told that the fail2ban-systemd package couldn't be uninstalled because it wasn't there to begin with. Hmm...

[elise@hive ~]$ sudo yum remove fail2ban-systemd
Loaded plugins: fastestmirror
No Match for argument: fail2ban-systemd
No Packages marked for removal
[elise@hive ~]$ sudo rpm -e fail2ban-systemd
error: package fail2ban-systemd is not installed

Hmm, that's an interesting issue!

How about this, what is the output of this command here:

rpm -qa | grep fail2ban

Submitted by itmustbe on Thu, 07/13/2017 - 12:11 Pro Licensee

fail2ban-firewalld-0.9.6-3.el7.noarch
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
fail2ban-0.9.6-3.el7.noarch

For the original installation when I setup the server, I followed your article for CentOS here: https://www.virtualmin.com/documentation/security/fail2ban So I installed from EPEL (then disabled EPEL afterwards).

Ah, it looks like that package is currently not installed on your system.

You guys talked about a few things above, my apologies for the question -- but which issue were you seeing that was seemingly related to that systemd package?

Submitted by itmustbe on Thu, 07/13/2017 - 13:39 Pro Licensee

Ah yes we did discuss quite a lot, and fixed pretty much everything, hence my having marked this issue as Fixed!

The only oddity I'd noticed left in the Fail2ban log was this line: NOTICE "Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons." just for these two jails of mine: webmin-auth and proftpd.

I'd asked about it mainly because it seemed to suggest I was doing something I shouldn't, and also because Fail2ban is using a seemingly quite significant amount of resources on my system, which I'd hoped to lower :)

Submitted by itmustbe on Thu, 07/13/2017 - 13:42 Pro Licensee

If you also look at Joe's response #9 above, you'll see what he had to say about that issue, which is why I tried uninstalling the package that it seems I don't have (fail2ban-systemd).

Note in the Fail2ban log lines above that I do see references to fail2ban.filtersystemd referencing Added journal match as well, which I think is why he suggested heading down this path.

Okay, I think I'm on the same page now.

What output do you receive if you run this command:

find /etc/fail2ban -type f | xargs grep systemd

Also, is fail2ban using a lot of resources all the time, or just in the first 15-20 minutes after it starts?

For a bit after it starts is indeed normal, though if it's using a lot all the time that could be at least in part because of that issue.

Submitted by itmustbe on Thu, 07/13/2017 - 15:14 Pro Licensee

Thank you so much for your help :)

Here is the output from find /etc/fail2ban -type f | xargs grep systemd:

/etc/fail2ban/paths-fedora.conf:syslog_backend = systemd
/etc/fail2ban/paths-fedora.conf:sshd_backend = systemd
/etc/fail2ban/paths-fedora.conf:dropbear_backend = systemd
/etc/fail2ban/paths-fedora.conf:proftpd_backend = systemd
/etc/fail2ban/paths-fedora.conf:pureftpd_backend = systemd
/etc/fail2ban/paths-fedora.conf:wuftpd_backend = systemd
/etc/fail2ban/paths-fedora.conf:postfix_backend = systemd
/etc/fail2ban/paths-fedora.conf:dovecot_backend = systemd
/etc/fail2ban/jail.conf:# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
/etc/fail2ban/jail.conf:# systemd:   uses systemd python library to access the systemd journal.
/etc/fail2ban/jail.conf:# Note: if systemd backend is chosen as the default but you enable a jail
/etc/fail2ban/filter.d/ejabberd-auth.conf:# Notes.:  systemd journalctl style match filter for journal based backend
/etc/fail2ban/paths-opensuse.conf:syslog_backend = systemd
/etc/fail2ban/paths-opensuse.conf:sshd_backend = systemd
/etc/fail2ban/paths-opensuse.conf:dropbear_backend = systemd
/etc/fail2ban/paths-opensuse.conf:proftpd_backend = systemd
/etc/fail2ban/paths-opensuse.conf:pureftpd_backend = systemd
/etc/fail2ban/paths-opensuse.conf:wuftpd_backend = systemd
/etc/fail2ban/paths-opensuse.conf:postfix_backend = systemd
/etc/fail2ban/paths-opensuse.conf:dovecot_backend = systemd
/etc/fail2ban/paths-opensuse.conf:mysql_backend = systemd

Fail2ban is using ever more resources over time, which does concern me; much more than on my old CentOS 6 box (from which I migrated last week). Under Webmin > System > Running Processes I see this under the Memory tab when sorting by Size:

ID Owner Size Command
30162 root 2.36 GB /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock ...
1649 mysql 1.84 GB /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/li ...

Okay, while I don't immediately see the issue there, it does give me an idea.

Could you either attach, or paste in the contents of, the files /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local?

Thanks!

Submitted by Joe on Thu, 07/13/2017 - 15:45 Pro Licensee

Sorry I missed some of this conversation as it was happening.

There actually does appear to be something amiss in Fail2ban on CentOS 7; I have one system where virtual memory usage is approaching 8GB! But, I don't think it is misconfiguration, in either my case or yours.

Looking over your configs there, it doesn't seem like systemd is being used in places where it shouldn't be (though the journalmatch warnings are still maybe an issue, and it may be that the fail2ban packages from EPEL are the culprit; they may be incomplete for use with systemd).

You don't have the fail2ban-systemd package installed which is good. Also, to clarify on the use of "rpm" vs "yum"; rpm is the package manager, while yum is a tool that fetches packages and resolves dependencies...both yum and rpm are used by RHEL and CentOS and you can't use yum without rpm; yum may be replaced by dnf in future CentOS versions, but rpm will remain. "yum remove" is similar, but not identical to "rpm -e". "yum remove packagename" will remove the package and anything that depends on the package. That's usually what you want..."rpm -e" would just print an error if you tried to remove a package that other packages depended on, because rpm doesn't automatically resolve dependencies.

So, to sum up: I don't know how to fix the memory usage. I'm still poking at it on my system that is affected. My "journalmatch" warnings (mostly) went away when I removed the fail2ban-systemd package. So, it's confusing that yours remain. But, otherwise, we're in the same boat: Got a big honkin' fail2ban daemon taking way more memory than it ought, and not a clear understanding about why.

Submitted by itmustbe on Thu, 07/13/2017 - 16:54 Pro Licensee

Attachment (status: new, file size: 21.01 KB)

Andrey, I'm attaching my jail.conf file, but it is simply the default as installed from EPEL. For my jail.local file, I created that file at Joe's request and included simply: [DEFAULT] banaction = iptables-multiport (because I'm using IPtables not Firewalld), and my default Fail2ban action that I'd set in Virtualmin was not being applied.
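As an added illustration (not the ticket's attached file or a Virtualmin-supplied one), here is what a jail.local applying the advice in this thread could look like: the [DEFAULT] banaction override for iptables, plus the fix the jail.conf note quoted earlier describes for jails whose logs live in a file rather than the journal (webmin-auth and proftpd here). The paths-fedora.conf on this system sets those jails' backend to systemd; the per-jail backend, journalmatch and logpath lines below override that. Port values and the webmin-auth filter name are assumed, not taken from the ticket.

```ini
# Added example jail.local (not the ticket's own file); assumes CentOS 7 with
# EPEL fail2ban 0.9.6, iptables instead of firewalld, and the log paths the
# ticket describes (/var/log/secure for sshd, proftpd and webmin-auth).

[DEFAULT]
# iptables is in use, so override the firewalld banaction from the package defaults
banaction = iptables-multiport
# the same jail defaults the ticket shows in Virtualmin
maxretry  = 2
findtime  = 86400
bantime   = 86400
ignoreip  = 127.0.0.1/8

[sshd]
# filter.d/sshd.conf ships its own journalmatch, so the systemd backend
# inherited from paths-fedora.conf is fine here
enabled = true

[proftpd]
# proftpd logs to a file on this host, not the journal, so follow the
# jail.conf note: pick a file backend and clear journalmatch
enabled      = true
backend      = polling
journalmatch =
logpath      = /var/log/secure
port         = ftp,ftp-data,ftps,ftps-data   # assumed default ports

[webmin-auth]
# same situation as proftpd: file-based log, no journal entries to match
enabled      = true
backend      = polling
journalmatch =
logpath      = /var/log/secure
port         = 10000                        # assumed Webmin port
```

After editing, check the running configuration with `fail2ban-client -d` (which prints the parsed jail definitions) before restarting, so a typo in jail.local does not leave the service down.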

Submitted by itmustbe on Thu, 07/13/2017 - 17:01 Pro Licensee

Joe, thank you so much for all of your help with this too :) I'm sorry to hear of the Fail2ban usage on one of your systems (8GB, wow!), but it's good to know that it's not just me. If you do get to the bottom of it, I'd love to know... it does feel like the package is misbehaving by continually growing in its resource usage. I may just have to turn it off at some point. It certainly behaved better on CentOS 6.

And thank you for clarifying the difference between using yum and rpm! I did feel bad asking about that when I knew that I should already know, but your explanation certainly helped make sense of it, and I've filed away that information where I'll find it again, should I ever forget (since I don't do this sort of stuff on the server often, thanks to Virtualmin :)

Submitted by itmustbe on Sun, 07/16/2017 - 14:06 Pro Licensee

@TSC when I searched the Fail2ban GitHub repo for (open & closed) issues for RAM consumption problems, the only (older) thread I found was this one: https://github.com/fail2ban/fail2ban/issues/1234 I'm afraid my understanding of such code (Python) is extremely minimal, and in any case, this issue looked to be addressed and closed. But it did remind me of the excessive resource usage I've observed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.