Can't upgrade fail2ban after upgrade to SNG7

ivana72 · May 17, 2020, 1:08pm

Hello, after upgrade to SNG7 I was not able to run yum update. Looking to it I noticed that the reason was that fail2ban was preventing that. Then I did yum update --exclude fail2ban and all went through. Now still trying to upgrade fail2ban. The error:

Transaction check error:
file /etc/logrotate.d/fail2ban from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/badips.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/blocklist_de.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/firewallcmd-ipset.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/firewallcmd-new.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/iptables-allports.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/iptables-ipset-proto4.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf from install of fail2ban-server-0.9.7-1.el7.noarch conflicts with file from package fail2ban-fpbx-0.8.14-76.sng7.noarch
file /etc/fail2ban/action.d/iptables-ipset-proto6.conf from install of fail2ban-server-0.9.7-1.el7.noar …and etc.

yum info shows:

yum info fail2ban
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
Name : fail2ban
Arch : noarch
Version : 0.8.14
Release : 1.shmz65.1.129
Size : 851 k
Repo : installed
From repo : anaconda-SHMZ-201501302108.x86_64
Summary : Scan logfiles and ban ip addresses with too many password failures
URL : http://fail2ban.sourceforge.net/
License : GPL
Description : Fail2Ban monitors log files like /var/log/pwdfail or /var/log/apache/error_log
: and bans failure-prone addresses. It updates firewall rules to reject the IP
: address or executes user defined commands.

Available Packages
Name : fail2ban
Arch : noarch
Version : 0.9.7
Release : 1.el7
Size : 11 k
Repo : sng-epel/7/x86_64
Summary : Daemon to ban hosts that cause multiple authentication errors
URL : http://fail2ban.sourceforge.net/
License : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many password
: failures. It updates firewall rules to reject the IP address. These rules can
: be defined by the user. Fail2Ban can read multiple log files such as sshd or
: Apache web server ones.
:
: Fail2Ban is able to reduce the rate of incorrect authentications attempts
: however it cannot eliminate the risk that weak authentication presents.
: Configure services to use only two factor or public/private authentication
: mechanisms if you really want to protect services.
:
: This is a meta-package that will install the default configuration. Other
: sub-packages are available to install support for other actions and
: configurations.

Any suggestions how to fix that?

Thanks

slobera · May 17, 2020, 11:21pm

Hi @ivana72 !
If this was an upgrade from 13 to 14, you can try running this command:

wget http: //package1 .sangoma.net /post_upgrade

chmod 755 . /post_upgrade

. /post_upgrade

ivana72 · May 18, 2020, 5:22am

Sergio, ran the post_upgrade. Same result. Fail2-ban can’t be upgraded with the same transact check error. Anything else?
Thanks

snazir · May 18, 2020, 9:01am

@ivana72

Pls try to remove exist old F2B version on your PBX.
Then you can install below version.

I can see on my test system running same version 0.9.7.

$ yum info fail2ban
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Available Packages
Name : fail2ban
Arch : noarch
Version : 0.9.7
Release : 1.el7
Size : 11 k
Repo : sng-epel/7/x86_64
Summary : Daemon to ban hosts that cause multiple authentication errors
URL : http://fail2ban.sourceforge.net/
Licence : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many password
: failures. It updates firewall rules to reject the IP address. These rules can
: be defined by the user. Fail2Ban can read multiple log files such as sshd or
: Apache web server ones.
:
: Fail2Ban is able to reduce the rate of incorrect authentications attempts
: however it cannot eliminate the risk that weak authentication presents.
: Configure services to use only two factor or public/private authentication
: mechanisms if you really want to protect services.
:
: This is a meta-package that will install the default configuration. Other
: sub-packages are available to install support for other actions and
: configurations.

slobera · May 18, 2020, 11:31am

Try to run this: rpm --erase --nodeps fail2ban-fpbx-0.8.14-76.sng7.noarch && yum update

ivana72 · May 18, 2020, 12:43pm

Thanks. It worked

slobera · May 18, 2020, 12:47pm

Thanks for letting us know Ivana

ivana72 · May 18, 2020, 1:07pm

Hmmm, can’t seem to be able to start now…

[root@hc-pbx ~]# service fail2ban start
Redirecting to /bin/systemctl start fail2ban.service
Job for fail2ban.service failed because the control process exited with error code. See “systemctl status fail2ban.service” and “journalctl -xe” for details.

slobera · May 18, 2020, 1:08pm

What do you see with systemctl status fail2ban.service ?

ivana72 · May 18, 2020, 4:23pm

[root@pbx ~]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Mon 2020-05-18 10:37:55 EDT; 1h 45min ago
Process: 28591 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Process: 28588 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)

May 18 10:37:55 xxxxx systemd[1]: Failed to start Fail2Ban Service.
May 18 10:37:55 xxxxxx systemd[1]: Unit fail2ban.service entered failed state.
May 18 10:37:55 xxxxxx systemd[1]: fail2ban.service failed.
May 18 10:37:55 xxxxxxx systemd[1]: fail2ban.service holdoff time over, scheduling restart.
May 18 10:37:55 xxxxxxx systemd[1]: Stopped Fail2Ban Service.
May 18 10:37:55 xxxxxx systemd[1]: start request repeated too quickly for fail2ban.service
May 18 10:37:55 xxxxxxxxxxxxx systemd[1]: Failed to start Fail2Ban Service.
May 18 10:37:55 xxxxxxxxxxxx systemd[1]: Unit fail2ban.service entered failed state.
May 18 10:37:55 xxxxxxxxxxxx systemd[1]: fail2ban.service failed.

ivana72 · May 18, 2020, 4:34pm

I compared fail2ban.service of that system to another one and the file was different. Edited the file but that didn;t help much. Obviously is misconfigured somehow but I can’t seem to find a way to fix it. Thanks

slobera · May 18, 2020, 4:48pm

Try to run a fwconsole restart and see how it goes

ivana72 · May 18, 2020, 5:04pm

I wished to be that simple…I already did including restarting the server, reinstalling fail2ban and etc. I have a support ticket going but I’m waiting for the tech to contact me. Thanks

slobera · May 18, 2020, 5:29pm

Please share the out of these commands:

yum repolist
rpm -qa | grep fail2ban

ivana72 · May 18, 2020, 5:40pm

[root@pbx fail2ban]# yum repolist
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
repo id repo name status
sng-base/7/x86_64 Sangoma-7 - Base 10,019
sng-epel/7/x86_64 Sangoma-7 - Sangoma Epel mirror 16,253
sng-extras/7/x86_64 Sangoma-7 - Extras 419
sng-pkgs/7/x86_64 Sangoma-7 - Sangoma Open Source Packages 1,286
sng-updates/7/x86_64 Sangoma-7 - Updates 2,235
repolist: 30,212
[root@pbx fail2ban]# rpm -qa | grep fail2ban
fail2ban-server-0.9.7-1.el7.noarch
fail2ban-sendmail-0.9.7-1.el7.noarch
fail2ban-0.9.7-1.el7.noarch
fail2ban-firewalld-0.9.7-1.el7.noarch

ivana72 · May 18, 2020, 5:42pm

somehow whatever was installed was not related with the freepbx distro. I see differences between all fail2ban files on a working SNG7 system and the one I upgraded and installed fail2ban manually. Thanks.

slobera · May 18, 2020, 5:51pm

Run this: yum install fail2ban-fpbx.noarch && service fail2ban start

ivana72 · May 18, 2020, 5:55pm

still can’t start"

rpm -qa | grep fail2ban
fail2ban-0.9.7-1.el7.noarch
fail2ban-server-0.9.7-1.el7.noarch
fail2ban-sendmail-0.9.7-1.el7.noarch
fail2ban-mail-0.9.7-1.el7.noarch
fail2ban-all-0.9.7-1.el7.noarch
fail2ban-firewalld-0.9.7-1.el7.noarch
fail2ban-hostsdeny-0.9.7-1.el7.noarch
fail2ban-shorewall-0.9.7-1.el7.noarch

slobera · May 18, 2020, 6:00pm

I don’t know why your fail2ban went to 0.9.7, it should be 0.8 instead, I would try to to the following:

yum install fail2ban-fpbx.noarch (I guess that’s going to give you some conflicts with 0.9.7 so you should go to 2
rpm --erase --nodeps fail2ban-server-0.9.7-1.el7.noarch && rpm --erase --nodeps fail2ban-sendmail-0.9.7-1.el7.noarch && rpm --erase --nodeps fail2ban-mail-0.9.7-1.el7.noarch

Then retry yum install fail2ban-fpbx.noarch && service restart fail2ban

ivana72 · May 18, 2020, 6:10pm

sure, that what I was wondering all that time…if I do yum update it installs it. I removed all 0.9.7 versions and installed manually 0.8.14. Everything is back to normal with fail2ban. Thanks for your help