Fail2ban won't start after update


#1

FreePBX 15
Asterisk 16
Edge Modules turned on

System was rebooted and showed very high CPU. Looking at top it was Fail2Ban that was the culprit eating 98% of the CPU.

I stopped Fail2ban, ran updates on both modules and SNG7 and applied. CPU has returned to normal levels but Fail2Ban will not start.


(Itzik) #2

How are you trying to start it, and does it give you any errors?


(Yois) #3

If you disable the firewall with:
fwconsole firewall disable

Can you then run:
systemctl start fail2ban

Can you also show what version of fail2ban you’re running:
yum list installed | grep fail2ban


#4

Is your new firewall still dependent on ‘system admin’?


(Yois) #5

Yes, I need incron to do root commands and it’s easier to use the built-in signature verification with sysadmin than to create my own hacky way of doing it.


#6

Thank you.


(Jkalber) #7

I’m in the same boat - ran some module updates over the weekend and Fail2Ban will not start back up.


(Jkalber) #8

[root@freepbx ~]# fwconsole firewall disable

Broadcast message from root@freepbx.sangoma.local (Tue Jul 13 13:27:40 2021):

/etc/aterisk/firewall.lock or /etc/asterisk/firewall.enabled exists!
Refusing to shut down.
[root@freepbx ~]# systemctl start fail2ban
Job for fail2ban.service failed because the control process exited with error code. See “systemctl status fail2ban.service” and “journalctl -xe” for details.
[root@freepbx ~]#


#9

That’s exactly what I get.


#10

Exactly? Typo? Cut and paste error? Or maybe /etc/aterisk/firewall.lock does exist :wink:


(Jkalber) #11

Very new to PBX and not quite sure what you’re insinuating. Just need a little help :slight_smile:


#12

This part…


(Dave Burgess) #13

He means that the error is right there in what got posted. Check to see if either of those files exist and, if they do, delete them.


#14

Not insinuating anything. If you posted exactly what you saw, there is a problem: the directory /etc/aterisk should NEVER exist unless someone effed up. You can, however, expect the directory /etc/asterisk to exist, and if there is a file called firewall.lock in that directory, well, that’s a different story . . .


(Jkalber) #15

Using WinSCP I was able to navigate to the directory. I do not see a /etc/aterisk; however, I do see /etc/asterisk, and when I expand that folder there is a file called “firewall.enable”.

Just to confirm - is it okay to delete “firewall.enable”?

Thanks for all the help!


#16

Not my bailiwick nor @cynjut's, wait for authoritative advice.


#17

[root@advcardhackpbx asterisk]# systemctl start fail2ban
Job for fail2ban.service failed because the control process exited with error code. See “systemctl status fail2ban.service” and “journalctl -xe” for details.

[root@advcardhackpbx asterisk]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Tue 2021-07-13 15:25:42 EDT; 12s ago
Process: 12487 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Process: 12486 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)

Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: Failed to start Fail2Ban Service.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: Unit fail2ban.service entered failed state.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: fail2ban.service failed.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: Stopped Fail2Ban Service.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: start request repeated too quickly for fail2ban.service
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: Failed to start Fail2Ban Service.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: Unit fail2ban.service entered failed state.
Jul 13 15:25:42 advcardhackpbx.ashcortechnologies.com systemd[1]: fail2ban.service failed.
[root@advcardhackpbx asterisk]#


#18

You too, cool your jets :slight_smile:

It is unlikely that any fail2ban service should be enabled or started until the presumably authoritative "firewall service" tells it to.


(Dave Burgess) #19

You have to proceed from where you are. The program died and left the enable file; with that still on the system, the new instance can’t start.


(Dave Burgess) #20

Seems to me like there should be a problem here. I think @dicko is on the right track; you may need to start the firewall service first. In fact, if you can, it might be time to “Windows debug” the system and power cycle it.