Fail2ban won't start after update


(Jkalber) #21

Alright I have deleted “firewall.enable” - is there anything else I need to do?


#22

firewall.enabled file did exist, deleted.

As far as I can tell the firewall is running.

in the Gui click the start button under Firewall > Intrusion detection

and… nuthin… not even an entry in the fail2ban.log

Can’t reboot this system right now because it’s in active use. I did however reboot it several times this morning with no joy.


#23

OK, iptables is a complicated list of rules that filter network connections, current versions of Fail2ban better coexist with extant rules as it insert it’s rules, but as as a “service” it is “rather bossy” @yois is taming that beast to play nice with the FreePBX firewall which although well considered, needed some work.

I suggest you let him finish his work or go back to “what was”. Every-time you mess with iptables without understanding it, you will get a “half warmed fish” (that’s called a spoonerism)

Kudos to @yois for taking it on, you guys just settle down and wait. . . . Please . . . No edge in case you fall over it :wink:


(Yois) #24

I can’t reproduce this issue.

Again, can someone post back which version of fail2ban service is causing this problem? I was working on 0.11.1 but that shouldn’t have been pushed yet.


(Yois) #25

Also, what version of firewall? Current should be 15.0.11


#26

where do I find the version of Fail2ban?

Firewall Was the current edge version but has been downgraded to: 15.0.8.14


(Yois) #27

yum list installed | grep fail2ban


#28

Hello All, I’m seeing the same issue on several PBX’s, my concern is while we do have the firewall enabled, I’m not seeing anything being blocked via iptables-save.

Below are results of trying to restart manually (System Restart did not solve either):

Jul 14 01:31:40 bpbx.t.net systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 14 01:31:40 bpbx.t.net systemd[1]: Failed to start Fail2Ban Service.
Jul 14 01:31:40 bpbx.t.net systemd[1]: Unit fail2ban.service entered failed state.
Jul 14 01:31:40 bpbx.t.net systemd[1]: fail2ban.service failed.
Jul 14 01:31:40 bpbx.t.net systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 14 01:31:40 bpbx.t.net systemd[1]: Stopped Fail2Ban Service.
Jul 14 01:31:40 bpbx.t.net systemd[1]: start request repeated too quickly for fail2ban.service
Jul 14 01:31:40 bpbx.t.net systemd[1]: Failed to start Fail2Ban Service.
Jul 14 01:31:40 bpbx.t.net systemd[1]: Unit fail2ban.service entered failed state.
Jul 14 01:31:40 bpbx.t.net systemd[1]: fail2ban.service failed.

Jul 14 01:33:01 bpbx.t.net crond[1866]: (asterisk) RELOAD (/var/spool/cron/asterisk)
Jul 14 01:33:01 bpbx.t.net CROND[30678]: (asterisk) CMD ([ -e /usr/sbin/fwconsole ] && sleep $((RANDOM%30)) && /usr/sbin/fwconsole job --run --quiet 2>&1 > /dev/null)
Jul 14 01:33:01 bpbx.t.net CROND[30679]: (asterisk) CMD (/usr/local/sbin/fwconsole queuestats --syncall >> /tmp/reader.log 2>&1)
Jul 14 01:33:01 bpbx.t.net CROND[30681]: (asterisk) CMD (/var/www/html/admin/modules/iotserver/bin/check_system_settings.php 2>&1 >/dev/null)
Jul 14 01:33:10 bpbx.t.net crontab[30725]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30727]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30748]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30750]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30752]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30753]: (asterisk) REPLACE (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30755]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30757]: (asterisk) LIST (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30758]: (asterisk) REPLACE (asterisk)
Jul 14 01:33:10 bpbx.t.net crontab[30760]: (asterisk) LIST (asterisk)
Jul 14 01:33:22 bpbx.t.net runuser[30765]: pam_unix(runuser:session): session opened for user asterisk by (uid=0)
Jul 14 01:33:22 bpbx.t.net runuser[30765]: pam_unix(runuser:session): session closed for user asterisk

#29

Same Topic Different Question: Are we pulling Intrusion Detection Settings out of System Admin?
(currently seeing it under firewall as well as system admin)

Thanks


(Yois) #30

Wow, so strange. It’s probable that I wrote the code that broke something… But I can’t reproduce this. I’ve even started with fresh SNG7 install and it’s just not happening to me. I have Firewall 15.0.11 running on several production systems without any hiccups.

@VoIPTek @ashcortech @jkalber - Are your systems activated? Are you using Intrusion Detection? What version of fail2ban are you running? If you just update Sysadmin does this happen? If you just update Firewall does this happen? Does the problem begin immediately after updating the modules?

Really, fail2ban is controlled by the Sysadmin module’s management of Intrusion Detection. The work I did (regarding fail2ban) was just to ensure that the fail2ban rules in iptables wouldn’t be wiped out by the Responsive Firewall. It will help greatly if we can narrow down whether Sysadmin or Firewall module is the cause of the problem, and in which version the problem surfaced.

I would work on this but I can’t reproduce.


#31

fail2ban-fpbx.noarch 0.8.14-76.sng7 @anaconda/2104


#32

Yes fully activated

Yes intrusion was being used

Current Sysadmin 15.0.21.66, no update available

Somethiing definitely happened in the updates over the weekend. Too many people seeing the same issue at the same time. Whether it’s because of your work or not remains to be seen.


(Jkalber) #33

Just wanted to provide an update that I rebooted the pbx system this morning and everything is back to normal, Fail2ban and Intrusion detection is on and running. I did have to delete that “firewall.enable”

I manage five other PBX’s and the other are having the same issue so I will follow these steps and hopefully fix the others.

Thanks for all your help guys, cheers!


(Lorne Gaetz) #34

Repeated attempts to repro this have been unsuccessful for me, but I did have hands on a system just now where fail2ban wouldn’t start. I don’t know the cause but it appears to be related to System Admin module

15.0.21.65 - fail2ban fails to start
15.0.21.66 - fail2ban starts like normal

You can get .66 from the stable repo with:

fwconsole ma upgrade sysadmin

confirm sysadmin version with:

fwconsole ma list | grep sysadmin

start fail2ban

systemctl start fail2ban.service

Confirm it’s running with

systemctl status fail2ban.service

Fail2ban wont start
(Yois) #35

/etc/aterisk/firewall.lock

Thanks for this, there’s a typo in the source code (that doesn’t affect functionality)


#36

I have .66 and it still won’t start. unfortunately I can’t reboot the phone system right now as the office is open. I’ll try tonight.


(Jared Busch) #37

So @lgaetz what can be done to fix this? Because until this is fixed, Firewall is a commercial product. No matter what this says…

| firewall  | 15.0.8.14  | Enabled and up to date   | AGPLv3+     |

(Yois) #38

@sorvani - I’m also slightly frustrated by this fact, but like I said earlier, the ability to do root tasks from the GUI requires some sanity checking and file verification. If you want to make this completely open, it’s only possible if the open-source community can agree on one signing authority… Once we do that why can’t it just be Sangoma?

If anyone wants to create an open-source fork of the firewall module, it’s easy enough to just create a new incron folder that processes the hook files without signature verification, and to drop hook files in that location… But don’t say I didn’t warn you that this is insecure.


(Yois) #39

(Jared Busch) #40

Of course it can be Sangoma. But it has to be done in something that can be installed on all systems, unlike SysAdmin.