System status shows "Fail2Ban should always be running"

We have fail2ban running on the server just fine, but this shows up with a fire icon next to it on every login. What conditions need to be met to satisfy the server gods? The SysAdmin Pro module shows that fail2ban is running.

By default, fail2ban logs to

less /var/log/fail2ban.log

you should look inside that file initially, if it is running without bitching then maybe the “commercial modules” forum would be a better place to ask as sysadmin it is not part of FreePBX itself.

I was asking since FPBX bitches at me when I log in; the sysadmin module was added as more of a “this module reports no problems” tidbit. This is concerning the config.php/index page.

The commercial sysadmin module only works with a valid license and on some subset of hardware and some subset of OS’s

fail2ban works on everything.

Perhaps you asked in the wrong forum, FreePBX is not the same as the “FreePBX distro” (yes I do understand that that is confusing . . .) and FreePBX will never “bitch” about fail2ban because it has absolutely no knowledge of fail2ban.

Screenshot

Yep, that’s the sysinfo commercial module doing that.

@dicko no it’s not. That is an open source module. Non commercial.

I will look into tweaking this tomorrow

Silly me

It is only available from the commercial repos and the “description” is quite confusing:-

System Administration - COMMERCIAL MODULE REQUIRES A LICENSE FOR PRO FEATURES TO BE ENABLED ABOVE THE INCLUDED FREE FEATURES. Please visit www.schmoozecom.com/oss.php System Administration - provides access to various system administration tools. This module is designed to work with some very specific distributions such as the FreePBX Distro and PBXact. There are dependencies that are not all listed in this module.xml package so the module should not be used except on the distributions that it is designed for.

So either it only works on " some very specific distributions" and “should not be used except on the distributions that it is designed for” or not, My apologies for any confusion I caused.

Thanks for handling this confusion.

@dicko. Again. This is not sysadmin. This is dashboard. It is not commercial. It is not sysadmin. It’s open source. It’s what dashboard looks like in 12. This has nothing to do with sysadmin. Why are we referencing sysadmin.

You are the only one making this confusing at this point.

Then someone could perhaps go back to the front end of the thread, “fail2ban is on fire” !!, If 12 watches the status of the fail2ban service and fail2ban is running but the dashboard does not see that, then you need to adjust for that case, if it is not running then your status is flamingly correct, if it is as the OP suggests actually running,then two options, either that the fail2ban service was installed by the System Administration module and something is wrong, or otherwise and possibly, it was reasonable installed from the fail2ban guys and it wasn’t caught by the “dashboard”, no?

If the sysinfo module only looks for /etc/fail2ban/jail.local then I suggest it will probably fail the second use-case. Maybe just checking the result of

service fail2ban status

would work on most OS’s.

I’ve already checked the service status via SSH, and it’s definitely on.

What has me wondering is that SysAdmin shows this:

I don’t see where the issue is that the dashboard doesn’t detect it but everything else does. Everything is configured properly for FreePBX to see it, AFAIK. It is configured to start @ boot with rlevel 3/4/5, is running currently, and I don’t know what else I can do to fix it. Thanks for looking into this.

Actually, Dicko may have been right:

nano /var/www/html/admin/modules/sysadmin/Sysadmin.class.php

   private function checkfail2ban() {
            exec("service fail2ban status 2>&1", $output, $ret);
            if ($ret === 0) {
                    return $this->genAlertGlyphicon('ok', "Fail2ban running");
            }
            return $this->genAlertGlyphicon('critical', "Fail2Ban should always be running");
    }

As it turns out, the error in my case is due to insufficient privileges (asterisk user cannot run service commands). If we change the error output to this:

            return $this->genAlertGlyphicon('critical', implode($output) . " (" . $ret . ")");

We get the reason and error code for the failure:

fail2ban-server status unknown due to insufficient privileges. (4)

I confirmed my problem using

runuser -l asterisk service fail2ban status

I’m not sure how to fix this - I’m on CentOS 6.5 64-bit.

No he was wrong in the fact that he was trying to assert it was “sysadmin” doing this. Which is not true. That is all though.

That said in the FreePBX Distro and other distros the Asterisk user can check status of fail2ban and a few other services.

I would check selinux. It might be enabled.

[root@pbxserver init.d]# sestatus
SELinux status: disabled

I’m not using the distro; I installed v2.11 on CentOS 6.5 (using the guide for v2.11/6.3) and have since upgraded to 12.

How would I add permission for asterisk to do this?

I’ve just added this, based on your (helpful, thanks!) debug:

   exec("service fail2ban status 2>&1", $output, $ret);
   if ($ret === 0) {
     return $this->genAlertGlyphicon('ok', "Fail2ban running");
   } elseif ($ret === 4 && preg_match('/insufficient/', $output)) {
     return $this->genAlertGlyphicon('unknown', "Unable to detect service status");
   }

That should fix your problem! I’ll publish it shortly, but if you could test that, that would be awesome

I had to implode output; it ouputs “Array” if used directly. Will test anyway.

I’m not sure what other options there are for the $ret/$output, but shouldn’t we leave that to the administrators to figure out? This is how I’d handle it (untested atm)

private function checkfail2ban() {
	exec("service fail2ban status 2>&1", $output, $ret);
	if ($ret === 0) {
		return $this->genAlertGlyphicon('ok', "Fail2ban running");
	} elseif (is_array($output)) {
		return $this->genAlertGlyphicon('critical', implode($output) . " (" . $ret . ")");
	} else {
	return $this->genAlertGlyphicon('critical', $output . " (" . $ret . ")");
	}
}

Edit: I see what you did. I’m going to try to mix our methods…also, testing failed until implode was added around $ouput in your code.

I just published 12.0.9.1 which has this fixed properly :sunglasses:

Downloaded/Installed/Tested. Awesome!

I would have gone with wording that informed the user of permission issues; “Insufficient privileges to check service status” or something. I’d like to figure out how to give asterisk permission to access this info and it would be nice to have known that from the start. In that spirit, I also feel like $output should be in the catchall at the end so that the poor admin can have something useful to start with.

EDIT: If you poke around there’s nothing you can’t do :smiley:
added this line to start/restart in /etc/init.d/fail2ban:

chmod 644 /var/run/fail2ban/fail2ban.pid

Now the check succeeds.