[CentOS] fail2ban firewalld problems with current CentOS 7

Thu Apr 9 07:48:32 UTC 2020
Andreas Haumer <andreas at xss.co.at>

Hi!

I have a server running CentOS 7.7 (1908) with all current patches installed.
I think this server should be a quite standard installation with no specialities

On this server I have fail2ban with an apache and openvpn configuration.
I'm using firewalld to manage the firewall rules.

Fail2an is configured to use firewalld:

[root at server ~]# ll /etc/fail2ban/jail.d/
insgesamt 12
-rw-r--r--. 1 root root 356 21. Jan 05:12 00-firewalld.conf
-rw-r--r--. 1 root root 610 15. Nov 19:55 apache.local
-rw-r--r--. 1 root root 115 15. Nov 19:10 openvpn.local

[root at server ~]# cat /etc/fail2ban/jail.d/00-firewalld.conf
# This file is part of the fail2ban-firewalld package to configure the use of
# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]

A few days ago I noticed that on restart firewalld complains about a missing ipset:

[root at server ~]# systemctl restart firewalld
[root at server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Do 2020-04-09 09:25:28 CEST; 5s ago
     Docs: man:firewalld(1)
 Main PID: 8324 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─8324 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 09 09:25:28 server.my.domain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 09 09:25:28 server.my.domain systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist.

                                                 Error occurred at line: 2...
Apr 09 09:25:30 server.my.domain firewalld[8324]: ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-apache doesn't exist.

                                                 Error occurred at line: 2...
Hint: Some lines were ellipsized, use -l to show in full.


Indeed there is no ipset named "f2b-apache", there is no set configured at all:

[root at server ~]# ipset list


There is no error when restarting fail2ban:

[root at server ~]# systemctl restart fail2ban
[root at server ~]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Do 2020-04-09 09:26:13 CEST; 4s ago
     Docs: man:fail2ban(1)
  Process: 8539 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 8543 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 8545 (f2b/server)
   CGroup: /system.slice/fail2ban.service
           └─8545 /usr/bin/python -s /usr/bin/fail2ban-server -xf start

Apr 09 09:26:13 server.my.domain systemd[1]: Stopped Fail2Ban Service.
Apr 09 09:26:13 server.my.domain systemd[1]: Starting Fail2Ban Service...
Apr 09 09:26:13 server.my.domain systemd[1]: Started Fail2Ban Service.
Apr 09 09:26:13 server.my.domain fail2ban-server[8545]: Server ready

Fail2ban seems to be running fine:

[root at server ~]# fail2ban-client status
Status
|- Number of jail:      6
`- Jail list:   apache, apache-badbots, apache-nohome, apache-noscript, apache-overflows, openvpn

No errors loged in fail2ban.log on restart:
[...]
2020-04-09 09:26:13,773 fail2ban.server         [8545]: INFO    Starting Fail2ban v0.10.5
2020-04-09 09:26:13,799 fail2ban.database       [8545]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-04-09 09:26:13,801 fail2ban.jail           [8545]: INFO    Creating new jail 'apache-badbots'
2020-04-09 09:26:13,805 fail2ban.jail           [8545]: INFO    Jail 'apache-badbots' uses poller {}
2020-04-09 09:26:13,805 fail2ban.jail           [8545]: INFO    Initiated 'polling' backend
2020-04-09 09:26:13,838 fail2ban.filter         [8545]: INFO      maxRetry: 1
2020-04-09 09:26:13,838 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,839 fail2ban.actions        [8545]: INFO      banTime: 172800
2020-04-09 09:26:13,839 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,840 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,840 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,841 fail2ban.jail           [8545]: INFO    Creating new jail 'apache-noscript'
2020-04-09 09:26:13,843 fail2ban.jail           [8545]: INFO    Jail 'apache-noscript' uses poller {}
2020-04-09 09:26:13,843 fail2ban.jail           [8545]: INFO    Initiated 'polling' backend
2020-04-09 09:26:13,851 fail2ban.filter         [8545]: INFO      maxRetry: 3
2020-04-09 09:26:13,851 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,851 fail2ban.actions        [8545]: INFO      banTime: 10800
2020-04-09 09:26:13,852 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,853 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,854 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,855 fail2ban.jail           [8545]: INFO    Creating new jail 'apache-overflows'
2020-04-09 09:26:13,857 fail2ban.jail           [8545]: INFO    Jail 'apache-overflows' uses poller {}
2020-04-09 09:26:13,857 fail2ban.jail           [8545]: INFO    Initiated 'polling' backend
2020-04-09 09:26:13,863 fail2ban.filter         [8545]: INFO      maxRetry: 2
2020-04-09 09:26:13,863 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,864 fail2ban.actions        [8545]: INFO      banTime: 10800
2020-04-09 09:26:13,864 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,865 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,865 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,866 fail2ban.jail           [8545]: INFO    Creating new jail 'apache-nohome'
2020-04-09 09:26:13,867 fail2ban.jail           [8545]: INFO    Jail 'apache-nohome' uses poller {}
2020-04-09 09:26:13,868 fail2ban.jail           [8545]: INFO    Initiated 'polling' backend
2020-04-09 09:26:13,872 fail2ban.filter         [8545]: INFO      maxRetry: 2
2020-04-09 09:26:13,873 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,873 fail2ban.actions        [8545]: INFO      banTime: 10800
2020-04-09 09:26:13,873 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,874 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,875 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,876 fail2ban.jail           [8545]: INFO    Creating new jail 'apache'
2020-04-09 09:26:13,878 fail2ban.jail           [8545]: INFO    Jail 'apache' uses poller {}
2020-04-09 09:26:13,879 fail2ban.jail           [8545]: INFO    Initiated 'polling' backend
2020-04-09 09:26:13,898 fail2ban.filter         [8545]: INFO      maxRetry: 3
2020-04-09 09:26:13,899 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,899 fail2ban.actions        [8545]: INFO      banTime: 10800
2020-04-09 09:26:13,900 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,900 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/ssl_error_log' (pos = 588859, hash = 755a00cfc09ef9b2f76d78cff61ea766)
2020-04-09 09:26:13,901 fail2ban.filter         [8545]: INFO    Added logfile: '/var/log/httpd/error_log' (pos = 27101, hash = 53ba5e7041d49628af3b86be05de6fa7)
2020-04-09 09:26:13,902 fail2ban.jail           [8545]: INFO    Creating new jail 'openvpn'
2020-04-09 09:26:13,931 fail2ban.jail           [8545]: INFO    Jail 'openvpn' uses systemd {}
2020-04-09 09:26:13,932 fail2ban.jail           [8545]: INFO    Initiated 'systemd' backend
2020-04-09 09:26:13,944 fail2ban.filtersystemd  [8545]: INFO    [openvpn] Added journal match for: '_SYSTEMD_UNIT=openvpn-server at xss.service + _COMM=openvpn'
2020-04-09 09:26:13,944 fail2ban.actions        [8545]: INFO      banTime: 10800
2020-04-09 09:26:13,944 fail2ban.filter         [8545]: INFO      maxRetry: 2
2020-04-09 09:26:13,944 fail2ban.filter         [8545]: INFO      encoding: UTF-8
2020-04-09 09:26:13,945 fail2ban.filter         [8545]: INFO      findtime: 3600
2020-04-09 09:26:13,949 fail2ban.jail           [8545]: INFO    Jail 'apache-badbots' started
2020-04-09 09:26:13,952 fail2ban.jail           [8545]: INFO    Jail 'apache-noscript' started
2020-04-09 09:26:13,954 fail2ban.jail           [8545]: INFO    Jail 'apache-overflows' started
2020-04-09 09:26:13,956 fail2ban.jail           [8545]: INFO    Jail 'apache-nohome' started
2020-04-09 09:26:13,961 fail2ban.jail           [8545]: INFO    Jail 'apache' started
2020-04-09 09:26:13,964 fail2ban.jail           [8545]: INFO    Jail 'openvpn' started
[...]


BUT: SELinux complains about fail2ban:

type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

So it seems somehow fail2ban does not add the required ip sets correctly.

From what I see in firewalld logfile it seems these problems started after the last updates on April 2nd.

On this day I did a "yum update" which executed without errors and installed:

augeas-libs-1.4.0-9.el7_7.1.x86_64            Do 02 Apr 2020 20:14:27 CEST
restic-0.9.6-1.el7.x86_64                     Do 02 Apr 2020 20:14:25 CEST
python-perf-3.10.0-1062.18.1.el7.x86_64       Do 02 Apr 2020 20:14:23 CEST
python3-pip-9.0.3-7.el7_7.noarch              Do 02 Apr 2020 20:14:23 CEST
borgbackup-1.1.11-1.el7.x86_64                Do 02 Apr 2020 20:14:19 CEST
libgudev1-219-67.el7_7.4.x86_64               Do 02 Apr 2020 20:14:18 CEST
kernel-tools-3.10.0-1062.18.1.el7.x86_64      Do 02 Apr 2020 20:14:16 CEST
pcp-4.3.2-5.el7_7.x86_64                      Do 02 Apr 2020 20:14:01 CEST
kernel-3.10.0-1062.18.1.el7.x86_64            Do 02 Apr 2020 20:13:44 CEST
systemd-python-219-67.el7_7.4.x86_64          Do 02 Apr 2020 20:13:27 CEST
systemd-sysv-219-67.el7_7.4.x86_64            Do 02 Apr 2020 20:13:26 CEST
rsyslog-8.24.0-41.el7_7.4.x86_64              Do 02 Apr 2020 20:13:26 CEST
python2-certbot-apache-1.3.0-1.el7.noarch     Do 02 Apr 2020 20:13:25 CEST
sssd-1.16.4-21.el7_7.3.x86_64                 Do 02 Apr 2020 20:13:24 CEST
firewalld-0.6.3-2.el7_7.4.noarch              Do 02 Apr 2020 20:13:24 CEST
sssd-proxy-1.16.4-21.el7_7.3.x86_64           Do 02 Apr 2020 20:13:23 CEST
sssd-krb5-1.16.4-21.el7_7.3.x86_64            Do 02 Apr 2020 20:13:23 CEST
sssd-ldap-1.16.4-21.el7_7.3.x86_64            Do 02 Apr 2020 20:13:22 CEST
sssd-ipa-1.16.4-21.el7_7.3.x86_64             Do 02 Apr 2020 20:13:22 CEST
sssd-ad-1.16.4-21.el7_7.3.x86_64              Do 02 Apr 2020 20:13:22 CEST
sssd-krb5-common-1.16.4-21.el7_7.3.x86_64     Do 02 Apr 2020 20:13:21 CEST
sssd-common-pac-1.16.4-21.el7_7.3.x86_64      Do 02 Apr 2020 20:13:21 CEST
sssd-common-1.16.4-21.el7_7.3.x86_64          Do 02 Apr 2020 20:13:20 CEST
http-parser-2.7.1-8.el7_7.2.x86_64            Do 02 Apr 2020 20:13:19 CEST
python-firewall-0.6.3-2.el7_7.4.noarch        Do 02 Apr 2020 20:13:18 CEST
certbot-1.3.0-1.el7.noarch                    Do 02 Apr 2020 20:13:11 CEST
python2-certbot-1.3.0-1.el7.noarch            Do 02 Apr 2020 20:13:10 CEST
python2-acme-1.3.0-1.el7.noarch               Do 02 Apr 2020 20:13:09 CEST
python-requests-2.6.0-9.el7_7.noarch          Do 02 Apr 2020 20:13:08 CEST
systemd-219-67.el7_7.4.x86_64                 Do 02 Apr 2020 20:13:05 CEST
kmod-20-25.el7_7.1.x86_64                     Do 02 Apr 2020 20:13:02 CEST
binutils-2.27-41.base.el7_7.3.x86_64          Do 02 Apr 2020 20:13:00 CEST
pcp-selinux-4.3.2-5.el7_7.x86_64              Do 02 Apr 2020 20:12:48 CEST
libsss_autofs-1.16.4-21.el7_7.3.x86_64        Do 02 Apr 2020 20:12:47 CEST
kernel-tools-libs-3.10.0-1062.18.1.el7.x86_64 Do 02 Apr 2020 20:12:46 CEST
python-sssdconfig-1.16.4-21.el7_7.3.noarch    Do 02 Apr 2020 20:12:45 CEST
libsss_sudo-1.16.4-21.el7_7.3.x86_64          Do 02 Apr 2020 20:12:45 CEST
firewalld-filesystem-0.6.3-2.el7_7.4.noarch   Do 02 Apr 2020 20:12:44 CEST
sssd-client-1.16.4-21.el7_7.3.x86_64          Do 02 Apr 2020 20:12:43 CEST
libsss_nss_idmap-1.16.4-21.el7_7.3.x86_64     Do 02 Apr 2020 20:12:42 CEST
libipa_hbac-1.16.4-21.el7_7.3.x86_64          Do 02 Apr 2020 20:12:42 CEST
pcp-libs-4.3.2-5.el7_7.x86_64                 Do 02 Apr 2020 20:12:41 CEST
pcp-conf-4.3.2-5.el7_7.x86_64                 Do 02 Apr 2020 20:12:41 CEST
kmod-libs-20-25.el7_7.1.x86_64                Do 02 Apr 2020 20:12:40 CEST
libsss_idmap-1.16.4-21.el7_7.3.x86_64         Do 02 Apr 2020 20:12:39 CEST
libsss_certmap-1.16.4-21.el7_7.3.x86_64       Do 02 Apr 2020 20:12:33 CEST
systemd-libs-219-67.el7_7.4.x86_64            Do 02 Apr 2020 20:12:32 CEST

The firewalld errors start exactly after the updates were installed.
Does anyone else see similar problems since the last updates?

I googled and found some older postings, but nothing matching the
problems I see exactly.

I have other CentOS 7 servers with fail2ban and firewalld which
should be updated soon, but before I do this I first want to solve
this issue.

Any idea?

Thanks!

- andreas

-- 
Andreas Haumer                     | mailto:andreas at xss.co.at
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20200409/086b7d1a/attachment-0004.sig>