Nasty Fail2Ban Update For CentOS 7


Hi all…

Recently a new Fail2Ban was available among some other updates for my CentOS 7 system, and I just updated all. It seems that was a very BAD idea.

Just noticed that Fail2Ban has generated a 6MB error log because of the update, and FirewallD a 1MB log of errors!
(not sure if any of those were really working after this)

OK, I’ll just run yum downgrade fail2ban, I thought. Naa, no way back – EPEL doesn’t have a fallback option!

Then gotta dig into Koji, to find the old version, download it, and downgrade to that – and phew, everything is back to normal.

The old one seems to be version 0.9.7 and the new one is 0.10.4

I haven’t had time to look into Fail2Ban’s info about these 2 versions, but since there is a major version change – is it really possible to just upgrade these?

Sure, I would love to have a working 0.10.4 for my CentOS 7 – but it shouldn’t destroy my existing system – or it should at least warn me about that – or what to fix.

Allan.

8 thoughts on - Nasty Fail2Ban Update For CentOS 7

  • On 31/12/2019 at 03:14, Allan wrote:

    I have automatic updates with yum-cron on all my production servers. Fail2ban has been recently upgraded to 0.10.4 and still works perfectly.

    tl;dr : don’t worry be happy :o)

    Cheers,

    Niki


    Microlinux – Sustainable IT solutions
    7, place de l’église – 30730 Montpezat
    Web: https://www.microlinux.fr
    Mail: info@microlinux.fr
    Tel.: 04 66 63 10 32
    Mob.: 06 51 80 12 12

  • Just a random stab in the dark, but CentOS6 was iptables, and CentOS7 is firewalld. They take different fail2ban packages.

    CentOS6 = fail2ban
    CentOS7 = fail2ban-firewalld

    Are you sure you are running the correct fail2ban package for your firewall? (I screwed this up myself before I noticed and fixed it…)

    Good Luck!
    Thanks,

    John H. Nyhuis Desk: (206)-685-8334
    jnyhuis@uw.edu Box 359461, 15th floor, 106

  • On Tue, 31 Dec 2019 10:19:26 +0100, Nicolas Kovacs wrote:

    Well, tend to worry a lot, when the logs suddenly have nothing but errors in them…

    ..but thx for letting me know it works for you.

    Allan.

  • On Tue, 31 Dec 2019 18:53:38 +0000, John H Nyhuis wrote:

    I do have the f2b-firewalld package installed yes. Since it was an update – it only replaced same installed packages.

    A standard install of F2B on CentOS7 does also include the f2b-systemd package – which would seem logical. However, after I started using the recidive filter – which IMHO is one of the most important ones – it didn’t work. Removing the f2b-systemd package fixed that – and didn’t hurt anything else.

    I have no idea why that is – or if that could be part of the problem with the update here on my system.

    Allan.

  • On 31/12/2019 at 19:53, John H Nyhuis wrote:

    On my CentOS 7 servers, I have removed firewalld and I’m still using fail2ban with my custom iptables script.

    In this case, the only package you have to install is fail2ban-server.

    Happy New Year,

    Niki



  • If it helps to have another data point, my C7 server has two fail2ban packages installed:

    * fail2ban-firewalld-0.10.4-1.el7.noarch
    * fail2ban-server-0.10.4-1.el7.noarch

    They were upgraded back on December 9 and have worked without any major hiccups.

    The fail2ban-server package provides the systemd unit file, /usr/lib/systemd/system/fail2ban.service, so I was curious to know what the fail2ban-systemd package actually does. The description field for the fail2ban-systemd rpm says,

    All of the logpath entries in my fail2ban configuration point to ordinary /var/log/* files. I don’t know how fail2ban-systemd repoints the logpath entries to use inputs from systemd-journald, but I suspect that’s where the mismatch may be happening.


    Paul Heinlein heinlein@madboa.com
    45°38′ N, 122°6′ W

  • Once upon a time, Allan said:

    It might be helpful to actually post some of the errors and your local config (what you have changed from defaults). Without that, nobody can help figure out what is happening on your system.

    I’m the person that asked for the update – the previous firewalld config was incomplete (set banaction but not banaction_allports), and I wanted to see IPv6 support. I’m using the update on multiple CentOS 7 systems (some with firewalld and some with iptables) without errors.

  • We also had it updated and fail2ban worked perfectly except it did not ban anymore on the sshd jail. This was caused by the /etc/fail2ban/filter.d/sshd.conf file which should have been replaced with a new one from the rpm (there was a sshd.conf.rpmnew file).

    Below the error we found in /var/log/fail2ban.log :
    2019-12-09 10:02:15,294 fail2ban.filtersystemd [13628]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
    2019-12-09 10:02:15,295 fail2ban.filter [13628]: ERROR No failure-id group in 'normal'
    2019-12-09 10:02:15,295 fail2ban.transmitter [13628]: WARNING Command ['set', 'sshd', 'addfailregex', 'normal'] has failed. Received RegexException("No failure-id group in 'normal'",)
    2019-12-09 10:02:15,295 fail2ban [13628]: ERROR NOK: ("No failure-id group in 'normal'",)

    Regards,

    Michel

    ——————————————————————————

    This message may contain confidential information and is intended exclusively for the addressee. If you receive this message unintentionally, please do not use the contents but notify the sender immediately by return e-mail. University Medical Center Utrecht is a legal person by public law and is registered at the Chamber of Commerce for Midden-Nederland under no. 30244197.

    Please consider the environment before printing this e-mail.
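
A post-update check for the two symptoms reported in the last comment above (a packaged config left beside its .rpmnew, and a rejected addfailregex in fail2ban.log), as an added example that is not part of the thread. The function names and the sample directory layout are assumptions, and the sample log lines are constructed from the ones quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): post-update check for fail2ban.

# List config files under DIR that have an unmerged "<file>.rpmnew" beside them.
unmerged_configs() {
    find "$1" -type f -name '*.rpmnew' 2>/dev/null | sed 's/\.rpmnew$//' | sort
}

# List jails whose "addfailregex" command was rejected, read from a fail2ban.log.
broken_jails() {
    sed -n "s/.* WARNING Command \['set', '\([^']*\)', 'addfailregex', .* has failed\..*/\1/p" "$1" | sort -u
}

# Report both symptoms; return 0 when clean, 1 when action is needed.
check_fail2ban_update() {
    status=0
    unmerged=$(unmerged_configs "$1")
    broken=$(broken_jails "$2")
    if [ -n "$unmerged" ]; then
        echo "$unmerged" | sed 's/.*/unmerged packaged config: & (diff against &.rpmnew)/'
        status=1
    fi
    if [ -n "$broken" ]; then
        echo "$broken" | sed 's/.*/jail "&" had a failregex rejected and may not ban/'
        status=1
    fi
    return "$status"
}

# Constructed sample data modelled on the log lines quoted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/etc/filter.d"
touch "$demo/etc/filter.d/sshd.conf" "$demo/etc/filter.d/sshd.conf.rpmnew"
cat > "$demo/fail2ban.log" <<'EOF'
2019-12-09 10:02:15,295 fail2ban.filter [13628]: ERROR No failure-id group in 'normal'
2019-12-09 10:02:15,295 fail2ban.transmitter [13628]: WARNING Command ['set', 'sshd', 'addfailregex', 'normal'] has failed. Received RegexException("No failure-id group in 'normal'",)
EOF
check_fail2ban_update "$demo/etc" "$demo/fail2ban.log" || echo "action needed"
rm -rf "$demo"
```

On a real host the two arguments would be /etc/fail2ban and /var/log/fail2ban.log, the paths named in the comment above.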