Score:1

Fail2ban ban action error on debian


I'm not sure where to start looking for the issue here. This is on Debian 11 (using nftables).

It seems like the nft add set ... command is failing

nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}

My jail.local

[DEFAULT]
# configure nftables
banaction = nftables
chain = input

[sshd]
enabled = true
port = 1984
banaction = nftables[type=multiport]
maxretry = 3
bantime = 600
findtime = 1200

[wordpress]
enabled = true
banaction = nftables[type=multiport]
filter = wordpress
maxretry = 2
bantime = 1h
findtime = 1d
port = http,https
logpath = /var/log/apache2/*access*.log

[modsec]
enabled = true
banaction = nftables[type=multiport]
filter = apache-modsecurity
maxretry = 2
bantime = 1h
findtime = 6h
port = http,https
logpath = /var/log/apache2/*error*.log

part of my nft ruleset

table inet f2b-table {
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
    }
}

And the error

2023-04-08 12:19:26,582 fail2ban.actions        [73157]: NOTICE  [wordpress] Restore Ban 107.180.77.81
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-wordpress reject
done
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'add set inet f2b-table addr-set-wordpress { type ipv4_addr; }'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'Error: No such file or directory'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'add rule inet f2b-table f2b-chain tcp dport { http,https } ip saddr @addr-set-wordpress reject'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: '                                                                    ^^^^^^^^^^^^^^^^^^^'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- returned 1
2023-04-08 12:19:26,652 fail2ban.actions        [73157]: ERROR   Failed to execute ban jail 'wordpress' action 'nftables' info 'ActionInfo({'ip': '107.180.77.81', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f21bc8f48b0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f21bc8f4f70>})': Error starting action Jail('wordpress')/nftables: 'Script error'
Michael T: Figured out the problem - the chain name in nftables is limited to 15 characters max length.
Score:0

Edit: if the nft table is failing, here is what you can try: check that you have the package installed (sudo apt-get install nftables), that the directory /etc/nftables/ exists (if not, sudo mkdir /etc/nftables/) and give it the proper permissions, and check for syntax errors in /etc/nftables.conf.

There is a problem with the nftables rules generated by Fail2Ban. Fix the port value in your jail.local file like this:

[wordpress]
...
port = 80,443
...
[modsec]
...
port = 80,443
...

Then let's modify the banaction directive like this:

[wordpress]
...
banaction = nftables-allports
...

[modsec]
...
banaction = nftables-allports
...

You can then restart Fail2ban: sudo systemctl restart fail2ban

Michael T: I've updated the question - it's the `nft add set ...` command which is failing. It also fails if I do this manually.

Saxtheowl: I have updated my answer.
Score:0

This issue is actually caused by a limit in nftables on the names of tables, chains and sets: the max length is 15 characters.

So if you have the following section in fail2ban:

[wordpress]
enabled = true
banaction = nftables[type=multiport]
filter = wordpress
maxretry = 2
bantime = 1h
findtime = 1d
port = http,https
logpath = /var/log/apache2/*access*.log

Fail2ban tries to create a set called addr-set-wordpress, which is > 15 characters. Changing the section name to [wp] resolves the issue because the set name becomes addr-set-wp.

I think the error message returned by fail2ban needs to be changed to something more helpful.
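As an added example (not fail2ban's code and not from the thread), a pre-flight check that parses a jail.local and reports every enabled nftables jail whose generated set name would exceed a given length. The `addr-set-<jail>` pattern is taken from the failing `nft add set` command in the log above; the 15-character limit is the figure the thread settled on and is passed in as a parameter, so it can be adjusted for an nftables build that accepts longer names.

```python
"""Pre-flight check for fail2ban's nftables ban action (added example).
Flags jails whose generated nftables set name is longer than a limit."""
import configparser
import io

# Prefix observed in the failing command: nft add set ... addr-set-wordpress
ADDR_SET_PREFIX = "addr-set-"


def generated_set_names(jail_local_text: str) -> dict:
    """Return {jail: set_name} for every enabled jail whose banaction
    starts with 'nftables', mirroring the name passed to 'nft add set'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(jail_local_text))
    names = {}
    for jail in cp.sections():          # [DEFAULT] is not a section here
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        banaction = cp.get(jail, "banaction", fallback="")  # DEFAULT applies
        if not banaction.startswith("nftables"):
            continue
        names[jail] = ADDR_SET_PREFIX + jail
    return names


def too_long(jail_local_text: str, max_len: int = 15) -> list:
    """Jails whose set name exceeds max_len, as (jail, set_name, length)."""
    return [(jail, name, len(name))
            for jail, name in generated_set_names(jail_local_text).items()
            if len(name) > max_len]


# Constructed sample mirroring the jail.local from the question.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
banaction = nftables
chain = input

[sshd]
enabled = true
port = 1984
banaction = nftables[type=multiport]

[wordpress]
enabled = true
banaction = nftables[type=multiport]
port = http,https

[modsec]
enabled = true
banaction = nftables[type=multiport]
port = http,https
"""

if __name__ == "__main__":
    for jail, name, n in too_long(SAMPLE_JAIL_LOCAL):
        print(f"[{jail}] -> {name} ({n} chars): shorten the section name")
```

Run against the sample, only [wordpress] is reported (addr-set-wordpress is 18 characters), while addr-set-modsec sits exactly at 15 and passes, which matches the log showing only the wordpress jail failing.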
