ClearFoundation Tracker - ClearOS | |||||
View Issue Details | |||||
ID | Project | Category | View Status | Date Submitted | Last Update |
0017131 | ClearOS | app-attack-detector - Attack Detector | public | 2017-09-14 14:41 | 2017-09-21 19:54 |
Reporter | NickH | ||||
Assigned To | user2 | ||||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | OS | OS Version | |||
Product Version | |||||
Target Version | 7.4.0 Beta 1 | Fixed in Version | 7.4.0 Beta 1 | ||
Summary | 0017131: Race condition in app-attack-detector on boot | ||||
Description | Please see the forum thread https://www.clearos.com/clearfoundation/social/community/attack-detector-fail2ban-sshd-iptables-rule-missing-at-boot-time#

On boot up, ip_set is not loaded by default so fail2ban loads it at some point when it starts. Unfortunately it appears that f2b starts applying firewall rules before ip_set loads and one of the rules fails. I've tested with all 5 ClearOS rules enabled on my G10 Microserver and each time I see the following in the logs:

2017-09-14 21:10:39,450 fail2ban.jail [3589]: INFO Jail 'sshd' started
2017-09-14 21:10:39,459 fail2ban.jail [3589]: INFO Jail 'sshd-ddos' started
2017-09-14 21:10:39,462 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,468 fail2ban.jail [3589]: INFO Jail 'proftpd' started
2017-09-14 21:10:39,487 fail2ban.jail [3589]: INFO Jail 'postfix-sasl' started
2017-09-14 21:10:39,498 fail2ban.filtersystemd [3589]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2017-09-14 21:10:39,508 fail2ban.jail [3589]: INFO Jail 'cyrus-imap' started
2017-09-14 21:10:39,557 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-09-14 21:10:39,558 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: "ipset v6.19: Cannot open session to kernel.\niptables v1.4.21: Set f2b-sshd doesn't exist.\n\nTry `iptables -h' or 'iptables --help' for more information.\n"
2017-09-14 21:10:39,563 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 iptables -w -I INPUT -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 2
2017-09-14 21:10:39,564 fail2ban.actions [3589]: ERROR Failed to start jail 'sshd' action 'iptables-ipset-proto6-allports': Error starting action

This is really an upstream bug and I'll report it to the f2b mailing list but it can be fixed simply in ClearOS by forcing ip_set to load earlier on boot. To do this we need to drop a file called anything.modules into /etc/sysconfig/modules and give it execute permissions. In it put:

modprobe ip_set

or, if you are more polite, something like:

if [ "`lsmod | grep ip_set`" = "" ]; then
    modprobe ip_set
fi

This could be packaged into app-attack-detector. | ||||
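The fix the reporter describes, packaged as an idempotent drop-in together with a check for the symptom in the log, as an added example that is neither the ticket's code nor part of app-attack-detector. The file name /etc/sysconfig/modules/ip_set.modules, the function names and the sample log lines are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the ticket or from app-attack-detector.
# (1) ip_set_loaded / install_ip_set_dropin package the reporter's fix: an
#     executable /etc/sysconfig/modules/*.modules file that loads ip_set
#     before fail2ban starts applying its ipset-based actions.
# (2) failed_jails / ipset_session_errors scan fail2ban log lines for the
#     symptom shown in the ticket, so the race can be spotted if it recurs.

# Exact-name check against /proc/modules (path overridable for testing)
# instead of `lsmod | grep ip_set`, which also matches ip_set_hash_ip etc.
ip_set_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] || return 1
    awk '$1 == "ip_set" { found = 1 } END { exit found ? 0 : 1 }' "$modules"
}

# Write the drop-in (assumed name) and mark it executable, as the ticket says
# files in /etc/sysconfig/modules must be.
install_ip_set_dropin() {
    target="${1:-/etc/sysconfig/modules/ip_set.modules}"
    cat > "$target" <<'EOF'
#!/bin/sh
# Force ip_set to load early so fail2ban's ipset actions do not race it.
if ! awk '$1 == "ip_set" { found = 1 } END { exit found ? 0 : 1 }' /proc/modules; then
    modprobe ip_set
fi
EOF
    chmod 0755 "$target"
}

# Print, one per line, the jails whose action failed to start (log on stdin).
failed_jails() {
    awk -F"'" '/ERROR Failed to start jail/ { print $2 }' | sort -u
}

# Count "Cannot open session to kernel" lines: the ipset message that tells a
# missing ip_set module apart from other iptables failures (log on stdin).
ipset_session_errors() {
    grep -c 'Cannot open session to kernel' || true
}

# Constructed sample modelled on the ticket's log (abbreviated).
SAMPLE_LOG="2017-09-14 21:10:39,450 fail2ban.jail [3589]: INFO Jail 'sshd' started
2017-09-14 21:10:39,558 fail2ban.action [3589]: ERROR ipset create f2b-sshd hash:ip timeout 600 -- stderr: \"ipset v6.19: Cannot open session to kernel.\"
2017-09-14 21:10:39,564 fail2ban.actions [3589]: ERROR Failed to start jail 'sshd' action 'iptables-ipset-proto6-allports': Error starting action"

# Demonstration over the sample: prints "sshd" and "1".
printf '%s\n' "$SAMPLE_LOG" | failed_jails
printf '%s\n' "$SAMPLE_LOG" | ipset_session_errors
```

On a live system, `ip_set_loaded` with no argument reads the real /proc/modules, and `install_ip_set_dropin` with no argument writes to /etc/sysconfig/modules, so run those as root only when you mean to.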
Steps To Reproduce | |||||
Additional Information | |||||
Tags | No tags attached. | ||||
Relationships | |||||
Attached Files | |||||
Issue History | |||||
Date Modified | Username | Field | Change | ||
2017-09-14 14:41 | NickH | New Issue | |||
2017-09-14 19:09 | user2 | Status | new => confirmed | ||
2017-09-14 19:14 | user2 | Note Added: 0006481 | |||
2017-09-14 19:15 | user2 | Target Version | => 7.4.0 Beta 1 | ||
2017-09-17 14:35 | user2 | Status | confirmed => resolved | ||
2017-09-17 14:35 | user2 | Fixed in Version | => 7.4.0 Beta 1 | ||
2017-09-17 14:35 | user2 | Resolution | open => fixed | ||
2017-09-17 14:35 | user2 | Assigned To | => user2 | ||
2017-09-21 19:54 | user2 | Status | resolved => closed |
Notes | |||||