[pkg-netfilter-team] Bug#888154: iptables: ip4/6 handling ambiguous and f2b no longer starts
Christoph Anton Mitterer
calestyo at scientia.net
Tue Jan 23 17:22:14 UTC 2018
Package: iptables
Version: 1.6.1-2+b1
Severity: important
Hi.
It seems that with the new version no chains/rules get added to netfilter for me.
What I do is, I have dummy hook rules in my system's ip[6]tables rule sets, loaded
at start by netfilter-persistent... and I've modified:
/etc/fail2ban/action.d/iptables-multiport.conf
to add/remove any rules at exactly the desired positions, by replacing the dummy hook
(on start) or adding it back (on stop).
That looks e.g. like this:
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              rulenum="$( <iptables> -L <chain> --line-numbers | grep '/\* f2b-hook-<name> \*/' | cut -d ' ' -f 1 )"
              <iptables> -R <chain> "${rulenum}" -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = rulenum="$( <iptables> -L <chain> --line-numbers | grep f2b-<name> | cut -d ' ' -f 1 )"
             <iptables> -R <chain> "${rulenum}" --in-interface lo -m comment --comment f2b-hook-<name>
             <actionflush>
             <iptables> -X f2b-<name>
First I get the number of the hook rule, then I replace it (on start) with f2b's rule, or vice versa.
But now nothing seems to happen (on starting f2b): no chains/rules get added, and the debug log
doesn't prove to be really useful to me:
2018-01-23 18:14:58,579 fail2ban.server [4689]: INFO --------------------------------------------------
2018-01-23 18:14:58,580 fail2ban.server [4689]: INFO Starting Fail2ban v0.10.2
2018-01-23 18:14:58,580 fail2ban.server [4689]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2018-01-23 18:14:58,580 fail2ban.server [4689]: DEBUG Starting communication
2018-01-23 18:14:58,584 fail2ban.database [4689]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-01-23 18:14:58,585 fail2ban.jail [4689]: INFO Creating new jail 'sshd'
2018-01-23 18:14:58,591 fail2ban.jail [4689]: INFO Jail 'sshd' uses pyinotify {}
2018-01-23 18:14:58,592 fail2ban.filter [4689]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2018-01-23 18:14:58,592 fail2ban.filter [4689]: DEBUG Created FilterPyinotify(Jail('sshd'))
2018-01-23 18:14:58,595 fail2ban.filterpyinotify[4689]: DEBUG Created FilterPyinotify
2018-01-23 18:14:58,595 fail2ban.jail [4689]: INFO Initiated 'pyinotify' backend
2018-01-23 18:14:58,597 fail2ban.filter [4689]: INFO maxLines: 1
2018-01-23 18:14:58,598 fail2ban.server [4689]: DEBUG prefregex: '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'
2018-01-23 18:14:58,605 fail2ban.server [4689]: DEBUG failregex: '^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,607 fail2ban.server [4689]: DEBUG failregex: '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,609 fail2ban.server [4689]: DEBUG failregex: '^Failed \\S+ for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2018-01-23 18:14:58,611 fail2ban.server [4689]: DEBUG failregex: '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2018-01-23 18:14:58,616 fail2ban.server [4689]: DEBUG failregex: '^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,619 fail2ban.server [4689]: DEBUG failregex: '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$'
2018-01-23 18:14:58,622 fail2ban.server [4689]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,625 fail2ban.server [4689]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,627 fail2ban.server [4689]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,628 fail2ban.server [4689]: DEBUG failregex: '^refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,629 fail2ban.server [4689]: DEBUG failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,630 fail2ban.server [4689]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,631 fail2ban.server [4689]: DEBUG failregex: "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"
2018-01-23 18:14:58,631 fail2ban.server [4689]: DEBUG failregex: '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=<F-USER>\\S*</F-USER>\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,632 fail2ban.server [4689]: DEBUG failregex: '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,633 fail2ban.server [4689]: DEBUG failregex: '^User <F-USER>.+</F-USER> not allowed because account is locked(?: \\[preauth\\])?\\s*'
2018-01-23 18:14:58,633 fail2ban.server [4689]: DEBUG failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: \\[preauth\\])?\\s*'
2018-01-23 18:14:58,633 fail2ban.server [4689]: DEBUG failregex: '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:'
2018-01-23 18:14:58,634 fail2ban.server [4689]: DEBUG failregex: '^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>(?: \\[preauth\\])?\\s*$'
2018-01-23 18:14:58,635 fail2ban.server [4689]: DEBUG failregex: '^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \\S+ from <HOST>(?:\\s|$)'
2018-01-23 18:14:58,635 fail2ban.server [4689]: DEBUG failregex: '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>'
2018-01-23 18:14:58,636 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<Y>(?:202|201)\d)(?P<_sep>[-/.])(?P<m>1[0-2]|0[1-9]|[1-9])(?P=_sep)(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?:T| ?)(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:[.,](?P<f>[0-9]{1,6}))?(?:\s*(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,636 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<Y>(?:202|201)\d)(?P<_sep>[-/.])(?P<m>1[0-2]|0[1-9]|[1-9])(?P=_sep)(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?:T| ?)(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:[.,](?P<f>[0-9]{1,6}))?(?:\s*(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) (?P<Y>(?:202|201)\d) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?)(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) (?P<Y>(?:202|201)\d) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?)(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?P<_sep>[-/])(?P<m>1[0-2]|0[1-9]|[1-9])(?P=_sep)(?:(?P<Y>(?:202|201)\d)|(?P<y>(?:2|1)\d)) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,637 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?P<_sep>[-/])(?P<m>1[0-2]|0[1-9]|[1-9])(?P=_sep)(?:(?P<Y>(?:202|201)\d)|(?P<y>(?:2|1)\d)) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?P<_sep>[-/])(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?P=_sep)(?P<Y>(?:202|201)\d)[ :]?(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])(?P<_sep>[-/])(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?P=_sep)(?P<Y>(?:202|201)\d)[ :]?(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<m>1[0-2]|0[1-9]|[1-9])/(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])/(?P<Y>(?:202|201)\d):(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<m>1[0-2]|0[1-9]|[1-9])/(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])/(?P<Y>(?:202|201)\d):(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<m>1[0-2]|0[1-9]|[1-9])-(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])-(?P<Y>(?:202|201)\d) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?)(?=\b|\W|$)
2018-01-23 18:14:58,638 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<m>1[0-2]|0[1-9]|[1-9])-(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])-(?P<Y>(?:202|201)\d) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?)(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex ((?:^|(?P<square>(?<=^\[))|(?P<selinux>(?<=\baudit\()))\d{10,11}\b(?:\.\d{3,6})?)(?:(?(selinux)(?=:\d+\)))|(?(square)(?=\])))(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<square>(?<=^\[))?\d{10,11}\b(?:\.\d{3,6})?)(?(square)(?=\]))(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(<(?P<m>1[0-2]|0[1-9]|[1-9])/(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])/(?P<y>(?:2|1)\d)@(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)>)(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<y>(?:2|1)\d)(?P<m>1[0-2]|0[1-9])(?P<d>3[0-1]|[1-2]\d|0[1-9]) ?(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,639 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<y>(?:2|1)\d)(?P<m>1[0-2]|0[1-9])(?P<d>3[0-1]|[1-2]\d|0[1-9]) ?(?P<H>2[0-3]|[0-1]\d|\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,640 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]), (?P<Y>(?:202|201)\d) (?P<I>1[0-2]|0[1-9]|[1-9]):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d) (?P<p>am|pm))(?=\b|\W|$)
2018-01-23 18:14:58,640 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]), (?P<Y>(?:202|201)\d) (?P<I>1[0-2]|0[1-9]|[1-9]):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d) (?P<p>am|pm))(?=\b|\W|$)
2018-01-23 18:14:58,640 fail2ban.datetemplate [4689]: DEBUG constructed regex (?iu)^((?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)-(?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])-(?P<y>(?:2|1)\d) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d))(?=\b|\W|$)
2018-01-23 18:14:58,640 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)((?P<Y>(?:202|201)\d)(?P<m>1[0-2]|0[1-9])(?P<d>3[0-1]|[1-2]\d|0[1-9])(?:T| ?)(?P<H>2[0-3]|[0-1]\d)(?P<M>[0-5]\d)(?P<S>6[0-1]|[0-5]\d)(?:[.,](?P<f>[0-9]{1,6}))?(?:\s*(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,640 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?((?P<Y>(?:202|201)\d)(?P<m>1[0-2]|0[1-9])(?P<d>3[0-1]|[1-2]\d|0[1-9])(?:T| ?)(?P<H>2[0-3]|[0-1]\d)(?P<M>[0-5]\d)(?P<S>6[0-1]|[0-5]\d)(?:[.,](?P<f>[0-9]{1,6}))?(?:\s*(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?))?)(?=\b|\W|$)
2018-01-23 18:14:58,641 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,641 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,641 fail2ban.datetemplate [4689]: DEBUG constructed regex (?:^|\b|\W)(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,642 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9]) ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:202|201)\d))?)(?=\b|\W|$)
2018-01-23 18:14:58,642 fail2ban.datetemplate [4689]: DEBUG constructed regex (@[0-9a-f]{24})(?=\b|\W|$)
2018-01-23 18:14:58,642 fail2ban.datetemplate [4689]: DEBUG constructed regex ^(?:\W{0,2})?(@[0-9a-f]{24})(?=\b|\W|$)
2018-01-23 18:14:58,643 fail2ban.server [4689]: INFO Jail sshd is not a JournalFilter instance
2018-01-23 18:14:58,643 fail2ban.filter [4689]: INFO Added logfile: '/var/log/auth.log' (pos = 43654, hash = 84e83beb29ae32b76eb23a3b538cb0fed9db1e95)
2018-01-23 18:14:58,644 fail2ban.filterpyinotify[4689]: DEBUG New <Watch wd=1 path=/var/log mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0x7fef3a987d90> dir=True >
2018-01-23 18:14:58,644 fail2ban.filterpyinotify[4689]: DEBUG Added monitor for the parent directory /var/log
2018-01-23 18:14:58,645 fail2ban.filterpyinotify[4689]: DEBUG New <Watch wd=2 path=/var/log/auth.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0x7fef3a987d90> dir=False >
2018-01-23 18:14:58,645 fail2ban.filterpyinotify[4689]: DEBUG Added file watcher for /var/log/auth.log
2018-01-23 18:14:58,645 fail2ban.filter [4689]: DEBUG Seek to find time 1516727098.6441097 (2018-01-23 18:04:58), file size 44630
2018-01-23 18:14:58,650 fail2ban.filter [4689]: DEBUG Position 43654 from 44630, found time 1516727683.0 (2018-01-23 18:14:43) within 1 seeks
2018-01-23 18:14:58,651 fail2ban.filter [4689]: INFO encoding: UTF-8
2018-01-23 18:14:58,652 fail2ban.filter [4689]: INFO maxRetry: 5
2018-01-23 18:14:58,654 fail2ban.filter [4689]: INFO findtime: 600
2018-01-23 18:14:58,655 fail2ban.actions [4689]: INFO banTime: 600
2018-01-23 18:14:58,655 fail2ban.filter [4689]: DEBUG Setting usedns = no for FilterPyinotify(Jail('sshd'))
2018-01-23 18:14:58,656 fail2ban.CommandAction [4689]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2018-01-23 18:14:58,656 fail2ban.CommandAction [4689]: DEBUG Set actionstart = '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\nrulenum="$( <iptables> -L INPUT --line-numbers | grep \'/\\* f2b-hook-sshd \\*/\' | cut -d \' \' -f 1 )"\n<iptables> -R INPUT "${rulenum}" -p tcp -m multiport --dports ssh -j f2b-sshd'
2018-01-23 18:14:58,656 fail2ban.CommandAction [4689]: DEBUG Set actionstop = 'rulenum="$( <iptables> -L INPUT --line-numbers | grep f2b-sshd | cut -d \' \' -f 1 )"\n<iptables> -R INPUT "${rulenum}" --in-interface lo -m comment --comment f2b-hook-sshd\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd'
2018-01-23 18:14:58,656 fail2ban.CommandAction [4689]: DEBUG Set actionflush = '<iptables> -F f2b-sshd'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-sshd[ \\t]'"
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set actionban = '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set actionunban = '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set name = 'sshd'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set bantime = '600'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set port = 'ssh'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set protocol = 'tcp'
2018-01-23 18:14:58,657 fail2ban.CommandAction [4689]: DEBUG Set chain = '<known/chain>'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set actname = 'iptables-multiport'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set returntype = 'RETURN'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set lockingopt = '-w'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set iptables = 'iptables <lockingopt>'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2018-01-23 18:14:58,658 fail2ban.CommandAction [4689]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2018-01-23 18:14:58,659 fail2ban.jail [4689]: DEBUG Starting jail 'sshd'
2018-01-23 18:14:58,659 fail2ban.filterpyinotify[4689]: DEBUG [sshd] filter started (pyinotifier)
2018-01-23 18:14:58,659 fail2ban.jail [4689]: INFO Jail 'sshd' started
2018-01-23 18:17:01,164 fail2ban.filterpyinotify[4689]: DEBUG Event queue size: 16
2018-01-23 18:17:01,166 fail2ban.filterpyinotify[4689]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
I'm also puzzled that there are no separate start/stop actions for v4 and v6.
Because what I do above of course means that the rule number can be different
for v4 and v6 rules... so it would only work if the start and the stop action
are fully executed for each of v4 and v6.
Any ideas?
Thanks,
Chris.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iptables depends on:
ii libc6 2.26-4
ii libip4tc0 1.6.1-2+b1
ii libip6tc0 1.6.1-2+b1
ii libiptc0 1.6.1-2+b1
ii libnetfilter-conntrack3 1.0.6-2
ii libnfnetlink0 1.0.1-3+b1
ii libxtables12 1.6.1-2+b1
iptables recommends no packages.
Versions of packages iptables suggests:
ii kmod 25-1
-- no debconf information
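The hook-swap logic from the report above, as an added example that is not part of the bug report and not code from fail2ban or iptables. It keeps the report's names (chain INPUT, hook comment f2b-hook-<name>, jump chain f2b-<name>, the `-w` locking option) but looks the rule number up with a strict parser that insists on exactly one match, and runs the start/stop step once per family so iptables and ip6tables each get their own rule number, which is the gap the report points out. The function names and the two listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report, fail2ban or iptables): the report's
# hook-swap logic with a strict rule-number lookup, run per address family.
# Function names are hypothetical; chain/hook names follow the report.

# Print the number of the one rule in a `-L <chain> --line-numbers` listing
# (read on stdin) whose comment is exactly "/* HOOK */". Exit 1 unless exactly
# one rule matches, so the caller never runs `-R` with an empty or wrong number.
find_hook_rulenum() {
    awk -v hook="/* $1 */" '
        index($0, hook) { n++; num = $1 }
        END { if (n != 1) exit 1; print num }'
}

# Same, for the rule whose target column (field 2) is exactly TARGET, e.g. f2b-sshd.
# Comparing the field instead of grepping the line keeps f2b-sshd-alt from matching.
find_jump_rulenum() {
    awk -v target="$1" '
        $2 == target { n++; num = $1 }
        END { if (n != 1) exit 1; print num }'
}

# Start: replace the hook rule in CHAIN with the jump into f2b-NAME, one family.
# IPT is iptables or ip6tables; the number is looked up with that same command,
# because the hook can sit at a different position in the v4 and v6 rule sets.
swap_hook_for_jump() {
    ipt="$1"; chain="$2"; name="$3"; proto="$4"; ports="$5"
    num="$("$ipt" -w -L "$chain" --line-numbers | find_hook_rulenum "f2b-hook-$name")" || {
        echo "$ipt: expected exactly one f2b-hook-$name rule in $chain" >&2
        return 1
    }
    "$ipt" -w -R "$chain" "$num" -p "$proto" -m multiport --dports "$ports" -j "f2b-$name"
}

# Stop: put the dummy hook back in place of the jump rule, one family.
swap_jump_for_hook() {
    ipt="$1"; chain="$2"; name="$3"
    num="$("$ipt" -w -L "$chain" --line-numbers | find_jump_rulenum "f2b-$name")" || {
        echo "$ipt: expected exactly one jump to f2b-$name in $chain" >&2
        return 1
    }
    "$ipt" -w -R "$chain" "$num" -i lo -m comment --comment "f2b-hook-$name"
}

# Run the start/stop step once per family, each with its own rule-number lookup.
f2b_start_all() { for ipt in iptables ip6tables; do swap_hook_for_jump "$ipt" INPUT "$1" tcp "$2" || return 1; done; }
f2b_stop_all()  { for ipt in iptables ip6tables; do swap_jump_for_hook "$ipt" INPUT "$1" || return 1; done; }

# Constructed listings (not captured from a real host) in the format of
# `iptables -L INPUT --line-numbers`, before and after the hook swap. The
# hook rule has no target, so its target column is empty.
LISTING_BEFORE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2               all  --  anywhere             anywhere             /* f2b-hook-sshd */
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4               all  --  anywhere             anywhere             /* f2b-hook-sshd-alt */'

LISTING_AFTER='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    f2b-sshd-alt  all  --  anywhere          anywhere             /* f2b-hook-sshd-alt */'

# Offline demos on the constructed listings; no iptables binary is needed.
hook_demo() { printf '%s\n' "$LISTING_BEFORE" | find_hook_rulenum "$1"; }
jump_demo() { printf '%s\n' "$LISTING_AFTER"  | find_jump_rulenum "$1"; }
```

Run `hook_demo f2b-hook-sshd` or `jump_demo f2b-sshd` to exercise the parsers on the sample listings (both print 2); `f2b_start_all sshd ssh` and `f2b_stop_all sshd` need root and real iptables/ip6tables. The stop lookup matches the target column exactly, so a neighbouring jail named sshd-alt is not touched, and a zero or duplicate match aborts instead of replacing whatever rule the empty `${rulenum}` would have resolved to.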