Debian Bug report logs - #554162
fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails


Package: fail2ban; Maintainer for fail2ban is Yaroslav Halchenko <debian@onerussian.com>; Source for fail2ban is src:fail2ban.

Reported by: Libor Klepac <libor.klepac@bcom.cz>

Date: Tue, 3 Nov 2009 14:12:02 UTC

Severity: important

Found in versions fail2ban/0.8.4-1, fail2ban/0.8.4+svn20110323-1

Fixed in version fail2ban/0.8.5-2

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.

Forwarded to Yaroslav Halchenko <debian@onerussian.com>



Report forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 14:12:12 GMT)

Acknowledgement sent to Libor Klepac <libor.klepac@bcom.cz>:
New Bug report received and forwarded. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Tue, 03 Nov 2009 14:12:14 GMT)

Message #5 received at submit@bugs.debian.org:

From: Libor Klepac <libor.klepac@bcom.cz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 03 Nov 2009 14:37:48 +0100
Package: fail2ban
Version: 0.8.4-1
Severity: important

Hi,
I have problems with using several jails. It was there before, but didn't hit so hard as today, when I was unable to restart fail2ban cleanly; I was trying it for maybe 50 times (changing configs, installing python2.4 ... etc).
It seems to fail to execute iptables in the correct order, leading to something like this in its output:

-----
iptables: Resource temporarily unavailable.
iptables: No chain/target/match by that name.
iptables v1.4.4: Couldn't load target `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2009-11-03 14:29:14,591 fail2ban.actions.action: ERROR  iptables -N fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd returned 200
-----
Seems like the last rule is executed when the chain is not ready.

This problem is reported upstream, I think:
http://sourceforge.net/tracker/?func=detail&aid=2870788&group_id=121032&atid=689044

With a patch:
http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046

The patch applies fine and seems to help, but I have to use
action = %(action_)s

instead of action_m
action_m = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
          %(mta)s[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
action = %(action_m)s

or the provided
action = %(action_mw)s


With regards
Libor

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.2-20     Linux Standard Base 3.2 init scrip
ii  python                        2.5.4-2    An interactive high-level object-o
ii  python-central                0.6.11     register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.4-2    administration tools for packet fi
ii  whois                         4.7.32     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20081101cvs-2 A simple mail user agent
pn  python-gamin       <none>                (no description available)

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 16:03:25 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Tue, 03 Nov 2009 16:03:25 GMT)

Message #10 received at 554162@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Libor Klepac <libor.klepac@bcom.cz>, 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 3 Nov 2009 10:00:30 -0500
brr... are you sure it's not just some problem with iptables? What if,
whenever there is no fail2ban running, you run those commands while being
root:

iptables -N fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd

will you get at some point that
iptables v1.4.4: Couldn't load target `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open shared object file: No such file or directory

or would there be any other error reported?

On Tue, 03 Nov 2009, Libor Klepac wrote:

> Package: fail2ban
> Version: 0.8.4-1
> Severity: important

> Hi,
> I have problems with using several jails. It was there before, but didn't hit so hard as today, when I was unable to restart fail2ban cleanly; I was trying it for maybe 50 times (changing configs, installing python2.4 ... etc).
> It seems to fail to execute iptables in the correct order, leading to something like this in its output:

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]






Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 18:39:55 GMT)

Acknowledgement sent to Libor Klepáč <libor.klepac@bcom.cz>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Tue, 03 Nov 2009 18:39:55 GMT)

Message #15 received at 554162@bugs.debian.org:

From: Libor Klepáč <libor.klepac@bcom.cz>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 3 Nov 2009 18:24:09 +0100
Hi,
there seems to be some problem with the sequence of commands run from python.
Maybe our server is too powerful? (PowerEdge 2950 with two 4-core processors;
the old server was some old Pentium 4 with HT, there were no such problems)

If I run those commands separately from the command line, there is no problem.

But if the whole (multiline) actionstart is run, there seems to be a problem with
the order of commands.
The problem is that
iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd
is run at a time when there is no such chain, so the kernel tries to autoload a
module for it (but there is no such module) (you can try it by running this
command).

You get this:
iptables v1.4.4: Couldn't load target `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open shared object file: No such file or directory

The patch from sf explodes actionstart by newline and launches each line
separately (maybe with some locking? I can't read python).

With regards
Libor


On Tuesday 03 November 2009 16:00:30 Yaroslav Halchenko wrote:
> brr... are you sure you just have some problem with iptables? what if
> whenever there is no fail2ban running you run those commands while being
> root
> 
> iptables -N fail2ban-proftpd
> iptables -A fail2ban-proftpd -j RETURN
> iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data
>  -j fail2ban-proftpd
> 
> will you get at some point that
> iptables v1.4.4: Couldn't load target
>  `fail2ban-proftpd':/lib/xtables/libipt_fail2ban-proftpd.so: cannot open
>  shared object file: No such file or directory
> 
> or would be there any other error reported?
> 
> On Tue, 03 Nov 2009, Libor Klepac wrote:
> > Package: fail2ban
> > Version: 0.8.4-1
> > Severity: important
> >
> > Hi,
> > I have problems with using several jails. It was there before, but didn't
> > hit so hard as today, when I was unable to restart fail2ban cleanly; I
> > was trying it for maybe 50 times (changing configs, installing python2.4
> > ... etc). It seems to fail to execute iptables in the correct order, leading to
> > something like this in its output:
> 

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 19:27:03 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Tue, 03 Nov 2009 19:27:03 GMT)

Message #20 received at 554162@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Libor Klepáč <libor.klepac@bcom.cz>, 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 3 Nov 2009 14:14:07 -0500
d'oh me -- I've read your original incorrectly (that you applied the patch
and it didn't help ;-)).

Just out of "research" -- could you please run in a shell all 3 commands
in a single line like

iptables -N fail2ban-proftpd; iptables -A fail2ban-proftpd -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd

I would really not expect some out-of-order execution from Python's
os.system, and it might be that the real problem is buried deeper.


On Tue, 03 Nov 2009, Libor Klepáč wrote:

> Hi,
> there seems to be some problem with the sequence of commands run from python.
> Maybe our server is too powerful? (PowerEdge 2950 with two 4-core processors;
> the old server was some old Pentium 4 with HT, there were no such problems)

> If I run those commands separately from the command line, there is no problem.

> But if the whole (multiline) actionstart is run, there seems to be a problem with
> the order of commands.
> The problem is that
> iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j 
> fail2ban-proftpd
> is run at a time when there is no such chain, so the kernel tries to autoload a
> module for it (but there is no such module) (you can try it by running this
> command).



Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 20:30:09 GMT)

Acknowledgement sent to Libor Klepáč <libor.klepac@bcom.cz>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Tue, 03 Nov 2009 20:30:09 GMT)

Message #25 received at 554162@bugs.debian.org:

From: Libor Klepáč <libor.klepac@bcom.cz>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 3 Nov 2009 21:15:17 +0100
Hi,
I usually write a little confusingly ;)

The patch is working, but I can't use action_mw
(the output goes like this:
---------------
2009-11-03 21:04:02,138 fail2ban.actions.action: ERROR  printf %b "Subject: 
[Fail2Ban] cyrus: started
From: Fail2Ban <fail2ban>
To: fail2ban@xxx\n
Hi,\n
The jail cyrus has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban fail2ban@xxx FAILED
/bin/sh: -c: line 0: unexpected EOF while looking for matching `"'
/bin/sh: -c: line 1: syntax error: unexpected end of file
2009-11-03 21:04:02,142 fail2ban.actions.action: ERROR  printf %b "Hi,\n 
returned 200
/bin/sh: The: command not found
2009-11-03 21:04:02,145 fail2ban.actions.action: ERROR  The jail http has been 
started successfully.\n returned 7f00
/bin/sh: Regards,n: command not found
2009-11-03 21:04:02,148 fail2ban.actions.action: ERROR  Regards,\n returned 
7f00
/bin/sh: -c: line 0: unexpected EOF while looking for matching `"'
/bin/sh: -c: line 1: syntax error: unexpected end of file
2009-11-03 21:04:02,151 fail2ban.actions.action: ERROR  Fail2Ban"|mail -s 
"[Fail2Ban] http: started" fail2ban@xxx returned 200
2009-11-03 21:04:03,152 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The jail http has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] http: started" fail2ban@xxx FAILED
---------------

All commands in one line work OK from the command line.

I tried a little python script:
------
import os

realCmd = "echo 1\necho 2\necho 3\necho 11\necho 12\necho 13\necho 21\necho 22\necho 23\necho 31\necho 32\necho 33"
retcode = os.system(realCmd)
------

The sequence is also OK. Does fail2ban launch actions in threads?

Libor



On Tuesday 03 November 2009 20:14:07 Yaroslav Halchenko wrote:
> d'oh me -- I've read your original incorrectly (that you applied patch
> and it didn't help ;-)) .
> 
> Just out of "research" -- could you please run in shell all 3 commands
> in a single line like
> 
> iptables -N fail2ban-proftpd; iptables -A fail2ban-proftpd -j RETURN;
>  iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data
>  -j fail2ban-proftpd
> 
> I would really not expect some out of order execution from Python's
> os.system and it might be that real problem is buried deeper.
> 
> On Tue, 03 Nov 2009, Libor Klepáč wrote:
> > Hi,
> > there seems to be some problem with the sequence of commands run from python.
> > Maybe our server is too powerful? (PowerEdge 2950 with two 4-core
> > processors; the old server was some old Pentium 4 with HT, there were no such
> > problems)
> >
> > If I run those commands separately from the command line, there is no
> > problem.
> >
> > But if the whole (multiline) actionstart is run, there seems to be a problem
> > with the order of commands.
> > The problem is that
> > iptables -I INPUT -p tcp -m multiport --dports
> > ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd
> > is run at a time when there is no such chain, so the kernel tries to autoload a
> > module for it (but there is no such module) (you can try it by running
> > this command).
> 

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Tue, 03 Nov 2009 21:24:03 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Tue, 03 Nov 2009 21:24:03 GMT)

Message #30 received at 554162@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Libor Klepáč <libor.klepac@bcom.cz>, 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Tue, 3 Nov 2009 16:09:10 -0500
> Patch is working, but i can't use action_mw 
> (output goes like this
> ---------------
> 2009-11-03 21:04:02,138 fail2ban.actions.action: ERROR  printf %b "Subject: 
> [Fail2Ban] cyrus: started
> From: Fail2Ban <fail2ban>

well -- that is what the patch you've applied accomplished,
unfortunately :-/ since the mailing command is a multiline printf
command.  imho instead of that patch I would simply tune up the action
for banning -- just add sleep 1 (or sleep 0.1 if the system has that recent a
sleep ;)) after each command and see how that helps

or maybe alternatively just place all commands on 1 line with ";"
between them -- so they should start as one command (you said that the
system tolerated that fine)

> All commands in one line work OK from the command line.
interesting -- thanks for checking

> The sequence is also OK. Does fail2ban launch actions in threads?
to say the truth -- I don't know exactly... from what I know, it just
calls system() from stdlib, which should call "/bin/sh -c '.....'"

I still think that the issue is deeper underground (iptables returns
before actually completing modification of the table etc.), although I
myself could not replicate it on any of my boxes (beefy enough: 8 cores,
64GB RAM etc.) with smth like

for f in {1..100}; do /bin/sh -c "iptables -N fail2ban-proftpd; iptables -A fail2ban-proftpd -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd; iptables -F fail2ban-proftpd; iptables -X fail2ban-proftpd"; done

now the question -- what is your /bin/sh? ;)
could you try a different kernel? I've tried on 2.6.26-2-amd64


Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Wed, 04 Nov 2009 15:15:05 GMT)

Acknowledgement sent to Libor Klepáč <libor.klepac@bcom.cz>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Wed, 04 Nov 2009 15:15:05 GMT)

Message #35 received at 554162@bugs.debian.org:

From: Libor Klepáč <libor.klepac@bcom.cz>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Wed, 4 Nov 2009 09:55:29 +0100
Hi,
I have done some testing without the patch.
I have tested:
 - putting sleep between commands (I have tested this yesterday too) - it didn't help
 - putting all commands in one line, separated with ; - it didn't help
 - putting all commands in one line, separated with && - it didn't help
 - putting all commands in one line, separated with ; and with () around the whole line - it failed differently; it seems it separates commands somewhere on its own
-----
sh: -c: line 1: syntax error: unexpected end of file
2009-11-04 09:34:33,313 fail2ban.actions.action: ERROR  (iptables -N fail2ban-postfix returned 200
-----

> now the question -- what is your /bin/sh? ;)
> could you try different kernel? I've tried on 2.6.26-2-amd64

/bin/sh is bash 3.2-5

Sorry, I cannot use another kernel now; this is our main production server.

Well, I really don't know where the problem might be, so I'll stick to this
patch for now; it works for me.
We have some filtering of the smtp port based on results from amavis and 554 from
postfix; we have around 100-200 hosts banned in this jail (for 30 minutes) all
day. I think it filters lots of spam - I can send it as some wishlist bug - but
I think it's based on some filter I have downloaded somewhere, so I don't
remember the licence.


Libor


On Tuesday 03 November 2009 22:09:10 Yaroslav Halchenko wrote:
> > Patch is working, but i can't use action_mw
> > (output goes like this
> > ---------------
> > 2009-11-03 21:04:02,138 fail2ban.actions.action: ERROR  printf %b
> > "Subject: [Fail2Ban] cyrus: started
> > From: Fail2Ban <fail2ban>
> 
> well -- that is what the patch you've applied accomplished,
> unfortunately :-/ since the mailing command is a multiline printf
> command.  imho instead of that patch I would simply tune up the action
> for banning -- just add sleep 1 (or sleep 0.1 if the system has that recent a
> sleep ;)) after each command and see how that helps
> 
> or maybe alternatively just place all commands on 1 line with ";"
> between them -- so they should start as one command (you said that the
> system tolerated that fine)
> 
> > All commands in one line work OK from the command line.
> 
> interesting -- thanks for checking
> 
> > The sequence is also OK. Does fail2ban launch actions in threads?
> 
> to say the truth -- I don't know exactly... from what I know, it just
> calls system() from stdlib, which should call "/bin/sh -c '.....'"
> 
> I still think that the issue is deeper underground (iptables returns
> before actually completing modification of the table etc.), although I
> myself could not replicate it on any of my boxes (beefy enough: 8 cores,
> 64GB RAM etc.) with smth like
> 
> for f in {1..100}; do /bin/sh -c "iptables -N fail2ban-proftpd; iptables -A
>  fail2ban-proftpd -j RETURN; iptables -I INPUT -p tcp -m multiport --dports
>  ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd; iptables -D INPUT -p tcp
>  -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd;
>  iptables -F fail2ban-proftpd; iptables -X fail2ban-proftpd"; done
> 
> now the question -- what is your /bin/sh? ;)
> could you try different kernel? I've tried on 2.6.26-2-amd64
> 

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Wed, 04 Nov 2009 17:54:07 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Wed, 04 Nov 2009 17:54:07 GMT)

Message #40 received at 554162@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Libor Klepáč <libor.klepac@bcom.cz>, 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Wed, 4 Nov 2009 12:07:09 -0500
Thank you Libor for all the testing!
Sorry that none of it has helped.

How many jails do you have?  fail2ban is threading to handle each jail
in a separate thread (iirc) -- I guess the problem might lie there, and
some people reported a similar issue in the context of a high number of
jails.

On Wed, 04 Nov 2009, Libor Klepáč wrote:

> Hi,
> I have done some testing without the patch.
> I have tested:
>  - putting sleep between commands (I have tested this yesterday too) - it didn't help
>  - putting all commands in one line, separated with ; - it didn't help
>  - putting all commands in one line, separated with && - it didn't help
>  - putting all commands in one line, separated with ; and with () around the whole line - it failed differently; it seems it separates commands somewhere on its own
> -----
> sh: -c: line 1: syntax error: unexpected end of file
> 2009-11-04 09:34:33,313 fail2ban.actions.action: ERROR  (iptables -N fail2ban-postfix returned 200
> -----

Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Thu, 05 Nov 2009 11:33:03 GMT)

Acknowledgement sent to Libor Klepáč <libor.klepac@bcom.cz>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 05 Nov 2009 11:33:03 GMT)

Message #45 received at 554162@bugs.debian.org:

From: Libor Klepáč <libor.klepac@bcom.cz>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Thu, 5 Nov 2009 12:22:02 +0100
Hi,
You are welcome.
Let's see if someone else can confirm this behaviour. Maybe they will have
other ideas.

We use 5 jails:
 - one blocks a website whose members section is frequently the subject of brute-force password cracking - it watches its error log
 - one blocks ftp - the jail is [proftpd] from the default config
 - one watches sasl logons; the jail is [sasl] from the default config
 - another is named [cyrus]; it has similar regexps as sasl, so maybe it's redundant (the filter is not part of the debian package, I have downloaded it somewhere - aha, there is cyrus-imap.conf in the package now, it seems like a newer version of "my" cyrus.conf, so I'm switching to it now)
 - another is named [postfix] and it blocks access to port 25 for 35 minutes; it watches output from amavis, searching for SPAM and SPAMMY results, also for "reject: RCPT .... 554" messages from postfix (dnsbl mostly) - again, the filter (amavis.conf) is downloaded from somewhere, I have added a regex for SPAMMY and ignoreregex to it.
I have appended this filter, but as I say, I don't know where I downloaded it.

Libor

On Wednesday 04 November 2009 18:07:09 Yaroslav Halchenko wrote:
> Thank you Libor for all the testing!
> sorry that none has helped
> 
> how many jails do you have?  fail2ban is threading to handle each jail
> in a separate thread (iirc) -- I guess problem might lie there and
> some people reported similar issue in the context of high number of
> jails
> 
> On Wed, 04 Nov 2009, Libor Klepáč wrote:
> > Hi,
> > I have done some testing without the patch
> > I have tested
> >  - putting sleep between commands (I have tested this yesterday too) - it
> > didn't help
> >  - putting all commands in one line, separated with ; - it didn't help
> >  - putting all commands in one line, separated with &&  - it didn't help
> >  - putting all commands in one line, separated with ; and I put () around
> > whole line - it failed differently, it seems, it separates commands
> > somewhere on its own
> > -----
> > sh: -c: line 1: syntax error: unexpected end of file
> > 2009-11-04 09:34:33,313 fail2ban.actions.action: ERROR  (iptables -N
> > fail2ban- postfix returned 200
> > -----
> 
[amavis.conf (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Thu, 05 Nov 2009 15:57:10 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Thu, 05 Nov 2009 15:57:10 GMT)

Message #50 received at 554162@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: Libor Klepáč <libor.klepac@bcom.cz>, 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Thu, 5 Nov 2009 10:17:13 -0500
oki doki... it is indeed the fact here -- whenever multiple
processes/threads/whatever contact iptables in parallel:

$> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; /bin/sh -c "iptables -N $cn; iptables -A $cn -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn" ; done                                        
fail2ban-proftpd1
fail2ban-proftpd2
fail2ban-proftpd3
fail2ban-proftpd4
fail2ban-proftpd5
$> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn; iptables -F $cn; iptables -X $cn; done                         
fail2ban-proftpd1 
fail2ban-proftpd2
fail2ban-proftpd3
fail2ban-proftpd4
fail2ban-proftpd5

So -- everything was cool, let's now try to start them in parallel:

$> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; /bin/sh -c "iptables -N $cn; iptables -A $cn -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn" & ; done
fail2ban-proftpd1
[2] 7312
fail2ban-proftpd2
[3] 7314
fail2ban-proftpd3
[4] 7315
fail2ban-proftpd4
[5] 7322
fail2ban-proftpd5
iptables: Invalid argument. Run `dmesg' for more information.
iptables: Resource temporarily unavailable.
$> 
$> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn; iptables -F $cn; iptables -X $cn; done                          
fail2ban-proftpd1                                                
fail2ban-proftpd2
fail2ban-proftpd3
iptables: No chain/target/match by that name.
fail2ban-proftpd4
fail2ban-proftpd5

So, here we got it -- iptables might not digest nicely a bulk of requests done
in parallel.  Even if I set affinity for the children tasks to run on the same core
with taskset (so there could not be real parallelism) -- same shit.

You get more fun if you go beyond 5 ;) (all those missing .so etc messages)

BTW -- there was no further information in dmesg

So, as a temporary solution I would just advise you to add an arbitrary sleep time
at the beginning of each chain initiation/shutdown (just in case), smth
like:

actionstart = sleep ${RANDOM:0:1}
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop = sleep ${RANDOM:0:1}
             iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>


I guess an average delay of 5 sec would be tolerable, right? ;)
If you have a "better sleep" then use 0.${RANDOM:0:1} ;-)

On Thu, 05 Nov 2009, Libor Klepáč wrote:

> Hi,
> You are welcome.
> Let's see if someone else can confirm this behaviour. Maybe they will have 
> other ideas.


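The race Yaroslav reproduces above, and the reason the newline-splitting patch broke the action_mw mail command, in an added example (not fail2ban's own code): each jail thread hands its whole actionstart to one `sh -c`, and a process-wide lock serializes the jails. The `iptables` it calls is a constructed fake that emulates the busy-table failure, `cat` stands in for sendmail, and the lock, the `<tag>` renderer and the `-e` shell flag are this example's own choices.

```python
"""Serialize multi-line fail2ban actions across jail threads.

Added example, not fail2ban's own code. The action text reaches /bin/sh -c
as ONE string, so the multi-line printf of action_mw keeps its quoting (the
sf patch that split on newlines broke it), and a process-wide lock keeps
two jails from touching the filter table at once. A constructed fake
`iptables` stands in for the real binary so this runs offline.
"""
import contextlib
import os
import subprocess
import tempfile
import threading

FAKE_IPTABLES = r'''#!/bin/sh
# Constructed stand-in: one table update at a time; a concurrent caller
# fails the way the report shows. The lock dir is released after 20 ms.
if ! mkdir "$FAKE_XT_LOCK" 2>/dev/null; then
    echo "iptables: Resource temporarily unavailable." >&2
    exit 4
fi
sleep 0.02
rmdir "$FAKE_XT_LOCK"
'''

# Action templates in fail2ban's <tag> syntax, as quoted in the report.
ACTIONSTART = """iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>"""

# The mail notification whose quoted string spans several lines; `cat`
# stands in for sendmail so nothing is actually sent.
ACTIONSTART_MW = ACTIONSTART + """
printf %b "Subject: [Fail2Ban] <name>: started\\n
Hi,\\n
The jail <name> has been started successfully.\\n
Regards,\\n
Fail2Ban" | cat"""

_action_lock = threading.Lock()  # shared by every jail in this process


def render(template, **tags):
    """Substitute fail2ban-style <tag> placeholders."""
    for key, value in tags.items():
        template = template.replace("<%s>" % key, value)
    return template


def execute_cmd(cmd, env, serialize=True):
    """Run one action text as a single `sh -e -c`; return (rc, stdout, stderr).

    The multi-line string is not split, so quoted strings may span lines.
    With -e the first failing iptables line fails the whole action, instead
    of only the last line's status being reported as with os.system().
    """
    guard = _action_lock if serialize else contextlib.nullcontext()
    with guard:
        proc = subprocess.run(["/bin/sh", "-e", "-c", cmd], env=env,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              universal_newlines=True)
    return proc.returncode, proc.stdout, proc.stderr


def start_jails(names, env, template=ACTIONSTART, serialize=True):
    """Start each jail in its own thread, as fail2ban does; return {name: result}."""
    results = {}

    def worker(name):
        cmd = render(template, name=name, protocol="tcp",
                     port="ftp,ftp-data,ftps,ftps-data")
        results[name] = execute_cmd(cmd, env, serialize)

    threads = [threading.Thread(target=worker, args=(n,)) for n in names]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def fake_iptables_env():
    """Install the constructed fake iptables in a temp dir, first in PATH."""
    tmp = tempfile.mkdtemp(prefix="fake-xtables-")
    path = os.path.join(tmp, "iptables")
    with open(path, "w") as fh:
        fh.write(FAKE_IPTABLES)
    os.chmod(path, 0o755)
    env = dict(os.environ, FAKE_XT_LOCK=os.path.join(tmp, "xt.lock"))
    env["PATH"] = tmp + os.pathsep + env.get("PATH", "")
    return env


def failed_jails(results):
    """Names of jails whose action returned non-zero."""
    return sorted(name for name, (rc, _, _) in results.items() if rc != 0)


if __name__ == "__main__":
    env = fake_iptables_env()
    jails = ["proftpd", "sasl", "cyrus", "postfix", "http"]
    racy = start_jails(jails, env, serialize=False)   # like the report
    print("unserialized run, failed jails:", failed_jails(racy))
    print("serialized run, failed jails:", failed_jails(start_jails(jails, env)))
```

The unserialized run is non-deterministic by nature; the serialized run never fails, and a held lock makes the fake return the report's exit status 4 on the first line.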
Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Wed, 11 Nov 2009 07:51:03 GMT)

Acknowledgement sent to Libor Klepáč <libor.klepac@bcom.cz>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Wed, 11 Nov 2009 07:51:03 GMT)

Message #55 received at 554162@bugs.debian.org:

From: Libor Klepáč <libor.klepac@bcom.cz>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Wed, 11 Nov 2009 08:45:44 +0100
Hi,
sorry for the late answer.
I have removed the action.py patch and put

sleep ${RANDOM:0:1}.${RANDOM: -1:1}

onto the first line of actionstart and actionstop.
So I get more sleep values without a big delay - it should be from 0.0 to 3.9, I
think.

It seems to work nicely now.


With regards
Libor

On Thursday 05 November 2009 16:17:13 Yaroslav Halchenko wrote:
> oki doki... it is indeed the fact here -- whenever multiple
> processes/threads/whatever  contact iptables in parallel
> 
> $> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; /bin/sh -c "iptables -N $cn; iptables -A $cn -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn" ; done
> fail2ban-proftpd1
> fail2ban-proftpd2
> fail2ban-proftpd3
> fail2ban-proftpd4
> fail2ban-proftpd5
> $> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn; iptables -F $cn; iptables -X $cn; done
> fail2ban-proftpd1
> fail2ban-proftpd2
> fail2ban-proftpd3
> fail2ban-proftpd4
> fail2ban-proftpd5
> 
> So -- everything was cool, lets try now start them in parallel:
> 
> $> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; /bin/sh -c "iptables -N $cn; iptables -A $cn -j RETURN; iptables -I INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn" & ; done
> fail2ban-proftpd1
> [2] 7312
> fail2ban-proftpd2
> [3] 7314
> fail2ban-proftpd3
> [4] 7315
> fail2ban-proftpd4
> [5] 7322
> fail2ban-proftpd5
> iptables: Invalid argument. Run `dmesg' for more information.
> iptables: Resource temporarily unavailable.
> $>
> $> for f in {1..5}; do cn=fail2ban-proftpd$f; echo $cn; iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j $cn; iptables -F $cn; iptables -X $cn; done
> fail2ban-proftpd1
> fail2ban-proftpd2
> fail2ban-proftpd3
> iptables: No chain/target/match by that name.
> fail2ban-proftpd4
> fail2ban-proftpd5
> 
> So, here we got it -- iptables might not digest nicely a bulk of requests
>  done in parallel.  Even if I set affinity for children tasks to run on the
>  same core with taskset (so there could not be real parallelism) -- same
>  shit.
> 
> You get more fun if you go beyond 5 ;) (all those missing .so etc messages)
> 
> BTW -- there were no further information in dmesg
> 
> So, as a temporary solution I would just advise you to add arbitrary sleep
>  time at the beginning of each chain initiation/shutdown(just in case),
>  smth like:
> 
> actionstart = sleep ${RANDOM:0:1}
>               iptables -N fail2ban-<name>
>               iptables -A fail2ban-<name> -j RETURN
>               iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
> 
> actionstop = sleep ${RANDOM:0:1}
>              iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>              iptables -F fail2ban-<name>
>              iptables -X fail2ban-<name>
> 
> 
> I guess average delay of 5 sec would be tolerable, right? ;)
> if you have "better sleep" then use 0.${RANDOM:0:1} ;-)
> 
> On Thu, 05 Nov 2009, Libor Klepáč wrote:
> > Hi,
> > You are welcome.
> > Let's see if someone else can confirm this behaviour. Maybe they will
> > have other ideas.
> 

Reply sent to Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>:
You have marked Bug as forwarded. (Wed, 11 Nov 2009 14:03:04 GMT)

Message #58 received at 554162-forwarded@bugs.debian.org (full text, mbox):

From: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
To: Yaroslav Halchenko <debian@onerussian.com>
Cc: Cyril Jaquier <cyril.jaquier@fail2ban.org>, Libor Klepáč <libor.klepac@bcom.cz>, 554162-forwarded@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Wed, 11 Nov 2009 10:56:46 -0300

Yaroslav Halchenko wrote:
> Forwarding "upstream" now ;)

Thank you people! We hope to analyze and fix this issue asap.

Yours,

--
Arturo "Buanzo" Busleiman
Independent Linux and Security Consultant - OWASP - SANS - OISSG
http://www.buanzo.com.ar/pro/eng.html




Message #59 received at 554162-forwarded@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Cyril Jaquier <cyril.jaquier@fail2ban.org>, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
Cc: Libor Klepáč <libor.klepac@bcom.cz>, 554162-forwarded@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load iptable rules with multiple jails
Date: Wed, 11 Nov 2009 08:49:33 -0500
Cool... I added comments to the original bugreports...

But I guess actual fix should add that within fail2ban upon
actionstart/stop... may be conditionally as instructed with some
parameter of the action

Forwarding "upstream" now ;)
See details on

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554162

On Wed, 11 Nov 2009, Libor Klepáč wrote:

> Hi,
> sorry for late answer.
> I have removed action.py patch and put 

> sleep ${RANDOM:0:1}.${RANDOM: -1:1}

> onto first line of actionstart and actionstop
> So I get more sleep values without big delay - it should be from 0.0 to 3.9, I 
> think

> It seems to work nicely now


-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]



Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Wed, 19 Jan 2011 09:06:03 GMT)

Acknowledgement sent to Olivier Dousse <olivier@globi.homelinux.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Wed, 19 Jan 2011 09:06:03 GMT)

Message #64 received at 554162@bugs.debian.org (full text, mbox):

From: Olivier Dousse <olivier@globi.homelinux.com>
To: 554162@bugs.debian.org
Subject: Bug still around
Date: Wed, 19 Jan 2011 09:54:12 +0100
Hello,

I just upgraded my Lenny to Squeeze, and for some unclear reason, this bug now occurs on my machine (almost no successful start so far). I have tried to add the sleep trick, but this did not solve my problem: the error message is still as described in this thread.

It seems to be quite a bad bug, as it is hard to notice it unless one browses fail2ban.log. So I imagine that many people feel safe while fail2ban is probably not doing its job.

Cheers,
Olivier





Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Wed, 19 Jan 2011 10:00:03 GMT)

Acknowledgement sent to Olivier Dousse <olivier@globi.homelinux.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Wed, 19 Jan 2011 10:00:03 GMT)

Message #69 received at 554162@bugs.debian.org (full text, mbox):

From: Olivier Dousse <olivier@globi.homelinux.com>
To: 554162@bugs.debian.org
Subject: Re: Bug still around
Date: Wed, 19 Jan 2011 10:56:28 +0100
I forgot to mention that the patch at http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046 worked fine on my system.
My suggestion would be to apply this patch to the package released in Squeeze.

-Olivier

On 19 janv. 2011, at 09:54, Olivier Dousse wrote:

> Hello,
> 
> I just upgraded my Lenny to Squeeze, and for some unclear reason, this bug now occurs on my machine (almost no successful start so far). I have tried to add the sleep trick, but this did not solve my problem: the error message is still as described in this thread.
> 
> It seems to be quite a bad bug, as it is hard to notice it unless one browses fail2ban.log. So I imagine that many people feel safe while fail2ban is probably not doing its job.
> 
> Cheers,
> Olivier
> 





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Wed, 19 Jan 2011 13:51:05 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Wed, 19 Jan 2011 13:51:05 GMT)

Message #74 received at 554162@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Olivier Dousse <olivier@globi.homelinux.com>, 554162@bugs.debian.org
Subject: Re: Bug#554162: Bug still around
Date: Wed, 19 Jan 2011 08:47:33 -0500
I guess I did a mediocre job maintaining fail2ban in recent times
(partially since upstream is dead, there is only minor community
support/fixing, and I have no free time for doing upstream-scale
maintenance). For squeeze it is too late -- it is deeply frozen and the bug
is not grave (although important).

The reason why I have not applied sleep patch is that it is just a
workaround -- not the solution, thus not reliably prevents the problem.

Proper solution requires queuing all iptables commands in a single pull
and executing them sequentially.

Rain (aka linuxoid.rain) in private communication did some "research"
and implemented it by feeding the iptables commands to a FIFO socket for execution
by a little listener on the other end.  Something like

# in init script
mkfifo -m 600 /var/run/fail2ban.com.sock
tail -f /var/run/fail2ban.com.sock | sh

# in action scripts
echo "command" > /var/run/fail2ban.com.sock

I am attaching his resultant init.d file and the iptables action configuration
for it.  It would be great if someone could verify its functioning with stock
(without sleeps) fail2ban.


Cheers

On Wed, 19 Jan 2011, Olivier Dousse wrote:

> I forgot to mention that the patch at http://sourceforge.net/tracker/?func=detail&aid=2857096&group_id=121032&atid=689046 worked fine on my system.
> My suggestion would be to apply this patch to the package released in Squeeze.

-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic
[fail2ban (text/plain, attachment)]
[iptables-multiport.conf (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Mon, 04 Apr 2011 11:51:50 GMT)

Acknowledgement sent to "Isaias M. A." <isaias.ma@gmail.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 04 Apr 2011 11:51:51 GMT)

Message #79 received at 554162@bugs.debian.org (full text, mbox):

From: "Isaias M. A." <isaias.ma@gmail.com>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: Bug still around
Date: Mon, 4 Apr 2011 13:50:31 +0200
Hi,

the socket fifo works for me but using in the init script:

tail -n +1 -f /var/run/fail2ban.com.sock | sh

to force tail to read from the beginning (not only the last 10 lines),
I have several jails and a very slow router.

thanks,
Isaias.

>Rain (aka linuxoid.rain) in private communication did some "research"
>and implemented it via a feeding iptables command to FIFO socket for execution
>by a little listener on the other end.  Something like
>
># in init script
>mkfifo -m 600 /var/run/fail2ban.com.sock
>tail -f /var/run/fail2ban.com.sock | sh
>
># in action scripts
>echo "command" > /var/run/fail2ban.com.sock
>
>I am attaching his resultant init.d file and the iptables action configuration
>for it.  It would be great if someone could verify its functioning with stock
>(without sleeps) fail2ban.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#554162; Package fail2ban. (Mon, 04 Apr 2011 13:21:03 GMT)

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Mon, 04 Apr 2011 13:21:03 GMT)

Message #84 received at 554162@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: "Isaias M. A." <isaias.ma@gmail.com>, 554162@bugs.debian.org
Subject: Re: Bug#554162: Bug still around
Date: Mon, 4 Apr 2011 08:15:04 -0400
Thanks Isaias for the feedback

On Mon, 04 Apr 2011, Isaias M. A. wrote:
> the socket fifo works for me but using in the init script:

> tail -n +1 -f /var/run/fail2ban.com.sock | sh

> to force tail to read from the beginning (not only the last 10 lines),
> I have several jails and a very slow router.
-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Thu, 07 Jul 2011 09:06:17 GMT)

Acknowledgement sent to Jesse Molina <jesse@opendreams.net>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 07 Jul 2011 09:06:18 GMT)

Message #89 received at 554162@bugs.debian.org (full text, mbox):

From: Jesse Molina <jesse@opendreams.net>
To: Debian Bug Tracking System <554162@bugs.debian.org>
Subject: fail2ban bug 554162, trainwrecks on updating iptables
Date: Thu, 07 Jul 2011 01:58:47 -0700
Package: fail2ban
Version: 0.8.4+svn20110323-1
Followup-For: Bug #554162


Me too.  Same issue.  I've been getting hits on my smtp and IMAP ports lately, so I added some couriermta/imap rules.  Unfortunately, fail2ban trainwrecks about half the time when starting.

Hoping this gets fixed, or there is an alternative to fail2ban



-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.2-27     Linux Standard Base 3.2 init scrip
ii  python                        2.6.6-14   interactive high-level object-orie
ii  python-central                0.6.17     register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.11.1-2 administration tools for packet fi
ii  whois                         5.0.11     an intelligent whois client

Versions of packages fail2ban suggests:
ii  heirloom-mailx [mailx]        12.5-1     feature-rich BSD mail(1)
pn  python-gamin                  <none>     (no description available)

-- Configuration Files:
/etc/logrotate.d/fail2ban changed [not included]

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Mon, 08 Aug 2011 15:06:03 GMT)

Acknowledgement sent to lol@isalo.org:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 08 Aug 2011 15:06:03 GMT)

Message #94 received at 554162@bugs.debian.org (full text, mbox):

From: lol@isalo.org
To: <554162@bugs.debian.org>
Subject: fail2ban 0.8.4-3 fails to load iptable rules with multiple jails
Date: Mon, 08 Aug 2011 17:44:18 +0300
Hi,
I found a way to make it work easily (found it here:
http://askubuntu.com/questions/27601/what-are-fail2bans-log-iptables-returned-nnn-entries-fail2ban-is-failing-to)

Edit /usr/bin/fail2ban-client

And add "time.sleep(0.2)" between "for c in cmd:" and
"beautifier.setInputCmd(c)" (time.sleep(0.1) wasn't enough)

        def __processCmd(self, cmd, showRet = True):
                beautifier = Beautifier()
                for c in cmd:
                        time.sleep(0.2)
                        beautifier.setInputCmd(c)

apt-cache policy fail2ban
fail2ban:
  Installé : 0.8.4-3
  Candidat : 0.8.4-3
 Table de version :
 *** 0.8.4-3 0
        500 http://ftp.fr.debian.org/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

uname -a
Linux vanille.zehome.org 2.6.32-5-amd64 #1 SMP Tue Jun 14 09:42:28 UTC 
2011 x86_64 GNU/Linux

I hope it will help someone.
Regards,

Laurent Lemoine




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Mon, 08 Aug 2011 15:15:03 GMT)

Acknowledgement sent to Yaroslav Halchenko <lists@onerussian.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Mon, 08 Aug 2011 15:15:06 GMT)

Message #99 received at 554162@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <lists@onerussian.com>
To: lol@isalo.org, 554162@bugs.debian.org
Cc: fail2ban-users@lists.sourceforge.net
Subject: Re: Bug#554162: fail2ban 0.8.4-3 fails to load iptable rules with multiple jails
Date: Mon, 8 Aug 2011 11:10:48 -0400
Thanks for sharing -- it is indeed a possible workaround but not an
ultimate solution (collisions might still occur, and you'd be better off
delaying for different amounts of time for that purpose, e.g.

import random
...

               time.sleep(random.random())

as far as I see, a reliable solution -- all processCmd should be
queued up/run by a single thread, so there is a guarantee that none of
them would be invoked "in parallel"

if only someone took the burden/time of suggesting such a patch ;-)
anyone up for the contribution? ;-)

On Mon, 08 Aug 2011, lol@isalo.org wrote:
>         def __processCmd(self, cmd, showRet = True):
>                 beautifier = Beautifier()
>                 for c in cmd:
>                         time.sleep(0.2)
>                         beautifier.setInputCmd(c)

-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Sat, 24 Sep 2011 01:45:09 GMT)

Acknowledgement sent to Michael Saavedra <mtsaavedra@gmail.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 24 Sep 2011 01:45:09 GMT)

Message #104 received at 554162@bugs.debian.org (full text, mbox):

From: Michael Saavedra <mtsaavedra@gmail.com>
To: 554162@bugs.debian.org
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load, iptable rules with multiple jails
Date: Fri, 23 Sep 2011 18:37:50 -0700
I created a patch for this bug. It is not very extensive. In fact, it
changes just the bare minimum needed to prevent the problem. I don't add
a queue and then have all the commands run by a single thread as Yaroslav
suggested; I just added a lock to executeCmd() in the server/action.py
file to prevent calling iptables or other shell commands concurrently.

The patch can be found at:
https://sourceforge.net/tracker/?func=detail&aid=3413485&group_id=121032&atid=689046

(my apologies if that link wraps to the next line)

Michael Saavedra
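As an added example (not fail2ban's own code and not Michael Saavedra's patch), the following Python mirrors the diagnosis earlier in this thread and the shape of the lock fix: a simulated iptables that refuses a second caller while one is inside the table, several jails starting in parallel, and an executeCmd-style executor run with and without a single lock. FakeIptables, CommandExecutor, start_jails and the jail names are constructed for the demonstration.

```python
import threading
import time


class FakeIptables:
    """Constructed stand-in for the iptables binary of that era (no -w option):
    a second caller arriving while one is already inside the table fails the
    way the thread shows it ('Resource temporarily unavailable')."""

    def __init__(self):
        self.chains = {"INPUT": []}   # chain name -> list of rule strings
        self._busy = False            # models the kernel-side table lock

    def run(self, argv):
        """Return (exit_code, message). Deliberately not thread-safe."""
        if self._busy:
            return 4, "iptables: Resource temporarily unavailable."
        self._busy = True
        try:
            time.sleep(0.002)         # the table update takes a little time
            return self._apply(argv)
        finally:
            self._busy = False

    def _apply(self, argv):
        op, chain = argv[0], argv[1]
        if op == "-N":
            if chain in self.chains:
                return 1, "iptables: Chain already exists."
            self.chains[chain] = []
            return 0, ""
        if op in ("-A", "-I"):
            target = argv[argv.index("-j") + 1]
            # A failed -N earlier makes the following -A/-I fail like in the thread.
            if chain not in self.chains or (target != "RETURN" and target not in self.chains):
                return 1, "iptables: No chain/target/match by that name."
            rule = " ".join(argv[2:])
            if op == "-A":
                self.chains[chain].append(rule)
            else:
                self.chains[chain].insert(0, rule)
            return 0, ""
        return 2, "iptables: unsupported in this simulation"


class CommandExecutor:
    """Shape of fail2ban's executeCmd(): with serialize=True one lock guards
    every invocation, which is the idea of the 0.8.5-2 fix."""

    def __init__(self, iptables, serialize):
        self.iptables = iptables
        self._lock = threading.Lock() if serialize else None
        self.errors = []

    def execute_cmd(self, argv):
        if self._lock is None:
            rc, msg = self.iptables.run(argv)
        else:
            with self._lock:
                rc, msg = self.iptables.run(argv)
        if rc != 0:
            self.errors.append(msg)
        return rc == 0


def action_start(executor, name, port):
    """The three commands of the iptables-multiport actionstart."""
    chain = "fail2ban-" + name
    executor.execute_cmd(["-N", chain])
    executor.execute_cmd(["-A", chain, "-j", "RETURN"])
    executor.execute_cmd(["-I", "INPUT", "-p", "tcp", "-m", "multiport",
                          "--dports", port, "-j", chain])


def start_jails(names, serialize):
    """Start one thread per jail, as the server does; return (all_ok, errors)."""
    ipt = FakeIptables()
    ex = CommandExecutor(ipt, serialize)
    threads = [threading.Thread(target=action_start, args=(ex, n, str(21 + i)))
               for i, n in enumerate(names)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    chains_ok = all(ipt.chains.get("fail2ban-" + n) == ["-j RETURN"] for n in names)
    return chains_ok and len(ipt.chains["INPUT"]) == len(names), ex.errors


if __name__ == "__main__":
    jails = ["proftpd", "ssh", "postfix", "courier-imap", "sasl"]
    print("unlocked:", start_jails(jails, serialize=False))
    print("locked:  ", start_jails(jails, serialize=True))
```

With the lock every chain ends up created with its RETURN rule and one INPUT jump per jail; without it the unlocked run usually reports the same two error strings seen in the thread, depending on thread timing.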




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#554162; Package fail2ban. (Sat, 24 Sep 2011 02:33:03 GMT)

Acknowledgement sent to Yaroslav Halchenko <lists@onerussian.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 24 Sep 2011 02:33:03 GMT)

Message #109 received at 554162@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <lists@onerussian.com>
To: Michael Saavedra <mtsaavedra@gmail.com>, 554162@bugs.debian.org
Cc: fail2ban-users@lists.sourceforge.net
Subject: Re: Bug#554162: fail2ban: sometimes(frequently) fails to load, iptable rules with multiple jails
Date: Fri, 23 Sep 2011 22:31:38 -0400
  it is awesome to have a brain and know where the hands come from,
  isn't it? ;-)

THANK YOU Michael -- that looks like you solved our biggest
problem and solved it right.  Shame on me that I had started envisioning
some complicated queue process -- locking imho is sufficient and due to
simplicity of the implementation -- preferable.

I have committed your patch upstream (sorry -- I haven't yet migrated it
once and for all from SVN to GIT, so authorship is only in the comment)
and uploaded fix to Debian.

thanks again ;-)

On Fri, 23 Sep 2011, Michael Saavedra wrote:

> I created a patch for this bug. It is not very extensive. In fact it
> changes just the bare minimum needed to prevent the problem. I don't
> add a queue then have all the commands run by a single thread as
> Yaroslav suggested, I just added a lock to executeCmd() in the
> server/action.py file to prevent calling iptables or other shell
> commands concurrently.

> The patch can be found at:
> https://sourceforge.net/tracker/?func=detail&aid=3413485&group_id=121032&atid=689046

> (my apologies if that link wraps to the next line)

> Michael Saavedra
-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Sat, 24 Sep 2011 03:06:04 GMT)

Notification sent to Libor Klepac <libor.klepac@bcom.cz>:
Bug acknowledged by developer. (Sat, 24 Sep 2011 03:06:04 GMT)

Message #114 received at 554162-close@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: 554162-close@bugs.debian.org
Subject: Bug#554162: fixed in fail2ban 0.8.5-2
Date: Sat, 24 Sep 2011 03:03:09 +0000
Source: fail2ban
Source-Version: 0.8.5-2

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.5-2.diff.gz
  to main/f/fail2ban/fail2ban_0.8.5-2.diff.gz
fail2ban_0.8.5-2.dsc
  to main/f/fail2ban/fail2ban_0.8.5-2.dsc
fail2ban_0.8.5-2_all.deb
  to main/f/fail2ban/fail2ban_0.8.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 554162@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 23 Sep 2011 22:12:08 -0400
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.5-2
Distribution: unstable
Urgency: low
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - ban hosts that cause multiple authentication errors
Closes: 554162
Changes: 
 fail2ban (0.8.5-2) unstable; urgency=low
 .
   * [5242e73] BF: (cherry-picked from upstream, DEP-3 yet TODO) Lock
     server's executeCmd to prevent racing among iptables calls (Closes:
     #554162) Many kudos go to Michael Saavedra for the patch






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Nov 2011 07:36:28 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:44:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.