Debian Bug report logs - #650678
fail2ban: Random iptables errors on start


Package: fail2ban; Maintainer for fail2ban is Yaroslav Halchenko <debian@onerussian.com>; Source for fail2ban is src:fail2ban.

Reported by: Michael Moritz <michael@gn.apc.org>

Date: Thu, 1 Dec 2011 20:24:01 UTC

Severity: grave

Tags: security, squeeze

Found in version fail2ban/0.8.4-3

Fixed in versions fail2ban/0.8.5-2, fail2ban/0.8.4-3+squeeze1

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Thu, 01 Dec 2011 20:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Moritz <michael@gn.apc.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Yaroslav Halchenko <debian@onerussian.com>. (Thu, 01 Dec 2011 20:24:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Moritz <michael@gn.apc.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fail2ban: Random iptables errors on start
Date: Thu, 01 Dec 2011 20:13:49 +0000
Package: fail2ban
Version: 0.8.4-3
Severity: grave
Tags: security
Justification: user security hole

I have used fail2ban but this is very strange. According to fail2ban log
and the output of iptables some of the iptables commands in the
iptables-multiport action script fail. I can't see any system behind the
errors. This is a fairly mixed system (packages from lenny & squeeze,
some from even older versions) but I don't see how that would cause
that. iptables & python are from squeeze.

Here is a typical log output

2011-12-01 20:03:00,662 fail2ban.filter : INFO   Set findtime = 600
2011-12-01 20:03:00,662 fail2ban.actions: INFO   Set banTime = 600
2011-12-01 20:03:00,675 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2011-12-01 20:03:00,683 fail2ban.jail   : INFO   Jail 'introspection' started
2011-12-01 20:03:00,687 fail2ban.jail   : INFO   Jail 'apache-overflows' started
2011-12-01 20:03:00,693 fail2ban.jail   : INFO   Jail 'ssh' started
2011-12-01 20:03:00,695 fail2ban.jail   : INFO   Jail 'proftpd' started
2011-12-01 20:03:00,712 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 200

But this is totally random. Sometimes one jail fails, sometimes another,
sometimes more than one.

Note that due to fail2ban's architecture it doesn't report that
something failed on start-up. Admins relying on fail2ban (a bad idea
IMHO) are facing a potential security risk!

Thanks 

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (1, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.26-2-amd64
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-central          0.6.16+nmu1      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.8-3    administration tools for packet fi
ii  whois                         4.7.30     an intelligent whois client

-- no debconf information
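
Added example, not part of the original report and not fail2ban's own code: a log check for the condition described above, where a jail is logged as started while the start action that creates its iptables chain logged an ERROR. The function names are hypothetical, the sample log is constructed in the layout of the quoted excerpt, and the chain suffix is assumed to equal the jail name, as it does in the logs on this page.

```python
import re

# Constructed sample in the layout of the excerpt quoted in the report,
# including mail-wrapped lines inside the multi-line ERROR record.
SAMPLE_LOG = """\
2011-12-01 20:03:00,675 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2011-12-01 20:03:00,693 fail2ban.jail   : INFO   Jail 'ssh' started
2011-12-01 20:03:00,712 fail2ban.actions.action: ERROR  iptables -N
fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
returned 200
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
JAIL_STARTED = re.compile(r"Jail '([^']+)'\s+started")
CHAIN_CREATE = re.compile(r"ERROR\s+iptables -N\s+fail2ban-(\S+)")
RETURNED = re.compile(r"returned\s+(\w+)\s*$", re.M)


def split_records(text):
    """Group physical lines into log records; a line without a timestamp
    continues the previous record (multi-line commands, mail wrapping)."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def unprotected_jails(text):
    """Return {jail: logged status} for jails reported as started whose
    chain-creating start action logged an ERROR."""
    started, failed = set(), {}
    for rec in split_records(text):
        m = JAIL_STARTED.search(rec)
        if m:
            started.add(m.group(1))
        m = CHAIN_CREATE.search(rec)
        if m:
            status = RETURNED.search(rec)
            failed[m.group(1)] = status.group(1) if status else "unknown"
    return {jail: s for jail, s in failed.items() if jail in started}


if __name__ == "__main__":
    for jail, status in sorted(unprotected_jails(SAMPLE_LOG).items()):
        print("jail %r started, but its chain setup returned %s" % (jail, status))
```

Errors from the stop action (`iptables -D ...`) are deliberately ignored, since only a failed `iptables -N` leaves a running jail without its chain.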




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#650678; Package fail2ban. (Thu, 01 Dec 2011 20:36:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Thu, 01 Dec 2011 20:36:07 GMT) Full text and rfc822 format available.

Message #10 received at 650678@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Michael Moritz <michael@gn.apc.org>, 650678@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#650678: fail2ban: Random iptables errors on start
Date: Thu, 1 Dec 2011 15:33:56 -0500
tags 650678 + squeeze
thanks

this is a duplicate of #554162, which was fixed in 0.8.5-2.  I will keep
this one open and tag it against squeeze and will suggest a
security update (although as I have argued in the original report it is
not really a security hole, rather lack of additional promised security
protection)

Cheers,
-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Added tag(s) squeeze. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 01 Dec 2011 20:36:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Sun, 04 Dec 2011 12:57:49 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sun, 04 Dec 2011 12:57:53 GMT) Full text and rfc822 format available.

Message #17 received at 650678@bugs.debian.org (full text, mbox):

From: Luciano Bello <luciano@debian.org>
To: 650678@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#650678: fail2ban: Random iptables errors on start
Date: Sun, 4 Dec 2011 13:50:21 +0100
Hi Yaroslav,
	If you consider this problem a security hole, it can be fixed through a 
point update. Take a look at:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Regards,
/luciano




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Sat, 07 Jan 2012 11:30:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to JulHer <julher@escomposlinux.org>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 07 Jan 2012 11:30:25 GMT) Full text and rfc822 format available.

Message #22 received at 650678@bugs.debian.org (full text, mbox):

From: JulHer <julher@escomposlinux.org>
To: 650678@bugs.debian.org
Subject: same error here
Date: Sat, 07 Jan 2012 11:59:21 +0100
Hi,

In my system, Debian stable ppc

2.6.32-5-powerpc #1 Thu Nov 3 03:46:21 UTC 2011 ppc GNU/Linux

the output log is

2012-01-07 09:50:33,409 fail2ban.actions.action: ERROR  iptables -N fail2ban-exim
iptables -A fail2ban-exim -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-exim returned 400
--
2012-01-07 09:50:59,463 fail2ban.actions.action: ERROR  iptables -N fail2ban-exim2
iptables -A fail2ban-exim2 -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-exim2 returned 400
2012-01-07 09:50:59,469 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 400
--
2012-01-07 11:29:16,116 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 400
--
2012-01-07 11:32:44,377 fail2ban.actions.action: ERROR  iptables -N fail2ban-exim2
iptables -A fail2ban-exim2 -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-exim2 returned 200
2012-01-07 11:34:37,514 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-exim2
iptables -F fail2ban-exim2
iptables -X fail2ban-exim2 returned 100

Regards





Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Thu, 16 Feb 2012 11:21:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mathieu Bautista <mbautista@ircf.fr>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 16 Feb 2012 11:21:13 GMT) Full text and rfc822 format available.

Message #27 received at 650678@bugs.debian.org (full text, mbox):

From: Mathieu Bautista <mbautista@ircf.fr>
To: 650678@bugs.debian.org
Subject: how to upgrade package fail2ban on squeeze ?
Date: Thu, 16 Feb 2012 12:07:18 +0100
Hello,

May I override safely my fail2ban squeeze package with a newer deb
package like :
wget
http://ftp.fr.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.8.6-2_all.deb
dpkg -i fail2ban_0.8.6-2_all.deb

Or will this make problems ?

I've read this bug makes fail2ban unusable on any multi-core cpu, which
represent a huge part of linux server configurations so IMHO it IS
definitely a major bug.

Mathieu BAUTISTA
Sys admin at IRCF
www.ircf.fr





Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Thu, 16 Feb 2012 13:39:21 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yaroslav Halchenko <yoh@onerussian.com>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 16 Feb 2012 13:39:21 GMT) Full text and rfc822 format available.

Message #32 received at 650678@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <yoh@onerussian.com>
To: Mathieu Bautista <mbautista@ircf.fr>,650678@bugs.debian.org
Subject: Re: Bug#650678: how to upgrade package fail2ban on squeeze ?
Date: Thu, 16 Feb 2012 08:35:51 -0500
I think other should be just fine
Give it a try and you will know for sure ;)

Mathieu Bautista <mbautista@ircf.fr> wrote:

>Hello,
>
>May I override safely my fail2ban squeeze package with a newer deb
>package like :
>wget
>http://ftp.fr.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.8.6-2_all.deb
>dpkg -i fail2ban_0.8.6-2_all.deb
>
>Or will this make problems ?
>
>I've read this bug makes fail2ban unusable on any multi-core cpu, which
>represent a huge part of linux server configurations so IMHO it IS
>definitely a major bug.
>
>Mathieu BAUTISTA
>Sys admin at IRCF
>www.ircf.fr

--
Sent from a phone which beats iPhone.




Information forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#650678; Package fail2ban. (Thu, 16 Feb 2012 13:57:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mathieu Bautista <mbautista@ircf.fr>:
Extra info received and forwarded to list. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Thu, 16 Feb 2012 13:57:05 GMT) Full text and rfc822 format available.

Message #37 received at 650678@bugs.debian.org (full text, mbox):

From: Mathieu Bautista <mbautista@ircf.fr>
To: Yaroslav Halchenko <yoh@onerussian.com>
Cc: 650678@bugs.debian.org
Subject: Re: Bug#650678: how to upgrade package fail2ban on squeeze ?
Date: Thu, 16 Feb 2012 14:52:23 +0100
Indeed, I tried it right after having posted and it worked like a
charm :)

I didn't have any warnings nor errors during install and fail2ban log is
now OK.

The "RANDOM" hack I've seen on forums didn't work for me because
fail2ban seems to run /bin/sh and the RANDOM command was not recognized.

I'm glad I could find a cooler and cleaner way to fix it :)

Mathieu BAUTISTA
Sys admin at IRCF
www.ircf.fr





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#650678; Package fail2ban. (Thu, 16 Feb 2012 15:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. (Thu, 16 Feb 2012 15:15:03 GMT) Full text and rfc822 format available.

Message #42 received at 650678@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Mathieu Bautista <mbautista@ircf.fr>, 650678@bugs.debian.org
Subject: Re: Bug#650678: how to upgrade package fail2ban on squeeze ?
Date: Thu, 16 Feb 2012 10:11:43 -0500
> The "RANDOM" hack I've seen on forums didn't work for me because
> fail2ban seems to run /bin/sh and the RANDOM command was not recognized.

thanks for the feedback... well, indeed you should be better off with
the correct fix, RANDOM is present in bash, so if you made it your
default shell it should have worked

-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Bug Marked as fixed in versions fail2ban/0.8.5-2. Request was from Yaroslav Halchenko <debian@onerussian.com> to control@bugs.debian.org. (Thu, 16 Feb 2012 18:36:04 GMT) Full text and rfc822 format available.

Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Sat, 07 Apr 2012 16:06:07 GMT) Full text and rfc822 format available.

Notification sent to Michael Moritz <michael@gn.apc.org>:
Bug acknowledged by developer. (Sat, 07 Apr 2012 16:06:07 GMT) Full text and rfc822 format available.

Message #49 received at 650678-close@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: 650678-close@bugs.debian.org
Subject: Bug#650678: fixed in fail2ban 0.8.4-3+squeeze1
Date: Sat, 07 Apr 2012 16:02:11 +0000
Source: fail2ban
Source-Version: 0.8.4-3+squeeze1

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.4-3+squeeze1.diff.gz
  to main/f/fail2ban/fail2ban_0.8.4-3+squeeze1.diff.gz
fail2ban_0.8.4-3+squeeze1.dsc
  to main/f/fail2ban/fail2ban_0.8.4-3+squeeze1.dsc
fail2ban_0.8.4-3+squeeze1_all.deb
  to main/f/fail2ban/fail2ban_0.8.4-3+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 650678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 16 Feb 2012 10:29:08 -0500
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.4-3+squeeze1
Distribution: stable
Urgency: low
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - bans IPs that cause multiple authentication errors
Closes: 544232 635746 650678
Changes: 
 fail2ban (0.8.4-3+squeeze1) stable; urgency=low
 .
   [ Jonathan Wiltshire ]
   * [e2232fc] Backport patch to fix CVE-2009-5023: Insecure creation of
     tempfile (Closes: #544232, #635746)
 .
   [ Yaroslav Halchenko ]
   * [6fc6c7b] Backport patch: Lock server's executeCmd to prevent racing
     among iptables calls (Closes: #650678)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Jun 2012 07:54:05 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:09:11 2014; Machine Name: buxtehude.debian.org
