Bug 222997 - security/py-fail2ban upgrade to 0.10.0 will break pf rules on system
Summary: security/py-fail2ban upgrade to 0.10.0 will break pf rules on system
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Wen Heping
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-14 08:54 UTC by Matthias Fechner
Modified: 2017-10-15 10:59 UTC

See Also:
bugzilla: maintainer-feedback? (theis)


Description Matthias Fechner freebsd_committer freebsd_triage 2017-10-14 08:54:20 UTC
Upgrading to the new version 0.10.0 causes fail2ban to remove all existing pf rules.

While starting fail2ban I can see some error messages in the fail2ban log file:

2017-10-14 10:48:38,302 fail2ban.server         [95430]: INFO    --------------------------------------------------
2017-10-14 10:48:38,303 fail2ban.server         [95430]: INFO    Starting Fail2ban v0.10.0
2017-10-14 10:48:38,303 fail2ban.server         [95430]: INFO    Daemon started
2017-10-14 10:48:38,433 fail2ban.database       [95430]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2017-10-14 10:48:38,457 fail2ban.jail           [95430]: INFO    Creating new jail 'pure-ftpd'
2017-10-14 10:48:38,476 fail2ban.jail           [95430]: INFO    Jail 'pure-ftpd' uses poller {}
2017-10-14 10:48:38,476 fail2ban.jail           [95430]: INFO    Initiated 'polling' backend
2017-10-14 10:48:38,503 fail2ban.server         [95430]: INFO    Jail pure-ftpd is not a JournalFilter instance
2017-10-14 10:48:38,504 fail2ban.filter         [95430]: INFO    Added logfile: '/var/log/xferlog' (pos = 33943, hash = c0fde45278c4bda31a75b73a4ed13092)
2017-10-14 10:48:38,505 fail2ban.filter         [95430]: INFO      maxRetry: 3
2017-10-14 10:48:38,508 fail2ban.filter         [95430]: INFO      encoding: US-ASCII
2017-10-14 10:48:38,509 fail2ban.actions        [95430]: INFO      banTime: 21600
2017-10-14 10:48:38,510 fail2ban.filter         [95430]: INFO      findtime: 259200
2017-10-14 10:48:38,514 fail2ban.jail           [95430]: INFO    Creating new jail 'postfix'
2017-10-14 10:48:38,516 fail2ban.jail           [95430]: INFO    Jail 'postfix' uses poller {}
2017-10-14 10:48:38,516 fail2ban.jail           [95430]: INFO    Initiated 'polling' backend
2017-10-14 10:48:38,549 fail2ban.server         [95430]: INFO    Jail postfix is not a JournalFilter instance
2017-10-14 10:48:38,550 fail2ban.filter         [95430]: INFO    Added logfile: '/var/log/maillog' (pos = 8010576, hash = 19ee1e8548b2c189396190b75a3ce0b6)
2017-10-14 10:48:38,551 fail2ban.filter         [95430]: INFO      maxRetry: 3
2017-10-14 10:48:38,554 fail2ban.filter         [95430]: INFO      encoding: US-ASCII
2017-10-14 10:48:38,555 fail2ban.actions        [95430]: INFO      banTime: 21600
2017-10-14 10:48:38,556 fail2ban.filter         [95430]: INFO      findtime: 259200
2017-10-14 10:48:38,559 fail2ban.jail           [95430]: INFO    Creating new jail 'dovecot'
2017-10-14 10:48:38,561 fail2ban.jail           [95430]: INFO    Jail 'dovecot' uses poller {}
2017-10-14 10:48:38,561 fail2ban.jail           [95430]: INFO    Initiated 'polling' backend
2017-10-14 10:48:38,598 fail2ban.server         [95430]: INFO    Jail dovecot is not a JournalFilter instance
2017-10-14 10:48:38,599 fail2ban.filter         [95430]: INFO    Added logfile: '/var/log/maillog' (pos = 8010576, hash = 19ee1e8548b2c189396190b75a3ce0b6)
2017-10-14 10:48:38,600 fail2ban.filter         [95430]: INFO      maxRetry: 3
2017-10-14 10:48:38,603 fail2ban.filter         [95430]: INFO      encoding: US-ASCII
2017-10-14 10:48:38,604 fail2ban.actions        [95430]: INFO      banTime: 21600
2017-10-14 10:48:38,605 fail2ban.filter         [95430]: INFO      findtime: 259200
2017-10-14 10:48:38,608 fail2ban.jail           [95430]: INFO    Creating new jail 'sieve'
2017-10-14 10:48:38,610 fail2ban.jail           [95430]: INFO    Jail 'sieve' uses poller {}
2017-10-14 10:48:38,610 fail2ban.jail           [95430]: INFO    Initiated 'polling' backend
2017-10-14 10:48:38,621 fail2ban.filter         [95430]: INFO    Added logfile: '/var/log/maillog' (pos = 8010576, hash = 19ee1e8548b2c189396190b75a3ce0b6)
2017-10-14 10:48:38,622 fail2ban.filter         [95430]: INFO      maxRetry: 3
2017-10-14 10:48:38,624 fail2ban.filter         [95430]: INFO      encoding: US-ASCII
2017-10-14 10:48:38,625 fail2ban.actions        [95430]: INFO      banTime: 21600
2017-10-14 10:48:38,626 fail2ban.filter         [95430]: INFO      findtime: 259200
2017-10-14 10:48:38,630 fail2ban.jail           [95430]: INFO    Creating new jail 'ssh'
2017-10-14 10:48:38,631 fail2ban.jail           [95430]: INFO    Jail 'ssh' uses poller {}
2017-10-14 10:48:38,632 fail2ban.jail           [95430]: INFO    Initiated 'polling' backend
2017-10-14 10:48:38,689 fail2ban.filter         [95430]: INFO    Added logfile: '/var/log/auth.log' (pos = 77792, hash = 55771e37d99c2e7695c6a7b5fcb2e2d9)
2017-10-14 10:48:38,689 fail2ban.filter         [95430]: INFO      maxRetry: 3
2017-10-14 10:48:38,692 fail2ban.filter         [95430]: INFO      encoding: US-ASCII
2017-10-14 10:48:38,693 fail2ban.actions        [95430]: INFO      banTime: 21600
2017-10-14 10:48:38,694 fail2ban.filter         [95430]: INFO      findtime: 259200
2017-10-14 10:48:38,703 fail2ban.jail           [95430]: INFO    Jail 'pure-ftpd' started
2017-10-14 10:48:38,708 fail2ban.jail           [95430]: INFO    Jail 'postfix' started
2017-10-14 10:48:38,710 fail2ban.jail           [95430]: INFO    Jail 'dovecot' started
2017-10-14 10:48:38,713 fail2ban.jail           [95430]: INFO    Jail 'sieve' started
2017-10-14 10:48:38,723 fail2ban.jail           [95430]: INFO    Jail 'ssh' started
2017-10-14 10:48:38,734 fail2ban.utils          [95430]: Level 39 801b75cf0 -- exec: echo "table <f2b-pure-ftpd> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-pure-ftpd> to any port ftp,ftp-data,ftps,ftps-data" | pfctl -f-
2017-10-14 10:48:38,735 fail2ban.utils          [95430]: ERROR   801b75cf0 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:48:38,735 fail2ban.utils          [95430]: ERROR   801b75cf0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:48:38,735 fail2ban.utils          [95430]: ERROR   801b75cf0 -- returned 1
2017-10-14 10:48:38,736 fail2ban.actions        [95430]: ERROR   Failed to start jail 'pure-ftpd' action 'pf': Error starting action Jail('pure-ftpd')/pf
2017-10-14 10:48:38,762 fail2ban.utils          [95430]: Level 39 801b58e90 -- exec: echo "table <f2b-postfix> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-postfix> to any port smtp,465,submission" | pfctl -f-
2017-10-14 10:48:38,763 fail2ban.utils          [95430]: ERROR   801b58e90 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:48:38,763 fail2ban.utils          [95430]: ERROR   801b58e90 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:48:38,763 fail2ban.utils          [95430]: ERROR   801b58e90 -- returned 1
2017-10-14 10:48:38,764 fail2ban.actions        [95430]: ERROR   Failed to start jail 'postfix' action 'pf': Error starting action Jail('postfix')/pf
2017-10-14 10:48:38,791 fail2ban.utils          [95430]: Level 39 80577c6b0 -- exec: echo "table <f2b-dovecot> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-dovecot> to any port pop3,pop3s,imap,imaps,submission,465,sieve" | pfctl -f-
2017-10-14 10:48:38,791 fail2ban.utils          [95430]: ERROR   80577c6b0 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:48:38,792 fail2ban.utils          [95430]: ERROR   80577c6b0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:48:38,792 fail2ban.utils          [95430]: ERROR   80577c6b0 -- returned 1
2017-10-14 10:48:38,793 fail2ban.actions        [95430]: ERROR   Failed to start jail 'dovecot' action 'pf': Error starting action Jail('dovecot')/pf
2017-10-14 10:48:38,820 fail2ban.utils          [95430]: Level 39 806588030 -- exec: echo "table <f2b-sieve> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-sieve> to any port smtp,465,submission" | pfctl -f-
2017-10-14 10:48:38,820 fail2ban.utils          [95430]: ERROR   806588030 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:48:38,821 fail2ban.utils          [95430]: ERROR   806588030 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:48:38,821 fail2ban.utils          [95430]: ERROR   806588030 -- returned 1
2017-10-14 10:48:38,822 fail2ban.actions        [95430]: ERROR   Failed to start jail 'sieve' action 'pf': Error starting action Jail('sieve')/pf
2017-10-14 10:48:38,849 fail2ban.actions        [95430]: NOTICE  [ssh] Restore Ban 103.28.121.86
2017-10-14 10:48:38,878 fail2ban.actions        [95430]: NOTICE  [ssh] Restore Ban 179.99.236.29
2017-10-14 10:48:38,907 fail2ban.actions        [95430]: NOTICE  [ssh] Restore Ban 182.18.153.206
2017-10-14 10:48:38,936 fail2ban.actions        [95430]: NOTICE  [ssh] Restore Ban 37.49.225.93
2017-10-14 10:48:55,226 fail2ban.filter         [95430]: INFO    [postfix] Found 180.76.248.34 - 2017-10-14 10:48:55
2017-10-14 10:52:18,914 fail2ban.filter         [95430]: INFO    [ssh] Found 112.133.225.115 - 2017-10-14 10:52:18
2017-10-14 10:53:07,365 fail2ban.actions        [95430]: NOTICE  [ssh] Unban 103.28.121.86


After this, all rules from the firewall are gone and I have to manually reload the firewall again with:
service pf reload
Comment 1 theis 2017-10-14 09:13:18 UTC
I don't use pf, so I can't confirm that what I write below fixes it:

When 0.10 came out there was a discussion on GitHub about fail2ban deleting the rules of pf. The problem is that the definition of the action has changed; I added a warning about that to the installation message:

In jails, it is no longer sufficient to write
action = pf

You need to specify a port (or port range) and name, e.g.
action   = pf[port={80 443}, name=http]
Comment 2 Matthias Fechner freebsd_committer freebsd_triage 2017-10-14 10:23:11 UTC
This does not help. It drops the firewall (filter and translation) rules that are existing.
This will break every server that is using pf as firewall.

I really suggest rolling back this commit until it is solved upstream.

I created a github issue here:
https://github.com/fail2ban/fail2ban/issues/1915
Comment 3 Lukasz Wasikowski 2017-10-14 20:34:44 UTC
It's solved upstream.

Update to 0.10.1 - the update is simple: just change the version in the port's Makeconf, remove files/patch-fail2ban_server_ipdns.py (it's already in 0.10.1) and run make makesum to generate the new checksum. Then install the new version.

My working jail.local includes these:

[DEFAULT]
banaction = pf[actiontype=<multiport>]
banaction_allports = pf[actiontype=<allports>]
action = %(action_mw)s

[sshd]
enabled  = true
filter   = bsd-sshd

[recidive]
enabled = true
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d
maxretry = 3
protocol  = { icmp udp tcp }
Comment 4 Lukasz Wasikowski 2017-10-14 20:38:26 UTC
(In reply to Lukasz Wasikowski from comment #3)

Makefile, not Makeconf ;)

Forgot to mention that in /etc/pf.conf I had to add in the filter section:

anchor f2b {
  anchor recidive
  anchor sshd
}

This works OK; fail2ban modifies only its own rules and doesn't clear existing ones.
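A configuration check for the anchor requirement described in this comment, added here as an example and not code from the bug report or the fail2ban project: it parses a jail.local and a pf.conf (both constructed from the fragments in comments 3 and 4) and lists every enabled jail that has no sub-anchor under `anchor f2b`. It assumes fail2ban 0.10.1 loads each jail's rules into the f2b/<jail> anchor, which is what the nested anchors in the comment imply.

```python
import configparser
import re
# Constructed from comment 3's jail.local, plus "postfix" (a jail from the
# report's log) enabled without a pf anchor, and a disabled "dovecot" jail.
JAIL_LOCAL = """\
[DEFAULT]
banaction = pf[actiontype=<multiport>]
banaction_allports = pf[actiontype=<allports>]
action = %(action_mw)s
[sshd]
enabled  = true
filter   = bsd-sshd
[recidive]
enabled = true
banaction = %(banaction_allports)s
[postfix]
enabled = true
[dovecot]
enabled = false
"""

# Constructed pf.conf filter section as in comment 4. Assumption: fail2ban
# loads each jail's rules into f2b/<jail>, so every enabled jail needs a
# sub-anchor here; a jail without one has nowhere for its rules to go.
PF_CONF = """\
anchor f2b {
  anchor recidive
  anchor sshd
}
pass in on em0 proto tcp to port ssh
"""

def enabled_jails(jail_local: str) -> list[str]:
    """Names of jails with enabled = true, in file order (DEFAULT excluded)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_local)
    return [s for s in cfg.sections() if cfg.getboolean(s, "enabled", fallback=False)]

def f2b_anchors(pf_conf: str) -> set[str]:
    """Sub-anchor names declared inside 'anchor f2b { ... }'; empty if absent."""
    block = re.search(r"^\s*anchor\s+f2b\s*\{(.*?)^\s*\}", pf_conf, re.S | re.M)
    if not block:
        return set()
    return set(re.findall(r"^\s*anchor\s+([\w-]+)", block.group(1), re.M))

def missing_anchors(jail_local: str, pf_conf: str) -> list[str]:
    """Enabled jails whose rules would have no f2b/<jail> anchor in pf.conf."""
    anchors = f2b_anchors(pf_conf)
    return [j for j in enabled_jails(jail_local) if j not in anchors]
```

Run `missing_anchors` against the real files before restarting fail2ban; an empty list means every enabled jail has an anchor to load into, and a pf.conf with no `anchor f2b` block at all reports every enabled jail.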
Comment 5 theis 2017-10-15 07:54:31 UTC
I have submitted https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223022 which updates to 0.10.1
Comment 6 Matthias Fechner freebsd_committer freebsd_triage 2017-10-15 10:33:41 UTC
(In reply to Lukasz Wasikowski from comment #4)
Thanks, the upgrade to 0.10.1 fixed the removal of all pf rules and fail2ban now touches only the rules it should.

As the configuration changed a lot, I will now start reading the new manual to see what else I have to change so that fail2ban just adds a block rule for the IP found (not restricted to a port).
Comment 7 Wen Heping freebsd_committer freebsd_triage 2017-10-15 10:59:32 UTC
It has been superseded by PR/223022.