Each time I restart the Ubuntu 16.10 server including fail2ban, I see plenty of errors in the log like this one (and will paste all the details you need below)
2016-12-09 15:22:52,842 fail2ban.action [30848]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix-rbl
iptables -w -F f2b-postfix-rbl
iptables -w -X f2b-postfix-rbl -- stdout: b''
2016-12-09 15:22:52,842 fail2ban.action [30848]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix-rbl
iptables -w -F f2b-postfix-rbl
iptables -w -X f2b-postfix-rbl -- stderr: b"iptables v1.6.0: Couldn't load target `f2b-postfix-rbl':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2016-12-09 15:22:52,843 fail2ban.action [30848]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix-rbl
iptables -w -F f2b-postfix-rbl
iptables -w -X f2b-postfix-rbl -- returned 1
2016-12-09 15:22:52,843 fail2ban.actions [30848]: ERROR Failed to stop jail 'postfix-rbl' action 'iptables-multiport': Error stopping action
2016-12-09 15:22:52,843 fail2ban.jail [30848]: INFO Jail 'postfix-rbl' stopped
$ sudo fail2ban-client version
$ 0.9.5
Installed via apt-get through the normal Ubuntu 16.10 distribution. I have not applied any foreign patches.
Customisations: none, except these jail.local lines:
michael.heuberger@binarykitchen /e/fail2ban ❯❯❯ cat jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 58.28.215.108
# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = yes
# "bantime" is the number of seconds that a host is banned.
bantime = 518400
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 3600
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = [email protected]
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = mail
# path overrides
postfix_log = /var/log/mail.log
dovecot_log = /var/log/dovecot.log
[sshd]
enabled = true
port = ssh,2222
[sshd-ddos]
enabled = true
port = ssh,2222
#
# Mail servers
#
[postfix]
enabled = true
[postfix-sasl]
enabled = true
[postfix-rbl]
enabled = true
[dovecot]
enabled = true
#
# Webmail and groupware servers
#
[roundcube-auth]
enabled = true
logpath = /usr/share/roundcubemail/logs/errors
[monit]
#Ban clients brute-forcing the monit gui login
enabled = true
logpath = /var/log/monit.log
As mentioned at top of this ticket, there are lots of iptables related errors during startup.
Happens each time I restart server. But not when I do a sudo service fail2ban restart
No errors in /var/log/fail2ban.log at all.
Using this for the service:
michael.heuberger@binarykitchen /l/s/system ❯❯❯ cat fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service
PartOf=iptables.service firewalld.service
[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
[Install]
WantedBy=multi-user.target
When I switch to the root user and run a command like iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix-rbl then I don't see errors like these. This makes me question whether the startup sequence is really run under root or not?
Thanks for any advice
This likely means the dependencies between services are incorrect...
Something else (a firewall etc. that flushes all iptables entries) shuts down before fail2ban, so the solution is easy: add a relation between both (in the init.d script or systemd.service).
The issue is thus a 3rd party issue (you can seek support from the Ubuntu maintainers).
BTW, it could however be "fixed" on the fly if either #980 or #1588 gets implemented.
@sebres well, I already have a relation between these two here:
michael.heuberger@binarykitchen /l/s/system ❯❯❯ cat fail2ban.service
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service
PartOf=iptables.service firewalld.service
[Service]
Type=forking
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
[Install]
WantedBy=multi-user.target
and
michael.heuberger@binarykitchen /e/init.d ❯❯❯ cat fail2ban
#! /bin/sh
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $time $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
# Should-Stop: $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/stop fail2ban
# Description: Start/stop fail2ban, a daemon scanning the log files and
# banning potential attackers.
### END INIT INFO
# Author: Aaron Isotton <[email protected]>
# Modified: by Yaroslav Halchenko <[email protected]>
# reindented + minor corrections + to work on sarge without modifications
# Modified: by Glenn Aaldering <[email protected]>
# added exit codes for status command
# Modified: by Juan Karlo de Guzman <[email protected]>
# corrected the DAEMON's path and the SOCKFILE
# rename this file: (sudo) mv /etc/init.d/fail2ban.init /etc/init.d/fail2ban
# same with the logrotate file: (sudo) mv /etc/logrotate.d/fail2ban.logrotate /etc/logrotate.d/fail2ban
#
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="authentication failure monitor"
NAME=fail2ban
# fail2ban-client is not a daemon itself but starts a daemon and
# loads its with configuration
DAEMON=/usr/bin/$NAME-client
SCRIPTNAME=/etc/init.d/$NAME
...
... still there are obviously troubles during startup.
If you think it is an Ubuntu issue where exactly do you recommend me to report this?
well i already have a relation between these two here
It could additionally be something else (I don't know what, but definitely something managing iptables).
Or these relations do not work...
BTW. You should decide: init.d or systemd-service, but not both :)
If you think it is an Ubuntu issue ...
I'm not sure about Ubuntu itself (you could have something additional installed, foreign packages from elsewhere, etc.).
where exactly do you recommend me to report this?
No idea - this is the place where fail2ban is developed (also not a common forum or community of some distribution).
@yarikoptic maintains the fail2ban packages for Debian and NeuroDebian, but I don't know whether they are used for Ubuntu...
Can I figure out how fail2ban is started on my system? init.d or systemd-service? I might have a mess here and some commands would be great. Commands to test if fail2ban is installed, started and configured properly. Or is there a script handy out there that could do it?
@yarikoptic can you advise me re: Ubuntu packages? Where do you recommend me to report this for Ubuntu?
sudo fail2ban-client status (will tell you if it's up and running)
sudo fail2ban-client -vvv -x stop (manually stop the client - verbose)
sudo fail2ban-client -vvv -x start (manually start the client - verbose - if it starts up ok using this then run sudo fail2ban-client -vvv -x stop again)
and then
sudo service fail2ban restart
thanks - will check them out soon
... and are there any other commands to check if installation and start up sequence is configured correctly?
systemctl list-unit-files (will tell you if it's correctly enabled for system.d startup)
Once the system is booted, run "top" to see if you see fail2ban-server in the running services.
Ah, systemctl list-unit-files lists the fail2ban service as enabled.
Does this mean the /etc/init.d/fail2ban entry is obsolete then?
sudo fail2ban-client -vvv -x start prints a hell of a lot of debug lines. Hard to see if there were any errors in the middle. Are there any parameters to fine-tune for that command, so that only warnings and errors are seen?
yes init.d has been replaced with system.d
If you run sudo fail2ban-client -vvv -x start and it gets to the end without any error reported then the client started successfully and it means your config files are all ok, if not it will give you an error and tell you in which .conf file your error is.
Once you get a successful start using sudo fail2ban-client -vvv -x start then run sudo fail2ban-client -vvv -x stop and then sudo service fail2ban restart
Yes, sudo fail2ban-client -vvv -x start does start fine without any errors.
Still, when it starts through system.d, I am seeing the above-mentioned errors. Must be something else ...
I have the same problem on Ubuntu 16.04 LTS
@ArtLion74 What is the output of ?sudo? fail2ban-client -d | grep <error-jail>. Replace <error-jail> with the name of the jail that produces this error.
I have the same issue:
Centos 7.
fail2ban 0.96
fail2ban.log
2018-03-23 12:54:52,074 fail2ban.action [9756]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
2018-03-23 12:54:52,075 fail2ban.action [9756]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
2018-03-23 12:54:52,075 fail2ban.action [9756]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-03-23 12:54:52,075 fail2ban.CommandAction [9756]: ERROR Invariant check failed. Trying to restore a sane environment
2018-03-23 12:54:52,180 fail2ban.action [9756]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: ''
2018-03-23 12:54:52,181 fail2ban.action [9756]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2018-03-23 12:54:52,181 fail2ban.action [9756]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-23 12:54:52,181 fail2ban.actions [9756]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': '2018-03-23T11:53:46.707058149-210-194-176.colo.transip.net sshd[27676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-213-127-22-4.ip.prioritytelecom.net user=root2018-03-23T11:53:48.733188149-210-194-176.colo.transip.net sshd[27676]: Failed password for root from [my ip] port 31224 ssh22018-03-23T11:54:51.709842149-210-194-176.colo.transip.net sshd[27676]: Failed password for root from [my ip] port 31224 ssh2', 'ip': '[my ip]', 'time': 1521802491.930057, 'failures': 3}': Error stopping action
fail2ban-client -d | grep sshd:
['add', 'sshd', 'systemd']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'maxretry', 3]
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'bantime', 3600]
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'findtime', 600]
['set', 'sshd', 'maxlines', '10']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"]
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)? \\[preauth\\]$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?User .+ not allowed because account is locked(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>: 11: .+(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Connection closed by <HOST>(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?Connection from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'addaction', 'iptables-multiport']
['set', 'sshd', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'sshd', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'sshd', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'sshd', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'bantime', '3600']
['set', 'sshd', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'iptables-multiport', 'known/__name__', 'Init']
['set', 'sshd', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/__name__', 'Init']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'name', 'sshd']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['start', 'sshd']
Anything I can do to fix this?
Anything I can do to fix this?
Unfortunately nothing. What you see is an after-effect...
It occurred because you (or some program) flushed iptables (and so deleted the fail2ban chains and rules in iptables).
This consequential "error" (I mean the impossibility of restoring a sane environment after "Invariant check failed") was already fixed in the newest version in 7516cd025d22dd82a700a2690455973bc33ca2aa (but still not in your version).
So unfortunately ATM, you can "repair" it only by restarting fail2ban.
And just try to avoid the flush of iptables in the future.
Ok, thanks for taking the time to take a look at it. I'll use that for now!
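The two failure patterns quoted in this thread can be told apart mechanically. The following is an added example, not part of the original thread or of fail2ban itself: a small Python triage of fail2ban.log that folds multi-line action records together and reports, per jail, whether the f2b-<name> chain was already gone when the jail was stopped or disappeared while fail2ban was running. The sample log is constructed (abbreviated from the excerpts above) and the verdict labels are this example's own.

```python
import re

# Constructed sample, abbreviated from the log excerpts quoted in this thread.
SAMPLE_LOG = r"""2016-12-09 15:22:52,842 fail2ban.action [30848]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix-rbl
iptables -w -F f2b-postfix-rbl
iptables -w -X f2b-postfix-rbl -- stderr: b"iptables: No chain/target/match by that name.\n"
2016-12-09 15:22:52,843 fail2ban.actions [30848]: ERROR Failed to stop jail 'postfix-rbl' action 'iptables-multiport': Error stopping action
2016-12-09 15:22:52,843 fail2ban.jail [30848]: INFO Jail 'postfix-rbl' stopped
2018-03-23 12:54:52,075 fail2ban.action [9756]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2018-03-23 12:54:52,075 fail2ban.CommandAction [9756]: ERROR Invariant check failed. Trying to restore a sane environment
2018-03-23 12:54:52,181 fail2ban.action [9756]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: "iptables: No chain/target/match by that name.\n"
2018-03-23 12:54:52,181 fail2ban.actions [9756]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{...}': Error stopping action
"""

# A record starts with "YYYY-MM-DD HH:MM:SS,mmm component [pid]: LEVEL message".
RECORD_START = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \S+\s+\[\d+\]: (\w+)\s+(.*)$")
MISSING = "No chain/target/match by that name"
CHAIN = re.compile(r"\bf2b-([\w-]+)")
# actioncheck of iptables-multiport failing: the jump to f2b-<name> is not in the chain.
CHECK_FAIL = re.compile(r"grep -q 'f2b-([\w-]+)\[.*-- returned 1")
STOP_FAIL = re.compile(r"Failed to stop jail '([^']+)' action '[^']+'")
RUNTIME_FAIL = re.compile(r"Failed to execute (?:ban|unban) jail '([^']+)' action '[^']+'")


def records(text):
    """Yield (level, message); lines without a timestamp continue the previous record."""
    current = None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2)]
        elif current:
            current[1] += "\n" + line
    if current:
        yield tuple(current)


def triage(text):
    """Return {jail: verdict} for jails whose iptables action failed."""
    gone = set()   # jails whose f2b-<jail> chain or jump rule was reported missing
    verdicts = {}
    for level, msg in records(text):
        if level != "ERROR":
            continue
        if MISSING in msg:
            gone.update(CHAIN.findall(msg))
        m = CHECK_FAIL.search(msg)
        if m:
            gone.add(m.group(1))
        m = STOP_FAIL.search(msg)
        if m:
            jail = m.group(1)
            verdicts[jail] = "chain-missing-at-stop" if jail in gone else "stop-failed-other"
        m = RUNTIME_FAIL.search(msg)
        if m:
            jail = m.group(1)
            verdicts[jail] = ("chain-flushed-while-running" if jail in gone
                              else "action-failed-other")
    return verdicts


if __name__ == "__main__":
    for jail, verdict in triage(SAMPLE_LOG).items():
        print(f"{jail}: {verdict}")
```

A "chain-flushed-while-running" verdict corresponds to the case described above where the jail's iptables rules are gone until fail2ban is restarted.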