Open jlerbsc opened 7 years ago
drybjed
commented
7 years ago Not sure... Do you run the debops.fail2ban role with DebOps playbooks or as standalone? If you use a custom playbook, did you enable the become: True option on the playbook level so that the role will be run with root privileges?
jlerbsc
commented
7 years ago It's a custom playbook, I'm going to try become: True. Thanks
jhilden
commented
7 years ago @jlerbsc did you find a solution for this error? We are seeing the same thing. /proc/net/xt_recent/ is just empty on the servers.
@drybjed I'm not sure how to add become: true "on the playbook level", since we have the role directly in our site.yml like this:
--
- hosts: all
remote_user: root
roles:
- debops.fail2banAdding become: true here did not help.
Any help would be appreciated.
drybjed
commented
7 years ago @jhilden What happens when you install fail2ban package by hand on that host, does it work correctly?
jhilden
commented
7 years ago @drybjed yes, wehen I install it manually on that host (sudo apt-get install fail2ban) it works just fine.
drybjed
commented
7 years ago @jhilden In that case I suppose it might be some configuration applied by the role. You could try commenting out the sections that the role adds and see if you find out which one is the culprit.
jlerbsc
commented
6 years ago @Hi drybjec, I always have this log when using debops.fail2ban role with a custom playbooks and become: yes option on the playbook level like this. Do you have an idea?
hosts : tag_managed_ansible:&tag_role_nginx_front:&tagtarget{{target}} become : yes user: xxx tags:
roles:
ERROR test -e /proc/net/xt_recent/fail2ban-ssh returned 100 ERROR Invariant check failed. Trying to restore a sane environment ERROR echo / > /proc/net/xt_recent/fail2ban-ssh iptables -D INPUT -m recent --update --seconds 604800 --name fail2ban-ssh --jump REJECT --reject-with icmp-admin-prohibited returned 100
drybjed
commented
6 years ago This seems to be an error from the fail2ban service itself, perhaps an issue with the configuration. What happens when you try to restart the service by hand?
drybjed
commented
6 years ago @jlerbsc Is that the same error that you started this issue thread with?
jlerbsc
commented
6 years ago Yes it's the same error. I think the origi of the error is related to the fact that the file fail2ban-ssh in /proc/net/xt_recent directory is not found and the command sudo echo / > /proc/net/xt_recent/fail2ban-ssh throws /proc/net/xt_recent/fail2ban-ssh: No such file or directory
drybjed
commented
6 years ago Do you have the xt_recent module loaded in the kernel? Check with:
lsmod | grep recentWhat kind of host is this, is is a container, a VM?
jlerbsc
commented
6 years ago When i restart fail2ban by hand, i have the same errors (Fail2ban v0.8.13).
jlerbsc
commented
6 years ago lsmod | grep recent xt_recent 17246 0 x_tables 27111 3 xt_recent,ip_tables,iptable_filter
jlerbsc
commented
6 years ago The host is an AWS/EC2 server
drybjed
commented
6 years ago @jlerbsc Well, I have the same suggestion as last time - try installing a fail2ban package manually on a clean host to see if it works at all. If it does, configure it with debops.fail2ban and try commenting out or moving away parts of the configuration until it works again. That way you can find out what caused the issue.
jlerbsc
commented
6 years ago When i re install fail2ban from scratch it works perfectly with default configuration. sudo apt-get purge fail2ban sudo apt-get install fail2ban
What's the meaning of this errors in fail2ban log? and why /proc/net/xt_recent is not created with debops fail2ban installation?
ERROR test -e /proc/net/xt_recent/fail2ban-ssh returned 100 ERROR Invariant check failed. Trying to restore a sane environment ERROR echo / > /proc/net/xt_recent/fail2ban-ssh iptables -D INPUT -m recent --update --seconds 604800 --name fail2ban-ssh --jump REJECT --reject-with icmp-admin-prohibited returned 100