I've recently set up a new VPS running Gentoo (my first time using the distro, so please forgive me if this is a really easy one) and, as I've done with other servers, installed fail2ban, setting it up to block the host via iptables on too many unsuccessful SSH logins. However, I'm getting a strange error that I can't quite solve.
When I start fail2ban I get these lines in the error log:
2009-11-13 18:02:01,290 fail2ban.jail : INFO Jail 'ssh-iptables' started
2009-11-13 18:02:01,480 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
If I try and force a ban, these errors show up in the log and the host is not banned:
2009-11-13 11:23:26,905 fail2ban.actions: WARNING [ssh-iptables] Ban XXX.XXX.XXX.XXX
2009-11-13 11:23:26,929 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2009-11-13 11:23:26,930 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-11-13 11:23:27,007 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
2009-11-13 11:23:27,016 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2009-11-13 11:23:27,016 fail2ban.actions.action: CRITICAL Unable to restore environment
My versions are as follows:
Linux masked 2.6.18-xen-r12 #2 SMP Wed Mar 4 11:45:03 GMT 2009 x86_64 Intel(R) Xeon(R) CPU E5504 @ 2.00GHz GenuineIntel GNU/Linux
net-analyzer/fail2ban-0.8.4
net-firewall/iptables-1.4.3.2
If anyone could shed some light on these errors that would be great. I did wonder if it was a problem with iptables or some kernel modules, but I can block an IP if I do:
iptables -I INPUT -s 25.55.55.55 -j DROP
so that makes me think it's something a bit more unusual.
Thanks a lot in advance.
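As an added example (not from the question or from fail2ban itself), a small Python triage script that reassembles the multi-line action records shown above and decodes the "returned 100" value: fail2ban 0.8's action code logs the raw os.system() wait status in hex, so 0x100 is exit status 1 from the shell that ran the command string, which for the actioncheck line means grep found no reference to fail2ban-SSH in the INPUT chain. The embedded sample is a constructed copy of the log lines above.

```python
import re

# Constructed sample: the fail2ban 0.8 action log records from the question.
SAMPLE_LOG = """\
2009-11-13 11:23:26,905 fail2ban.actions: WARNING [ssh-iptables] Ban XXX.XXX.XXX.XXX
2009-11-13 11:23:26,929 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2009-11-13 11:23:26,930 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2009-11-13 11:23:27,007 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
2009-11-13 11:23:27,016 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2009-11-13 11:23:27,016 fail2ban.actions.action: CRITICAL Unable to restore environment
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
# timestamp, logger name, level, message (message may span several lines)
REC_RE = re.compile(r"^(\S+ \S+) (\S+): (\w+) (.*)$", re.DOTALL)
RET_RE = re.compile(r"^(.*) returned ([0-9a-fA-F]+)$", re.DOTALL)

def join_continuations(text):
    """A multi-line action command is logged as one record whose continuation
    lines carry no timestamp; glue those lines back onto their record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records

def decode_wait_status(hexstatus):
    """fail2ban 0.8 logs the raw os.system() wait status with '%x': the exit
    status sits in the high byte, a terminating signal in the low 7 bits."""
    status = int(hexstatus, 16)
    if status & 0x7F:
        return {"signal": status & 0x7F, "exit": None}
    return {"signal": None, "exit": (status >> 8) & 0xFF}

def failed_actions(text):
    """Return each failing action: its timestamp, the command lines that were
    run as one shell script, and the decoded status of that script (which is
    the exit status of its last command)."""
    failures = []
    for rec in join_continuations(text):
        m = REC_RE.match(rec)
        if not m or m.group(2) != "fail2ban.actions.action" or m.group(3) != "ERROR":
            continue
        r = RET_RE.match(m.group(4))
        if not r:
            continue  # e.g. "Invariant check failed..." carries no status
        entry = {"time": m.group(1), "commands": r.group(1).splitlines()}
        entry.update(decode_wait_status(r.group(2)))
        failures.append(entry)
    return failures
```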
On Ubuntu 10.04 I had a similar problem randomly across all the jails. Some would start, some wouldn't. I solved this by editing the fail2ban-client file in /usr/bin and adding a delay. It now works flawlessly every time I restart. The added line is time.sleep(0.1).
The problem is due to the version of fail2ban having a fault where it sends multiple simultaneous commands to iptables. It also affects Ubuntu 10.04 LTS. The problem is described in Debian bug report 554162.
I eventually solved this issue by upgrading my kernel to 2.6.30.
For this I followed this guide: http://vps.net/forum/forums/tutorials-how-tos/1081-how-upgrade-gentoo-use-latest-pvops-kernel.
Fail2ban now works perfectly.