J D's questions -server

J D

Asked: 2019-11-07 03:25:20 +0800 CST

KVM guests don't show correct source IP

0

I've got KVM hosted on CentOS 7. All of my networking configurations are done via NetworkManager. The problem I'm facing is that guests show KVM's IP, rather than my external IP, when connecting to them, i.e. via SSH, from external networks.

Guests networking is set to virbr1, routed to enp2s0, where they are then NAT'ed before going to external networks.

KVM LAN IP - 192.168.1.1/24

firewall-cmd list-all output:

external (active)                                                                                                                                                                            
  target: default                                                                                                                                                                            
  icmp-block-inversion: no                                                                                                                                                                   
  interfaces: enp2s0                                                                                                                                                                         
  sources:                                                                                                                                                                                   
  services: ssh                                                                                                                                                                              
  ports:                                                                                                                                                                                     
  protocols:                                                                                                                                                                                 
  masquerade: yes                                                                                                                                                                            
  forward-ports:                                                                                                                                                                             
  source-ports:                                                                                                                                                                              
  icmp-blocks:                                                                                                                                                                               
  rich rules:     
      rule family="ipv4" source ipset="whitelist" forward-port port="2222" protocol="tcp" to-port="22" to-addr="192.168.1.2"

..
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0 virbr1
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

systemctl status iptables output:

Unit iptables.service could not be found.

iptables -vnL output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)                                                                                                                                               
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53                                                                                          
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53                                                                                          
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67                                                                                          
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67                                                                                          
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53                                                                                          
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53                                                                                          
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67                                                                                          
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67                                                                                          
16402 2196K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0                                                                                                                
 2478  130K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                             
 2477  130K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                       
 2477  130K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                              
   17  1068 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID                                                                                     
 2298  112K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited                                                                    

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)                                                                                                                                             
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED                                                                         
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0                                                                                                                
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0                                                                                                                
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable                                                                   
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable                                                                   
17830  153M ACCEPT     all  --  enp2s0 virbr1  0.0.0.0/0            192.168.1.0/24                                                                                                           
12801   18M ACCEPT     all  --  virbr1 enp2s0  192.168.1.0/24       0.0.0.0/0                                                                                                                
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0                                                                                                                
    0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable                                                                   
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable                                                                   
    1    69 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0                                                                                                                
 2319  114K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                           
 2319  114K FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                  
 2319  114K FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                         
 2317  114K FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                 
 2317  114K FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                        
    5   204 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID                                                                                     
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited                                                                    

Chain OUTPUT (policy ACCEPT 20270 packets, 15M bytes)                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68                                                                                          
    0     0 ACCEPT     udp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            udp dpt:68                                                                                          
20272   15M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                            

Chain FORWARD_IN_ZONES (1 references)                                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2319  114K FWDI_external  all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           [goto]                                                                                           
    0     0 FWDI_trusted  all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0                                                                                                             
    0     0 FWDI_trusted  all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0                                                                                                             
    0     0 FWDI_external  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]                                                                                           

Chain FORWARD_IN_ZONES_SOURCE (1 references)                                                                                                                                                 
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FORWARD_OUT_ZONES (1 references)                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2317  114K FWDO_external  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           [goto]                                                                                           
    0     0 FWDO_trusted  all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0                                                                                                             
    0     0 FWDO_trusted  all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0                                                                                                             
    0     0 FWDO_external  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]                                                                                           

Chain FORWARD_OUT_ZONES_SOURCE (1 references)                                                                                                                                                
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FORWARD_direct (1 references)                                                                                                                                                          
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDI_external (2 references)                                                                                                                                                           
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2319  114K FWDI_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                        
 2319  114K FWDI_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                       
 2319  114K FWDI_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                      
    2    62 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                

Chain FWDI_external_allow (1 references)                                                                                                                                                     
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x64                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x65                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x66                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x67                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x68                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x69                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x6a                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x6b                                                                         

Chain FWDI_external_deny (1 references)                                                                                                                                                      
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDI_external_log (1 references)                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDI_trusted (2 references)                                                                                                                                                            
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 FWDI_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                         
    0     0 FWDI_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                        
    0     0 FWDI_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                       
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                

Chain FWDI_trusted_allow (1 references)                                                                                                                                                      
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDI_trusted_deny (1 references)                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDI_trusted_log (1 references)                                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDO_external (2 references)                                                                                                                                                           
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2317  114K FWDO_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                        
 2317  114K FWDO_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                       
 2317  114K FWDO_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                      

Chain FWDO_external_allow (1 references)                                                                                                                                                     
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2312  113K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW                                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW                                                                                         

Chain FWDO_external_deny (1 references)                                                                                                                                                      
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDO_external_log (1 references)                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDO_trusted (2 references)                                                                                                                                                            
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
    0     0 FWDO_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                         
    0     0 FWDO_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                        
    0     0 FWDO_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                       
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                

Chain FWDO_trusted_allow (1 references)                                                                                                                                                      
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDO_trusted_deny (1 references)                                                                                                                                                       
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain FWDO_trusted_log (1 references)                                                                                                                                                        
 pkts bytes target     prot opt in     out     source               destination                                                                                                              

Chain INPUT_ZONES (1 references)                                                                                                                                                             
 pkts bytes target     prot opt in     out     source               destination                                                                                                              
 2415  119K IN_external  all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           [goto]                                                                                             
   62 11515 IN_trusted  all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_trusted  all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_external  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set fail2ban-sshd src reject-with icmp-port-unreachable

Chain IN_external (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2415  119K IN_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2415  119K IN_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2415  119K IN_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   40  2682 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   60  3056 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted (2 references)
 pkts bytes target     prot opt in     out     source               destination
   62 11515 IN_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 IN_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 IN_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_trusted_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

nmcli con show virbr1 output (cropped):

connection.id:                          virbr1                                                                                                                                               
connection.uuid:                        42f97b7c-40f0-4c3a-9a39-cf8d6af8bb12
connection.stable-id:                   --
connection.type:                        bridge
connection.interface-name:              virbr1
connection.zone:                        --
connection.master:                      --
ipv4.method:                            manual
ipv4.addresses:                         192.168.1.1/24
ipv4.gateway:                           --
ipv4.route-table:                       0 (unspec)
GENERAL.STATE:                          activated
GENERAL.ZONE:                           --
IP4.ADDRESS[1]:                         192.168.1.1/24
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 0

J D

Asked: 2019-07-31 07:22:18 +0800 CST

VMWare to KVM migration using virt-v2v

1

I have 2 files that need converting -

vmdk to qcow2, done with qemu-img convert -f vmdk foo.vmdk -O qcow2 foo.qcow2

vmx to xml, trying to do with virt-v2v -i vmx foo.vmx -o disk -os /tmp/test and get the xml from there, however the following error is thrown:

virt-v2v: error: output format should be ‘raw’ or ‘qcow2’.

Use the ‘-of <format>’ option to select a different output format for
the converted guest.

Other output formats are not supported at the moment, although might be
considered in future.

If reporting bugs, run virt-v2v with debugging enabled and include the
complete output:

  virt-v2v -v -x [...]

any pointers?

J D

Asked: 2018-11-26 12:17:32 +0800 CST

Why isn't NFS over SSH transparent to NFS?

3

NFS over LAN seems to work as expected - one downloads nfs-utils rpm, makes a share, modifies ownership and SEL, allows nfs in firewalld, launches nfs-server daemon, and everything is good to go.
Wanting to access files over the internet, I setup an SSH tunnel, as a quick alternative to implementing and maintaining kerberos, however nothing is working as exptected.

Given the following topology:
NFS-server (192.168.1.2) - Gateway (LAN 192.168.1.1, WAN 1.2.3.4) - Internet - Home

I've tried setting up SSH tunnel directly to NFS server:
home: ssh -fNv -L 2049:localhost:2049 NFS-server

and via Gateway:
home: ssh -fNv -L 2049:192.168.2:2049 Gateway

Ultimately, when mounting either option on home pc,
home: mount -o port=2049 -t nfs localhost:/var/nfsshare /mnt
I get the same response - requested NFS version or transport protocol is not supported

I've been reading up peoples experience with NFS over SSH and it seems to range greatly, from people just getting it to work , to having to configure services never mentioned with plain NFS - i.e. rpcbind, nfs-lock, nfs-idmap.

So my question is, should NFS with SSH 'just work', or does SSH forwarding introduce something that NFS can't handle natively?

J D

Asked: 2018-11-24 04:40:28 +0800 CST

Django 2.1 deployment on centos 7 with apache, mod_wsgi, python3 venv

1

I've stumbled with this seemingly most relevant deployment option because guides seem to either reference mod_wsgi with python2, or deployment on deb based systems where expected paths are different.
So I'm following these steps:

#repos for python3.6, wsgi for python3.6
yum install epel-release centos-release-scl

#base packages
yum install python36 python36-devel httpd httpd-devel rh-python36-mod_wsgi

#python3.6 venv
cd /var/www; 
python36 -m venv django-venv
source django-venv/bin/activate
pip3 install django

#apache config to support wsgi
edit /etc/httpd/conf/httpd.conf to include
LoadModule wsgi_module modules/mod_wsgi.so

apache config to serve django content located at /var/www/mysite

<VirtualHost *:80>
 ServerAdmin [email protected]
 ServerName mysite.com
 ServerAlias www.mysite.com

 WSGIDaemonProcess mysite python-home=/var/www/django-venv/ python-path=/var/www/django-venv/lib/python3.6/site-packages
 WSGIProcessGroup mysite
 WSGIScriptAlias / /var/www/mysite/mysite/wsgi.py

 Alias /static /var/www/mysite/static
 <Directory /var/www/mysite/mysite/static>
  Require all granted
 </Directory>

 <Directory /var/www/mysite/mysite>
  <Files wsgi.py>
  Require all granted
  </Files>
 </Directory>

</VirtualHost>

SEL changes:
chown apache:apache -R /var/www/mysite chown apache:apache -R /var/www/django-venv

httpd starts successfully but I keep getting the following in the error log:

Current thread 0x00007f5b5a486880 (most recent call first):
[Fri Nov 23 14:29:02.019635 2018] [core:notice] [pid 4837] AH00052: child pid 5159 exit signal Aborted (6)
Fatal Python error: Py_Initialize: Unable to get the locale encoding
ModuleNotFoundError: No module named 'encodings'

Could you guys confirm what am I missing in the steps so far for this setup?

Some other info:
ll /etc/httpd/modules/*wsgi* -rwxr-xr-x. 1 root root 966K Nov 23 09:13 /etc/httpd/modules/mod_wsgi.so

systemctl status -l httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-23 14:26:16 EET; 13min ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 4837 (httpd)
Status: "Total requests: 3; Current requests/sec: 0; Current traffic:   0 B/sec"
CGroup: /system.slice/httpd.service
├─4837 /usr/sbin/httpd -DFOREGROUND
├─4839 /usr/sbin/httpd -DFOREGROUND
├─4840 /usr/sbin/httpd -DFOREGROUND
├─4841 /usr/sbin/httpd -DFOREGROUND
├─4842 /usr/sbin/httpd -DFOREGROUND
├─4843 /usr/sbin/httpd -DFOREGROUND
└─4850 /usr/sbin/httpd -DFOREGROUND
Nov 23 14:26:16 www1 systemd[1]: Starting The Apache HTTP Server...
Nov 23 14:26:16 www1 httpd[4837]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::a7a7:b61c:5ffc:b91a. Set the 'ServerName' directive globally to suppress this message
Nov 23 14:26:16 www1 systemd[1]: Started The Apache HTTP Server.

J D

Asked: 2018-11-22 23:12:27 +0800 CST

different firewalld rich rule behavior in kvm host compared to kvm guests

0

I have a CentOS 7 KVM host with a single public IPv4, which is housing multiple guest OS's and acting as a firewall / gateway for guest network 192.168.1.0/24 / nat.

I want to run a webserver of 1 of the guests on port 80, so the following firewalld rule is needed:

rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

Once that is done though, all guests except 192.168.1.3 loose connectivity to worlds port 80 (i.e. when doing yum makecache), except KVM host, which is unaffected.

The question is - does having this rule override the default connection tracking policies of firewalld and if so, why isn't the host affected?

Additional info: guests are using KVM routed mode networking; relevant host firewalld config:

external (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources: 
services: ssh
ports: 
protocols: 
masquerade: yes
forward-ports:
source-ports: 
icmp-blocks: 
rich rules: 
   rule family="ipv4" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.1.3"

the following didn't exist before but virbr0 got picked up by NetworkManager, so I added blind trust until a better strategy is devised

trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: virbr0
sources: 192.168.1.0/24
services: 
ports: 
protocols: 
masquerade: no
forward-ports: 
source-ports: 
icmp-blocks: 
rich rules:

J D

Asked: 2018-09-07 22:40:10 +0800 CST

Strange behavior with fail2ban when permanently banning IPs

0

As per documentation, setting jail bantime to a negative value should result in a permanent ban. However once that is done, the following behavior changes, compared to when setting bantime to a positive integer:

1) ipset list doesn't show fail2ban-sshd hash table

2) firewall-cmd --direct --get-all-rules is empty

3) /var/log/fail2ban.log becomes a single line. interesting entry

sshd[25772]: Invalid user ubuntu from 93.174.89.88 port 37477', 'ip': '93.174.89.88', 'ipmatches': at 0x7f4588f9dc08>, 'ipfailures': at 0x7f4588f9daa0>, 'time': 1536301842.088076, 'failures': 1443, 'ipjailfailures': at 0x7f4588f9dd70>})': Error banning 93.174.89.88

4) /var/log/messages has the following

firewalld[916]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed: iptables-restore v1.4.21: Set fail2ban-sshd doesn't exist.#012#012Error occurred at line: 2#012Try 'iptables-restore -h' or 'iptables-restore --help' for more information. firewalld[916]: ERROR: COMMAND_FAILED

The only command working as expected is fail2ban-client status sshd, however the IPs that are shown to be banned still try to connect. I think the root of all problems is that ipset isn't created for whatever reason once the integer is negative.

Any ideas? Also, does the command fail2ban-client reload has the same affect as systemctl restart fail2ban.service when applying new configuration?

In my case, /etc/fail2ban/jail.d/local.conf

[sshd]
enabled = true
bantime = -1
findtime = 3600
maxretry = 5
action = %(action_)s

KVM guests don't show correct source IP

VMWare to KVM migration using virt-v2v

Why isn't NFS over SSH transparent to NFS?

Django 2.1 deployment on centos 7 with apache, mod_wsgi, python3 venv

different firewalld rich rule behavior in kvm host compared to kvm guests

Strange behavior with fail2ban when permanently banning IPs

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?