Errors encountered at setup on Debian 9 with Fail2ban and Firewalld

#1 Sun, 09/10/2017 - 14:23
R3vLibre

Hi,

I encountered several errors and/or made some mistakes during my installation+configuration of Virtualmin on Debian 9.
I will gather a few of those that might somehow be related. This is a Virtualmin installation, although it relates more to Webmin services, so I didn't know where the best place to post was.

So, I decided to install the "minimal" version.
When I ran the install script for the first time, it stopped when installing "Fail2banFirewalld" module.

1) I tried to resume the installation with "virtualmin-config-system" using "--exclude" to avoid running the installation again for already installed components.

It failed. I found out it was in "/usr/share/perl5/Virtualmin/Config.pm", in subroutine "_gather_plugins".
I think it was related to the way "@include" and "@exclude" are (de)referenced when requesting modules "include" and "exclude" attributes.
I now guess it was working for "include", and maybe I could just use that, but I used "exclude".
I did a modification that must be compatible with both expressions.
I can send it if you tell me how and where.
It's been a long time since I did Perl, so it is more of a guess, but I could proceed with the installation of the leftover modules.

2) Installation of "Fail2banFirewalld"
Then I came to the problem with "Fail2banFirewalld".
It was stopping when creating the startup scripts.
However, I saw that it created the "S99fail2ban" scripts under "rc.d" directories.

The check that was causing a stop was in file "/usr/share/webmin/init/init-lib.pl":

if ($init_mode eq "systemd" && (!-r "$config{'init_dir'}/$_[0]" ||
                                &is_systemd_service($unit))) {
        # Create systemd unit if missing, as long as this isn't an old-style
        # init script
        my $cfile = &get_systemd_root($_[0])."/".$unit;
        if (!-r $cfile) {
                # Need to create config
                $_[2] || &error("Systemd service $_[0] cannot be created ".
                                "unless a command is given");
                &create_systemd_service($unit, $_[1], $_[2], $_[3], undef,
                                        $_[5]->{'fork'}, $_[5]->{'pidfile'},
                                        $_[5]->{'exit'});
                }

It was saying "Systemd service fail2ban cannot be created unless a command is given".
There was indeed no parameter "$_[2]" passed by the caller.
But the conditional check was strange to me:
a) !-r "$config{'init_dir'}/$_[0]" was false because the S99fail2ban script indeed existed
b) &is_systemd_service($unit) was true, so that whatever init script existed, it went into the "if" branch

I am not sure of the purpose of the test, but I thought:
- either it is systemd, and it must enter the "if", for purposes I don't know
- or it is not systemd, and it must enter the "if" if no "init.d" already exists

So, I added a "!" in front of &is_systemd_service($unit), as if the "!" was indeed applying to the whole parenthesis expression (-r "$config{'init_dir'}/$_[0]" || &is_systemd_service($unit))

But I am not sure of that, not knowing the intent of the test.

However, I could proceed with the installation that way.
Fail2ban got installed and its dependency Firewalld reinstalled.
After some tweaking seen elsewhere on this forum ("imap3" being removed as a service in Debian), I could make it start manually.

3) Fail2ban runs but does not start by itself at reboot, even though the rc.d scripts are there.
When activating the service in Webmin, "Start/Stop" works.
However, if I activate "Start at boot", it toggles back from "Yes" to "No" by itself when pressing the button.
Besides that, it creates a new set of "S99fail2ban_1" files in rc.d directories.

I can imagine it is related to the error encountered in (2), above.

4) Fail2ban indeed took action for banning my own trial, I could see it in the log.
However:
a) I didn't see a new iptables rule banning this IP, and I could still connect myself to the service
b) I don't see any banning happening daily, although I was used to having several bans a day before because of port scanning (on another server)
I can think of the firewall doing a better job, but there are still classic ports that are open, I am just surprised not to see any scanning

5) The Firewalld webmin service is in error on the service page

Error - Perl execution failed

Can't locate firewalld-lib.pl in @INC (@INC contains: /usr/share/webmin /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.24.1 /usr/local/share/perl/5.24.1 /usr/lib/x86_64-linux-gnu/perl5/5.24 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.24 /usr/share/perl/5.24 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/webmin/firewalld/index.cgi line 6.

I think it's a core module, so I don't know how to reinstall.
I reran "virtualmin-config-system" far later, which was not a very good idea, anyway it didn't help.

I wonder if the fact that the bans are not effective is not related to this.
I don't know by which mechanisms the rule update is triggered.
What I know is that the startup proceeds well, the initial rules are set.
Since I am not familiar with expressions like

REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable

I am not sure whether individual banned IPs must appear there, or if the rule is supposed to handle them as a whole.
However, the fact I was still able to establish a connection after banning myself is a clue that the setup is not fully operational.

6) Thank you for having read all of this. I expect to find some answers, and I hope to bring stuff that might help consolidate this good piece of software!!
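
Added example, not part of the original post: with a `match-set fail2ban-sshd src` rule, banned addresses are held in the `fail2ban-sshd` ipset rather than as separate iptables rules, so the check is whether each address fail2ban logged as banned is a member of that set. The script compares the two using constructed samples of a fail2ban log and of `ipset list fail2ban-sshd` output; the function names and sample addresses are assumptions for illustration.

```sh
#!/bin/sh
# Added example; all sample data below is constructed.

# active_bans JAIL LOGFILE: addresses whose latest logged action is "Ban".
active_bans() {
    awk -v jail="[$1]" '
        /fail2ban\.actions/ {
            for (i = 1; i <= NF - 2; i++)
                if ($i == jail && ($(i+1) == "Ban" || $(i+1) == "Unban"))
                    last[$(i+2)] = $(i+1)
        }
        END { for (ip in last) if (last[ip] == "Ban") print ip }
    ' "$2" | sort
}

# ipset_members FILE: addresses listed after "Members:" in ipset list output.
ipset_members() {
    awk 'in_members && NF { print $1 } /^Members:/ { in_members = 1 }' "$1"
}

# unenforced_bans JAIL LOGFILE IPSETFILE: banned in the log, absent from the set.
unenforced_bans() {
    active_bans "$1" "$2" |
    awk -v list="$(ipset_members "$3" | tr '\n' ' ')" '
        BEGIN { n = split(list, m, " "); for (i = 1; i <= n; i++) in_set[m[i]] = 1 }
        !($0 in in_set)'
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/fail2ban.log" <<'EOF'
2017-09-10 13:58:02,114 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.7
2017-09-10 13:58:09,530 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2017-09-10 14:02:41,007 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
2017-09-10 14:12:41,310 fail2ban.actions        [812]: NOTICE  [sshd] Unban 198.51.100.23
2017-09-10 14:20:15,882 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.44
EOF

cat > "$demo/ipset.txt" <<'EOF'
Name: fail2ban-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 184
References: 1
Number of entries: 1
Members:
192.0.2.44 timeout 512
EOF

# On a live host (as root) the set listing would come from:
#   ipset list fail2ban-sshd > "$demo/ipset.txt"
unenforced_bans sshd "$demo/fail2ban.log" "$demo/ipset.txt"
```

An address printed here was banned according to the log but is not in the set the REJECT rule matches against, which is the symptom described in point 4.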

Mon, 09/11/2017 - 01:04
Joe

Hey thanks for poking around in the new virtualmin config-system command! You're right there are still some quirks in places.

I thought we'd fixed the systemd issue you're seeing in Webmin upstream (and I think it was rolled out with 1.852, but I might be wrong). I'll have to take a deeper look tomorrow (it's after 1AM here).

This (and almost everything else we do) is developed in the open on github. You can find the Virtualmin-Config repo here: https://github.com/virtualmin/Virtualmin-Config

Pull requests and issue reports are welcome (and we can talk about it here, too). I'll go through this tomorrow with more specifics. I think there are still some known issues with the configuration that config-system produces when not using firewalld with fail2ban on systems that have firewalld as an option. I fixed a few a couple weeks ago, but then got distracted by more pressing matters.

--

Check out the forum guidelines!

Sat, 09/30/2017 - 03:11
Broxi

I've just fresh-installed debian 9.1 and gpl virtualmin. The Installation went well, but I'm not able to configure the FirewallD, because I get an error in Webmin:

Error - Perl execution failed Can't locate firewalld-lib.pl in @INC (@INC contains: /usr/share/webmin /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.24.1 /usr/local/share/perl/5.24.1 /usr/lib/x86_64-linux-gnu/perl5/5.24 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.24 /usr/share/perl/5.24 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/webmin/firewalld/index.cgi line 6.

Edit: the library exists /usr/share/webmin/firewalld/firewalld-lib.pl

Sat, 09/30/2017 - 03:49
Broxi

as a quick solution, I've modified /usr/share/webmin/firewalld/index.cgi by adding ./ for the library:

replace:

require 'firewalld-lib.pl';

with:

require './firewalld-lib.pl';

That helped out in the first instance that webmin presents the firewalld config page, but clicking on an item results again in similar error (this time in edit_serv.cgi). Therefore I've added ./ on any .cgi in this directory where it was not in place. This works now.

Sat, 09/30/2017 - 13:53 (Reply to #4)
Joe

What version of Webmin do you have? That was supposed to be fixed in Webmin 1.852.

Sun, 10/01/2017 - 03:25 (Reply to #5)
Broxi

Hi Joe, I expected that the freshly downloaded install script would install the latest version. So I would guess I had 1.852. There was an update to 1.853 tonight, so I don't know if I had 1.852 before :-) But I just noticed that with the update to 1.853 the error came back !!!!

I can simply cover that with

sed -i "s/require 'firewalld-lib/require '\.\/firewalld-lib/g" /usr/share/webmin/firewalld/*.cgi

Sun, 10/01/2017 - 14:02 (Reply to #6)
Joe

OK, I've made a pull request for that change. There's something odd going on, as it shouldn't be necessary for files loaded by Webmin, as it already adds . to the path for libraries within Webmin. But, changing the path explicitly definitely works, so that's what I've done.

Sun, 10/01/2017 - 22:36
noisemarine

FWIW, I've had to use this same fix to make the virtualmin-nginx module work, too, otherwise I just see perl errors.

Mon, 10/02/2017 - 15:20 (Reply to #8)
Joe

I don't understand this behavior. I wonder if there's been a perl update that breaks adding . to the path. This was definitely fixed sometime around Webmin 1.850, so I'm surprised we're seeing errors now.

The problem is that very new versions of Perl don't have . in the library search path, and the way Webmin modules have historically worked, relied on it being in the path. We added it back to the path for Webmin-loaded code (since it isn't subject to the security concerns of having . in the path for command line apps, and the like). But, now that seems to not be working any more...I'll talk to Jamie to see what he thinks we ought to do here. I guess we'll either need to roll out a bunch of new modules, or a new Webmin version.

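
Added example, not part of the thread and not Webmin code: a read-only check that generalises the firewalld-specific sed above to any module directory, listing .cgi files that still `require` a sibling library by bare file name, the form that fails once `.` is no longer in Perl's library search path. The function name `bare_requires`, the temporary module directory and the file `save_port.cgi` are constructed for illustration.

```sh
#!/bin/sh
# Added example; the sample module directory below is constructed.

# bare_requires DIR: print "script:line:library" for every require of a *.pl
# file named without a directory part, when that library sits next to the
# script (so prefixing "./" would resolve it). Nothing is modified.
bare_requires() {
    pat="require[[:space:]]+[\"']([^\"'/]+\.pl)[\"']"
    for cgi in "$1"/*.cgi; do
        [ -f "$cgi" ] || continue
        grep -nE "$pat" "$cgi" |
        grep -vE '^[0-9]+:[[:space:]]*#' |          # skip commented-out lines
        sed -E "s#^([0-9]+):.*$pat.*#\1 \2#" |
        while read -r line lib; do
            if [ -f "$1/$lib" ]; then
                echo "$(basename "$cgi"):$line:$lib"
            fi
        done
    done
}

mod=$(mktemp -d)
trap 'rm -rf "$mod"' EXIT

# Sibling library that the scripts below try to load.
: > "$mod/firewalld-lib.pl"

# Bare form: reported.
printf '%s\n' '#!/usr/bin/perl' '# Show zones' '' \
    "require 'firewalld-lib.pl';" > "$mod/index.cgi"

# Already uses ./ : not reported.
printf '%s\n' '#!/usr/bin/perl' \
    "require './firewalld-lib.pl';" > "$mod/edit_serv.cgi"

# Bare form with double quotes is reported; POSIX.pl is not a sibling file,
# so it is left alone.
printf '%s\n' '#!/usr/bin/perl' 'require "firewalld-lib.pl";' \
    "require 'POSIX.pl';" > "$mod/save_port.cgi"

bare_requires "$mod"
```

Pointed at a real module directory such as /usr/share/webmin/firewalld, an empty result means every sibling library is already loaded with an explicit path.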

Mon, 10/02/2017 - 16:05
Broxi

The latest update on Perl on Version 5.26 was in May '17, where the DOT was removed from INC. As far as I can see, Debian stretch was released with perl 5.24. Maybe Debian has backported 5.26 without changing the Version number in one of the last updates ? My perl on Debian 9.1 shows as 5.24.1 with compilation date Sep 12 2017

Mon, 10/02/2017 - 19:17 (Reply to #10)
Joe

Yes, it's a backport of the change from 5.26, and we knew about it. The weird thing is that we thought we'd fixed it back when we were working on Debian 9 support! But, it seems like some modules end up getting loaded in such a way that our fix doesn't actually fix it.

Anyway, I'm rolling a new virtualmin-nginx package tonight or in the morning to sort this particular issue out, and will poke around on a test Debian 9 system to make sure this issue isn't biting us anywhere else.

Fri, 04/27/2018 - 09:45
brad100

Hi All

I just received this error on Debian 9 Virtualmin 6.0.3 - two steps from completing setup

[21/23] Configuring Fail2banFirewalld Error: Systemd service fail2ban cannot be created unless a command is given

Error

Systemd service fail2ban cannot be created unless a command is given.

Would anyone have a suggestion on how to complete install?

I can login but a lot of the final configuration is missing

Kind Regards Brad

Mon, 09/03/2018 - 06:11
kjcsg

Hello,

I too am having the issue "Systemd service fail2ban cannot be created unless a command is given." on step 21/23 for the virtualmin install script that I just downloaded which installed webmin 1.891 and virtualmin 6.03. I'm on Ubuntu 18.04.1 LTS. Thank you for any help in advance!

-Kyle

Mon, 09/03/2018 - 08:40
brad100

Hi Kyle,

My error was caused by the setup of my VPS provider (they run SolusVM 2016 offering KVM) - you can continue with the install after the errors but a lot of the final configuration has been missed and needs to be completed manually. After two days of faffing around I moved my project to a more up-to-date provider and install was faultless.

Hope this helps
Brad

Tue, 01/29/2019 - 14:19
ADDISON74

This Fail2Ban/Firewalld issue is still persistent. It has never been fixed at all. Virtualmin won't install on Debian 9.7 because of .... Firewalld!!! Please remove Firewalld and Fail2Ban from the default installation in Debian. If someone would like to use these packages, they can install them later. I never used Firewalld and don't want it in my systems.

Once I get the installation error there is nothing I can do. If I block the installation of the Firewalld and Fail2Ban packages by setting a priority in the apt configuration, Virtualmin won't install. At this moment the Virtualmin installation is not transparent. I have been a big fan of Virtualmin for years. Over the years I reported a lot of issues and they were fixed. But today Virtualmin disappointed me. I am pressed to install Debian 9/Virtualmin and I cannot go further because of the installation script.

Nice job!

▣□□ Phase 1 of 3: Setup
Downloading RPM-GPG-KEY-virtualmin-6                                    [ OK! ]
Downloading RPM-GPG-KEY-webmin                                          [ OK! ]
Installing Virtualmin 6 key                                             [ OK! ]
Installing Webmin key                                                   [ OK! ]
Updating apt metadata                                                   [ OK! ]
Downloading repository metadata                                         [ OK! ]
Disabling cdrom: repositories                                           [ OK! ]
Cleaning out old metadata                                               [ OK! ]

▣▣□ Phase 2 of 3: Installation
Installing Webmin                                                       [ OK! ]
Installing Usermin                                                      [ OK! ]
Installing fail2ban                                                     [ OK! ]
Removing nginx (if installed) before LAMP installation.                 [ OK! ]
Removing unneeded packages that could confict with LAMP stack.          [ OK! ]
Installing postfix                                                      [ OK! ]
Installing virtualmin-lamp-stack                                        [ OK! ]
Installing Virtualmin and plugins                                       [ OK! ]
29 Jan 22:15:07 ntpdate[20878]: the NTP socket is in use, exiting
Installing updates to Virtualmin-related packages                       [ OK! ]

▣▣▣ Phase 3 of 3: Configuration
[1/23] Configuring AWStats                                              [  ✔  ]
[2/23] Configuring Apache                                               [  ✔  ]
[3/23] Configuring Bind                                                 [  ✔  ]
[4/23] Configuring ClamAV                                               [  ✔  ]
[5/23] Configuring Dovecot                                              [  ✔  ]
[6/23] Configuring Firewalld                                            [  ✔  ]
[7/23] Configuring MySQL                                                [  ✔  ]
[8/23] Configuring NTP                                                  [  ✔  ]
[9/23] Configuring Net                                                  [  ✔  ]
[10/23] Configuring ProFTPd                                             [  ✔  ]
[11/23] Configuring Procmail                                            [  ✔  ]
[12/23] Configuring Quotas                                              [  ✔  ]
[13/23] Configuring SASL                                                [  ✔  ]
[14/23] Configuring Shells                                              [  ✔  ]
[15/23] Configuring SpamAssassin                                        [  ✔  ]
[16/23] Configuring Status                                              [  ✔  ]
[17/23] Configuring Upgrade                                             [  ✔  ]
[18/23] Configuring Usermin                                             [  ✔  ]
[19/23] Configuring Webalizer                                           [  ✔  ]
[20/23] Configuring Webmin                                              [  ✔  ]
[21/23] Configuring Fail2banFirewalld                                   ████▒▒▒Error: Systemd service fail2ban cannot be created unless a command is given
Error
-----
Systemd service fail2ban cannot be created unless a command is given
-----
▣▣▣ Cleaning up

[WARNING] The following errors occurred during installation:

  ◉ Postinstall configuration returned an error.
[WARNING] The last few lines of the log file were:
[2019/01/29 22:15:34] [INFO] - Succeeded
[2019/01/29 22:15:34] [INFO] - Configuring Status
[2019/01/29 22:15:36] [INFO] - Succeeded
[2019/01/29 22:15:36] [INFO] - Configuring Upgrade
[2019/01/29 22:15:37] [INFO] - Succeeded
[2019/01/29 22:15:37] [INFO] - Configuring Usermin
[2019/01/29 22:15:37] [INFO] - Succeeded
[2019/01/29 22:15:37] [INFO] - Configuring Webalizer
[2019/01/29 22:15:37] [INFO] - Succeeded
[2019/01/29 22:15:38] [INFO] - Configuring Webmin
[2019/01/29 22:15:50] [INFO] - Succeeded
[2019/01/29 22:15:50] [INFO] - Configuring Fail2banFirewalld
[2019-01-29 22:15:51 EET] [DEBUG] Cleaning up temporary files in /tmp/.virtualmin-9083.

Wed, 01/30/2019 - 08:02
ADDISON74

After doing some research: fail2ban-firewalld is not a package in Debian. Only Fedora/CentOS/RHEL have this package. Under these circumstances I am wondering why there is a Virtualmin package named Fail2banFirewall?

For those like me who don't use Firewalld: after a successful installation, disable the firewalld service. Do not remove it from the system.

Tue, 02/19/2019 - 18:23
rpandassociates

The only way I got around this was to use the minimal install. I am also using a fresh install of Ubuntu 16 on a KVM VPS, following the tutorial at https://www.digitalocean.com/community/tutorials/how-to-install-virtualm...

It would do the same as everyone else is stating. My question is: what does it need to configure for the last steps? I have yet to get this up and running and have an email sent from a contact form on WordPress. I tried all the Postfix tutorials and even sendmail; everything gets stuck in the queue permanently, so hopefully this minimal install will send the mail :)

Can't wait till this is fixed or, as others suggested, just be able to have a command to exclude fail2ban and firewalld

Wed, 02/20/2019 - 01:54
ADDISON74

I managed to install Virtualmin. It is a bug in installation. Read these issues: https://www.virtualmin.com/node/64584 and https://www.virtualmin.com/node/64425. You have to open a Terminal along with installation process and run some commands. It is related to Fail2Ban service.

Fri, 02/22/2019 - 01:07
3k

Hi,

I tried now to install Virtualmin+Webmin on a fresh Debian 9.5 and a fresh Debian 9.8 and the installation still fails at:

[21/23] Configuring Fail2banFirewalld ████▒▒▒Error: Systemd service fail2ban cannot be created unless a command is given

Error

Systemd service fail2ban cannot be created unless a command is given

I installed Virtualmin+Webmin at least on 3 Debian 9 distros within last 5 months and there were no problems at all.

Were there some changes meanwhile in the installation script? Does anyone have any clue how to solve this?

Sat, 02/23/2019 - 02:24
3k

I finally got it working using the procedure that R3vLibre mentioned above – I added a "!" in front of &is_systemd_service($unit) in /usr/share/webmin/init/init-lib.pl immediately after running the installer script.