Bugs in Debian 9 installation (Firewalld)

#1 Thu, 06/13/2019 - 22:32
Zyraj

Bugs in Debian 9 installation (Firewalld)

Hi, been searching for a while and I have found some other people with these same problems but no fix yet:

First problem I have is that the disable feature has no documentation, so when I try to use it this is what I get:

# sh install.sh --disable fail2ban
Unknown feature fail2ban: exiting

Couldn't find a working list of features to be disabled either, so this doesn't seem to solve the problem with fail2ban or Firewalld, which is why I'm posting.

Fresh install, and it looks like there's a bug with the Debian installation and Firewalld, probably because this package seems to be from Fedora repos (if so, this install script shouldn't say the distro is supported).

Found this useful: https://www.virtualmin.com/node/64425

No solution (since 2017) and it seems there's no one paying attention to this.

This could be easily fixed by disabling the plugin at the installation but again, disable is not working or I'm doing it wrong, so the only option left is to manually edit the script.

Are you not even concerned that the installation is failing on one of the most used distros?

Also firewalld is useless.

Any ideas?

Sat, 06/15/2019 - 08:15
adamjedgar

My default VPS Debian 9 Virtualmin install runs fail2ban and firewalld straight out of the box without any tinkering.

What is the problem exactly?

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Sun, 06/16/2019 - 12:00
Zyraj

Hey Adam, I used to do a full install with no trouble on Debian 8, but now the problems are the following:

  1. Not enough documentation.
  2. Apparently there's no way to setup which packages NOT to install (--disable returns "Unknown feature fail2ban: exiting")
  3. Installation fails at fail2ban/firewalld packages (error: fail2ban cannot be created unless a command is given)

About docs, a list of dependencies would be really useful. This could actually be the origin of my problem...

Sun, 06/16/2019 - 13:37
adamjedgar

I have always installed on a standard new Debian O/S from providers such as Google Cloud Compute and Vultr using the automated installer.

I wonder if a manual install might work for you? I haven't needed to, but perhaps this might provide a workaround.

I did read about the fail2ban issue, I haven't experienced it yet (perhaps I was lucky with my timing).

I also don't see why people don't like fail2ban...I find it's a great program. I used firewalld alongside it and don't seem to have any major dramas other than usual quirks one has with most firewalls.

Tue, 08/06/2019 - 05:44
petecook

Yes indeed, after checking things I can confirm that firewalld as installed by virtualmin does not work properly on debian.

I have meanwhile tried it on over 5 installations of Virtualmin 6.07 on fresh setups of the latest Debian 9.

And yes, nobody seems to care, because most people think it is working without checking their logs at all. If they did, they would notice tons of lines like these in /var/log/firewalld:

2019-08-06 11:23:30 ERROR ALREADY_ENABLED 'ssh' already in 'public'
2019-08-06 11:23:30 ERROR ALREADY_ENABLED ssh
2019-08-06 11:23:46 ERROR ZONE_ALREADY_SET public
2019-08-06 11:24:37 WARNING '/sbin/iptables-restore -n' failed
2019-08-06 11:24:37 ERROR COMMAND_FAILED
2019-08-06 11:44:06 ERROR NOT_ENABLED rule '('-p', 'tcp', '-m', 'multiport', '--dports', 'smtp,465,submission,imap3,imaps,pop3,pop3s', '-m', 'set', '--match-set', 'fail2ban-postfix-sasl', 'src', '-j', 'REJECT', '--reject-with', 'icmp-port-unreachable')' is not in 'ipv4:filter:INPUT'

And sure enough, such errors in /var/log/fail2ban.log:

2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stderr: b'\x1b[91mError: COMMAND_FAILED\x1b[00m\n'
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2019-08-06 11:49:58,705 fail2ban.actions [1273] ERROR Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset' Error starting action

My solution?

Give up on debian and migrate all servers to centos, where firewalld and fail2ban work out of the box.

Sun, 11/03/2019 - 13:00
andresp

@petecook I had the same issue and found the problem after reading https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881449

Virtualmin on Debian 9 is using an old fail2ban version (v0.9.6), which tries to use the imap3 port for postfix-sasl. This port was apparently dropped by netbase 5.4, which is the one that comes with Debian 9.

I removed imap3 from /etc/fail2ban/jail.local (it probably also makes sense to remove it from jail.conf), restarted fail2ban, and I didn't get the error again.

I think virtualmin should either try to get a new fail2ban version or add this action to the installation script.
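The check that ties petecook's log excerpt to andresp's diagnosis, as an added example (not code from the thread, Virtualmin or fail2ban): it parses an /etc/services-style file, pulls the `--dports` list out of every fail2ban action line whose firewall-cmd call returned non-zero, and reports which names in that list no longer resolve. The services excerpt is a constructed snippet modelled on a netbase 5.4 system without an `imap3` entry; the fail2ban log is the three lines quoted above plus one constructed DEBUG line for a jail that succeeded. Function names and the `drop_unresolvable` helper are mine.

```python
import re

# Constructed excerpt in /etc/services format, modelled on a Debian 9 (netbase 5.4)
# system where the 'imap3' line no longer exists. Not copied from a real host.
SERVICES_EXCERPT = """\
# service-name   port/protocol   [aliases ...]
ssh              22/tcp
smtp             25/tcp          mail
pop3             110/tcp         pop-3
imap2            143/tcp         imap      # Interim Mail Access Proto v2
urd              465/tcp         ssmtp smtps
submission       587/tcp
imaps            993/tcp
pop3s            995/tcp
"""

# Sample fail2ban log: the lines quoted in the thread above, plus one constructed
# DEBUG line (last) for a jail whose firewall-cmd call succeeded. Raw string so the
# ANSI escape in the stderr line stays literal.
FAIL2BAN_LOG = r"""
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- stderr: b'\x1b[91mError: COMMAND_FAILED\x1b[00m\n'
2019-08-06 11:49:58,705 fail2ban.action [1273] ERROR ipset create fail2ban-postfix-sasl hash:ip timeout 3600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2019-08-06 11:49:58,705 fail2ban.actions [1273] ERROR Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset' Error starting action
2019-08-06 11:49:59,001 fail2ban.action [1273] DEBUG ipset create fail2ban-sshd hash:ip timeout 600 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 0
"""

# firewall-cmd invocation logged by fail2ban with its exit status, and the jail failure line
DPORTS_RE = re.compile(r"--dports\s+(\S+).*?--\s+returned\s+(\d+)")
JAIL_RE = re.compile(r"Failed to start jail '([^']+)' action '([^']+)'")


def parse_services(text):
    """Map every service name and alias in /etc/services syntax to its port numbers."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:   # blank or malformed line
            continue
        port = int(fields[1].split("/", 1)[0])
        for name in [fields[0]] + fields[2:]:         # primary name plus aliases
            names.setdefault(name, set()).add(port)
    return names


def unresolvable(port_spec, services):
    """Entries of a fail2ban 'port' list that are neither numeric nor a known
    service name. iptables resolves names via getservbyname, so one unknown
    name is enough for the whole multiport rule, and the jail, to fail."""
    return [p.strip() for p in port_spec.split(",")
            if not (p.strip().isdigit() or p.strip() in services)]


def drop_unresolvable(port_spec, services):
    """The fix applied in the thread: the same port list with unknown names removed."""
    return ",".join(p.strip() for p in port_spec.split(",")
                    if p.strip().isdigit() or p.strip() in services)


def diagnose(fail2ban_log, services):
    """For every firewall-cmd call that returned non-zero, map its --dports list
    to the names that do not resolve (an empty list means look elsewhere)."""
    findings = {}
    for line in fail2ban_log.splitlines():
        m = DPORTS_RE.search(line)
        if m and m.group(2) != "0":
            findings[m.group(1)] = unresolvable(m.group(1), services)
    return findings


def failed_jails(fail2ban_log):
    """(jail, action) pairs fail2ban reported as failing to start."""
    return [(m.group(1), m.group(2)) for m in JAIL_RE.finditer(fail2ban_log)]


if __name__ == "__main__":
    services = parse_services(SERVICES_EXCERPT)
    for jail, action in failed_jails(FAIL2BAN_LOG):
        print(f"jail {jail!r} failed to start with action {action!r}")
    for spec, bad in diagnose(FAIL2BAN_LOG, services).items():
        print(f"port list {spec}: unresolvable {bad}; use port = {drop_unresolvable(spec, services)}")
```

On a live box the same check is `getent services imap3` (no output and a non-zero exit when the name is absent); run it for every name in the jail's `port =` line before blaming firewalld, since the firewalld log only shows the resulting `COMMAND_FAILED`, not the unresolved name.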