[Python-modules-team] Bug#960646: fail2ban: nftables fails with Error: Could not process rule: No such file or directory

Allan Wind allan_wind at lifeintegrity.com
Fri May 15 04:35:46 BST 2020


Package: fail2ban
Version: 0.10.2-2.1
Severity: normal

Dear Maintainer,

I have been using fail2ban for a long time with iptables-allports:

banaction = iptables-allports
banaction = iptables-allports

With over 50k+ IPs being banned I figured that I might benefit from the
perceived lower overhead of nftables so changed it to:

banaction = nftables-allports
banaction_allports = nftables-allports

fail2ban was immediately reporting errors when I started it:

2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: Level 39 7f227a456760 -- exec: nft add set inet filter f2b-sshd \{ type ipv4_addr\; \}
nft insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: 'add set inet filter f2b-sshd { type ipv4_addr; }'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: '             ^^^^^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: 'insert rule inet filter INPUT meta l4proto tcp ip saddr @f2b-sshd reject'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- stderr: '                 ^^^^^^'
2020-05-15T02:08:51.213+00:00 pawan fail2ban-server[21504]: fail2ban.utils          [21504]: ERROR   7f227a456760 -- returned 1

I found, through trial and error, that the issue appears to be
nftables_family = inet so I added action.d/nftables-common.local
file with:

[Init]
nftables_family = ip

Which seems to work.

Looked at the current upstream version and its configuration file
is significantly different to the one that ships in buster to easily 
compare.  It does appear though, that they set it to inet so not sure
what the deal is.

Happy to help,


/Allan

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/24 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  10.2019051400
ii  python3   3.7.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.8.2-4
ii  nftables           0.9.0-2
ii  python             2.7.16-1
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    234-2+b1
ii  whois              5.4.3

Versions of packages fail2ban suggests:
ii  mailutils [mailx]                   1:3.5-3
pn  monit                               <none>
ii  sqlite3                             3.27.2-3
ii  syslog-ng-core [system-log-daemon]  3.19.1-5

-- Configuration Files:
/etc/fail2ban/fail2ban.conf changed:
[Definition]
loglevel = INFO
logtarget = SYSLOG
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d

/etc/fail2ban/filter.d/apache-common.conf changed:
[INCLUDES]
after = apache-common.local
[DEFAULT]

/etc/fail2ban/filter.d/postfix.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/(submission/)?smtpd
failregex =
	^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
	^%(__prefix_line)slost connection after (AUTH|CONNECT) from .+\[<HOST>\]$
	^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
	^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
	^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
	^%(__prefix_line)sSSL_accept error from .+\[<HOST>\]: (-1|0)
	^%(__prefix_line)swarning: .*\[<HOST>\]: SASL LOGIN authentication failed: Invalid authentication mechanism
	^%(__prefix_line)swarning: .+\[<HOST>\]: SASL PLAIN authentication failed: Connection lost to authentication server
	^%(__prefix_line)swarning: Connection concurrency limit exceeded: [0-9]+ from .+\[<HOST>\] for service smtp$
	^%(__prefix_line)swarning: non-SMTP command from.+\[<HOST>\]:
	^%(__prefix_line)swarning: numeric hostname: <HOST>$
ignoreregex = 
	 ^%(__prefix_line)slost connection after CONNECT from unknown\[unknown\]

/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex =
	^%(__prefix_line)serror: maximum authentication attempts exceeded for invalid user .+: from <HOST> port .+ ssh2 \[preauth\]
	^%(__prefix_line)serror: Received disconnect from <HOST> port .+: Auth fail \[preauth\]$
	^%(__prefix_line)serror: Received disconnect from <HOST> port .+: No authentication methods available \[preauth\]$
	^%(__prefix_line)serror: Received disconnect from <HOST> port .+: No more user authentication methods available\. \[preauth\]
	^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
        ^%(__prefix_line)sBad protocol version identification .+ from <HOST> port [0-9]+$
        ^%(__prefix_line)sConnection closed by <HOST> port .+ \[preauth\]$
        ^%(__prefix_line)sConnection reset by <HOST> port .+ \[preauth\]$
        ^%(__prefix_line)sDid not receive identification string from <HOST> port [0-9]+$
        ^%(__prefix_line)sDisconnected from <HOST> port .+ \[preauth\]$
        ^%(__prefix_line)sInvalid user .+ from <HOST> port [0-9]+$
        ^%(__prefix_line)sReceived disconnect from <HOST> port .+ \[preauth\]$
        ^%(__prefix_line)sUnable to negotiate with <HOST> port .+: no matching host key type found\. Their offer: .+ \[preauth\]$
        ^%(__prefix_line)sUnable to negotiate with <HOST> port .+: no matching key exchange method found\. Their offer: .+ \[preauth\]$
ignoreregex = 

/etc/fail2ban/jail.conf changed:
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
ignorecommand =
bantime  = -1
findtime  = 10m
maxretry = 1
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = nftables-allports
banaction_allports = nftables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_)s
[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port     = ssh
logpath  = %(dropbear_log)s
backend  = %(dropbear_backend)s
[selinux-ssh]
port     = ssh
logpath  = %(auditd_log)s
[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
[apache-badbots]
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1
[apache-noscript]
port     = http,https
logpath  = %(apache_error_log)s
[apache-overflows]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port    = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port    = http,https
logpath = %(nginx_error_log)s
[nginx-limit-req]
port    = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2
[php-url-fopen]
port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s
[suhosin]
port    = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
port    = http,https
logpath = %(lighttpd_error_log)s
[roundcube-auth]
port     = http,https
logpath  = %(roundcube_errors_log)s
[openwebmail]
port     = http,https
logpath  = /var/log/openwebmail.log
[horde]
port     = http,https
logpath  = /var/log/horde/horde.log
[groupoffice]
port     = http,https
logpath  = /home/groupoffice/log/info.log
[sogo-auth]
port     = http,https
logpath  = /var/log/sogo/sogo.log
[tine20]
logpath  = /var/log/tine20/tine20.log
port     = http,https
[drupal-auth]
port     = http,https
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s
[guacamole]
port     = http,https
logpath  = /var/log/tomcat*/catalina.out
[monit]
port = 2812
logpath  = /var/log/monit
[webmin-auth]
port    = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port    = http,https
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s
[squid]
port     =  80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port    = 3128
logpath = /var/log/3proxy.log
[proftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s
[pure-ftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(pureftpd_log)s
backend  = %(pureftpd_backend)s
[gssftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s
[wuftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(wuftpd_log)s
backend  = %(wuftpd_backend)s
[vsftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s
[assp]
port     = smtp,465,submission
logpath  = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s
[postfix]
backend  = %(postfix_backend)s
port     = smtp,465,submission
logpath  = %(postfix_log)s
mode    = more
[postfix-rbl]
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
port    = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s
[qmail-rbl]
filter  = qmail
port    = smtp,465,submission
logpath = /service/qmail/log/main/current
[dovecot]
port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port   = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port    = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port   = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port   = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port    = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
[courier-auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s
[postfix-sasl]
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
[perdition]
port   = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[named-refused]
port     = domain,953
logpath  = /var/log/named/security.log
[nsd]
port     = 53
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
[asterisk]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/freeswitch.log
maxretry = 10
[mysqld-auth]
port     = 3306
logpath  = %(mysql_log)s
backend  = %(mysql_backend)s
[mongodb-auth]
port     = 27017
logpath  = /var/log/mongodb/mongodb.log
[recidive]
logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d
[pam-generic]
banaction = %(banaction_allports)s
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath   = %(syslog_daemon)s
backend   = %(syslog_backend)s
maxretry  = 2
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port    = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
[nagios]
logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
backend  = %(syslog_backend)s
maxretry = 1
[oracleims]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath  = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
port         = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
filter       = apache-pass[knocking_url="%(knocking_url)s"]
logpath      = %(apache_access_log)s
blocktype    = RETURN
returntype   = DROP
action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
bantime      = 1h
maxretry     = 1
findtime     = 1
[murmur]
port     = 64738
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath  = /var/log/mumble-server/mumble-server.log
[screensharingd]
logpath  = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
logpath  = /var/log/haproxy.log
[slapd]
port    = ldap,ldaps
logpath = /var/log/slapd.log
[domino-smtp]
port    = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
[phpmyadmin-syslog]
port    = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[zoneminder]
port    = http,https
logpath = %(apache_error_log)s

/etc/fail2ban/jail.d/defaults-debian.conf [Errno 2] No such file or directory: '/etc/fail2ban/jail.d/defaults-debian.conf'
/etc/logrotate.d/fail2ban changed:


-- no debconf information
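
A diagnostic for the failure reported above, added here as an example and not part of the original report or of fail2ban: nft returns "No such file or directory" when a command names a table, chain or set that does not exist, so the script checks which families actually have the `filter` table and `INPUT` chain that the logged commands reference. The function names and the sample ruleset are constructed, and the sample assumes a host where only `ip` and `ip6` filter tables are present.

```shell
#!/bin/sh
# Added example. Constructed sample of `nft list ruleset` output for a host
# that has ip/ip6 filter tables but no inet table (an assumption).
sample_ruleset() {
cat <<'EOF'
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}
	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}
}
table ip6 filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}
}
EOF
}

# has_chain FAMILY TABLE CHAIN
# Reads ruleset text on stdin; exits 0 only if "table FAMILY TABLE"
# contains "chain CHAIN".
has_chain() {
    awk -v fam="$1" -v tbl="$2" -v chn="$3" '
        $1 == "table" { in_tbl = ($2 == fam && $3 == tbl) }
        in_tbl && $1 == "chain" && $2 == chn { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# usable_families TABLE CHAIN
# Reads ruleset text on stdin and prints the nftables_family values for
# which "nft insert rule FAMILY TABLE CHAIN ..." would find its target.
usable_families() {
    ruleset=$(cat)
    out=""
    for fam in inet ip ip6; do
        if printf '%s\n' "$ruleset" | has_chain "$fam" "$1" "$2"; then
            out="$out${out:+ }$fam"
        fi
    done
    printf '%s\n' "$out"
}

# On a live system (as root): nft list ruleset | usable_families filter INPUT
sample_ruleset | usable_families filter INPUT
```
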