
[Forwarded to devs] Strict plausibility test prevents adding additional jails to fail2ban

Bitpalast

TITLE:
Strict plausibility test prevents adding additional jails to fail2ban
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Onyx 17.8
CentOS 7.5
PROBLEM DESCRIPTION:
Splitting Fail2Ban jails into different letter jails fails, because Plesk in 17.8 does not allow re-using the "action" name in different jails. However, using the same action name in different jails is a proper method that is allowed by and works with Fail2Ban.

This was previously possible and is an important thing to do. The reason why it is needed is that on systems with many domains, a single jail cannot handle all domains. So we create jails for each alphabet letter like
plesk-apache-a
plesk-apache-b
plesk-apache-c
...
to handle the corresponding domains that start with that letter.
STEPS TO REPRODUCE:
On the console run this command to try to create a new jail "plesk-apache-a":

# $admin_email must hold the notification address before this is run
echo "[[\"usedns\",\"no\"],[\"logpath\",\"\\/var\\/www\\/vhosts\\/system\\/a*\\/logs\\/error_log\"],[\"enabled\",\"true\"],[\"filter\",\"apache-auth\"],[\"maxretry\",\"6\"],[\"__source__\",\"jail.d\\/plesk.conf\"],[\"action\",\"iptables-multiport[name=apache, port=\\\"http,https,7080,7081\\\"]\"],[\"ignoreip\",\"127.0.0.1\/8 123.123.123.123\"],[\"bantime\",\"600\"],[\"destemail\",\"$admin_email\"],[\"findtime\",\"600\"],[\"backend\",\"auto\"]]" | /usr/local/psa/admin/bin/f2bmng --set-jail plesk-apache-a
ACTUAL RESULT:
ERROR:__main__:Iptables action with name="apache" already exists in jail plesk-apache
EXPECTED RESULT:
Jail "plesk-apache-a" should be added without an error message.
ANY ADDITIONAL INFORMATION:
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Here is another test you can use to validate the issue:

This script should create a separate BadBots jail per starting letter of the existing domains. But it reports the error "ERROR:__main__:Iptables action with name="apache" already exists in jail plesk-apache-badbot" on each attempt:

# $admin_email must hold the notification address before this is run
for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 1 2 3 4 5 6 7 8 9 0; do
  # only create a jail for letters/digits that have at least one domain with an access_log
  if find /var/www/vhosts/system/$i*/logs/access_log >/dev/null 2>&1; then
    echo "[[\"usedns\",\"no\"],[\"logpath\",\"\\/var\\/www\\/vhosts\\/system\\/$i*\\/logs\\/access_log\"],[\"enabled\",\"true\"],[\"filter\",\"apache-badbots\"],[\"maxretry\",\"5\"],[\"__source__\",\"jail.d\\/plesk.conf\"],[\"action\",\"iptables-multiport[name=BadBots, port=\\\"http,https,7080,7081\\\"]\"],[\"ignoreip\",\"127.0.0.1\/8 123.123.123.123\"],[\"bantime\",\"600\"],[\"destemail\",\"$admin_email\"],[\"findtime\",\"600\"],[\"backend\",\"auto\"]]" \
      | /usr/local/psa/admin/bin/f2bmng --set-jail plesk-apache-badbots-$i
  fi
done
 
You cannot use the same action name for multiple jails. Although f2b allows creating such jails, it leads to problems with iptables. We have a related request, PPPM-5571, about this.
So the workaround is to use unique action names for every new jail.
 
As I understand it, the Fail2Ban jail "action" name is used in iptables as a "chain" name, like "f2b-apache" for the Apache jail. I do not see, however, why the same action should not be used in different jails. As a matter of fact, many more chains (e.g. 54 more chains in iptables for a split into alphabet letters for bad bots and WordPress) would slow down iptables processing. And my most important argument: it has been working for years on many servers perfectly reliably.

It would be great if I could understand better what exactly the problem with duplicate action names is for iptables. Can I read the content of PPPM-5571 anywhere?
 
Can I read content of PPPM-5571 anywhere?

Code:
**PRODUCT/VERSION, OS/ARCHITECTURE**
Product version: Plesk Onyx 17.0.17 Update #12
Update date: 2016/12/27 03:21
Build date: 2016/11/17 16:00
OS version: CentOS 7.3.1611
Revision: ab6766191d3ba26e7b21255ab007fc7fc56d84c6
Architecture: 64-bit
Wrapper version: 1.2

Report ID:

**PROBLEM DESCRIPTION**
When restarting a Fail2ban jail, the following error occurs:
---------------------
iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'
---------------------

The workaround provided in KB https://support.plesk.com/hc/en-us/articles/213413309-Fail2ban-extension-hangs-Failed-to-stop-jail-action did not help with the issue.

**STEPS TO REPRODUCE**
1. Go to Tools & Settings -> Fail2Ban -> Jails
2. Stop any jail

**ACTUAL RESULT**
Stopping failed with:

2017-01-16 14:51:30,788 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stdout: ''
2017-01-16 14:51:30,791 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'

**EXPECTED RESULT**
Jail stops

**LOGS AND ANY ADDITIONAL INFORMATION**
2017-01-16 14:51:30,788 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stdout: ''
2017-01-16 14:51:30,791 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'
2017-01-16 14:51:30,792 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- returned 1
2017-01-16 14:51:30,793 fail2ban.actions [3941]: ERROR Failed to stop jail 'plesk-apache' action 'iptables-multiport': Error stopping action
2017-01-16 14:51:30,794 fail2ban.jail [3941]: INFO Jail 'plesk-apache' stopped
2017-01-16 14:51:30,813 fail2ban.server [3941]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.2
2017-01-16 14:51:31,906 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stdout: ''
2017-01-16 14:51:31,908 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'
2017-01-16 14:51:31,915 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- returned 1
2017-01-16 14:51:31,916 fail2ban.actions [3941]: ERROR Failed to stop jail 'plesk-apache-1' action 'iptables-multiport': Error stopping action
2017-01-16 14:51:31,918 fail2ban.jail [3941]: INFO Jail 'plesk-apache-1' stopped
2017-01-16 14:51:31,942 fail2ban.server [3941]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.2
2017-01-16 14:51:33,041 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stdout: ''
2017-01-16 14:51:33,046 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'
2017-01-16 14:51:33,053 fail2ban.action [3941]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https,7080,7081 -j f2b-apache
iptables -F f2b-apache
iptables -X f2b-apache -- returned 1
2017-01-16 14:51:33,055 fail2ban.actions [3941]: ERROR Failed to stop jail 'plesk-apache-3' action 'iptables-multiport': Error stopping action
2017-01-16 14:51:33,058 fail2ban.jail [3941]: INFO Jail 'plesk-apache-3' stopped
2017-01-16 14:51:33,080 fail2ban.server [3941]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.2

**ROOT CAUSE**
If the Fail2Ban configuration contains jails with the same value in `name` (a parameter of the 'action' directive), then iptables will create several rules referencing the same chain (instead of a separate chain for each rule), and when you try to stop such jails, iptables will not allow deleting the corresponding chain (because the iptables system still contains active links to the chain). Therefore, the 'name' field values must be unique.
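The root cause above, together with the workaround from the earlier reply (a unique action name for every jail), can be checked before a jail is ever restarted. The Python script below is an added example and is not code from this thread, from Fail2Ban or from Plesk's f2bmng. It reads jail definitions in Fail2Ban's jail.d INI syntax, resolves the chain each enabled jail's action creates (f2b- plus the action's name= parameter, falling back to the jail name as Fail2Ban's default does), reports chains that more than one jail would use, and replays the -D / -F / -X sequence of actionstop against a small model of iptables to show which stop hits "Too many links". The SAMPLE_JAIL_CONF content, the IptablesModel class and the helper names are constructed for the example; the f2b- prefix is the one Fail2Ban 0.9 uses, as the log above shows.

```python
"""Find Fail2Ban jails whose actions would share one iptables chain.

Added example: not code from this thread, from Fail2Ban or from Plesk's f2bmng.
Each jail start adds an INPUT rule jumping to chain f2b-<name>, where <name> is
the action's name= parameter (Fail2Ban's default is the jail name). Jails that
share <name> share the chain; stopping one of them deletes only its own jump
rule, so the final `iptables -X f2b-<name>` fails with "Too many links".
"""
import configparser
import re

CHAIN_PREFIX = "f2b-"  # chain prefix used by Fail2Ban 0.9+ ("fail2ban-" in 0.8)

# Constructed sample in /etc/fail2ban/jail.d/*.conf syntax; not a real Plesk file.
SAMPLE_JAIL_CONF = """
[plesk-apache]
enabled = true
action  = iptables-multiport[name=apache, port="http,https,7080,7081"]

[plesk-apache-a]
enabled = true
logpath = /var/www/vhosts/system/a*/logs/error_log
action  = iptables-multiport[name=apache, port="http,https,7080,7081"]

[plesk-apache-b]
enabled = true
logpath = /var/www/vhosts/system/b*/logs/error_log
action  = iptables-multiport[name=apache-b, port="http,https,7080,7081"]

[plesk-postfix]
enabled = true
action  = iptables-multiport[name=%(__name__)s, port="smtp,smtps,submission"]

[recidive]
enabled = false
action  = iptables-allports[name=apache]
"""


def action_chains(jail_conf):
    """Map each enabled jail to the iptables chain its action will create."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_conf)
    chains = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").strip().lower() not in ("true", "yes", "on", "1"):
            continue
        match = re.search(r"\bname=([^,\]\s]+)", cp.get(jail, "action", fallback=""))
        # No explicit name=, or Fail2Ban's default name=%(__name__)s, means the jail name.
        if match is None or match.group(1) == "%(__name__)s":
            name = jail
        else:
            name = match.group(1)
        chains[jail] = CHAIN_PREFIX + name
    return chains


def shared_chains(chains):
    """Return {chain: [jails]} for every chain that more than one jail would use."""
    by_chain = {}
    for jail, chain in chains.items():
        by_chain.setdefault(chain, []).append(jail)
    return {chain: jails for chain, jails in by_chain.items() if len(jails) > 1}


class IptablesModel:
    """Just enough of iptables to replay the -D / -F / -X sequence of actionstop."""

    def __init__(self):
        self.input_rules = []  # target chain of each 'INPUT ... -j <chain>' rule
        self.chains = set()

    def start_jail(self, chain):
        # actionstart: iptables -N <chain> (no-op if present); iptables -I INPUT ... -j <chain>
        self.chains.add(chain)
        self.input_rules.append(chain)

    def stop_jail(self, chain):
        # actionstop: -D INPUT ... -j <chain> removes one matching rule, -F empties the
        # chain, and -X is refused while any other rule still jumps into the chain.
        self.input_rules.remove(chain)
        if chain in self.input_rules:
            raise OSError("iptables: Too many links.")
        self.chains.discard(chain)


def simulate_stop_all(chains):
    """Start every jail, then stop them in order; return {jail: error} for failed stops."""
    ipt = IptablesModel()
    for chain in chains.values():
        ipt.start_jail(chain)
    errors = {}
    for jail, chain in chains.items():
        try:
            ipt.stop_jail(chain)
        except OSError as exc:
            errors[jail] = str(exc)
    return errors


if __name__ == "__main__":
    chains = action_chains(SAMPLE_JAIL_CONF)
    for chain, jails in shared_chains(chains).items():
        print(f"{chain} is shared by {', '.join(jails)}: give each jail a unique name=")
    for jail, err in simulate_stop_all(chains).items():
        print(f"stopping {jail}: {err}")
```

Against a live server, feed it the real file instead of the sample, e.g. action_chains(open('/etc/fail2ban/jail.d/plesk.conf').read()). Every chain that shared_chains() reports belongs to jails whose stop will run into the error shown in the log above until their name= values are made unique (or removed, so that Fail2Ban falls back to the jail name); only the last jail to release a shared chain can actually delete it.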
 
OK, you win ;-)

Thank you! I now understand what the problem is. So for the time being we can actually continue using the current setting with the same "action" name (by manual edit) if we accept the issue on a restart, because it does not affect operations while the rules are active. We will then have a fully correct solution once Plesk provides the function to split jails, or when we create such a split and new chains with a script of our own.
 
Yes, we worked like this before. Stacked everything in one chain while iptables did not say "Oh, that's enough!":

iptables -X f2b-apache -- stderr: 'iptables: Too many links.\n'

BTW, it was during the removal. As long as you add, some of the chains work fine. But you cannot delete the chain.
 