# fail2ban not working [SOLVED]

## im lost

After noticing lots of attempted ssh logins on my system recently (in /var/log/messages), I decided to look for a way to prevent it, and I ended up deciding on fail2ban. After installing it, I still see a bunch of login attempts from one IP address at a time. I decided to check the fail2ban logs, and I got

From /var/log/fail2ban.log

```
2007-07-07 09:35:23,109 fail2ban.actions: WARNING [ssh-iptables] Ban 202.39.224.102
2007-07-07 09:35:23,229 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2007-07-07 09:35:23,229 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2007-07-07 09:35:23,304 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 300
2007-07-07 09:35:23,353 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300
2007-07-07 09:35:23,372 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2007-07-07 09:35:23,373 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-07 09:35:34,388 fail2ban.actions: WARNING [ssh-iptables] 202.39.224.102 already banned
2007-07-07 09:35:46,389 fail2ban.actions: WARNING [ssh-iptables] 202.39.224.102 already banned
... repeat the above line a hundred times or so
```

In /etc/fail2ban/jail.conf, the only relevant lines are 

```
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 900
findtime  = 600
maxretry = 5
backend = auto

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5
```

I don't think I've changed anything else. Any advice on why this is happening? I know that iptables wasn't installed when I installed fail2ban, but it is now. If that's the problem, I'm not sure what the solution would be (uninstalling and reinstalling fail2ban?).

Last edited by im lost on Tue Jul 10, 2007 10:47 pm; edited 1 time in total

----------

## c4

Is iptables supported/activated in your kernel and is iptables running?

```
/etc/init.d/iptables start
```

If iptables is running, look at your current settings with the command

```
iptables -n -L
```

You should see something like this:

```
# iptables -n -L
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  130.89.230.57        0.0.0.0/0
DROP       all  --  77.104.253.187       0.0.0.0/0
DROP       all  --  81.223.126.96        0.0.0.0/0
DROP       all  --  71.130.68.102        0.0.0.0/0
DROP       all  --  220.67.128.5         0.0.0.0/0
DROP       all  --  200.183.137.2        0.0.0.0/0
```

What versions of fail2ban and iptables are you using?

----------

## im lost

Versions: net-analyzer/fail2ban-0.8.0-r1 and net-firewall/iptables-1.3.5-r4

iptables is not running. I tried starting it and got

```
 * Not starting iptables.  First create some rules then run:
 * /etc/init.d/iptables save
```

I don't know where I would create these rules, but I tried running "/etc/init.d/iptables save" anyway, and then I was able to start it. Then I did "iptables -n -L" and got

```
FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

I'm guessing that means it isn't supported in the kernel, but I don't know how to actually check, and if that's the problem then I would need to learn how to make it part of the kernel (since a friend did all of that setup when I decided to use gentoo).

----------

## c4

OK, well, you will need to have IP filtering supported in your kernel, so let's have a look at that first.

You could either build the support as a direct part of your kernel or make a lot of modules, and load them manually later, for instance at boot. For convenience, I suggest adding the support directly to your kernel.

I'll try to show how this is done as a little step-by-step guide; perform these commands as root.

If you have /boot as a separate partition, mount it before getting started:

```
mount /dev/hda1 /boot
```

Go to your kernel source folder

```
cd /usr/src/linux
```

Open up the configuration

```
make menuconfig
```

Find your way down to the part where iptables and netfilter are found

```
Networking---> Networking options ----> Network packet filtering (replaces ipchains)
```

Mark this option by pressing space so that you get an asterisk in between the brackets, [*] Network packet..., and press enter.

Open the options underneath,

```
Core Netfilter Configuration --->
IP: Netfilter Configuration --->
```

and select all options in these menus. Set all options to [*].

You do not have to do this for IPv6: Netfilter Configuration (EXPERIMENTAL) if you aren't planning on using IPv6

When you have set all options here, select exit several times and when asked to, save your kernel configuration and you will be back at the command line again.

Next step is to compile your kernel and include the support for iptables

```
make && make modules_install
```

Wait a while for the kernel to finish, and once it is done copy it to your boot partition

```
cp arch/i386/boot/bzImage /boot/kernel-2.6.21-r2
```

Note that if you have a 64-bit setup your kernel will be located in arch/x86_64/boot/bzImage; the example above with i386 is for all 32-bit architectures. Also note that I just guessed a name for the kernel in the command above; you should name it after whatever kernel you are using. Try the command

```
uname -a
```

to see the name of your current running kernel.

Once you have copied your kernel to your boot partition, it may be smart to copy your current kernel configuration to your boot partition as well.

```
cp .config /boot/config-2.6.21-r2
```

Use the same numbers here as your kernel.

If you are overwriting your current kernel I suppose grub will not need updating, but if you give your kernel a new name, this name will have to be added to your grub menu as well.

Have a look in your grub.conf

```
nano -w /boot/grub/grub.conf
```

and make sure that your new kernel is listed here as the first entry, or that you can select it after reboot to start your box.

Once the kernel is in place you will need to reboot the box to use the updated kernel. 

I think that this should be what's missing for your fail2ban to start working, but see if you can add the iptables part to your kernel, recompile your kernel and get it working. Once this is done I can try to help some more if things are still not working. Good luck!
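The two things this thread ends up checking are whether the kernel config actually has netfilter/ip_tables turned on (the cause of "Module ip_tables not found" above) and whether the fail2ban-SSH chain exists and is jumped to from INPUT (the invariant `iptables -n -L INPUT | grep -q fail2ban-SSH` that failed in the original log). The script below is an added example, not code from the thread or from fail2ban; it runs those checks over constructed sample input (real kernel option names, documentation IP addresses) so it can be tried without root.

```sh
#!/bin/sh
# Added diagnostic for the two failure points in this thread: netfilter
# missing from the kernel config, and fail2ban's jail chain missing from INPUT.

# Constructed sample kernel configs (real option names, made-up content).
GOOD_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y'
BAD_CONFIG='# CONFIG_NETFILTER is not set'

# Constructed `iptables -n -L` output in the shape c4 showed, documentation IPs.
GOOD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0'

# Constructed listing from a box where the jail chain was never set up.
BROKEN_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination'

# check_kernel_config CONFIG_TEXT: 0 when netfilter, ip_tables and the filter
# table are built in (=y) or modular (=m); otherwise iptables cannot even start.
check_kernel_config() {
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER; do
        printf '%s\n' "$1" | grep -Eq "^$opt=(y|m)" || return 1
    done
}

# check_fail2ban_chain LISTING CHAIN: 0 when CHAIN is defined and INPUT jumps to it.
check_fail2ban_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { cur = $2; if (cur == chain) defined = 1; next }
        cur == "INPUT" && $1 == chain { referenced = 1 }
        END { exit !(defined && referenced) }'
}

# count_banned LISTING CHAIN: number of DROP rules (banned hosts) inside CHAIN.
count_banned() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 == "DROP" { n++ }
        END { print n + 0 }'
}
```

On a live Gentoo box with /proc/config.gz enabled, the same functions take real input: `check_kernel_config "$(zcat /proc/config.gz)"` and `check_fail2ban_chain "$(iptables -n -L)" fail2ban-SSH`.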

----------

## im lost

It appears that adding it to the kernel fixed the problem (at least, iptables starts without any problems, and iptables -n -L gives something similar to what you posted).  Thank you for the help.

----------

## pvincent

I think I emerged fail2ban before iptables was fully operational.

Thus it resulted in a non-working fail2ban.

I had to manually remove the socket (rm /tmp/fail2ban.sock) before fail2ban succeeded in starting.

Hope it helps other users...

----------

