
I have the following error messages repeating in the firewalld log file.

2019-07-19 14:18:20 ERROR: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set fail2ban-ssh doesn't exist.

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I searched here and there to fix this error with no luck. I am using CentOS 7 with firewalld and fail2ban.

I don't know where the issue is exactly. Is this related to fail2ban or firewalld?

Running systemctl status firewalld -l shows the following error messages:

firewalld[703]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed: iptables-restore v1.4.21: Set fail2ban-sshd doesn't exist.

                Error occurred at line: 2
                Try 'iptables-restore -h' or 'iptables-restore --help' for more information.
firewalld[703]: ERROR: COMMAND_FAILED

I have the following content of jail.local for fail2ban:

[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 86400
findtime = 86400
maxretry = 5

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = firewallcmd-ipset

[sshd]
enabled = true

[ssh]
enabled  = true
filter   = sshd
action   = %(action_)s
logpath  = /var/log/secure
maxretry = 5

All other configurations are per the system defaults.

I installed firewalld as per the following:

sudo yum install firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --remove-service=smtp
sudo systemctl enable firewalld

Finally, performing the following command:

# firewall-cmd --direct --get-all-rules

I get these results:

ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-ssh src -j REJECT --reject-with icmp-port-unreachable

I appreciate your assistance, as I am more into development than servers.

I really need to fix this as soon as possible, as it is for my production server.

Thank you!

Alaa

2 Answers


If you had checked your /var/log/fail2ban.log, or wherever you placed it, you would probably have seen something like this:

2019-08-01 08:16:14,509 fail2ban.utils [11727]: #39-Lev. 3ef3cd40 -- exec: ipset create f2b-apache-myadmin hash:ip timeout 2160000
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports http,https -m set --match-set f2b-apache-myadmin src -j REJECT --reject-with icmp-port-unreachable
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: "ipset v7.2: Syntax error: '2160000' is out of range 0-2147483"
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): Set f2b-apache-myadmin doesn't exist."
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: ''
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: 'Error occurred at line: 2'
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- stderr: ''
2019-08-01 08:16:14,510 fail2ban.utils [11727]: ERROR 3ef3cd40 -- returned 13
2019-08-01 08:16:14,510 fail2ban.actions [11727]: ERROR Failed to execute ban jail 'apache-catchall' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '128.14.209.154', 'family': 'inet4', 'fid': at 0x3f24b200>, 'raw-ticket': at 0x3f24b7a0>})': Error starting action Jail('apache-myadmin')/firewallcmd-ipset
2019-08-01 08:16:14,510 fail2ban.actions [11727]: NOTICE [apache-myadmin]

ipset can only have a maximum timeout of 2147483; see http://ipset.netfilter.org/ipset.man.html

timeout All set types supports the optional timeout parameter when creating a set and adding entries. The value of the timeout parameter for the create command means the default timeout value (in seconds) for new entries. If a set is created with timeout support, then the same timeout option can be used to specify non-default timeout values when adding entries. Zero timeout value means the entry is added permanent to the set. The timeout value of already added elements can be changed by re-adding the element using the -exist option. The largest possible timeout value is 2147483 (in seconds).

Since you are using ipset through firewalld, you need to shrink your bantime in the jail.local file, for each jail and for the default, to a maximum of 2147483 seconds, or whatever that is in days, and then you will be good!

Chris
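As an added example (it is not part of Chris's answer and not fail2ban's own tooling), the following POSIX shell script lints a jail.local for bantime values that would exceed ipset's maximum entry timeout of 2147483 seconds before fail2ban tries to create the set and fails the way the log above shows. The sample jail.local is constructed for the demo. The handling of fail2ban's time suffixes (s, m, h, d, w) is an assumption about fail2ban 0.10 or later; plain integer seconds are accepted by every version. 2147483 seconds is about 24.85 days, so 24d fits and 25d (2160000 seconds, the value in the log above) does not.

```shell
#!/bin/sh
# Added example: lint a fail2ban jail.local for bantime values larger than the
# ipset timeout limit. Not part of fail2ban; the s/m/h/d/w suffix handling is
# an assumption about fail2ban 0.10+ (older versions take plain seconds only).

IPSET_MAX_TIMEOUT=2147483   # largest "timeout" ipset accepts (~24.85 days)

# to_seconds VALUE -> prints VALUE in seconds; returns 1 if VALUE is not a
# non-negative integer with an optional s/m/h/d/w suffix (so "-1", fail2ban's
# permanent ban, is reported as unparsable rather than silently accepted).
to_seconds() {
    case "$1" in
        ''|*[!0-9smhdw]*) return 1 ;;
    esac
    num=${1%[smhdw]}
    case "$1" in
        *s) mult=1 ;;
        *m) mult=60 ;;
        *h) mult=3600 ;;
        *d) mult=86400 ;;
        *w) mult=604800 ;;
        *)  mult=1 ;;
    esac
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((num * mult))
}

# check_bantimes FILE -> prints one line per jail (or [DEFAULT]) whose bantime
# exceeds IPSET_MAX_TIMEOUT or cannot be parsed; returns 1 if anything was found.
check_bantimes() {
    file=$1; section=''; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop trailing comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            '') continue ;;
            \[*\]) section=${line#[}; section=${section%]}; continue ;;
        esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        [ "$key" = bantime ] || continue
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        secs=$(to_seconds "$val") || {
            printf '%s: cannot parse bantime %s\n' "$section" "$val"; bad=1; continue
        }
        if [ "$secs" -gt "$IPSET_MAX_TIMEOUT" ]; then
            printf '%s: bantime = %s (%ss) exceeds ipset maximum of %ss\n' \
                "$section" "$val" "$secs" "$IPSET_MAX_TIMEOUT"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Constructed sample jail.local: DEFAULT and apache-auth are fine, sshd (25d)
# and recidive (4w) are over the limit.
sample_jail_local() {
    cat <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 86400
banaction = firewallcmd-ipset

[sshd]
enabled = true
bantime = 25d      # 2160000s, the value from the log above

[apache-auth]
enabled = true
bantime = 2147483

[recidive]
enabled = true
bantime = 4w
EOF
}

# Stand-alone demo: lint the constructed sample. On a real host run
#   check_bantimes /etc/fail2ban/jail.local
demo() {
    tmp=$(mktemp)
    sample_jail_local > "$tmp"
    check_bantimes "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}
demo || echo "lower the bantime values above, then restart fail2ban"
```

Run the linter on every file fail2ban reads (jail.conf, jail.local and /etc/fail2ban/jail.d/*.conf), since a jail's bantime can come from any of them; the [DEFAULT] value is what every jail without its own bantime will use.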

I know this question is a few years old, but I just ran into this problem with an old server running Centos7. Eventually I narrowed the problem down to an incorrect ipset prefix stuck in /etc/firewalld/direct.xml:

... --match-set fail2ban-sshd ...

... instead of ...

... --match-set f2b-sshd

Fixing this incorrect prefix in direct.xml solved the error for me.

huwiler
  • As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – Community May 17 '23 at 10:30
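The --get-all-rules listing in the question and huwiler's answer point at the same condition: direct rules whose --match-set names an ipset that does not exist on the box (the old fail2ban-<jail> names, where the fail2ban versions shipped for CentOS 7 create f2b-<jail> sets). The following POSIX shell script is an added example, not part of the question or either answer: given the output of firewall-cmd --direct --get-all-rules and of ipset list -n (both embedded here as constructed sample data), it lists the rules that reference a missing set and prints the firewall-cmd commands that drop them from the runtime and from the permanent configuration, which is what /etc/firewalld/direct.xml is written from. The one-rule-per-line and one-set-per-line input formats are assumptions noted in the code.

```shell
#!/bin/sh
# Added example (not from the question or either answer): find firewalld direct
# rules whose --match-set refers to an ipset that does not exist, and print the
# commands that remove them. Assumes the output formats of
# `firewall-cmd --direct --get-all-rules` (one rule per line, as firewalld
# prints it) and `ipset list -n` (one set name per line).

# Constructed sample: the two rules from the question plus one healthy rule
# using the f2b- prefix that current fail2ban versions create.
sample_rules() {
    cat <<'EOF'
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 0:65535 -m set --match-set fail2ban-ssh src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Constructed sample: what `ipset list -n` shows when only the running
# fail2ban's own set exists (the old fail2ban-* sets are gone).
sample_sets() {
    cat <<'EOF'
f2b-sshd
EOF
}

# stale_direct_rules RULES_FILE SETS_FILE
# Prints every rule whose --match-set argument is not a set named in SETS_FILE.
stale_direct_rules() {
    awk -v sets_file="$2" '
        BEGIN {
            while ((getline s < sets_file) > 0) if (s != "") exists[s] = 1
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "--match-set") {
                    name = $(i + 1)
                    if (!(name in exists)) { print; next }
                }
            }
        }' "$1"
}

# removal_commands RULES_FILE SETS_FILE
# For each stale rule, prints the firewall-cmd invocation that removes it from
# the runtime configuration and the one that removes its permanent copy
# (firewalld rewrites /etc/firewalld/direct.xml for the --permanent form).
# The rule text is reused verbatim: --remove-rule takes the same
# "family table chain priority args..." as --get-all-rules prints.
removal_commands() {
    stale_direct_rules "$1" "$2" | while IFS= read -r rule; do
        printf 'firewall-cmd --direct --remove-rule %s\n' "$rule"
        printf 'firewall-cmd --permanent --direct --remove-rule %s\n' "$rule"
    done
}

# Stand-alone demo on the constructed sample. On a live host, feed real data:
#   firewall-cmd --direct --get-all-rules > rules.txt; ipset list -n > sets.txt
#   removal_commands rules.txt sets.txt
demo() {
    rules=$(mktemp); sets=$(mktemp)
    sample_rules > "$rules"; sample_sets > "$sets"
    echo "# direct rules referencing a set that does not exist:"
    stale_direct_rules "$rules" "$sets"
    echo "# review, then run:"
    removal_commands "$rules" "$sets"
    rm -f "$rules" "$sets"
}
demo
```

The script only prints the removal commands; read them before running them, and confirm first (with `grep ipmset /etc/fail2ban/action.d/firewallcmd-ipset.conf` or the set names in fail2ban.log) that no jail still creates the old-prefix set, otherwise the rule is not stale but the jail that needs it is failing. If a rule exists only at runtime, the --permanent form will report that the rule is not present, which is harmless. Run `firewall-cmd --reload` afterwards so the runtime and permanent configurations match, then `fail2ban-client reload` so the jails recreate their sets and rules.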