HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   Tell ISPConfig to stop trying to initialize iptables (http://www.howtoforge.com/forums/showthread.php?t=59551)

Quasdunk 14th November 2012 00:59

Tell ISPConfig to stop trying to initialize iptables
 
I've installed ISPConfig 3 on a vServer on which I'm not able to use iptables.

I believe I was able to get fail2ban running via a php-script accessing the server's web-interface and adding/deleting the firewall-rules there (the script is working fine, but I haven't seen any ban-events triggered yet, which is very unusual, because we could observe break-in attempts permanently on the old server).

The ISPConfig-log, however, keeps telling me the same thing over and over again:

/var/log/ispconfig/cron.log:
Quote:

iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

How can I make it stop - or maybe even fix it?

falko 14th November 2012 14:58

I think you can configure fail2ban to not use iptables.

Quasdunk 14th November 2012 19:02

Quote:

Originally Posted by falko (Post 288286)
I think you can configure fail2ban to not use iptables.

I think fail2ban should actually be working fine.
As a workaround, I made the following changes in /etc/fail2ban/action.d/iptables-multiport.conf:

Quote:

[Definition]
actionstart =
#actionstart = iptables -N fail2ban-<name>
# iptables -A fail2ban-<name> -j RETURN
# iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

actionstop =
#actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# iptables -F fail2ban-<name>
# iptables -X fail2ban-<name>

actioncheck =
#actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

actionban = php -f /etc/fail2ban/firewallapi.php add INPUT "<ip>" DROP
#actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

actionunban = php -f /etc/fail2ban/firewallapi.php delete INPUT "<ip>" DROP
#actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

So basically, everything is commented out and the actionban and actionunban are handled by a PHP-script which queries against the vServer-API. These changes were recommended by my hosting provider.
After changing it as shown above, fail2ban was able to start again (I was getting a 300 error before). Here's what /var/log/fail2ban.log says:
Quote:

fail2ban.jail : INFO Creating new jail 'ssh'
fail2ban.filter : INFO Added logfile = /var/log/auth.log
...
fail2ban.jail : INFO Creating new jail 'pureftpd'
fail2ban.filter : INFO Added logfile = /var/log/syslog
...
fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
fail2ban.filter : INFO Added logfile = /var/log/mail.log
...
fail2ban.jail : INFO Jail 'ssh' started
fail2ban.jail : INFO Jail 'pureftpd' started
fail2ban.jail : INFO Jail 'dovecot-pop3imap' started

So fail2ban seems to be running correctly, BUT: It doesn't seem to care about the filters, because nothing happens (and nothing is logged) even when I try to provoke a ban on purpose. And I suppose it has something to do with ISPConfig endlessly reporting that one error over and over again in /var/log/ispconfig/cron.log:
Quote:

iptables v1.4.12: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.4.12: can't initialize ip6tables table `filter': Permission denied (you must be root)
Perhaps ip6tables or your kernel needs to be upgraded.

But if fail2ban is running, what else could be causing that error?
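The action file above hands fail2ban's `<ip>` straight to a provider script as `add|delete CHAIN IP TARGET`. The following is an added example, not the poster's firewallapi.php and not part of this thread: a minimal stand-in written in Python that accepts the same argument shape, validates the address before anything is sent to the provider, and keeps the banned addresses in a small JSON state file so that a repeated actionban or a stray actionunban is harmless. The provider call (`call_provider_api`) and the state-file path are hypothetical placeholders; the real vServer API is not described on the page.

```python
#!/usr/bin/env python3
"""Stand-in for a provider-API ban script called from a fail2ban action.

Invoked like the action above:  add|delete CHAIN IP TARGET
Added example; the provider hook below is a hypothetical placeholder."""
import ipaddress
import json
import os
import sys

ALLOWED_OPS = {"add", "delete"}
ALLOWED_CHAINS = {"INPUT"}
ALLOWED_TARGETS = {"DROP", "REJECT"}


def parse_rule(argv):
    """Validate 'op chain ip target' and return a normalised tuple.

    Raises ValueError for anything that is not a plain IP address, so a
    malformed <ip> coming out of a bad filter regex never reaches the
    provider call as an argument."""
    if len(argv) != 4:
        raise ValueError("usage: add|delete CHAIN IP TARGET")
    op, chain, ip, target = argv
    if op not in ALLOWED_OPS:
        raise ValueError("unknown operation %r" % op)
    if chain not in ALLOWED_CHAINS:
        raise ValueError("chain %r not allowed" % chain)
    if target not in ALLOWED_TARGETS:
        raise ValueError("target %r not allowed" % target)
    addr = ipaddress.ip_address(ip)  # rejects CIDR, hostnames and shell junk
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError("refusing to ban %s" % addr)
    return op, chain, str(addr), target


def call_provider_api(op, chain, ip, target):
    """Hypothetical placeholder for the vServer API call; only logs."""
    print("API %s %s %s %s" % (op, chain, ip, target), file=sys.stderr)


def load_state(path):
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return json.load(fh)


def save_state(path, rules):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(rules, fh)
    os.replace(tmp, path)  # atomic: a crash mid-write keeps the old list


def apply_rule(argv, state_path, api=call_provider_api):
    """Apply one actionban/actionunban; returns a short result word."""
    op, chain, ip, target = parse_rule(argv)
    rules = load_state(state_path)
    key = "%s %s %s" % (chain, ip, target)
    if op == "add":
        if key in rules:
            return "already-banned"  # fail2ban re-banning is a no-op
        api(op, chain, ip, target)
        rules.append(key)
        save_state(state_path, rules)
        return "banned"
    if key not in rules:
        return "not-banned"  # unban of an unknown address is a no-op
    api(op, chain, ip, target)
    rules.remove(key)
    save_state(state_path, rules)
    return "unbanned"


def banned_ips(state_path):
    """Sorted list of currently banned addresses (for a manual check)."""
    return sorted(r.split()[1] for r in load_state(state_path))


if __name__ == "__main__":
    # State-file location is an assumption for this example.
    try:
        print(apply_rule(sys.argv[1:], "/var/lib/fail2ban/provider-bans.json"))
    except ValueError as exc:
        print("error: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

With `actioncheck` left empty, as in the file above, fail2ban never re-runs `actionstart`, so the state file is the only record of what has been sent to the provider; `banned_ips()` gives a quick way to compare that record against the rules visible in the provider's web interface when, as in this thread, no ban seems to happen.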

till 15th November 2012 10:17

The errors are most likely caused by the ispconfig monitor which checks your server every 5 minutes.

Search for iptables in the file /usr/local/ispconfig/server/lib/classes/monitor_tools.inc.php
