
Administrators • Zimbra 8.8.15+Selinux+Fail2ban

Hi.
I have a problem with Zimbra 8.8.15+Selinux+Fail2ban.
Current versions are:
  • CentOS Linux release 7.9.2009 (Core)
    3.10.0-1160.114.2.el7.x86_64
    Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P45.
    Fail2ban v0.11.2
I tried to set up fail2ban according to the articles about Fail2ban with route:
https://blog.zimbra.com/2022/08/configu ... on-zimbra/
https://wiki.zimbra.com/wiki/Configure_ ... _block_IPs
The problem is that it only works in Permissive (and most likely in Disabled) SELinux mode, but I wouldn't like to change Enforcing mode.
If Sestatus=Enforcing, first I have:
2024-04-12 14:07:56,995 fail2ban.actions [16653]: NOTICE [zimbra-web] Restore Ban XXX.XXX.XXX.XXX
2024-04-12 14:07:57,005 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- exec: ip route add unreachable XXX.XXX.XXX.XXX
2024-04-12 14:07:57,006 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- stderr: '/bin/sh: ip: command not found'
2024-04-12 14:07:57,006 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- returned 127
2024-04-12 14:07:57,006 fail2ban.utils [16653]: INFO HINT on 127: "Command not found". Make sure that all commands in 'ip route add unreachable XXX.XXX.XXX.XXX' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2024-04-12 14:07:57,007 fail2ban.actions [16653]: ERROR Failed to execute ban jail 'zimbra-web' action 'route' info 'ActionInfo({'ip': 'XXX.XXX.XXX.XXX', 'fid': <function <lambda> at 0x7fd9b0cf60c8>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7fd9b0cf6668>})': Error banning XXX.XXX.XXX.XXX


I wrote a custom SELinux policy and applied it:
grep fail2ban_t /var/log/audit/audit.log | audit2allow -M fail2ban_rt
semodule -i fail2ban_rt.pp
and then I see another message, but still an error:
2024-04-12 14:17:01,157 fail2ban.actions [16653]: NOTICE [zimbra-web] Ban XXX.XXX.XXX.XXX
2024-04-12 14:17:01,174 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- exec: ip route add unreachable XXX.XXX.XXX.XXX
2024-04-12 14:17:01,175 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- stderr: 'Cannot talk to rtnetlink: Permission denied'
2024-04-12 14:17:01,176 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- returned 2
2024-04-12 14:17:01,177 fail2ban.actions [16653]: ERROR Failed to execute ban jail 'zimbra-web' action 'route' info 'ActionInfo({'ip': 'XXX.XXX.XXX.XXX', 'fid': <function <lambda> at 0x7fd9b0cf60c8>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7fd9b0cf6668>})': Error banning XXX.XXX.XXX.XXX

Now I can't see any error in audit.log, so I can't write another custom SELinux policy.
I found some explanation here:
https://github.com/fail2ban/fail2ban/discussions/3416
but the idea is that, in my case, the problem seems to depend only on SELinux status. Besides, the problem occurs even if I only set one rule, [zimbra-web], without [zimbra-smtp].

If I use IPTABLES instead of the blackhole route, it works well, but the blackhole route is the preferable choice.
I know 8.8.15 is EOL and CentOS 7 will be soon as well, but we still use it at the moment.

Thank you for your interest.

Statistics: Posted by serg81no — Fri Apr 12, 2024 11:59 am
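
Added example, not part of the original post: a ban whose action fails leaves the address unblocked even though fail2ban logs a Ban NOTICE, so these errors are worth monitoring. The Python below groups the fail2ban.utils ERROR lines in the format quoted above into one record per failed command and labels the two failure modes from the post; the sample log is constructed (192.0.2.10 is a placeholder address) and the function names are hypothetical.

```python
import re

# Constructed sample in the fail2ban.log format quoted in the post;
# 192.0.2.10 is a documentation address used as a placeholder.
SAMPLE_LOG = """\
2024-04-12 14:07:56,995 fail2ban.actions [16653]: NOTICE [zimbra-web] Restore Ban 192.0.2.10
2024-04-12 14:07:57,005 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- exec: ip route add unreachable 192.0.2.10
2024-04-12 14:07:57,006 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- stderr: '/bin/sh: ip: command not found'
2024-04-12 14:07:57,006 fail2ban.utils [16653]: ERROR 7fd9b056f1c0 -- returned 127
2024-04-12 14:17:01,157 fail2ban.actions [16653]: NOTICE [zimbra-web] Ban 192.0.2.10
2024-04-12 14:17:01,174 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- exec: ip route add unreachable 192.0.2.10
2024-04-12 14:17:01,175 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- stderr: 'Cannot talk to rtnetlink: Permission denied'
2024-04-12 14:17:01,176 fail2ban.utils [16653]: ERROR 7fd9b056fc10 -- returned 2
"""

# Matches the three kinds of fail2ban.utils ERROR line: exec, stderr, returned.
UTILS_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+fail2ban\.utils\s+\[\d+\]:\s+ERROR\s+"
    r"(?P<id>[0-9a-f]+)\s+--\s+(?P<key>exec|stderr|returned):?\s+(?P<val>.*)$")

def failed_actions(log_text):
    """Return one record per failed command: time, command, stderr lines, exit code."""
    records, open_by_id = [], {}
    for line in log_text.splitlines():
        m = UTILS_LINE.match(line)
        if not m:
            continue
        if m["key"] == "exec":
            # Start a new record on every exec line, in case an id is reused later.
            rec = {"time": m["ts"], "exec": m["val"], "stderr": [], "rc": None}
            open_by_id[m["id"]] = rec
            records.append(rec)
        elif m["id"] in open_by_id:
            rec = open_by_id[m["id"]]
            if m["key"] == "stderr":
                rec["stderr"].append(m["val"].strip("'"))
            else:
                rec["rc"] = int(m["val"])
    return records

def classify(rec):
    """Label the two failure modes seen in the post; anything else is 'other'."""
    text = " ".join(rec["stderr"])
    if rec["rc"] == 127 or "command not found" in text:
        return "command-not-found"
    return "permission-denied" if "Permission denied" in text else "other"

if __name__ == "__main__":
    for rec in failed_actions(SAMPLE_LOG):
        print(rec["time"], classify(rec), rec["rc"], rec["exec"])
```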


