1 (edited by jmsk 2021-11-22 13:32:04)

Topic: iRedMail-1.4.2 OpenBSD fail2ban failed

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.2 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: OpenBSD 6.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): none
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

# /etc/rc.d/fail2ban check
fail2ban(failed)

# /etc/rc.d/fail2ban start
fail2ban(failed)

# /etc/rc.d/fail2ban -d start
doing _rc_parse_conf
doing _rc_quirks
fail2ban_flags empty, using default ><
doing rc_check
fail2ban
doing rc_pre
doing rc_start
doing _rc_wait start
doing rc_check
Traceback (most recent call last):
  File "/usr/local/bin/fail2ban-client", line 34, in <module>
    from fail2ban.client.fail2banclient import exec_command_line, sys
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/fail2banclient.py", line 39, in <module>
    from ..server.utils import Utils
  File "/usr/local/lib/python3.8/site-packages/fail2ban/server/utils.py", line 60, in <module>
    for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
AttributeError: 'dict' object has no attribute 'iteritems'
doing _rc_rm_runfile
(failed)

Any help appreciated thanks!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team.

2

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

On 1.3.2 with OpenBSD, the failure of fail2ban was a known issue, as I recall.

3

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

goodcoffee wrote:

On 1.3.2 with OpenBSD, the failure of fail2ban was a known issue, as I recall.

Thanks for the info

Some more digging below ...

# /usr/local/bin/fail2ban-server -v -v -v
ERROR: No module named 'ConfigParser'
+  112 F6E1B3ADD30 fail2ban                  ERROR No module named 'ConfigParser'
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/fail2bancmdline.py", line 228, in initCmdLine
    self.configurator.readEarly()
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/fail2bancmdline.py", line 70, in configurator
    from .configurator import Configurator
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/configurator.py", line 27, in <module>
    from .fail2banreader import Fail2banReader
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/fail2banreader.py", line 27, in <module>
    from .configreader import ConfigReader
  File "/usr/local/lib/python3.8/site-packages/fail2ban/client/configreader.py", line 29, in <module>
    from ConfigParser import NoOptionError, NoSectionError
ModuleNotFoundError: No module named 'ConfigParser'
+  115 F6E1B3ADD30 fail2ban                  DEBUG Exit with code 255

# /usr/local/bin/fail2ban-python -V 
Python 3.8.12

mx# python3 -V
Python 3.8.12

# cat /usr/local/bin/fail2ban-server | head -n 1
#!/usr/local/bin/python3.8

# cat /usr/local/bin/fail2ban-client | head -n 1
#!/usr/local/bin/python3.8

4

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

The module name "ConfigParser" was renamed to "configparser".
Which Fail2ban release are you running?

5

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

ZhangHuangbin wrote:

The module name "ConfigParser" was renamed to "configparser".
Which Fail2ban release are you running?

Hi ZhangHuangbin,  this was a clean install on 2021-11-22 and fail2ban-client|server -V|--version fails but looking at the install log I see ...

runtime/fail2ban_install.log:Successfully installed fail2ban-0.11.1

Many thanks for the support

6

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

Does it work if you run "rcctl start fail2ban"?

7

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

Same as before

# rcctl start fail2ban 
fail2ban(failed)

8

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

Could you download fail2ban-0.11.2 and install it manually? Let's see how it works.

9

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

Initially I tried a manual install of fail2ban-0.11.2 which seemed to help a little as in fail2ban starts after a reboot but fail2ban stop / restart were still failing

So I tried a clean install with following modifications before running 'bash iRedMail.sh'

# vi /root/iRedMail-1.4.2/pkgs/pkgs.openbsd.sha256
delete SHA256 (misc/fail2ban-0.11.1.tar.gz) = ...
add    SHA256 (misc/fail2ban-0.11.2.tar.gz) = 383108e5f8644cefb288537950923b7520f642e7e114efb843f6e7ea9268b1e0
Download fail2ban-0.11.2.tar.gz to /root/iRedMail-1.4.2/pkgs/misc/
# bash iRedMail.sh

But now back to square 1 with same errors as above

I have also installed iredmail on freebsd and notice the installer gave me no option to install fail2ban so at least that is a clean slate and I will look at manually installing fail2ban or sshguard

10

Re: iRedMail-1.4.2 OpenBSD fail2ban failed

Ok back to the FreeBSD server, using same server details as first post except
- Linux/BSD distribution name and version: FreeBSD 13.0

I have lost faith with fail2ban so thought I would try sshguard using pf firewall

# vi /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

# cp /usr/share/examples/pf/pf.conf /etc/
# chmod 644 /etc/pf.conf
# vi /etc/pf.conf
ext_if="vtnet0"
services = "{ ssh, smtp, imap }"
set skip on lo
scrub in
block in
pass out
pass in on $ext_if proto tcp to ($ext_if) port $services
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { echoreq }
table <sshguard> persist
block in proto tcp from <sshguard>

# service pf start
# service pflog start

# cd /usr/ports/security/sshguard/
# make install clean
# vi /etc/rc.conf
sshguard_enable="YES"

# vi /usr/local/etc/sshguard.conf
BACKEND="/usr/local/libexec/sshg-fw-pf"
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
# vi /usr/local/etc/sshguard.whitelist
192.168.35.0/24
# service sshguard start

Seems to be working well