TIPS Fail2Ban restart hangs on Vultr

Joined
Sep 29, 2014
Messages
259
Reaction score
13
Hello:



I have followed tutorial http://nerdvittles.com/?p=23948 to install Incredible PBX 13-13 LEAN on a Vultr (Toronto) CentOS 6 x64 with 1vCore, 1024 MB RAM & 25 GB SSD.



I followed the instructions step-by-step including “./create-swapfile-DO”. I skipped “./Enchilada-upgrade.sh” & “./incrediblefax13.sh”. I did not do the following:
# remember to enable TUN/TAP if using VPS Control Panel
# reconfigure PortKnocker if installing on an OpenVZ platform
echo 'OPTIONS="-i venet0:0"' >> /etc/sysconfig/knockd
service knockd restart
# fix pbxstatus for NeoRouter VPN support, if desired
cd /usr/local/sbin
sed -i "s|cat /etc/hostip|cat /etc/hostip \| cut -f 3 -d ' ' |" pbxstatus
# set up NeoRouter client, if desired
nrclientcmd

When I ssh into the Pbx, the script that runs stops at “Stopping Failban” (see image attached) and just stalls there. Eventually I do a Ctrl-C and it continues to the usual status screen that normally appears.

Does anyone know what I need to do to make this installation work properly?

Thanks,

Rob.
 

Attachment: problem.png

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Looks like Update733 is failing for some reason. Probably need Ward's help on that one.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,202
Reaction score
5,224
There are multiple ways to start, stop, and restart Fail2Ban. Try them manually until you find a combination that works. Sometimes separating out the stop and start commands seems to work more reliably although we haven't seen this problem with Vultr before.

/etc/init.d/fail2ban stop then start
service fail2ban stop then start
systemctl stop fail2ban then start

Then try the various combinations using restart instead of stop and start.

Once you find one that works well, copy the commands into /usr/local/sbin/iptables-restart
 
Joined
Sep 29, 2014
Messages
259
Reaction score
13
Same setup as above except used CentOS 7 instead of CentOS 6 - same problem.

Here is the complete boot listing, if you are interested:

Last failed login: Fri Jun 28 17:12:35 UTC 2019 from 207.35.25.192 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Fri Jun 28 15:44:16 2019 from 207.35.25.192
This update utility goes to IncrediblePBX.com to retrieve the latest updates.
We test updates before release, but NO WARRANTY EXPRESS OR IMPLIED IS PROVIDED.
The first 10 updates are free. Voluntary calendar year update license is $20.
To sign up and make payment using a credit card, go to: http://nerd.bz/QwQkYO
To proceed solely at your own risk, press Enter. Otherwise, Ctrl-C to abort.
Retrieving... lastupdate7
Updates available as of Fri Jun 28 17:12:45 UTC 2019: 36
Checking for update71. INSTALLED: Firewall startup reconfigured
Checking for update72. INSTALLED: status update for SL7
Checking for update73. INSTALLED: IPtables boot sequence patch
Checking for update74. INSTALLED: BASH Vulnerability patch
Checking for update75. INSTALLED: BASH #2 Vulnerability patch
Checking for update76. INSTALLED: FreePBX ARI Vulnerability patch
Checking for update77. INSTALLED: FreePBX ARI #2 Vulnerability patch
Checking for update78. INSTALLED: Incredible PBX LAN Vulnerability Patches
Checking for update79. INSTALLED: FreePBX Web Access Patch
Checking for update710. INSTALLED: rc.local executable patch
Checking for update711. INSTALLED: Fixed Weaather by ZIP Code TTS script
Checking for update712. INSTALLED: Fixed Weaather by ZIP Code TTS script
Checking for update713. INSTALLED: IPtables security patch applied
Checking for update714. INSTALLED: IPtables security patch applied
Checking for update715. INSTALLED: ConfigEdit patch applied
Checking for update716. INSTALLED: Fail2Ban patch applied
Checking for update717. INSTALLED: Asterisk logroate patch applied
Checking for update718. INSTALLED:
Checking for update719. INSTALLED: Outbound calling security patch
Checking for update720. INSTALLED: Outbound calling security patch #2
Checking for update721. INSTALLED: Outbound calling security patch #3
Checking for update722. INSTALLED: rc.local startup file enabled.
Checking for update723. INSTALLED: CentOS/SL 7 iptables-restart fix
Checking for update724. INSTALLED: PBX status fix for Public IP address
Checking for update725. INSTALLED: Asterisk log rotate patch applied
Checking for update726. INSTALLED: ipchecker patch for TM3 applied
Checking for update727. NOT FOUND. Installing... update727
Check if Asterisk running as root user...
No root user patch required
Checking for update728. NOT FOUND. Installing... update728
Updating nv-weather-zip for NWS access...
--2019-06-28 17:12:51-- http://incrediblepbx.com/nv-weather-zip.tar.gz
Resolving incrediblepbx.com (incrediblepbx.com)... 104.206.96.21
Connecting to incrediblepbx.com (incrediblepbx.com)|104.206.96.21|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3440 (3.4K) [application/x-gzip]
Saving to: ‘nv-weather-zip.tar.gz’
100%[============================================================================================>] 3,440 --.-K/s in 0s
2019-06-28 17:12:51 (276 MB/s) - ‘nv-weather-zip.tar.gz’ saved [3440/3440]
nv-weather-zip.php
Checking for update729. NOT FOUND. Installing... update729
Updating hostname for SendMail on HiFormance...
No hostname update required on your server
Checking for update730. INSTALLED:
Checking for update731. INSTALLED:
Checking for update732. NOT FOUND. Installing... update732
Updating Incredible Backup and Restore...
sed: can't read /root/incrediblebackup: No such file or directory
sed: can't read /root/incrediblerestore: No such file or directory
Checking for update733. NOT FOUND. Installing... update733
Blocking Skinny port 2000 on firewall...
Redirecting to /bin/systemctl restart iptables.service
ln: failed to create symbolic link ‘/usr/sbin/iptables’: File exists
Redirecting to /bin/systemctl restart ip6tables.service
Redirecting to /bin/systemctl restart fail2ban.service
Taking too long? Customize the chown command, See http://wiki.freepbx.org/display/FOP/FreePBX+Chown+Conf
Setting Permissions...
Setting base permissions...Done
Setting specific permissions...
1366 [============================]
Finished setting permissions
Redirecting to /bin/systemctl restart fail2ban.service
Checking for update734. NOT FOUND. Installing... update734
Updating Incredible Backup...
sed: can't read /root/incrediblebackup: No such file or directory
Checking for update735. NOT FOUND. Installing... update735
CDR patch for missing CNAM...
Checking for update736. NOT FOUND. Installing... update736
Fail2Ban patch for multiport bug...
Redirecting to /bin/systemctl restart fail2ban.service
Updates and notifications completed.
To continue, press the Enter key...


At this point it displayed the "status screen" but it took 15 minutes to get to this point.
 

wardmundy

Did you try what I suggested above??

It only worked perfectly because Fail2Ban wasn't restarted.
 
Joined
Sep 29, 2014
Messages
259
Reaction score
13
> Did you try what I suggested above??
>
> It only worked perfectly because Fail2Ban wasn't restarted.

None of the combinations seem to work:

root@c7pbx:~ $ /etc/init.d/fail2ban stop
-bash: /etc/init.d/fail2ban: No such file or directory
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ service fail2ban stop
Redirecting to /bin/systemctl stop fail2ban.service

^C
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ systemctl stop fail2ban
^C
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.

root@c7pbx:~ $ /etc/init.d/fail2ban restart
-bash: /etc/init.d/fail2ban: No such file or directory
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ service fail2ban restart
Redirecting to /bin/systemctl restart fail2ban.service
^C
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ systemctl restart fail2ban
^C
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $

The status screen shows Fail2Ban as "Up"

So, I don't understand...

Do you want access to my server to see what is happening?
 

Attachment: status.png

wardmundy

@Robert.Thompson: Not sure what Vultr is doing. Try replacing BOTH fail2ban restart lines in /usr/local/sbin/iptables-restart with the following:
Code:
killall /usr/bin/python
service fail2ban start
 
Joined
Sep 29, 2014
Messages
259
Reaction score
13
> @Robert.Thompson: Not sure what Vultr is doing. Try replacing BOTH fail2ban restart lines in /usr/local/sbin/iptables-restart with the following:
> Code:
> killall /usr/bin/python
> service fail2ban start

Thanks Ward. :)

I did what you suggested and this is what happened:

WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ killall /usr/bin/python
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $ service fail2ban start
Redirecting to /bin/systemctl start fail2ban.service
WARNING: Always run Incredible PBX behind a secure hardware-based firewall.
root@c7pbx:~ $

Where does this leave me? Is my PBX ok or do I need to do something at this point?

Thanks.
 

wardmundy

Read my post again. You were supposed to make the modifications to iptables-restart which then will let you restart your firewall without having it hang with Fail2Ban.
 
Joined
Sep 29, 2014
Messages
259
Reaction score
13
> Read my post again. You were supposed to make the modifications to iptables-restart which then will let you restart your firewall without having it hang with Fail2Ban.

But I told you that none of the combinations worked???

I am totally lost.

When I ssh in now, it seems to work but you are saying that is because fail2ban is not working but the status shows that it is.

I am very confused now.

Sorry.
 

wardmundy

Try this combination instead. Vultr has a problem!
Code:
kill -KILL `ps ax|grep fail2ban-server|grep -v grep|awk '{print $1}'`
/etc/init.d/fail2ban start

Your /usr/local/sbin/iptables-restart file should look like this:
Code:
service iptables restart
/usr/local/sbin/iptables-custom
service ip6tables restart
kill -KILL `ps ax|grep fail2ban-server|grep -v grep|awk '{print $1}'`
/etc/init.d/fail2ban start
/usr/sbin/fwconsole chown
if [ -d "/var/www/html/avantfax" ]; then
    chmod -R 777 /var/www/html/avantfax
    chown -R asterisk:asterisk /var/www/html/avantfax
    chmod -R 0770 /var/www/html/avantfax/tmp /var/www/html/avantfax/faxes
    chown -R asterisk:uucp /var/www/html/avantfax/tmp /var/www/html/avantfax/faxes
fi
kill -KILL `ps ax|grep fail2ban-server|grep -v grep|awk '{print $1}'`
service fail2ban start
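
A more defensive form of the workaround in this thread, as an added example that is not code from the thread or from Incredible PBX: it bounds the normal stop with a timeout, kills only processes whose program is actually fail2ban-server, clears the stale socket, and confirms the server answers before returning. The function names, the 20-second budget and the sample `ps ax` listing are assumptions; the socket path is Fail2Ban's default.

```bash
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed `ps ax` listing for offline checks; PIDs and commands are made up.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        Ss     0:00 /usr/sbin/sshd -D
 1423 ?        Sl     0:07 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
 2210 pts/0    S+     0:00 vi /root/fail2ban-server-notes.txt
 2231 pts/0    S+     0:00 grep fail2ban-server'

# Read `ps ax` output on stdin and print only PIDs whose program is
# fail2ban-server, whether run directly or through a python interpreter.
# A plain grep would also match the vi and grep lines above.
f2b_pids() {
    awk 'NR > 1 {
        i = 5; base = $i; sub(/.*\//, "", base)
        if (base ~ /^python/) {              # skip interpreter options
            i++
            while (i <= NF && $i ~ /^-/) i++
            base = $i; sub(/.*\//, "", base)
        }
        if (base == "fail2ban-server") print $1
    }'
}

restart_fail2ban() {
    # Bound the normal stop (20 s is an assumed budget) so it cannot hang.
    timeout 20 service fail2ban stop >/dev/null 2>&1 || true
    pids=$(ps ax | f2b_pids)
    # Last resort, as in the thread, but never called with an empty PID list.
    [ -n "$pids" ] && kill -KILL $pids
    # SIGKILL leaves the socket behind (default path), which blocks the start.
    rm -f /var/run/fail2ban/fail2ban.sock
    service fail2ban start || return 1
    # Confirm the server answers instead of trusting a status screen.
    n=0
    while [ "$n" -lt 5 ]; do
        fail2ban-client ping >/dev/null 2>&1 && return 0
        n=$((n + 1)); sleep 1
    done
    return 1
}

# Touch the live service only when asked to.
if [ "${1:-}" = "--run" ]; then restart_fail2ban; fi
```

A non-zero return from `restart_fail2ban` means the host is running without brute-force banning and should be treated as such until the service answers again.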
 