Resolved
0 votes
Hi, I installed on Home 7.2, but it is an upgraded system from 7.1, not a clean install. The Attack Detector app is version 2.2.4-1 and it is not showing any rules in the web GUI, so I SSHed into my ClearOS and checked etc/fail2ban/jail.d/ with ls -lsa, and the only thing showing is 00-firewalld.conf. Is there a way to manually install rules? I have tried removing and reinstalling the app through the Marketplace and it is still showing the same, so I removed it again and tried installing via yum install fail2ban --enablerepo=clearos-centos,clearos-epel,clearos-centos-updates then yum --enablerepo=clearos-centos,clearos-epel,clearos-centos-updates,clearos-updates-testing install app-attack-detector, and it is still showing only 00-firewalld.conf in the jail.d. Has anyone got any ideas on how to fix this issue?

Resolved: I just did a clean install and everything is working correctly from the Marketplace.
Monday, June 27 2016, 04:59 PM
Responses (12)
  • Accepted Answer

    Monday, July 11 2016, 04:04 PM - #Permalink
    Resolved
    0 votes
    @Peter,
    I can see where you're coming from.

    How about this for an idea:
    All the configlets don't come from app-attack-detector but from the underlying apps, e.g. sshd. Therefore bring them in disabled so they don't mess with an f2b installation. However, in a post-installation script for app-attack-detector, enable all the clearos-*.conf files in /etc/fail2ban/jail.d.
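The post-installation step proposed in the reply above, written out as an added example that is not part of the thread or of ClearOS packaging. The helper name `enable_clearos_jails` is hypothetical, and it assumes the configlets ship with an explicit `enabled = false` line.

```shell
#!/bin/sh
# Added example (hypothetical helper, not ClearOS packaging code).
# Flips "enabled = false" to "enabled = true" in every clearos-*.conf
# configlet in a jail.d directory and prints how many files it changed.
# Files not named clearos-*.conf (e.g. 00-firewalld.conf) are never touched.

enable_clearos_jails() {
    jail_dir="${1:-/etc/fail2ban/jail.d}"
    changed=0
    for f in "$jail_dir"/clearos-*.conf; do
        [ -f "$f" ] || continue   # glob matched nothing, or not a regular file
        # Only rewrite files that actually carry a disabled jail.
        grep -Eq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*false' "$f" || continue
        tmp=$(mktemp) || return 1
        sed 's/^[[:space:]]*enabled[[:space:]]*=[[:space:]]*false.*$/enabled = true/' "$f" > "$tmp"
        cat "$tmp" > "$f"         # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        changed=$((changed + 1))
    done
    echo "$changed"
}
```

When the count is non-zero, fail2ban has to reload its configuration (for example with `fail2ban-client reload`) before the jails become active.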
  • Accepted Answer

    Monday, July 11 2016, 03:16 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Nick Howitt wrote:

    @Peter
    I've been doing a fresh installation of 7.2 and at the moment it looks like the configlets come in OK. I have five of them, but I don't run Attack Detector, I run a full fail2ban. Unfortunately the rules come in already enabled even without an f2b/attack detector installation so, as soon as I install f2b, the rules become active. Would it not be better to bring them in disabled? A vanilla f2b installation comes in with rules disabled.


    Generally, we enable things at install time. If someone has gone through the trouble of installing an app via Marketplace, then it's more likely that the user wants the app/service running. There are exceptions to that rule of course, and this might be one of those exceptions! I'll bring it up in our next tech meeting.
  • Accepted Answer

    Monday, July 11 2016, 11:32 AM - #Permalink
    Resolved
    0 votes
    @Peter
    I've been doing a fresh installation of 7.2 and at the moment it looks like the configlets come in OK. I have five of them, but I don't run Attack Detector, I run a full fail2ban. Unfortunately the rules come in already enabled even without an f2b/attack detector installation so, as soon as I install f2b, the rules become active. Would it not be better to bring them in disabled? A vanilla f2b installation comes in with rules disabled.
  • Accepted Answer

    Sunday, July 03 2016, 01:27 AM - #Permalink
    Resolved
    0 votes

    missing c /etc/fail2ban/jail.d/clearos-sshd-ddos.conf
    missing c /etc/fail2ban/jail.d/clearos-sshd.conf


    It looks like the fail2ban configlets that were installed with the SSH server were moved out of the way or deleted. You can grab a copy from http://mirror1-toronto.egloo.ca/egloo/clearos/devel/7/


    cd /etc/fail2ban/jail.d
    wget http://mirror1-toronto.egloo.ca/egloo/clearos/devel/7/clearos-sshd-ddos.conf
    wget http://mirror1-toronto.egloo.ca/egloo/clearos/devel/7/clearos-sshd.conf
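The check used in this exchange, as an added example that is not from the thread: it parses `rpm -qV` output for files missing from jail.d and counts the jail sections that the configlets still present define. The function names are hypothetical, and the third line of the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
# Typical use: rpm -qV app-ssh-server-core | missing_configlets

# Reads `rpm -qV <package>` output on stdin and prints the path of every
# file reported missing under the given directory (default: jail.d).
missing_configlets() {
    awk -v dir="${1:-/etc/fail2ban/jail.d}/" '
        $1 == "missing" {
            line = $0
            # Drop the "missing" keyword and the optional file-type marker
            # (c = config, d = doc, g = ghost, l = license, r = readme).
            sub(/^missing[ \t]+([cdglr][ \t]+)?/, "", line)
            if (index(line, dir) == 1) print line
        }'
}

# Counts the jail sections ([name] headers other than [DEFAULT] and
# [INCLUDES]) defined by the *.conf files in a jail.d directory.
# It counts definitions only; it does not say whether a jail is enabled.
count_jail_sections() {
    dir="${1:-/etc/fail2ban/jail.d}"
    total=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # empty directory: glob matched nothing
        n=$(awk '/^\[[^]]+\]/ && !/^\[(DEFAULT|INCLUDES)\]/ { n++ }
                 END { print n + 0 }' "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Sample input: the first two lines are the ones quoted in the thread,
# the third is constructed to show a modified (not missing) file.
sample_verify_output() {
    cat <<'EOF'
missing   c /etc/fail2ban/jail.d/clearos-sshd-ddos.conf
missing   c /etc/fail2ban/jail.d/clearos-sshd.conf
S.5....T.  c /etc/ssh/sshd_config
EOF
}
```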
  • Accepted Answer

    Wednesday, June 29 2016, 11:47 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    I did that and Attack Detector did install via the Marketplace, but it is still showing no rules.


    Do you see missing files when you run:

    rpm -qV app-ssh-server-core


    Yes:
    missing c /etc/fail2ban/jail.d/clearos-sshd-ddos.conf
    missing c /etc/fail2ban/jail.d/clearos-sshd.conf
  • Accepted Answer

    Wednesday, June 29 2016, 03:17 PM - #Permalink
    Resolved
    0 votes
    I did that and Attack Detector did install via the Marketplace, but it is still showing no rules.


    Do you see missing files when you run:

    rpm -qV app-ssh-server-core
  • Accepted Answer

    Wednesday, June 29 2016, 07:03 AM - #Permalink
    Resolved
    0 votes
    I did notice this after I installed it via the Marketplace.
    Installed Version:
    2.2.4-1
    Current Version:
    2.2.3-1
  • Accepted Answer

    Wednesday, June 29 2016, 03:26 AM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:
    Strange - you don't seem to have the clearos-epel repo enabled... that would cause a problem for the handful of apps (including Attack Detector) that pull in EPEL packages. To enable clearos-epel, run:

    yum-config-manager --enable clearos-epel



    You will then be able to install the app via Marketplace without the error.

    Note: on ClearOS Home/Business, the verified EPEL repo handling is done automatically, so the above step is neither required nor recommended.

    I did that and Attack Detector did install via the Marketplace, but it is still showing no rules.
    fail2ban-client status
    Status
    |- Number of jail: 0
    `- Jail list:

    And the status is saying Dead even after I try to start it.
  • Accepted Answer

    Tuesday, June 28 2016, 04:47 PM - #Permalink
    Resolved
    0 votes
    loren hackley wrote:

    I also tried installing Attack Detector from the Marketplace in the web GUI and got the error Exception: [u'ERROR with transaction check vs depsolve:', 'fail2ban-server is needed by app-attack-detector-core-1:2.2.4-1.v7.noarch']


    Strange - you don't seem to have the clearos-epel repo enabled... that would cause a problem for the handful of apps (including Attack Detector) that pull in EPEL packages. To enable clearos-epel, run:

    yum-config-manager --enable clearos-epel


    You will then be able to install the app via Marketplace without the error.

    Note: on ClearOS Home/Business, the verified EPEL repo handling is done automatically, so the above step is neither required nor recommended.
  • Accepted Answer

    Monday, June 27 2016, 11:27 PM - #Permalink
    Resolved
    0 votes
    I also tried installing Attack Detector from the Marketplace in the web GUI and got the error Exception: [u'ERROR with transaction check vs depsolve:', 'fail2ban-server is needed by app-attack-detector-core-1:2.2.4-1.v7.noarch']
  • Accepted Answer

    Monday, June 27 2016, 11:12 PM - #Permalink
    Resolved
    0 votes
    OK, I ran
    yum remove fail2ban fail2ban-server
    Loaded plugins: clearcenter-marketplace, fastestmirror
    ClearCenter Marketplace: fetching repositories...
    Resolving Dependencies
    --> Running transaction check
    ---> Package fail2ban.noarch 0:0.9.3-1.el7 will be erased
    ---> Package fail2ban-server.noarch 0:0.9.3-1.el7 will be erased
    --> Processing Dependency: fail2ban-server = 0.9.3-1.el7 for package: fail2ban-sendmail-0.9.3-1.el7.noarch
    --> Processing Dependency: fail2ban-server = 0.9.3-1.el7 for package: fail2ban-firewalld-0.9.3-1.el7.noarch
    --> Processing Dependency: fail2ban-server for package: 1:app-attack-detector-core-2.2.4-1.v7.noarch
    --> Running transaction check
    ---> Package app-attack-detector-core.noarch 1:2.2.4-1.v7 will be erased
    --> Processing Dependency: app-attack-detector-core = 1:2.2.4-1.v7 for package: 1:app-attack-detector-2.2.4-1.v7.noarch
    ---> Package fail2ban-firewalld.noarch 0:0.9.3-1.el7 will be erased
    ---> Package fail2ban-sendmail.noarch 0:0.9.3-1.el7 will be erased
    --> Running transaction check
    ---> Package app-attack-detector.noarch 1:2.2.4-1.v7 will be erased
    --> Finished Dependency Resolution

    Dependencies Resolved

    ====================================================================================================================================================================================================
    Package Arch Version Repository Size
    ====================================================================================================================================================================================================
    Removing:
    fail2ban noarch 0.9.3-1.el7 @clearos-epel 0.0
    fail2ban-server noarch 0.9.3-1.el7 @clearos-epel 1.3 M
    Removing for dependencies:
    app-attack-detector noarch 1:2.2.4-1.v7 @clearos-updates 18 k
    app-attack-detector-core noarch 1:2.2.4-1.v7 @clearos-updates 13 k
    fail2ban-firewalld noarch 0.9.3-1.el7 @clearos-epel 270
    fail2ban-sendmail noarch 0.9.3-1.el7 @clearos-epel 11 k

    Transaction Summary
    ====================================================================================================================================================================================================
    Remove 2 Packages (+4 Dependent packages)

    Installed size: 1.4 M
    Is this ok [y/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Erasing : fail2ban-0.9.3-1.el7.noarch 1/6
    Erasing : fail2ban-firewalld-0.9.3-1.el7.noarch 2/6
    Erasing : fail2ban-sendmail-0.9.3-1.el7.noarch 3/6
    Erasing : 1:app-attack-detector-2.2.4-1.v7.noarch 4/6
    Erasing : 1:app-attack-detector-core-2.2.4-1.v7.noarch 5/6
    Erasing : fail2ban-server-0.9.3-1.el7.noarch 6/6
    warning: /etc/fail2ban/jail.conf saved as /etc/fail2ban/jail.conf.rpmsave
    Verifying : fail2ban-firewalld-0.9.3-1.el7.noarch 1/6
    Verifying : 1:app-attack-detector-2.2.4-1.v7.noarch 2/6
    Verifying : fail2ban-0.9.3-1.el7.noarch 3/6
    Verifying : fail2ban-server-0.9.3-1.el7.noarch 4/6
    Verifying : fail2ban-sendmail-0.9.3-1.el7.noarch 5/6
    Verifying : 1:app-attack-detector-core-2.2.4-1.v7.noarch 6/6

    Removed:
    fail2ban.noarch 0:0.9.3-1.el7 fail2ban-server.noarch 0:0.9.3-1.el7

    Dependency Removed:
    app-attack-detector.noarch 1:2.2.4-1.v7 app-attack-detector-core.noarch 1:2.2.4-1.v7 fail2ban-firewalld.noarch 0:0.9.3-1.el7 fail2ban-sendmail.noarch 0:0.9.3-1.el7

    Complete!

    Then I rmdir fail2ban/

    yum install app-attack-detector
    Loaded plugins: clearcenter-marketplace, fastestmirror
    ClearCenter Marketplace: fetching repositories...
    clearos | 3.6 kB 00:00:00
    clearos-centos | 3.6 kB 00:00:00
    clearos-centos-updates | 2.9 kB 00:00:00
    clearos-contribs | 3.0 kB 00:00:00
    clearos-fast-updates | 2.9 kB 00:00:00
    clearos-infra | 3.0 kB 00:00:00
    clearos-updates | 3.0 kB 00:00:00
    Loading mirror speeds from cached hostfile
    * clearos: clearos.bhs.mirrors.ovh.net
    * clearos-centos: download3.clearsdn.com
    * clearos-centos-updates: download3.clearsdn.com
    * clearos-contribs: clearos.bhs.mirrors.ovh.net
    * clearos-fast-updates: download3.clearsdn.com
    * clearos-infra: clearos.bhs.mirrors.ovh.net
    * clearos-updates: clearos.bhs.mirrors.ovh.net
    * private-clearcenter-dyndns: download2.clearsdn.com:80
    private-clearcenter-dyndns | 1.9 kB 00:00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package app-attack-detector.noarch 1:2.2.4-1.v7 will be installed
    --> Processing Dependency: app-attack-detector-core = 1:2.2.4-1.v7 for package: 1:app-attack-detector-2.2.4-1.v7.noarch
    --> Running transaction check
    ---> Package app-attack-detector-core.noarch 1:2.2.4-1.v7 will be installed
    --> Processing Dependency: fail2ban-server for package: 1:app-attack-detector-core-2.2.4-1.v7.noarch
    --> Finished Dependency Resolution
    Error: Package: 1:app-attack-detector-core-2.2.4-1.v7.noarch (clearos-updates)
    Requires: fail2ban-server
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

    This is why I installed it with
    yum install fail2ban --enablerepo=clearos-centos,clearos-epel,clearos-centos-updates
    then
    yum --enablerepo=clearos-centos,clearos-epel,clearos-centos-updates,clearos-updates-testing install app-attack-detector
    but that led to the original problem of jail not showing anything in it other than 00-firewalld.conf
  • Accepted Answer

    Monday, June 27 2016, 07:00 PM - #Permalink
    Resolved
    0 votes
    Hi Loren,

    Strange but true: the fail2ban RPM is not the package that you want. Instead, it's the fail2ban-server package. I would re-install the Attack Detector app with:

    yum remove fail2ban fail2ban-server


    It's okay if you see app-attack-detector and app-attack-detector-core getting removed with that command. Next, re-install the app:

    yum install app-attack-detector