Knowledge Base

Fail2Ban hangs on start: Action already exists or fail2ban.service start operation timed out

 
apachedomainsfail2banhostedplesk for linux

Symptoms

  • More than 300 domains are hosted on the server.

  • Fail2Ban fails to start with one of the following error messages in Plesk:

    PLESK_ERROR: Warning: Fail2Ban might not operate properly if there are many domains and Fail2Ban has to monitor too many log files.

    PLESK_ERROR: Unable to manage service by f2bmng: (‘start’, ‘fail2ban’). Error: Job for fail2ban.service failed because a timeout was exceeded. See “systemctl status fail2ban.service” and “journalctl -xe” for details. ERROR:f2bmng:Failed to start fail2ban service

    PLESK_ERROR: f2bmng failed: ERROR NOK: (‘ssh’,)
    ERROR NOK: (‘Action iptables already exists’,)
    ERROR NOK: (‘recidive’,)
    ERROR NOK: (‘Action iptables-multiport already exists’,)
    ERROR NOK: (‘plesk-roundcube’,)
    ERROR NOK: (‘Action iptables-multiport already exists’,)
    ERROR NOK: (‘plesk-apache’,)
    ERROR NOK: (‘Action iptables-multiport already exists’,)
    ERROR NOK: (‘plesk-apache-badbot’,)
    ERROR:f2bmng:Command ‘[‘/usr/bin/fail2ban-client’, ‘reload’]’ returned non-zero exit status 255

  • The following error messages appear in /var/log/fail2ban.log:

    fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example.com/logs/access_ssl_log already exists
    fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example2.com/logs/proxy_access_ssl_log already exists
    fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example3.com/logs/proxy_access_log already exists
    fail2ban.filter [28401] : ERROR /var/www/vhosts/system/example4.com/logs/access_log already exists

Cause

Fail2Ban is trying to start too many logfiles because of a large number of domains. By default, the start time of the Fail2Ban service is 90 seconds. After 90 seconds, systemd gracefully kills the Fail2Ban service and tries to start it again making an infinite loop.

Resolution

  1. Connect to the Plesk server via SSH.

  2. Stop the Fail2Ban service:

    # service fail2ban stop

  3. Kill hanged Fail2Ban processes if they exist:

    3.1. List all Fail2Ban processes with the command:

    # ps aux | grep fail

    root 8815 0.0 0.0 107936 604 pts/0 S+ 10:17 0:00 tail -fn0 /var/log/fail2ban.log
    root 8981 0.6 0.1 959104 19304 ? Sl 10:18 0:45 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
    root 32139 0.0 0.0 101672 10684 ? S 11:43 0:00 /usr/bin/python /usr/bin/fail2ban-client reload plesk-apache-badbot

    3.2. If processes like above are listed, kill them:

    # kill -9 8815 8981 32139

  4. Specify the timeout for the Fail2Ban service:

    4.1. Open the file /lib/systemd/system/fail2ban.service in a text editor. In this example, we are using the vi editor:

    # vi /lib/systemd/system/fail2ban.service

    4.2. Add the following line under the [Service] section:

    TimeoutStartSec=900

    4.3. Save the changes and close the file.

    Note: With this change, Fail2Ban will try to load jails within 15 minutes (900 seconds).

  5. Restart the Fail2Ban and system services:

    # systemctl daemon-reload
    # service fail2ban restart

Read the full article
Related Posts
Knowledge Base

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2021 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WordPress Toolkit

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt