Fail2ban service gets stuck and unable to remove subscription with 504 Gateway Timeout error

Created:

2016-11-16 13:14:52 UTC

Modified:

2017-07-08 19:11:00 UTC

3

Was this article helpful?


Have more questions?

Submit a request

Fail2ban service gets stuck and unable to remove subscription with 504 Gateway Timeout error

Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 12.0 for Linux

Symptoms

  1. Plesk hangs when trying to access Tools & Settings > IP Address Banning (Fail2Ban) .

  2. Attempt to remove a subscription shows 504 Gateway Time-out after a long delay.

  3. The following error is displayed while trying to create or remove a subscription and to stop or start services in Plesk > Tools & Settings > Services Management :

    This operation is taking too long. Check the result in few minutes.
  4. It is not possible to enable jails with one of the following errors:

    Error: f2bmng failed: Traceback (most recent call last):
    File "/usr/bin/fail2ban-client", line 470, in
    if client.start(sys.argv):
    File "/usr/bin/fail2ban-client", line 440, in start
    return self.__processCommand(args)
    File "/usr/bin/fail2ban-client", line 256, in __processCommand
    if self.__ping():
    File "/usr/bin/fail2ban-client", line 153, in __ping
    return self.__processCmd([["ping"]], False)
    File "/usr/bin/fail2ban-client", line 185, in __processCmd
    client.close()
    AttributeError: CSocket instance has no attribute 'close'
    ERROR:f2bmng:Command '['/usr/bin/fail2ban-client', 'reload']' returned non-zero exit status 1

    OR

    ERROR   ipset create fail2ban-apache-badbots hash:ip timeout 172800
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-apache-badbots src -j REJECT --reject-with icmp-port-unreachable -- stderr: ''
  5. It is not possible to install Fail2Ban using Plesk autoinstaller:

    Fatal error during packages installation: Test Transaction Errors:   file /etc/fail2ban/action.d/iptables-allports.conf from install of fail2ban-0.8.13-centos7.14071718.noarch conflicts with file from package fail2ban-server-0.9.1-2.el7.noarch
  6. The following error can be found at /var/log/plesk/sw-cp-server/error_log :

    2241#0: *603 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.2, server: , request: "GET /admin/server-protection/ban-list HTTP/1.1", upstream: "fastcgi://unix:/var/run/sw-engine.sock", host: "192.0.2.2:8443", referrer: "https://203.0.113.2:8443/admin/server/tools?context=tools"

    The process hangs after the following message in /var/log/plesk/panel.log with debug mode enabled:

    DEBUG [util_exec] [63762328da92388cff356a50532a3ead][0] Starting: f2bmng --get-banned-ips, stdin:

Cause

Unsupported Fail2Ban package version is installed.

Probably, EPEL repository (or any other 3rd party repository) is enabled on the server which is responsible for the incorrect version of Fail2ban is installed. You can find supported Fail2Ban versions below:

Plesk version Supported Fail2Ban version
12.5 0.9.2
12.0 0.8.13

Resolution

Check the version of the installed Fail2Ban package using the command:

# rpm -qa | grep fail2ban

If the version differs from the supported one, perform the following steps:

  1. Create a backup of /etc/fail2ban directory as /usr/local/src/fail2ban/

  2. Exclude Fail2ban from epel repository at /etc/yum.repos.d/epel.repo :

    cat /etc/yum.repos.d/epel.repo
    exclude=fail2ban

    If newest version is still downloading, exclude it from main yum repository at /etc/yum.conf

     cat /etc/yum.conf 
    [main]
    ...
    exclude=fail2ban*.el6*
  3. Reinstall fail2ban:

  4. Via CLI:

        # plesk installer --select-product-id plesk --select-release-current --remove-component fail2ban

    # plesk installer --select-product-id plesk --select-release-current --install-component fail2ban
  5. Via GUI:

    Home > Tools & Settings > Updates and Upgrades > Add/Remove Components

Or

Reinstall Fail2ban package manually:

  1. Find the Fail2ban package version:

    # rpm -qa | grep fail2ban
    fail2ban-0.9.3-1.el6.1.noarch
    plesk-fail2ban-configurator-12.0.18-cos6.build1200140526.11.noarch
  2. Delete the package manually:

    # rpm -e fail2ban-0.9.3-1.el6.1.noarch --nodeps --noscripts
  3. Download the correct Fail2ban package from Plesk repository .

  4. Install the correct package:

    # rpm -i fail2ban-version_number.rpm

NOTE: For both cases, after the fail2ban package has been removed, it is necessary to verify that there are no any hanged fail2ban processes:

# ps auxxffww | grep fail2ban
root 4567 0.0 0.0 103252 824 pts/0 S+ 20:30 0:00 | \\_ grep fail2ban
root 2087 0.3 0.3 1353768 11256 ? S 2015 488:55 /usr/bin/python -Es /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

# ps auxxffww | grep f2bmng

root 15868 0.0 0.2 82752 7860 ? SN 12:55 0:00 | \\_ /usr/bin/python -Estt /usr/local/psa/admin/sbin/f2bmng --set-options
root 16595 0.0 0.2 82756 7864 ? SN 13:07 0:00 | \\_ /usr/bin/python -Estt /usr/local/psa/admin/sbin/f2bmng --set-options
root 17052 0.0 0.2 82752 7860 ? SN 13:12 0:00 | \\_ /usr/bin/python -Estt /usr/local/psa/admin/sbin/f2bmng --set-options
root 477 0.0 0.2 179476 7684 pts/1 S 19:22 0:00 /usr/bin/python -Estt /usr/local/psa/admin/sbin/f2bmng --add-log plesk-apache /var/www/vhosts/system/example.com/logs/error_log

In case they were found, manually kill them using the kill command:

# kill -9 4567 2087 15868 16595 17052 477

Replace the id's with id's in question.

Have more questions? Submit a request
Please sign in to leave a comment.