Fail2ban ERROR Invariant check failed

I bumped into the following cryptic Fail2ban error:

fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-NoScript[ \t]' returned 100
fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment

Cause: a race condition in fail2ban-client.
Solution: add a small amount of sleep.

Open /usr/bin/fail2ban-client and around line 144 add the line “time.sleep(0.1)” right before “beautifier.setInputCmd(c)”. Make sure you use tabs and not spaces! Here is what it should look like:

Enjoy all those bans automagically handed out to the bad guys.
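
The edit described above only works if the new line starts with exactly the same tab characters as the line below it. The following Python example is added here and is not code from the original post or from the Fail2ban project; it inserts the sleep by copying the target line's own leading whitespace and reports any line whose indentation contains spaces. SAMPLE is a constructed stand-in for the code in /usr/bin/fail2ban-client, and the function names are hypothetical.

```python
import re

TARGET = "beautifier.setInputCmd(c)"  # line named in the post
PATCH = "time.sleep(0.1)"             # line the post says to add before it

# Constructed stand-in for the code around TARGET; this is NOT the real
# fail2ban-client source. Indentation uses real tab characters.
SAMPLE = (
    "def process(cmd):\n"
    "\tfor c in cmd:\n"
    "\t\tbeautifier.setInputCmd(c)\n"
    "\t\tsend(c)\n"
)


def leading_ws(line):
    """Return the exact run of tabs and spaces that starts a line."""
    return re.match(r"[ \t]*", line).group(0)


def add_sleep(source):
    """Insert PATCH before each TARGET line, reusing TARGET's indentation."""
    out = []
    for line in source.splitlines(keepends=True):
        already = bool(out) and out[-1].strip() == PATCH
        if line.strip() == TARGET and not already:
            out.append(leading_ws(line) + PATCH + "\n")
        out.append(line)
    return "".join(out)


def indentation_problems(source):
    """Return (line_number, text) for lines whose indentation has spaces."""
    return [
        (number, line)
        for number, line in enumerate(source.splitlines(), start=1)
        if line.strip() and " " in leading_ws(line)
    ]


if __name__ == "__main__":
    patched = add_sleep(SAMPLE)
    print(patched.replace("\t", "<TAB>"), end="")
    # What an editor that expands tabs produces: spaces before the new line.
    broken = SAMPLE.replace("\t\tbeautifier", "        " + PATCH + "\n\t\tbeautifier")
    for number, line in indentation_problems(broken):
        print("line %d is indented with spaces: %r" % (number, line))
```

Running add_sleep a second time on already patched text changes nothing, so the edit is safe to repeat.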

18 thoughts on “Fail2ban ERROR Invariant check failed”

  1. Perfect!
    Nice to see this ‘sleep’ slowing down and fixing errors in fail2ban.
    Thank you very much, hopefully it’ll get picked up by fail2ban devs!

    Regards,
    SmarTeY

  2. Yes, fix worked, but now having slightly different error:
    2016-03-01 09:42:46,886 fail2ban.actions: WARNING [exim-auth] Unban 185.125.4.191
    2016-03-01 09:42:46,904 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-SMTP[ \t]' returned 100
    2016-03-01 09:42:46,908 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2016-03-01 09:42:46,957 fail2ban.actions.action: ERROR iptables -D fail2ban-SMTP -s 185.125.4.191 -j REJECT --reject-with icmp-port-unreachable returned 100

    1. Hi Ed,

      IIRC that happens when iptables is restarted or modified when fail2ban is running. Try to stop fail2ban then stop iptables. Next start iptables and then start fail2ban again.

      HTH,
      Patrick

        1. Hi Ed,

          Try disabling the mod and see if the problem goes away. If you enable the recidive filter in Fail2ban (just google “fail2ban recidive”) and set a very long ban time then you don’t need that mod.

          HTH,
          Patrick

  3. When trying to restart this is what I get:
    # service fail2ban restart
    * Restarting authentication failure monitor fail2ban File "/usr/bin/fail2ban-client", line 150
    time.sleep(0.1)
    ^
    IndentationError: unindent does not match any outer indentation level

    1. Hi Ed,

      You need to use tabs instead of spaces. If you did a copy & paste of the extra lines of code then that probably messed it up. Remove what you did, use tabs for the indentation and type the lines manually.

      HTH,
      Patrick

      1. Hey Patrick,

        Thank you for the help. Yes, my “Nano” was changing tabs into 4 spaces.
        I will see if this helps with my error in Fail2Ban.

  4. For some reason it did not fix it for me; still getting:

    2016-02-26 06:56:00,977 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-repeatoffender[ \t$
    2016-02-26 06:56:00,977 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2016-02-26 06:56:00,988 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-repeatoffender

  5. For those who have all kinds of errors such as:
    – IndentationError: ….
    – SyntaxError: … outside function

    Make sure your ~/.vimrc doesn’t contain this line:
    set expandtab

    But does contain:
    set tabstop=4
    set shiftwidth=4
    set softtabstop=4

    This is because the fail2ban-client script was written with real tabs instead of extended tabs (tabs that are converted to spaces), so it messes up the entire script …

  6. I added it and when I try to restart I get the following. Weird thing is when I remove it and try I still get the following so not sure what I did as it was restarting fine before.

    ubuntu@server1:~$ sudo service fail2ban restart
    * Restarting authentication failure monitor fail2ban File "/usr/bin/fail2ban-client", line 153
    if ret[0] == 0
    ^
    SyntaxError: invalid syntax
    File "/usr/bin/fail2ban-client", line 153
    if ret[0] == 0
    ^
    SyntaxError: invalid syntax
    File "/usr/bin/fail2ban-client", line 153
    if ret[0] == 0
    ^
    SyntaxError: invalid syntax
    [fail]
    ubuntu@server1:~$

    1. Never mind, looks like I accidentally deleted the : after the 0 when I edited the file. Thanks for posting the fix, working fine.

  7. Does not work in Debian 7.5 as written:

    service fail2ban restart
    [....] Restarting authentication failure monitor: fail2ban File "/usr/bin/fail2ban-client", line 148
    time.sleep(0.1)
    ^
    IndentationError: expected an indented block
    File "/usr/bin/fail2ban-client", line 148
    time.sleep(0.1)
    ^
    IndentationError: expected an indented block
    [FAIL] Socket file /var/run/fail2ban/fail2ban.sock is present ... failed!

  8. Thanks for posting that Patrick (I see this solution also previously posted elsewhere – eg: http://www.fail2ban.org/wiki/index.php/Fail2ban_talk%3aCommunity_Portal ).

    It worked for me.

    My particular case (under Ubuntu 10.04) was caused by using Plesk firewall in conjunction with fail2ban – attempting to block a persistent bad IP permanently via Plesk firewall confused fail2ban (which was still running with a block against that IP). Even when I tried ‘/etc/init.d/fail2ban force-reload’ the /var/log/fail2ban.log would still contain errors – either 100 or 400 from iptables.

    Hardly surprising really.

    Anyway, your solution sorted it and I now get a clean fail2ban restart in the log. So many thanks.
