How to jail a Kineticist

I am running a Pathfinder game in which a L5 Kineticist (fire and aether elements) decided he wanted to go kill an angel more or less on his own. He got his ass kicked, but the Angel does not want to kill him, but rather incarcerate him somehow. If it was a wizard, a gag in the mouth and restraints on his fingers would do it, but how would one go about keeping a Kineticist locked up?

The kineticist is level 12, the specific angel is an Astral Deva.

My PayPal horror, what I did, can I go to jail?

So I am not going to lie or hide anything, judge me if you want.

I am just here looking to hear from someone who knows a bit more than me on the subject.

I was for the longest time an honest seller, then guess what? Over 1000$ total in back charges….
I ended up -500, said F it, closed my bank account.
Then I decided to F them back. So I sold on eBay up to my max limit (5k),
used the money for other things, and I am expecting everyone on eBay to do back charges (in this case rightfully so) that would…

Can’t access internet or ping default gateway from a FreeBSD 12 jail

I am new to FreeBSD jails. Everything (such as ssh to the jail from any host in the network) works fine, except I can’t access the internet or ping the default gateway from a FreeBSD 12 jail. Please help me to resolve this.

My setup is as follows:

  • a laptop running Ubuntu 16.04.4/ Kernel 4.15.0-29-generic (172.20.0.2) is connected to a 4G router (172.20.0.1) via wlan0

  • VirtualBox ver 5.2.16 r123759 installed on the system

  • FreeBSD 12 is running on VirtualBox with Bridged adapter to wlan0
  • a Jail running on FreeBSD 12

diagram:

    +-------------------------------+
    |   E5172Bs-925 4G router       |
    |                               |
    +-------------------------------+
                  |172.20.0.1
                  |
                  |
                  |
                  |
                  |  wlan0
                  |172.20.0.2 gw: 172.20.0.1      Ubuntu 16.04.4/ Kernel 4.15.0-29-generic
    +---------------------------------------------------------------+
    |             |                                                 |
    |             |                                                 |
    |             |                                                 |
    | FreeBSD 12  |172.20.0.41 (Attached to Bridged adapter)        |
    | +-----------+gw: 172.20.0.1---+---------------+               |
    | |                             |               |               |
    | |                             |               |               |
    | |                             |               |               |
    | | +---------------------------+--------+      |               |
    | | | jail : 172.20.0.110                |      |               |
    | | | gw: 172.20.0.1                     |      |               |
    | | |                                    |      |               |
    | | |                                    |      |               |
    | | |                                    |      |               |
    | | |                                    |      |               |
    | | +------------------------------------+      |               |
    | |                                             |               |
    | +---------------------------------------------+               |
    +---------------------------------------------------------------+

my jail.conf file (got from /usr/share/examples/jails/jail.xxx.conf)

    rsnapshot {
        host.hostname = "rsnapshot";    # hostname
        path = "/jails/rsnapshot";              # root directory

        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";

        #
        # NB: Below 4-lines required
        #
        vnet;
        # netgraph
        #vnet.interface = "ng0_rsnapshot";               # vnet interface(s)
        #exec.prestart += "jng bridge rsnapshot em0";    # bridge interface(s)
        #exec.poststop += "jng shutdown rsnapshot";      # destroy interface(s)
        # if_bridge
        vnet.interface = "e0b_rsnapshot";              # vnet interface(s)
        exec.prestart += "jib addm rsnapshot em0";     # bridge interface(s)
        exec.poststop += "jib destroy rsnapshot";      # destroy interface(s)

        # Standard recipe
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_rsnapshot_console.log";
        mount.devfs;    # mount devfs

        # Optional (default off)
        #devfs_ruleset = "11";          # rule to unhide bpf for DHCP
        #allow.mount;                   # mount /etc/fstab.rsnapshot
        #allow.set_hostname = 1;        # Allow hostname to change
        #allow.sysvipc = 1;             # Allow SysV Interprocess Comm.
    }

host ifconfig

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:9b:b8:c4
        inet 172.20.0.41 netmask 0xffffff00 broadcast 172.20.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:d7:f0:96:d8:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_rsnapshot flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
    e0a_rsnapshot: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

jail’s ifconfig

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    e0b_rsnapshot: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0b
        inet 172.20.0.110 netmask 0xffffff00 broadcast 172.20.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

I can ping any host in my network from the jail, but not the default gateway or outside.

tcpdump of wlan0 of my laptop shows as below, I can see ICMP echo request but no replies

    11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
    11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
    11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28

If I ping my laptop from the jail, it shows

    11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
    11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64

netstat -rn on jail

    root@freebsdjail1:/ # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            172.20.0.1         UGS    e0b_rsna
    127.0.0.1          link#1             UH          lo0
    172.20.0.0/24      link#2             U      e0b_rsna
    172.20.0.110       link#2             UHS         lo0

    Internet6:
    Destination                       Gateway                       Flags     Netif Expire
    ::/96                             ::1                           UGRS        lo0
    ::1                               link#1                        UH          lo0
    ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
    fe80::/10                         ::1                           UGRS        lo0
    fe80::%lo0/64                     link#1                        U           lo0
    fe80::1%lo0                       link#1                        UHS         lo0
    ff02::/16                         ::1                           UGRS        lo0

fail2ban logs full of “Failed to execute ban jail ‘recidive’ action ‘iptables-multiport'”

I’ve a ton of errors like this in my fail2ban.log

fail2ban.actions        [13370]: ERROR   Failed to execute ban jail 'recidive' action 'iptables-multiport' info 'CallingMap({'ip': '164.132.49.140', 'matches': '2019-04-01 08:30:14,100 fail2ban.actions        [1415]: NOTICE  [sshd] Ban 164.132.49.140\n2019-04-01 23:08:43,345 fail2ban.actions        [26861]: NOTICE  [sshd] Ban 164.132.49.140\n2019-04-01 08:30:14,100 fail2ban.actions        [1415]: NOTICE  [sshd] Ban 164.132.49.140\n2019-04-01 23:08:43,345 fail2ban.actions        [26861]: NOTICE  [sshd] Ban 164.132.49.140', 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa4a8366598>, 'time': 1554154478.985568, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa4a8366510>, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa4a8366488>, 'failures': 4, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa4a8366400>})': Error starting action 

I see that this is a single-line error, but it looks to me like there is an error with the pattern matching or something else in the log has caused a loop because pattern now matches even the error rows.

EDIT I found these rows, in the log, probably related to the error

    2019-04-01 23:44:35,895 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stdout: b''
    2019-04-01 23:44:35,896 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stderr: b''
    2019-04-01 23:44:35,897 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- returned 1
    2019-04-01 23:44:35,898 fail2ban.CommandAction  [19570]: ERROR   Invariant check failed. Trying to restore a sane environment
    2019-04-01 23:44:36,114 fail2ban.action         [19570]: ERROR   iptables -w -N f2b-recidive
    iptables -w -A f2b-recidive -j RETURN
    iptables -w -I INPUT -p all -m multiport --dports 0:65535 -j f2b-recidive -- stdout: b''

This is my recidive definition in jail.local

    [recidive]

    enabled  = true
    logpath  = /var/log/fail2ban.log
    filter   = recidive
    findtime = 86400
    maxretry = 2
    bantime  = 648000
    protocol = all

My filter.d/recidive.conf has this line

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$   

And this is all for my knowledge.

I am on Ubuntu 16.04, if useful.

Question is: how to debug the config error and even how to restore default working configuration. I have only another custom filter (pihole) and I know how to restore it but I have no idea if there is something like a reset for fail2ban config

How do I keep spellcasters from casting while in jail?

Interesting situation came up in my session. The players captured a wizard NPC and put him in jail. Then came a long discussion about what measures needed to be taken in order to prevent said wizard from using spells to force his way out.

Basic measures like removing a spell book, holy/arcane focus, and spell components would prevent use of any spells with a material component. A gag would stop verbal spells and being bound would stop somatic spells. However this is an unsustainable level of treatment for a jail for more than a day or so since it would have to be applied to ALL prisoners since there is no easy way to tell who can cast and who can’t.

Preventing a long rest would severely handicap most casters in that it would prevent recovery of spell slots/sorcery points, although a warlock wouldn’t be affected. Seems like a basic precaution to not allow prisoners long periods of rest. But this doesn’t affect unused spell slots and no character class, from what I can tell, “loses” spells if they don’t perform some sort of ritual each day (they just can’t change their prepared spells if applicable), even the wizard. So unless a caster is tapped out on spell slots/sorcery points before being jailed, they would always retain what they have left even if denied a long rest (and would still have cantrips).

So, apart from being tightly bound, gagged, and stripped, are there any ways to prevent casting that I’m missing?

There are plenty of verbal only spells that would be useful in a jail environment (Command, Knock, Misty Step) so really, how are casters supposed to be locked up other than some sort of dedicated magicked prison (assuming you could even transport them there)? Just taking out the gag to feed them opens up the possibility of a spell being cast. I don’t want my characters to have to be treated like this if they get jailed, but it seems like in a world of scarce magic items but numerous magic wielding people, anyone not KNOWN to be non-magic using would be treated like Hannibal Lecter or put in an Arkham Asylum type specialty prison (bad example, folks escape from there all the time! Maybe the one from Harry Potter).

My homebrew solution is to have the higher levels of exhaustion stop casting. This way someone who has been in a jail for more than a few days can’t cast due to poor conditions, poor food, etc. But they can still move around a bit and talk, so there are role playing possibilities (barter for more food, become prison kingpin to get better treatment, bribe a guard, etc). When captured maybe casters could be bound and gagged, but it wouldn’t be necessary for long term imprisonment.

I’m using the basic vanilla forgotten realms setting with the suggested “low magic item availability” from the 5e PHB and DMG. Judging from the published campaigns I’ve read (Phandelin and Horde) there does not seem to be common availability of magical effects and devices. Party level is 5-9th level.

The answers to the previous setting-free question “How could towns restrain a magic user?” have plenty of useful “soft” suggestions like archers on the roof. But I would like some 5e and Forgotten Realms-specific techniques.

[27759]: ERROR Failed to execute ban jail ‘sshd’ action in fail2ban log

On my Debian 8 server, I see lots of this error in fail2ban log.

 [27759]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '1.1.2.2', 'fam ily': 'inet4', 'ip-rev': '2.2.1.1.', 'ip-host': '210994.cloudwaysapps.com', 'fid': '1.1.2.2', 'failures': 3, 'time': 1547974803.0, 'matches': 'Jan 20 04:00:01  chat sshd[1326]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.2.2 \nJan 20 04:00:03 chat sshd[1326]: Failed password f or invalid user guest from 1.1.2.2 port 40633 ssh2', 'restored': 0, 'F-*': {'matches': ['Jan 20 04:00:01 chat sshd[1326]: pam_unix(sshd:auth): authentication failure;  logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.2.2 ', 'Jan 20 04:00:03 chat sshd[1326]: Failed password for invalid user guest from 1.1.2.2 port 40633 ssh2'] , 'failures': 3, 'mlfid': ' chat sshd[1326]: ', 'user': 'guest', 'ip4': '1.1.2.2'}, 'ipmatches': 'Jan 20 04:00:01 chat sshd[1326]: pam_unix(sshd:auth): authentication  failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.2.2 \nJan 20 04:00:03 chat sshd[1326]: Failed password for invalid user guest from 1.1.2.2 port 40633  ssh2', 'ipjailmatches': 'Jan 20 04:00:01 chat sshd[1326]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.2.2 \nJan 20 04 :00:03 chat sshd[1326]: Failed password for invalid user guest from 1.1.2.2 port 40633 ssh2', 'ipfailures': 3, 'ipjailfailures': 3})': Error banning 1.1.2.2 2019-01-20 04:01:24,018 fail2ban.actions   

I’m wondering what this error means and how to fix it?
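An added example, not part of either post: a small Python triage of `fail2ban.log` lines in the format quoted in the two fail2ban questions above (the `recidive` one and the `sshd` one), which pulls out the action commands that exited non-zero and counts failed bans per jail and action. The sample lines are constructed and shortened from that format with a documentation IP address, and the name `triage` is hypothetical; a `grep -q` check that "returned 1" means the `f2b-recidive` reference was not found in the INPUT chain listing.

```python
import re
from collections import Counter

# Constructed sample, shortened from the log format quoted in the posts (192.0.2.10 is a documentation IP).
SAMPLE_LOG = r"""
2019-04-01 23:44:35,895 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stdout: b''
2019-04-01 23:44:35,896 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stderr: b''
2019-04-01 23:44:35,897 fail2ban.action         [19570]: ERROR   iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- returned 1
2019-04-01 23:44:35,898 fail2ban.CommandAction  [19570]: ERROR   Invariant check failed. Trying to restore a sane environment
2019-04-01 23:44:36,200 fail2ban.actions        [19570]: ERROR   Failed to execute ban jail 'recidive' action 'iptables-multiport' info 'CallingMap({'ip': '192.0.2.10', 'failures': 4})': Error starting action
2019-04-01 23:50:02,311 fail2ban.actions        [19570]: NOTICE  [sshd] Ban 192.0.2.10
"""

# "<date> <time> fail2ban.<module> [<pid>]: <LEVEL> <message>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<mod>fail2ban\.\S+)\s+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
# Exit status of an action command: "<command> -- returned <rc>"
RETURNED = re.compile(r"^(?P<cmd>.*) -- returned (?P<rc>\d+)$")
# "Failed to execute ban jail '<jail>' action '<action>' info '...': <reason>"
BAN_FAIL = re.compile(
    r"^Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
    r" info .*: (?P<reason>Error [^:]+)$")


def triage(log_text):
    """Summarise ERROR lines: failing commands, failed bans, invariant failures."""
    failed_cmds, ban_failures, invariant = [], Counter(), 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue  # NOTICE/INFO lines and blank lines are not of interest here
        msg = m["msg"]
        if (r := RETURNED.match(msg)) and int(r["rc"]) != 0:
            failed_cmds.append((r["cmd"], int(r["rc"])))
        elif (b := BAN_FAIL.match(msg)):
            ban_failures[(b["jail"], b["action"], b["reason"])] += 1
        elif msg.startswith("Invariant check failed"):
            invariant += 1
    return {"failed_commands": failed_cmds,
            "ban_failures": ban_failures,
            "invariant_failures": invariant}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the real `/var/log/fail2ban.log`, the `failed_commands` list shows which check or start command fail2ban could not complete before each "Failed to execute ban" entry.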