-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BR]: fail2ban does not start on some debian/ubuntu systems - backend should probably be set to systemd on all systemd-based distros #3292
Comments
It looks to me like a pretty maintainer issue. @fail2ban/maintainers, @sylvestre Any idea? From other point of view it is a configuration issue and can be surely simply fixed using: - echo -e "[sshd]\nenabled=true" | sudo tee /etc/fail2ban/jail.local
+ echo -e "[sshd]\nbackend=systemd\nenabled=true" | sudo tee /etc/fail2ban/jail.local With other words: $ sudo cat /etc/fail2ban/jail.local
[sshd]
+ backend=systemd
enabled = true Pretty simply, isn't?
Well, it may work for sshd jail but could fail for some other jail if it gets enabled, but much more important is vice versa situation...
... that the issue with such a configuration would be - the system having systemd installed doesn't guarantee that every service affected by that include for which the jail would use systemd backend by default will also log into systemd journal.
The former is unpleasant but safe against possible misconfiguration, whereas the later is pretty ugly and hardly noticeable. However I'm not against the suggestion to make |
I thought so at first ... but since the path-*.conf is part of the fail2ban git repository, I feel it should be handled here. As mentioned, this has also been flagged as a debian bug since 2014 ...
Well, for you and me ... sure, trivial ... but for anyone setting up fail2ban without any knowledge of the package, and just following the instructions (at least as they are at the top of jail.conf), I think it's a bad user experience when it doesn't work. Actually, it did take me quite some time digging to figure out that the trick is
You may have a point, I'm just not sure if it is significant. I strongly believe that:
I've been looking a bit around... unfortunately I have no Debian to test with, but I have plenty of Ubuntu flavors, plus some CentOS and RHEL.
I could certainly do more testing, like checking every service on the list (sshd, dropbear, proftpd, pureftpd, wuftpd, postfix, dovecot ... syslog is also on the list, perhaps that one should be taken out). Of course it could be all down to "confirmation bias", but what I've seen just makes me stronger in my belief that systemd is the more correct backend for all those services for all systems running systemd :-) |
I just came across this today on a fresh Debian 12 install. It seems a (packaging) bug to me that installing the fail2ban package results in a crashed service. It's taken a bit of searching to get here, and I still haven't got fail2ban running. I have installed in the usual way:
Then I created
And then tried to start the service again, but it crashes.
I note that there's
Finally I realised I also needed to install TL;DR: to install on debian 12:
|
Because we get so many requests related to this issue... @fail2ban/maintainers, @sylvestre would it make sense to add: sshd_backend = systemd to https://github.com/fail2ban/fail2ban/blob/master/config/paths-debian.conf Or would you rather want to add it to debian repository? From other side, I remember an idea, how we probably can "fix" this and similar issues once and for all - if one would extend |
On Debian 12 and Raspberry OS 12 |
Well, basically it must be jail.local what you should change (see wiki :: Proper fail2ban configuration), not the jail.conf. But OK.
This is only expecting if IPv6 address need to be banned too and that over some of iptables actions (otherwise one needs nftables instead).
What do you means with that? Neither I understand which logs that are, nor where they need to be saved, nor what does it have to do with fail2ban.
Do you mean fail2ban stats? Then it is normal, see #2123 (comment) Line 70 in c6244a8
Firstly we need to understand what exactly do you want to "repair"? |
I'm sorry, the file is jail.local :) backend = systemd Also [DEFAULT] [SSHD] Without specifying nftables,, sshd doesn't block the IP address even if it's in the banned list. Also, this is how I'm tracking the sshd ban status in real time: Also, you can monitor sshd with the new Journalctl: Hope this helps. I really liked the out-of-the-box functionality in Debian 11. Fail2ban is great software! |
I just ran into the same problem with Debian 12 and was glad to see the solution (or workaround?) mentioned here. All I had to do was changing Maybe some further explanation for non-experts in the following guidance text of
Especially the final "Note" needs further attention, I guess, but I am a noob to provide more ideas about this, I'm afraid. I rather came here after searching for a solution. So the most I can provide here is this: Thanks a lot, guys, for all your time and work you spend on this! ❤️ |
Folks, don't hesitate to contribute to https://salsa.debian.org/python-team/packages/fail2ban/ if you feel that things could be improved in the package :) |
This note means that if someone overwrites |
Ciao Tommaso. Create a jail.local copying the file in /etc/fail2ban/jail.conf backend = systemd Also [DEFAULT] [SSHD] SSHD is set on default, i only changed backend=systemd and nftables. |
You've been too fast :D I posted by accident, I actually solved the issue, the problem was with ufw (I do not use nftables). Thanks anyway! |
On debian12 or above,there should change backend = auto to backend = systemd in /etc/fail2ban/jail.local fail2ban/fail2ban#3292
Hi, what problem was ufw creating? |
It was a botched configuration option that I did for testing but I forgot to remove in ufw, nothing related to fail2ban |
Hello, The Debian 12 original packages are still misconfigurated out of the box? In this case is there a clear reference jail.conf that actually works? |
See the first answer in this topic - #3292 (comment) |
It is simply not possible... Also source code show that related to fail2ban/fail2ban/client/jailreader.py Line 262 in b59fd2e
it'd never reach line fail2ban/fail2ban/client/jailreader.py Line 276 in b59fd2e
|
@germebl, your jail is calling - [ssh]
+ [sshd]
backend = systemd
... |
correct, you where faster in responding than me in deleting my post. ^^ Got it a second later. Sry for the inconvenience. |
人们,让我们知道您需要多少时间泡茶、遛狗等... The facts are:
I'll remove all similar comments now and in the future. |
@sapphirecat Moreover, I don't understand how it'd work, because our stock Lines 274 to 282 in 7b528a6
So normally it doesn't matter what you'd set in default section, because it is overwritten in jail. |
In the newest release of 1.1.0-1~upstream1 deb-package here I made sshd by default systemd backend (in oppossite to original deb-package in I tend to cherry-pick this into master branch (which also doesn't have any No idea whether the maintainers of debian would take it on in his repo. |
Thanks. I followed your advice :) |
Like many others, I came here because I installed So the short story, as far as the current versions of the Debian packages are concerned:
|
Environment:
The issue:
On modern systemd-based distros, like newer releases of Ubuntu, Debian, Archlinux, RHEL, Fedora, etc, services like sshd logs to the systemd journal. Optionally rsyslog or syslog can be installed and run, and logs will also be available i.e. in
/var/log/auth.log
or/var/log/secure.log
.In the files
/etc/fail2ban/paths-{arch|fedora|opensuse}
there is a section like this:... and because of this, fail2ban works on arch, fedora (with derivatives) and opensuse. However, it fails on debian and ubuntu, unless the syslog package is installed and the service is running. Apparently this was reported as early as 2014 at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171 and it's also reported for Ubuntu 16.04 at https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/1696591 ... we're running Ubuntu and EL. On our baseimages with Ubuntu 16.04, fail2ban installs and runs because we have syslog running there, on Ubuntu 20.04 we've had to hand-tune configuration to get fail2ban run on the services above. On EL it also works due to the
paths-fedora.conf
-file.Steps to reproduce
sudo apt-get install fail2ban
)echo -e "[sshd]\nenabled=true" | sudo tee /etc/fail2ban/jail.local
sudo systemctl start fail2ban
sudo systemctl status fail2ban
- the error message looks likeERROR Failed during configuration: Have not found any log file for sshd jail
.Suggestion
I suggest creating a
/etc/fail2ban/paths-systemd
containing only the lines*_backend = systemd
, and make sure it's run from any operating system having systemd installed.Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
The text was updated successfully, but these errors were encountered: