fix: use systemd backend for fail2ban for Debian 12 and higher #122
Just my few cents.
templates/jail.local.j2
Outdated
{% if ansible_distribution_major_version | int >= 12 %} | ||
[DEFAULT] | ||
backend = systemd | ||
logtarget = SYSTEMD-JOURNAL |
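Review bot: on the `{% if ansible_distribution_major_version | int >= 12 %}` line, Jinja2's `int` filter returns 0 when the value is not a number, so a host whose major-version fact is non-numeric silently keeps the old file backend. Consider exposing the backend as a role variable whose default comes from this test, so it can be set by hand on such hosts.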
`logtarget = SYSTEMD-JOURNAL` belongs to `fail2ban.conf`, not to jail config
I moved the `logtarget = SYSTEMD-JOURNAL` configuration to `/etc/fail2ban/fail2ban.local`, see 0b9a774 templates/fail2ban.local.j2
templates/jail.local.j2
Outdated
@@ -1,3 +1,9 @@ | |||
{% if ansible_distribution_major_version | int >= 12 %} |
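Review bot: the `{% if %}` test compares only the major version, so it is also true on any other distribution whose major version is 12 or more, for example Ubuntu 22.04, where the fact is 22. Add an `ansible_distribution == 'Debian'` test to the condition so the block is rendered only where it is meant to apply.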
I guess it'd check only the version but not the distribution (whether it is debian 12)
I've also added a Debian distribution check, see 0b9a774 tasks/fail2ban.yml
templates/jail.local.j2
Outdated
@@ -1,3 +1,9 @@ | |||
{% if ansible_distribution_major_version | int >= 12 %} | |||
[DEFAULT] | |||
backend = systemd |
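Review bot: `backend = systemd` under `[DEFAULT]` changes the backend for every jail that does not set its own, so jails whose services write only to log files would be pointed at the journal and could stop matching without any error. Set it under the jail that needs it, for example `[sshd]`, rather than in `[DEFAULT]`.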
It would probably not work for everything, since for example the sshd jail has its own definition that overwrites the default:
https://github.com/fail2ban/fail2ban/blob/44fa2959e7c8ee010138250b3dafcfebc57dbce8/config/jail.conf#L282
So `paths-debian.conf` may be adjusted instead (or together).
From another point of view, for other jails which remain file-related that may be too much (because the user would not even notice that some jails don't match anymore at all).
My suggestion would also be that we only set the backend for SSH in `jail.local` if Debian is recognized and version >= 12 is running.
I created my own patch that is now running successfully on my machines, based on this PR and the comments in the review: maveonair@376a84f
Now the `backend = systemd` configuration is in `jail.local` under [sshd], see 0b9a774 templates/jail.local.j2
I did tests, looks good to me
pi@kube2:~ $ sudo journalctl -u fail2ban.service -f
Dec 18 18:53:48 kube2 fail2ban[339242]: maxLines: 1
Dec 18 18:53:48 kube2 fail2ban[339242]: [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
Dec 18 18:53:48 kube2 fail2ban[339242]: maxRetry: 5
Dec 18 18:53:48 kube2 fail2ban[339242]: findtime: 600
Dec 18 18:53:48 kube2 fail2ban[339242]: banTime: 600
Dec 18 18:53:48 kube2 fail2ban[339242]: encoding: UTF-8
Dec 18 18:53:48 kube2 fail2ban[339242]: Jail 'sshd' reloaded
Dec 18 18:53:48 kube2 fail2ban[339242]: Reload finished.
Dec 18 18:53:48 kube2 fail2ban-client[3785923]: OK
Dec 18 18:53:48 kube2 systemd[1]: Reloaded fail2ban.service - Fail2Ban Service.
Dec 18 18:59:04 kube2 fail2ban[339242]: [sshd] Found 192.168.1.3 - 2023-12-18 18:59:03
Dec 18 18:59:04 kube2 fail2ban[339242]: [sshd] Found 192.168.1.3 - 2023-12-18 18:59:04
From my side, I added these tasks to work around this issue:
as the default file
Fail2ban does not start on some Debian/Ubuntu systems because the /var/log/auth.log file does not exist.
Since Debian 12, the syslog auth.log has been replaced by Journalctl. This change is the end of a change from traditional log files to Systemd-Journald-Daemons, which started with Debian 8 (Jessie).
References
fail2ban/fail2ban#3292
Issue #121
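The layering question raised in the review (a `[DEFAULT]` backend versus a jail that sets its own `backend`) can be modelled with Python's `configparser`. This is an added example, not code from this PR or from fail2ban. The jail.conf text is constructed, the `nginx-http-auth` jail and the fixed `sshd_backend = auto` value are assumptions, and `configparser` is only a stand-in for fail2ban's own config reader.

```python
import configparser

# Constructed stand-in for the packaged jail.conf (NOT the real file).
# Assumption: [sshd] takes its backend from a fixed sshd_backend value,
# modelling the review comment that the sshd jail has its own definition.
JAIL_CONF = """
[DEFAULT]
backend = auto
sshd_backend = auto
[sshd]
enabled = true
backend = %(sshd_backend)s
logpath = /var/log/auth.log
[nginx-http-auth]
enabled = true
logpath = /var/log/nginx/error.log
"""
LOCAL_DEFAULT = "[DEFAULT]\nbackend = systemd\n"  # first revision of the template
LOCAL_SSHD = "[sshd]\nbackend = systemd\n"        # revision after review


def effective_backends(*layers):
    """Merge layers in order (later wins); return {jail: resolved backend}."""
    cp = configparser.ConfigParser()
    for text in layers:
        cp.read_string(text)
    return {jail: cp.get(jail, "backend") for jail in cp.sections()}


def unintended_changes(base, override, intended):
    """Jails outside `intended` whose backend differs once override is applied."""
    before = effective_backends(base)
    after = effective_backends(base, override)
    return {j: (before.get(j), after[j]) for j in after
            if j not in intended and before.get(j) != after[j]}


if __name__ == "__main__":
    for name, local in (("[DEFAULT]", LOCAL_DEFAULT), ("[sshd]", LOCAL_SSHD)):
        print(name, effective_backends(JAIL_CONF, local),
              "unintended:", unintended_changes(JAIL_CONF, local, {"sshd"}))
```

On a real host, the resolved configuration should be checked with fail2ban's own tooling, since this model does not follow fail2ban's include files.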