fix: use systemd backend for fail2ban for Debian 12 and higher #122
Conversation
templates/jail.local.j2
Outdated
| {% if ansible_distribution_major_version | int >= 12 %} | ||
| [DEFAULT] | ||
| backend = systemd | ||
| logtarget = SYSTEMD-JOURNAL |
There was a problem hiding this comment.
logtarget = SYSTEMD-JOURNAL belongs to fail2ban.conf not to jail config
There was a problem hiding this comment.
I moved logtarget = SYSTEMD-JOURNAL configuration to /etc/fail2ban/fail2ban.local, see 0b9a774 templates/fail2ban.local.j2
templates/jail.local.j2
Outdated
| @@ -1,3 +1,9 @@ | |||
| {% if ansible_distribution_major_version | int >= 12 %} | |||
There was a problem hiding this comment.
I guess it'd check only the version but not the distribution (whether it is debian 12)
There was a problem hiding this comment.
I've added also debian distribution check, see 0b9a774 tasks/fail2ban.yml
templates/jail.local.j2
Outdated
| @@ -1,3 +1,9 @@ | |||
| {% if ansible_distribution_major_version | int >= 12 %} | |||
| [DEFAULT] | |||
| backend = systemd | |||
There was a problem hiding this comment.
It would probably not work for everything, since for example sshd jail has its own definition that overwrites the default:
https://github.com/fail2ban/fail2ban/blob/44fa2959e7c8ee010138250b3dafcfebc57dbce8/config/jail.conf#L282
So paths-debian.conf may be adjusted instead (or together).
From other point of view for other jails which remains file-related that may be too much (because the user would even not notice that some jails doesn't match anymore at all.
There was a problem hiding this comment.
My suggestion would also be that we only set the backend for SSH in jail.local if Debian is recognized and version >= 12 is running.
I created my own patch that is now running successfully on my machines, based on this PR and the comments in the review: maveonair@376a84f
There was a problem hiding this comment.
Now is the backend = systemd configuration in jail.local under [sshd], see 0b9a774 templates/jail.local.j2
I did tests, looks good for me
pi@kube2:~ $ sudo journalctl -u fail2ban.service -f
Dec 18 18:53:48 kube2 fail2ban[339242]: maxLines: 1
Dec 18 18:53:48 kube2 fail2ban[339242]: [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
Dec 18 18:53:48 kube2 fail2ban[339242]: maxRetry: 5
Dec 18 18:53:48 kube2 fail2ban[339242]: findtime: 600
Dec 18 18:53:48 kube2 fail2ban[339242]: banTime: 600
Dec 18 18:53:48 kube2 fail2ban[339242]: encoding: UTF-8
Dec 18 18:53:48 kube2 fail2ban[339242]: Jail 'sshd' reloaded
Dec 18 18:53:48 kube2 fail2ban[339242]: Reload finished.
Dec 18 18:53:48 kube2 fail2ban-client[3785923]: OK
Dec 18 18:53:48 kube2 systemd[1]: Reloaded fail2ban.service - Fail2Ban Service.
Dec 18 18:59:04 kube2 fail2ban[339242]: [sshd] Found 192.168.1.3 - 2023-12-18 18:59:03
Dec 18 18:59:04 kube2 fail2ban[339242]: [sshd] Found 192.168.1.3 - 2023-12-18 18:59:04
|
From my side, i added these task to workaround with this issue : as the default file |
Fail2ban does not start on some debian/ubuntu systems because of /var/log/auth.log file does not exists.
Since Debian 12, the sylog, auth.log has been replaced by Journalctl. This change is the end of a change from traditional log files to Systemd-Journald-Daemons, which started with Debian 8 (Jessie).
References
#fail2ban/fail2ban#3292
Issue ##121