-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sshd jail fails on Ubuntu 20.04 (is this module maintained?) #56
Comments
This comment was marked as outdated.
This comment was marked as outdated.
Looking more into the fail2ban configuration, the Apparently the default backend is not touched by this fail2ban puppet module (and the default sshd configuration in the package is the same as what was rolled out by this fail2ban-module). Perhaps the problem is actually in the fail2ban package, and not in the puppet module. I will look a bit more into it. |
I purged the config, reinstalled the package, and enabled the sshd jail according to the instructions supplied in the jail.conf file from the package - and fail2ban fails to start. I conclude that the problem is in the fail2ban package for ubuntu, not in this puppet module as such. Probably it will work if installing a syslog package. I will leave this issue open - I think that with a good puppet module things should "just work" - even if that means adding workarounds for known bugs in the package. :-) |
Found some relevant issues: https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/1696591 So in the default Setting the default backend to systemd may not be the correct approach, as it will break for services that uses log files without explicitly giving a backend. |
Hi and thanks for reporting the issues with ubuntu 20.04! and yes this module is still being maintained. I still use it in production, but on debian -- I don't tend to use Ubuntu so I can't easily spot those problems. So I need help with making the module work for ubuntu and I'd be happy to merge in changes to fix things up for it. aha, so there's no syslog log file in ubuntu 20.04? what we can do then since ubuntu, seems to require a different set of options, would be to create a new file in Do you know if the same problem would happen in 22.04 also? |
Syslog can be installed as a separate package. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171 hints that this may be an issue on Debian too ... all since 2014 indeed :-) The bug report I found for Ubuntu tells me it has been an issue also for ubuntu 16.04 (but we do have several ubuntu 16.04-instances with your puppet module running where it hasn't been an issue ... perhaps our 16.04 base image came with syslog installed, I should check that up). This will definitively continue being an issue in 22.04, unless the problem is fixed upstream. I'll think a bit more on this until tomorrow. |
I should add, this (log information from ssh and others only available in the systemd journal) is not specific for Ubuntu, this is the general directions things are going in most distributions using systemd. I'll check up a bit how things are working on centos and archlinux as soon as I get the time for it. |
I installed fail2ban "out of the box" on archlinux, enabled the sshd jail as suggested in jails.conf, and ... it works. The reason is the file
There is also a I think that for all modern systemd-based distros, the logging for those services will be available in the systemd journal, and the logging may also be available in legacy logs if the syslog or rsyslog package is installed and the service is running. This may be optional on some OS'es ... like, as referenced, someone already reported in 2014 that they had a Debian-system running without syslog. I have checked up some systems:
My suggestion is to roll out a file
... and make sure it's included in all modern systemd-based distros. |
I've raised an issue upstream: fail2ban/fail2ban#3292 |
@lelutin , could you check if my hypotheses are correct also for your Debian ...
I don't think it's a point to check all those services ... just do |
Hi again @tobixen and thanks for all of the analysis. So far the approach that I've used for this puppet module is to make sure that default configurations in distros/releases are supported out of the box by the module, and it should be possible to set options to make it configure things when a different setup is used. So.. if I understand the situation properly, do you mean that ubuntu's default configuration (e.g. a fresh vanilla install of ubuntu) replaced syslog with journald entirely starting with a certain version (maybe 20.04? or maybe before?). I know that debian has still not moved to replace syslog with journald, but it's quite possible that ubuntu made the move. One method is to override the default backend param. The module has a Do you think this method would work sufficiently well for you and other users? If you want to try it out, you can create a file ---
fail2ban::backend: 'systemd' This'll set the backend only for 20.04. If this works properly we can create the files in the module in the "reverse order" as described above (e.g. create the above content in Also, by looking at things for this issue, I saw that management of |
oh wait I think I got confused a bit (it's a bit hard for me to visualize what's happening without a local ubuntu VM -- I should just download an image to check things out). iiuc the current value within the default_backend = %(default/backend)s
sshd_backend = %(default_backend)s is this it? if that's the case then I believe it means that with Sorry if I sounded maybe a bit confused in my previous message. But as I said in the previous message, if ubuntu did change the default backend for logs from syslog to journald starting with 20.04 we should apply a fix with hiera as described previously. Cheers |
Unfortunately the fail2ban setup got pushed further down in my todo-stack, I'm not sure I will get time to revisit this one until the autumn. If I remember correct, the ubuntu image I had would only log things like sshd into the journal and not into log files. I do not know if this is specific for the ubuntu image I had access to or if it applies generally. As far as I can understand, Debian can also be configured that way, as I found an old bug report on this applying to Debian. |
Rolling out the module according to the README on Ubuntu 20.04 just for protecting sshd causes a broken fail2ban ... the service fails with the error message:
I can probably figure out of this and make a pull request, but first I'd like to know if this module is maintained, and if it is supposed to work with Ubuntu? The alternative seems to be the voxpupuli-module, but it seems like it's a lot more work to set up a simple sshd jail with the voxpupuli-module.
The text was updated successfully, but these errors were encountered: