Your message dated Tue, 02 Jan 2024 19:34:24 +0000
with message-id <[email protected]>
and subject line Bug#770171: fixed in fail2ban 1.0.2-3
has caused the Debian Bug report #770171,
regarding sshd jail fails when system solely relies on systemd journal for logging
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
770171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.9.1-1
Severity: important

Dear Maintainer,

when a system is configured to use the systemd journal as the sole logging system, i.e. when none of the packages provided by system-log-daemon are installed, the default sshd jail does not work.

When logging in the system is done by using the systemd journal, the file /var/log/auth.log is not used anymore. While fail2ban 0.9 can use the systemd journal for matching offending log entries, the Debian package comes with a "backend = auto" statement that effectively disables matching against entries in the journal. As the log files in /var/log are not updated anymore, fail2ban becomes useless.

In order to have the sshd jail work correctly I had to:

1. install python3-systemd, which is right now only suggested by fail2ban, but given that systemd is going to be default in jessie it should probably become a Depends

2. activate the systemd backend by adding

       [DEFAULT]
       backend = systemd

   to the jail.d/defaults-debian.conf file

3. modify filter.d/sshd.conf to use the correct name of the sshd systemd unit in Debian, which is ssh.service and not sshd.service:

       [Init]
       journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

I did not find a way to perform 3 in a way that is robust against future upgrades of the fail2ban package...

With the above mentioned modifications in place fail2ban correctly bans abusive hosts.

I am not sure if syslog-ng or rsyslog are still going to be installed by default in jessie (probably yes?), but I would assume that a number of people would want to solely rely on the systemd journal, as otherwise logging gets duplicated and would be unhappy to discover that fail2ban has not been working for months (like it happened to me ;).

I don't know if fail2ban should use the systemd backend by default, but the steps needed to make it work that way should be at least mentioned in NEWS.Debian or README.Debian *and* the sshd filter should use the correct name of the systemd unit [maybe all filters should be checked for wrong systemd unit names?].

As a side note, do you think that package systemd should Provide system-log-daemon? Is this worth filing a bug against systemd?

Ciao,
Tiziano

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  init-system-helpers  1.21
ii  lsb-base             4.1+Debian13+nmu1
ii  python3              3.4.2-1
pn  python3:any          <none>

Versions of packages fail2ban recommends:
ii  iptables           1.4.21-2+b1
pn  python3-pyinotify  <none>
ii  whois              5.2.2

Versions of packages fail2ban suggests:
pn  mailx              <none>
ii  python3-systemd    215-6
pn  system-log-daemon  <none>

-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
ignoreregex =
[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

/etc/fail2ban/jail.d/defaults-debian.conf changed:
[DEFAULT]
backend = systemd
[sshd]
enabled = true

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: fail2ban
Source-Version: 1.0.2-3
Done: Sylvestre Ledru <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <[email protected]> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 19 Sep 2023 13:55:20 +0200
Source: fail2ban
Architecture: source
Version: 1.0.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Sylvestre Ledru <[email protected]>
Closes: 770171 1037437
Changes:
 fail2ban (1.0.2-3) unstable; urgency=medium
 .
   * Add banaction = nftables in the defaults-debian.conf default
     see https://github.com/fail2ban/fail2ban/discussions/3575#discussioncomment-7045315
   * Move python3-systemd as depend (Closes: #770171, #1037437)
   * Add backend = systemd to jail.d/defaults-debian.conf
--- End Message ---
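
An added example, not part of the bug report or of fail2ban: a small Python check that replays the report's three configurations against a journal-only host and lists what leaves the sshd jail misconfigured. The config snippets are constructed from the report (the shipped journalmatch line is inferred from the reporter's remark about sshd.service), the function names are hypothetical, and it assumes every backend other than systemd reads the files named in logpath.

```python
import configparser
import re


def merged(layers, section):
    """Merge config texts in order (later layers win) and return one section
    with [DEFAULT] values filled in. Raw parser: %(...)s is left untouched."""
    cp = configparser.RawConfigParser()
    for text in layers:
        cp.read_string(text)
    return dict(cp.items(section))


def audit_sshd(jail_layers, filter_layers, files_present, units_present):
    """Return configuration findings for the sshd jail on the described host."""
    jail = merged(jail_layers, "sshd")
    backend = jail.get("backend", "auto")
    findings = []
    if backend == "systemd":
        match = merged(filter_layers, "Init").get("journalmatch", "")
        for unit in re.findall(r"_SYSTEMD_UNIT=(\S+)", match):
            if unit not in units_present:
                findings.append(f"journalmatch names unit {unit}, which is not present")
    else:
        # Assumption: a non-systemd backend only ever reads the logpath files.
        for path in jail.get("logpath", "").split():
            if path not in files_present:
                findings.append(f"backend={backend} but {path} is absent")
    return findings


# Constructed sample configuration, trimmed to the keys that matter here.
JAIL_CONF = "[DEFAULT]\nbackend = auto\n[sshd]\nlogpath = /var/log/auth.log\n"
DEBIAN_OLD = "[sshd]\nenabled = true\n"
DEBIAN_FIXED = "[DEFAULT]\nbackend = systemd\n[sshd]\nenabled = true\n"
FILTER_SHIPPED = "[Init]\njournalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd\n"
FILTER_REPORTER = "[Init]\njournalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd\n"
# Journal-only Debian host: no /var/log/auth.log, sshd runs as ssh.service.
JOURNAL_ONLY = dict(files_present=set(), units_present={"ssh.service"})

if __name__ == "__main__":
    cases = [("as shipped", DEBIAN_OLD, FILTER_SHIPPED),
             ("backend = systemd only", DEBIAN_FIXED, FILTER_SHIPPED),
             ("all three steps", DEBIAN_FIXED, FILTER_REPORTER)]
    for name, jail_d, flt in cases:
        print(name, audit_sshd([JAIL_CONF, jail_d], [flt], **JOURNAL_ONLY))
```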

