Hello all,

Been really pulling my hair out on this one. A bit of background…

I’m running Debian 12 on the machines in question. As some of you may be aware - in Debian 12 the default is that (nearly) all logs go to the systemd journal - NOT /var/log/*. As such I’ve had to change my fail2ban configs to interface with this.

On one machine, I’m looking at sshd, postfix-sasl and some other things. On this machine the bans/blocks work as well as being logged into the systemd journal:

    root@orbital:/etc/fail2ban# journalctl -u fail2ban | grep -w Ban | wc -l
    20

On another machine, I really only care about openvpn. As openvpn doesn’t seem to have an included filter with fail2ban (at least on Debian 12), I am using these instructions:

https://gist.github.com/drmalex07/463e4c7356bcfb2b3d21ff9fdc5aa6b3

My jail.local definition is:

    [openvpn]
    enabled = true
    port = 11194
    protocol = udp
    filter = openvpn
    maxretry = 5

I have one success and two problems with this setup. The success is that it actually blocks - great! The two problems (might be related? hence me posting here…):

- NOTICE [openvpn] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.

  I get this as it’s sucking in the whole journal by default. However, no amount of journalmatch etc. that I have tried seems to work to avoid this.

- Even though the bans are working, they are logged to /var/log/fail2ban.log - NOT into the systemd journal.

On my other machine, as listed above, I get the bans as well as the logs in the journal. On that machine I have the global backend set to systemd, but my sshd jail also has:

    backend = %(sshd_backend)s

I don’t have anything like that for openvpn. Dunno if that is a cause or a red herring.

Would greatly appreciate any help on this.

Thanks.
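
An added example, not part of the original post: the jail from the message above with the systemd backend and a journalmatch set explicitly, plus the Fail2ban setting that controls where Fail2ban writes its own log. The unit name openvpn-server@server.service is an assumption; the unit names actually present in the journal can be listed with `journalctl -F _SYSTEMD_UNIT`.

```ini
# --- /etc/fail2ban/jail.local (constructed example) ---
[openvpn]
enabled      = true
port         = 11194
protocol     = udp
filter       = openvpn
maxretry     = 5
# Read events from the systemd journal instead of a log file.
backend      = systemd
# Only evaluate the filter's regexes against entries from the OpenVPN unit.
# ASSUMPTION: replace the unit name with the one that exists on the machine.
journalmatch = _SYSTEMD_UNIT=openvpn-server@server.service

# --- /etc/fail2ban/fail2ban.local (constructed example) ---
[DEFAULT]
# Destination of Fail2ban's own messages, including "Ban" lines.
# A file path here sends them to that file; SYSTEMD-JOURNAL sends them
# to the journal, where "journalctl -u fail2ban" can read them.
logtarget = SYSTEMD-JOURNAL
```

Both settings take effect after Fail2ban is restarted; the NOTICE about a missing journalmatch is printed at jail start, so its absence in the startup log shows the match was accepted.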