Package: fail2ban
Version: 0.11.2-2
Severity: normal

Dear Maintainer,
We have a problem using fail2ban with the proftpd and sshd jails on Debian
Bullseye and Buster.
We have a pretty simple/standard config, with the proftpd jail enabled in our
file /etc/fail2ban/jail.d/proftpd.conf

[proftpd]
enabled = true

Some hosts use the default banaction, some use a banaction with ipset.
We use iptables-legacy, because we use firehol for generating our firewall.

The problem is that the proftpd and sshd jails are never registered in the
firewall, but fail2ban loads them.
Some other jails are loaded and registered in the firewall without problems
(mostly...).
For example:

# iptables -L -n -v | grep f2b
 140K 8379K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b-firehol src

# fail2ban-client status 
Status
|- Number of jail:      3
`- Jail list:   firehol, proftpd, sshd

# fail2ban-client status proftpd 
Status for the jail: proftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/proftpd/proftpd.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

And this is in the log:

2022-05-11 12:51:09,596 fail2ban.jail           [732814]: INFO    Creating new jail 'proftpd'
2022-05-11 12:51:09,596 fail2ban.jail           [732814]: INFO    Jail 'proftpd' uses pyinotify {}
2022-05-11 12:51:09,596 fail2ban.filter         [732814]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('proftpd'))
2022-05-11 12:51:09,596 fail2ban.filter         [732814]: DEBUG   Created FilterPyinotify(Jail('proftpd'))
2022-05-11 12:51:09,599 fail2ban.filter         [732814]: DEBUG   Setting usedns = warn for FilterPyinotify(Jail('proftpd'))
2022-05-11 12:51:09,599 fail2ban.server         [732814]: DEBUG     prefregex: '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?proftpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?proftpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?\\S+ \\(\\S+\\[<HOST>\\]\\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$'
2022-05-11 12:51:09,601 fail2ban.filter         [732814]: INFO    Added logfile: '/var/log/proftpd/proftpd.log' (pos = 3553, hash = 621b6cc23a2073ed6173a4b7bff999ac9705b311)
2022-05-11 12:51:09,602 fail2ban.filterpyinotify[732814]: DEBUG   New <Watch wd=1 path=/var/log/proftpd mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0x7fe14c092ca0> dir=True >
2022-05-11 12:51:09,602 fail2ban.filterpyinotify[732814]: DEBUG   Added monitor for the parent directory /var/log/proftpd
2022-05-11 12:51:09,602 fail2ban.filterpyinotify[732814]: DEBUG   New <Watch wd=2 path=/var/log/proftpd/proftpd.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0x7fe14c092ca0> dir=False >
2022-05-11 12:51:09,602 fail2ban.filterpyinotify[732814]: DEBUG   Added file watcher for /var/log/proftpd/proftpd.log
2022-05-11 12:51:09,602 fail2ban.filterpyinotify[732814]: MSG     Log absence detected (possibly rotation) for /var/log/proftpd/proftpd.log, reason: INITIAL of /var/log/proftpd/proftpd.log
2022-05-11 12:51:09,602 fail2ban.CommandAction  [732814]: DEBUG     Set name = 'proftpd'
2022-05-11 12:51:09,611 fail2ban.jail           [732814]: DEBUG   Starting jail 'proftpd'
2022-05-11 12:51:09,611 fail2ban.filterpyinotify[732814]: DEBUG   [proftpd] filter started (pyinotifier)
2022-05-11 12:51:09,611 fail2ban.filterpyinotify[732814]: MSG     Log presence detected for file /var/log/proftpd/proftpd.log
2022-05-11 12:51:09,611 fail2ban.jail           [732814]: INFO    Jail 'proftpd' started
2022-05-11 12:51:23,025 fail2ban.jail           [732814]: DEBUG   Stopping jail 'proftpd'
2022-05-11 12:51:23,025 fail2ban.filter         [732814]: INFO    Removed logfile: '/var/log/proftpd/proftpd.log'
2022-05-11 12:51:23,025 fail2ban.filterpyinotify[732814]: DEBUG   Removed file watcher for /var/log/proftpd/proftpd.log
2022-05-11 12:51:23,025 fail2ban.filterpyinotify[732814]: DEBUG   Removed monitor for the parent directory /var/log/proftpd
2022-05-11 12:51:23,127 fail2ban.filterpyinotify[732814]: DEBUG   [proftpd] filter exited (pyinotifier)
2022-05-11 12:51:23,628 fail2ban.actions        [732814]: NOTICE  [proftpd] Flush ticket(s) with iptables-ipset-proto6-drop
2022-05-11 12:51:23,628 fail2ban.actions        [732814]: DEBUG     Unbanned 0, 0 ticket(s) in 'proftpd'
2022-05-11 12:51:23,628 fail2ban.actions        [732814]: DEBUG   proftpd: action iptables-ipset-proto6-drop terminated
2022-05-11 12:51:23,629 fail2ban.filterpyinotify[732814]: DEBUG   [proftpd] filter terminated (pyinotifier)
2022-05-11 12:51:23,629 fail2ban.jail           [732814]: INFO    Jail 'proftpd' stopped
2022-05-11 12:51:23,765 fail2ban.jail           [733102]: INFO    Creating new jail 'proftpd'
2022-05-11 12:51:23,765 fail2ban.jail           [733102]: INFO    Jail 'proftpd' uses pyinotify {}
2022-05-11 12:51:23,773 fail2ban.filter         [733102]: INFO    Added logfile: '/var/log/proftpd/proftpd.log' (pos = 3553, hash = 621b6cc23a2073ed6173a4b7bff999ac9705b311)
2022-05-11 12:51:23,783 fail2ban.jail           [733102]: INFO    Jail 'proftpd' started


What can cause the problems? I remember there were some lock problems when
using iptables-legacy, but I don't see any error messages in the logs.

With regards,
Libor


-- System Information:
Debian Release: bookworm/sid
  APT prefers experimental
  APT policy: (700, 'experimental'), (700, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=cs_CZ.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  11.1.0
ii  python3   3.10.4-1+b1

Versions of packages fail2ban recommends:
ii  iptables           1.8.7-1
ii  python3-pyinotify  0.9.6-1.3
pn  python3-systemd    <none>
ii  whois              5.5.13

Versions of packages fail2ban suggests:
pn  mailx                        <none>
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.2204.1-1
ii  sqlite3                      3.38.5-1
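
Added example, not part of the original report and not fail2ban's own code: a cross-check of the three outputs quoted above that separates jails with a firewall reference from jails with none, and among the latter those with no bans recorded. It matters because fail2ban since 0.10 starts its ban actions on demand, at a jail's first ban, so a jail showing "Total banned: 0" has not yet run its start command. The function names and verdict strings are hypothetical, and the sample input is constructed from the output in the report (per-jail status abridged).

```python
import re

# Constructed sample input: command output copied from the report above.
STATUS = """Status
|- Number of jail:      3
`- Jail list:   firehol, proftpd, sshd
"""
JAIL_STATUS = {"proftpd": """Status for the jail: proftpd
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
"""}
IPTABLES = (" 140K 8379K DROP       all  --  *      *       0.0.0.0/0"
            "            0.0.0.0/0            match-set f2b-firehol src\n")

def jail_list(status_text):
    """Jail names from `fail2ban-client status`."""
    m = re.search(r"Jail list:\s*(.*)", status_text)
    return [j.strip() for j in m.group(1).split(",") if j.strip()] if m else []

def total_banned(jail_status_text):
    """`Total banned` counter from `fail2ban-client status <jail>`, or None."""
    m = re.search(r"Total banned:\s*(\d+)", jail_status_text or "")
    return int(m.group(1)) if m else None

def firewall_refs(iptables_text):
    """Names following the `f2b-` prefix in `iptables -L -n -v` output."""
    return set(re.findall(r"\bf2b-([\w.-]+)", iptables_text))

def classify(status_text, jail_status, iptables_text):
    """Map each loaded jail to a verdict about its firewall reference."""
    refs = firewall_refs(iptables_text)
    verdicts = {}
    for jail in jail_list(status_text):
        bans = total_banned(jail_status.get(jail))
        # Assumption: the IPv6 set of the ipset action is named f2b-<jail>6.
        if jail in refs or jail + "6" in refs:
            verdicts[jail] = "rule present"
        elif bans is None:
            verdicts[jail] = "no rule, ban count unknown"
        elif bans == 0:
            verdicts[jail] = "no rule, no bans yet"
        else:
            verdicts[jail] = "no rule despite %d ban(s)" % bans
    return verdicts

if __name__ == "__main__":
    for jail, verdict in classify(STATUS, JAIL_STATUS, IPTABLES).items():
        print(jail, "->", verdict)
```

Only the "no rule despite N ban(s)" verdict points at a failing ban action; "no rule, no bans yet" directs attention to the filter, which in the proftpd status above reports "Total failed: 0".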
