Your message dated Tue, 02 Jan 2024 19:34:24 +0000
with message-id <e1rkkwu-001hsy...@fasolo.debian.org>
and subject line Bug#770171: fixed in fail2ban 1.0.2-3
has caused the Debian Bug report #770171,
regarding sshd jail fails when system solely relies on systemd journal for logging
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
770171: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fail2ban
Version: 0.9.1-1
Severity: important
Dear Maintainer,
when a system is configured to use the systemd journal as the
sole logging system, i.e. when none of the packages provided by
system-log-daemon are installed, the default sshd jail does not work.
When logging in the system is done by using the systemd journal, the
file /var/log/auth.log is not used anymore. While fail2ban 0.9
can use the systemd journal for matching offending log entries, the
Debian package comes with a "backend = auto" statement that
effectively disables matching against entries in the journal. As the
log files in /var/log are not updated anymore, fail2ban becomes
useless.
In order to have the sshd jail work correctly I had to:
1. install python3-systemd, which is right now only suggested by
   fail2ban, but given that systemd is going to be default in jessie
   it should probably become a Depends
2. activate the systemd backend by adding
       [DEFAULT]
       backend = systemd
   to the jail.d/defaults-debian.conf file
3. modify filter.d/sshd.conf to use the correct name of the sshd
   systemd unit in Debian, which is ssh.service and not
   sshd.service:
       [Init]
       journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
I did not find a way to perform 3 in a way that is robust against future
upgrades of the fail2ban package...
With the above mentioned modifications in place fail2ban correctly
bans abusive hosts. I am not sure if syslog-ng or rsyslog are still
going to be installed by default in jessie (probably yes?), but
I would assume that a number of people would want to solely rely on
the systemd journal, as otherwise logging gets duplicated and would
be unhappy to discover that fail2ban has not been working for months
(like it happened to me ;).
I don't know if fail2ban should use the systemd backend by default,
but the steps needed to make it work that way should be at least
mentioned in NEWS.Debian or README.Debian *and* the sshd filter
should use the correct name of the systemd unit [maybe all filters
should be checked for wrong systemd unit names?].
As a side note, do you think that package systemd should Provide
system-log-daemon? Is this worth filing a bug against systemd?
Ciao,
Tiziano
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.17-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fail2ban depends on:
ii init-system-helpers 1.21
ii lsb-base 4.1+Debian13+nmu1
ii python3 3.4.2-1
pn python3:any <none>
Versions of packages fail2ban recommends:
ii iptables 1.4.21-2+b1
pn python3-pyinotify <none>
ii whois 5.2.2
Versions of packages fail2ban suggests:
pn mailx <none>
ii python3-systemd 215-6
pn system-log-daemon <none>
-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
ignoreregex =

[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

/etc/fail2ban/jail.d/defaults-debian.conf changed:
[DEFAULT]
backend = systemd

[sshd]
enabled = true
-- no debconf information
--- End Message ---
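A configuration check in the spirit of the three steps in the report above, written here as an added example (it is not part of the bug report or of the fail2ban package): it parses constructed samples of jail.d/defaults-debian.conf and filter.d/sshd.conf and reports the two conditions under which the sshd jail silently bans nothing on a journal-only host, a non-systemd backend and a journalmatch naming upstream's sshd.service instead of Debian's ssh.service. The function names and the auth_log_active flag are my own assumptions.

```python
import configparser

# Constructed samples of jail.d/defaults-debian.conf: as shipped (no backend
# override, so jail.conf's "backend = auto" applies) and with the reporter's fix.
JAIL_BEFORE = "[sshd]\nenabled = true\n"
JAIL_AFTER = "[DEFAULT]\nbackend = systemd\n[sshd]\nenabled = true\n"

# Constructed [Init] fragments of filter.d/sshd.conf: upstream's unit name
# (sshd.service) versus the unit Debian actually runs (ssh.service).
FILTER_UPSTREAM = "[Init]\njournalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd\n"
FILTER_DEBIAN = "[Init]\njournalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd\n"

def _parse(text):
    # failregex values contain %(__prefix_line)s; disable interpolation so they parse.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_backend(jail_text, jail="sshd", fallback="auto"):
    """Backend fail2ban will use: the jail's own value, else [DEFAULT], else jail.conf's 'auto'."""
    cp = _parse(jail_text)
    if cp.has_section(jail):
        return cp.get(jail, "backend", fallback=fallback)
    return cp.defaults().get("backend", fallback)

def journal_units(filter_text):
    """Unit names given in journalmatch; '+' separates alternative match groups."""
    cp = _parse(filter_text)
    units = []
    for clause in cp.get("Init", "journalmatch", fallback="").split("+"):
        for term in clause.split():
            key, _, value = term.partition("=")
            if key == "_SYSTEMD_UNIT":
                units.append(value)
    return units

def diagnose(jail_text, filter_text, auth_log_active, expected_unit="ssh.service"):
    """Findings that make the sshd jail ban nothing while reporting no error.
    auth_log_active (assumed flag): whether a syslog daemon still writes /var/log/auth.log."""
    findings = []
    backend = effective_backend(jail_text)
    if not auth_log_active and backend != "systemd":
        findings.append("backend=%s tails /var/log/auth.log, which nothing writes; set backend = systemd" % backend)
    units = journal_units(filter_text)
    if expected_unit not in units:
        findings.append("journalmatch units %s lack %s; journal entries can never match" % (units, expected_unit))
    return findings

if __name__ == "__main__":
    for finding in diagnose(JAIL_BEFORE, FILTER_UPSTREAM, auth_log_active=False):
        print("WARN:", finding)
```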
--- Begin Message ---
Source: fail2ban
Source-Version: 1.0.2-3
Done: Sylvestre Ledru <sylves...@debian.org>
We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sylvestre Ledru <sylves...@debian.org> (supplier of updated fail2ban package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 19 Sep 2023 13:55:20 +0200
Source: fail2ban
Architecture: source
Version: 1.0.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sylvestre Ledru <sylves...@debian.org>
Closes: 770171 1037437
Changes:
fail2ban (1.0.2-3) unstable; urgency=medium
.
* Add banaction = nftables in the defaults-debian.conf default
see https://github.com/fail2ban/fail2ban/discussions/3575#discussioncomment-7045315
* Move python3-systemd as depend (Closes: #770171, #1037437)
* Add backend = systemd to jail.d/defaults-debian.conf
--- End Message ---