Package: fail2ban
Version: 1.1.0-7
Severity: grave

Since we upgraded a server to trixie, fail2ban completely fails to start:

```
root@submit-01:~# /usr/bin/fail2ban-server -xf start
Server ready
root@submit-01:~# echo $?
255
```

What's confusing is it doesn't actually show the error message on startup. The logs do tell the story though:

```
2025-05-06 13:57:47,549 fail2ban.server [10131]: INFO --------------------------------------------------
2025-05-06 13:57:47,549 fail2ban.server [10131]: INFO Starting Fail2ban v1.1.0
2025-05-06 13:57:47,550 fail2ban.observer [10131]: INFO Observer start...
2025-05-06 13:57:47,553 fail2ban.database [10131]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: INFO Creating new jail 'postfix-sasl'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: ERROR Backend 'systemd' failed to initialize due to No module named 'distutils'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: ERROR Failed to initialize any backend for Jail 'postfix-sasl'
2025-05-06 13:57:47,554 fail2ban.transmitter [10131]: ERROR Command ['server-stream', [['set', 'thread', {'stacksize': 0}], ['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'allowipv6', 'auto'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '86400'], ['add', 'postfix-sasl', 'systemd'], ['set', 'postfix-sasl', 'usedns', 'warn'], ['set', 'postfix-sasl', 'prefregex', '^\\s*(?:\\S+\\s+)?(?:postfix(-\\w+)?/[^/\\[:\\s]+(?:/smtp[ds])?(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?warning: <F-CONTENT>.+</F-CONTENT>$'], ['set', 'postfix-sasl', 'addfailregex', '^[^[]*\\[<HOST>\\](?::\\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)'], ['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}'], ['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service', '_SYSTEMD_UNIT=postfix@-.service'], ['set', 'postfix-sasl', 'maxretry', 5], ['set', 'postfix-sasl', 'maxmatches', 5], ['set', 'postfix-sasl', 'findtime', '3m'], ['set', 'postfix-sasl', 'bantime', '10m'], ['set', 'postfix-sasl', 'ignorecommand', ''], ['set', 'postfix-sasl', 'ignoreself', True], ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1'], ['set', 'postfix-sasl', 'logencoding', 'auto'], ['set', 'postfix-sasl', 'addaction', 'iptables-multiport'], ['multi-set', 'postfix-sasl', 'action', 'iptables-multiport', [['actionstart', "{ <iptables> -C f2b-postfix-sasl -j RETURN >/dev/null 2>&1; } || { <iptables> -N f2b-postfix-sasl || true; <iptables> -A f2b-postfix-sasl -j RETURN; }\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\n{ <iptables> -C INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl >/dev/null 2>&1; } || { <iptables> -I INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl; }\ndone"], ['actionstop', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -D INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl\ndone\n<iptables> -F f2b-postfix-sasl\n<iptables> -X f2b-postfix-sasl"], ['actionflush', '<iptables> -F f2b-postfix-sasl'], ['actioncheck', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -C INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl\ndone"], ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip> -j <blocktype>'], ['port', '0:65535'], ['protocol', 'tcp'], ['chain', 'INPUT'], ['name', 'postfix-sasl'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['start', 'postfix-sasl']]] has failed. Received RuntimeError("Failed to initialize any backend for Jail 'postfix-sasl'")
2025-05-06 13:57:47,554 fail2ban [10131]: ERROR NOK: ("Failed to initialize any backend for Jail 'postfix-sasl'",)
2025-05-06 13:57:47,554 fail2ban.server [10131]: INFO Shutdown in progress...
2025-05-06 13:57:47,554 fail2ban.observer [10131]: INFO Observer stop ... try to end queue 5 seconds
2025-05-06 13:57:47,575 fail2ban.observer [10131]: INFO Observer stopped, 0 events remaining.
2025-05-06 13:57:47,615 fail2ban.server [10131]: INFO Stopping all jails
2025-05-06 13:57:47,615 fail2ban.database [10131]: INFO Connection to database closed.
2025-05-06 13:57:47,615 fail2ban.asyncserver [10131]: WARNING Accept socket error: cannot unpack non-iterable NoneType object
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py", line 218, in handle_accept
    conn, addr = self.accept()
                 ^^^^^^^^^^
TypeError: cannot unpack non-iterable NoneType object
2025-05-06 13:57:47,817 fail2ban.server [10131]: INFO Exiting Fail2ban
```

The `postfix-sasl` jail looks like:

```
[postfix-sasl]
enabled = true
mode = auth
backend = %(postfix_backend)s
filter = postfix[mode=%(mode)s]
logpath = %(postfix_log)s
maxretry = 5
findtime = 3m
```

and postfix_backend is:

```
paths-debian.conf:postfix_backend = systemd
```

... which is where that systemd comes from.

I bet it's this line in filtersystemd.py that's causing trouble:

```
from distutils.version import LooseVersion
```

This was fixed upstream in:

https://github.com/fail2ban/fail2ban/commit/a763fbbdfd6486e372965b4009eb3fe5db346718

... shortly *after* the last release, which is present in Debian.

I applied parts of the above patch here and things seem to go back to normal.
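
The failure in this report comes from a module importing `distutils`, which Python 3.12 removed from the standard library. The following is an added example, not part of the original report or of fail2ban: a static scan of a package tree for imports of modules removed in Python 3.12, generalized beyond `distutils` to `asynchat`, `asyncore` and `imp`. The sample files and their contents are constructed.

```python
import ast
import sys
import tempfile
from pathlib import Path

# Top-level stdlib modules removed in Python 3.12 (distutils via PEP 632).
REMOVED_IN_312 = {"distutils", "asynchat", "asyncore", "imp"}

def removed_imports(source, filename="<src>"):
    """Return sorted (lineno, module) pairs for absolute imports of removed modules."""
    hits = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]  # level 0 only: relative imports are local modules
        else:
            continue
        hits += [(node.lineno, n) for n in names if n.split(".")[0] in REMOVED_IN_312]
    return sorted(hits)

def scan_tree(root):
    """Map each .py file under root (path relative to root) to its removed imports."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = removed_imports(text, str(path))
        except (SyntaxError, ValueError):
            continue  # unparsable file: skip it rather than abort the scan
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample modules; only the distutils import line is taken from the report.
SAMPLE_BROKEN = "import time\nfrom distutils.version import LooseVersion\n"
SAMPLE_OK = "import time\nimport os.path\n"

def demo():
    """Build a throwaway tree with one affected and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "server"
        pkg.mkdir()
        (pkg / "filtersystemd.py").write_text(SAMPLE_BROKEN)
        (pkg / "filterpoll.py").write_text(SAMPLE_OK)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run with a directory argument, for example the `/usr/lib/python3/dist-packages/fail2ban` path shown in the traceback, to scan an installed copy. Imports guarded by `try`/`except ImportError` are reported as well, so each hit still needs a look at its fallback.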