Fail2ban doesn't start after update anymore

fail2ban
v7

(Aaron) #1

After I updated nethserver-fail2ban last Tuesday, it hasn’t started anymore…

Taking a look in the logs, I found the reason:
The dovecot filter was deleted and replaced by a nethserver-dovecot filter (or? I am not sure if the nethserver-dovecot filter had been there before…). However, the dovecot jail was still there! Hence fail2ban still looked for the filter but didn't find it anymore…
As a workaround, I have now also deleted the dovecot jail… and fail2ban works again!
Is this a bug in the last update? Can someone confirm it?


(Stéphane de Labrusse) #2

I'm investigating. What is the version of nethserver-fail2ban?

rpm -qa |grep fail2ban


(Stéphane de Labrusse) #3

Verify that you have the latest rpm:

[root@ns7dev9 ~]# rpm -qa nethserver-fail2ban
nethserver-fail2ban-0.1.15-1.ns7.sdl.noarch

I corrected something related to the dovecot jail in the middle of the week… I tested here and it works as expected. You could take a look at /var/log/messages and see what occurred.


(Aaron) #4
~]# rpm -qa |grep fail2ban
fail2ban-server-0.9.6-3.el7.noarch
fail2ban-shorewall-0.9.6-3.el7.noarch
fail2ban-sendmail-0.9.6-3.el7.noarch
nethserver-fail2ban-0.1.15-1.ns7.sdl.noarch
fail2ban-firewalld-0.9.6-3.el7.noarch
fail2ban-0.9.6-3.el7.noarch

I have updated on 13.06. to the current version:

~]# rpm -qa nethserver-fail2ban
nethserver-fail2ban-0.1.15-1.ns7.sdl.noarch

There I found that directly after the update (after expanding the fail2ban templates) fail2ban didn't start anymore…

Jun 13 13:04:34 assa esmith::event[616]: Action: /etc/e-smith/events/nethserver-fail2ban-update/S00initialize-default-databases SUCCESS [0.866112]
Jun 13 13:04:34 assa esmith::event[616]: Event: nethserver-fail2ban-update SUCCESS
Jun 13 13:04:34 assa esmith::event[618]: Event: runlevel-adjust
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/sudoers
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/fail2ban/fail2ban.local
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/fail2ban/jail.local
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/fail2ban/action.d/shorewall.local
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/fail2ban/action.d/sendmail-common.local
Jun 13 13:04:34 assa esmith::event[618]: expanding /etc/fail2ban/filter.d/urbackup-auth.conf
Jun 13 13:04:34 assa esmith::event[618]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.424486]
Jun 13 13:04:34 assa systemd: Reloading.
Jun 13 13:04:35 assa systemd: Reloading.
Jun 13 13:04:35 assa systemd: Reloading.
Jun 13 13:04:35 assa systemd: Reloading.
Jun 13 13:04:35 assa systemd: Reloading.
Jun 13 13:04:35 assa systemd: Starting Fail2Ban Service…
Jun 13 13:04:35 assa fail2ban-client: ERROR Found no accessible config files for 'filter.d/dovecot' under /etc/fail2ban
Jun 13 13:04:35 assa fail2ban-client: ERROR No section: 'Definition'
Jun 13 13:04:35 assa fail2ban-client: ERROR No section: 'Definition'
Jun 13 13:04:35 assa fail2ban-client: ERROR Unable to read the filter
Jun 13 13:04:35 assa fail2ban-client: ERROR Errors in jail 'dovecot'. Skipping...
Jun 13 13:04:35 assa systemd: fail2ban.service: control process exited, code=exited status=255
Jun 13 13:04:35 assa systemd: Failed to start Fail2Ban Service.
Jun 13 13:04:35 assa systemd: Unit fail2ban.service entered failed state.
Jun 13 13:04:35 assa systemd: fail2ban.service failed.
Jun 13 13:04:35 assa esmith::event[618]: Job for fail2ban.service failed because the control process exited with error code. See “systemctl status fail2ban.service” and “journalctl -xe” for details.

It seems that the update deleted the dovecot filter but not the dovecot jail…

Should it have deleted both or neither of them?


(Stéphane de Labrusse) #5

I still have the filter dovecot

[root@ns7dev9 ~]# ll /etc/fail2ban/filter.d/dovecot*
-rw-r--r-- 1 root root 1875 Dec  9  2016 /etc/fail2ban/filter.d/dovecot.conf
-rw-r--r-- 1 root root  468 Jun 12 21:53 /etc/fail2ban/filter.d/dovecot-nethserver.conf

The dovecot.conf comes from the fail2ban rpm, not from nethserver-fail2ban (which adds dovecot-nethserver.conf):

[root@ns7dev9 ~]# rpm -qf /etc/fail2ban/filter.d/dovecot-nethserver.conf
nethserver-fail2ban-0.1.15-1.ns7.sdl.noarch
[root@ns7dev9 ~]# rpm -qf /etc/fail2ban/filter.d/dovecot.conf
fail2ban-server-0.9.6-3.el7.noarch

If you are missing this filter, then:

yum reinstall *fail2ban*

You might also find more specific information in the log /var/log/fail2ban.log.

I don't understand; the filter and the jail dovecot should be there… see the jail.local:

[dovecot]
enabled  = true
port     = 110,143,4190,993,995
logpath  = %(dovecot_log)s
backend  = %(dovecot_backend)s
maxretry = 3

[dovecot-nethserver]
enabled  = true
port     = 110,143,4190,993,995
logpath  = /var/log/imap*
maxretry = 3
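
The failure in post #4 is a jail/filter mismatch: jail.local still enables `[dovecot]`, but nothing under filter.d answers to that name. The script below is an added example (not code from nethserver-fail2ban or from the fail2ban project) that checks exactly that condition across every enabled jail, so the mismatch is found before `systemctl start fail2ban` fails. It reads jail.local only (fail2ban also merges jail.conf and jail.d/*.conf, which this does not do) and accepts either `<name>.conf` or `<name>.local` as a present filter, which is the same rule fail2ban-client applies when it reports "Found no accessible config files". The jail.local fixture and the dovecot-nethserver.conf it builds in a scratch directory are constructed for the example; the missing dovecot.conf mirrors the state described above.

```shell
#!/bin/sh
# Added example, not part of nethserver-fail2ban: report enabled jails in
# jail.local whose filter is absent from filter.d.  This is the state that made
# fail2ban-client abort with "Found no accessible config files for
# 'filter.d/dovecot'" in the /var/log/messages excerpt above.

# check_jails <configdir>: print "<jail> -> <filter>" for every enabled jail
# that has neither filter.d/<filter>.conf nor filter.d/<filter>.local.
check_jails() {
    cfg="$1"
    awk -v fd="$cfg/filter.d" '
        function val(s) {            # text after "=", trailing blanks stripped
            sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s); return s
        }
        function flush(   f) {       # evaluate the section that just ended
            if (name == "" || name == "DEFAULT" || enabled != "true") return
            f = (filter == "") ? name : filter      # "filter =" overrides the jail name
            sub(/\[.*$/, "", f)                     # "dovecot[mode=aggressive]" -> "dovecot"
            if (system("[ -r \"" fd "/" f ".conf\" ] || [ -r \"" fd "/" f ".local\" ]") != 0)
                print name " -> " f
        }
        /^\[/ { flush(); name = substr($0, 2, index($0, "]") - 2); enabled = ""; filter = ""; next }
        /^[[:space:]]*enabled[[:space:]]*=/ { enabled = val($0) }
        /^[[:space:]]*filter[[:space:]]*=/  { filter  = val($0) }
        END { flush() }
    ' "$cfg/jail.local"
}

# make_fixture: constructed scratch config reproducing the broken state.
# jail.local enables [dovecot] and [dovecot-nethserver]; only
# dovecot-nethserver.conf exists in filter.d (dovecot.conf is gone).
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/filter.d"
    cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
bantime = 600

[dovecot]
enabled  = true
port     = 110,143,4190,993,995
logpath  = %(dovecot_log)s
maxretry = 3

[dovecot-nethserver]
enabled  = true
port     = 110,143,4190,993,995
logpath  = /var/log/imap*
maxretry = 3

[sshd]
enabled  = false
EOF
    # constructed filter body, not the real dovecot-nethserver.conf
    printf '[Definition]\nfailregex = ^.*auth failed.*rip=<HOST>\n' > "$dir/filter.d/dovecot-nethserver.conf"
    echo "$dir"
}

fixture=$(make_fixture)
check_jails "$fixture"        # prints: dovecot -> dovecot
rm -rf "$fixture"
```

Run it against the live tree with `check_jails /etc/fail2ban`; an empty result means every enabled jail can find its filter. On the box itself, `fail2ban-client -d` dumps the parsed configuration and will show the same read errors without starting the service. The `filter =` override and the `[mode=...]` suffix are handled because a jail does not have to share its name with its filter, which is the case for jails that a module adds with a custom filter name.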

(Aaron) #6

Thanks! I missed the dovecot filter somehow…
Now everything works again!

Can you describe to me how to save customized filters? You remember my problem with openvpn (Openvpn jail for fail2ban)…


(Aaron) #7

I have just created a file /etc/e-smith/templates-custom/etc/fail2ban/filter.d/openvpn.conf/10base containing the customized filter and one (empty) file /etc/e-smith/events/nethserver-fail2ban-save/templates2expand/etc/fail2ban/filter.d.

Will this make the filter persistent through updates and reinstallations?


(Stéphane de Labrusse) #8

When you use a template, you have a valuable reason, for example if the value of a variable might change,
e.g. a domain name or a service name.

If you have static values, then you can drop a file in /etc/fail2ban/filter.d and add your own migrate fragment in /etc/e-smith/templates/etc/fail2ban/jail.local/90MycustomJail.

If you remove or upgrade fail2ban, these files won't move.

Edit: I spoke too fast.

Do a custom template:

vim /etc/e-smith/templates-custom/etc/fail2ban/filter.d/openvpn.conf/10base

then add it to the event:

ln -s /etc/fail2ban/filter.d/openvpn.conf /etc/e-smith/events/nethserver-fail2ban-save/templates2expand/etc/fail2ban/filter.d/openvpn.conf


(Aaron) #9

That is approximately what I did before… :wink:

However, I still don't fully understand why one has to link these files… As far as I see, the files for the events (/etc/e-smith/events...) normally aren't linked but empty…
I must admit that I learned to use the template system rather by trial and error… so please correct me if I am wrong…


(Stéphane de Labrusse) #10

Still right for me :slight_smile:


(Stéphane de Labrusse) #11

When you use the createlinks at the rpm level, you have empty files, but here I could link them, like you saw. I never tested the empty file, but it should work.


(Aaron) #12

Thanks for the explanation!
I guess I have already made an empty file for another event… and it worked!
However, you say that linked files are better in principle, right?


(Stéphane de Labrusse) #13

Both are valuable for me.


(Aaron) #14

Unfortunately, the nethserver-fail2ban-save event isn't called after an update…
The nethserver-fail2ban-update event only calls the initialize-default-databases action…

I have tried to link the nethserver-fail2ban-save event into the nethserver-fail2ban-update event, but it doesn't work…
I also tried to link the templates2expand directory, but it also doesn't work.

Only the S00initialize-default-databases link is working in the nethserver-fail2ban-update event.

I would like to make the custom configuration files persistent through updates by using a templates-custom…
Do you have any clue?


(Stéphane de Labrusse) #15

In this case only the runlevel-adjust event is used (for an update), but for any modifications in the panel, you use the nethserver-fail2ban-save event.

see https://github.com/stephdl/nethserver-fail2ban/blob/ns7/createlinks#L16


(Stéphane de Labrusse) #16

Well, this morning I was not awake. If you did a custom template, then you don't need to do anything more… indeed, when the original file is expanded, the custom template will be used first.

So you need nothing more, except to make a custom template with the same path as the original template.


(Aaron) #17

Ah… ok! Probably I just need to add something also at the respective positions in the template folder (empty files or so).
Does the template system only expand templates if there is something in the template folder (and not only in the templates-custom folder)? I added the files only in the templates-custom folder since I thought that some update might add something in the template folder and override my files. I didn't know that one needs to have some file in the template folder in order to get the files in the templates-custom folder expanded automatically in case of an update…
Am I right?
Or do I have to add the links to the runlevel-adjust event?


(Stéphane de Labrusse) #18

In fact my module takes care to expand the jail.local (for example) at the right time; if you just provide a custom template of the jail.local, then when the module expands the jail.local, your custom template will be expanded…

Life is simple :slight_smile:

But here you provided a custom template of /etc/fail2ban/filter.d/openvpn.conf, which is not templatised in my module, so you must expand it following runlevel-adjust and nethserver-fail2ban-save if you want to follow all updates.

See the createlinks for example.

I read too fast what you wanted to do :'(

So create the folders and put an empty file in the runlevel-adjust and the nethserver-fail2ban-save events.
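
The procedure in posts #8, #16 and #18 boils down to two pieces: a `10base` fragment under templates-custom for the file the module does not templatize, and one marker per event under templates2expand so that both the update path (runlevel-adjust) and the panel path (nethserver-fail2ban-save) expand it. The script below is an added example (not part of nethserver-fail2ban or of the e-smith tooling) that creates both pieces and lists which events will expand a given path, which is the check Aaron was missing in post #14. It takes a ROOT prefix so it can be exercised in a scratch directory; the OpenVPN filter body is a placeholder pattern, not a tested OpenVPN signature, and `register_custom_template` / `events_expanding` are names chosen here, not e-smith commands.

```shell
#!/bin/sh
# Added example, not part of nethserver-fail2ban: persist a custom fail2ban
# filter across updates the way post #18 describes.  ROOT="" targets the live
# system; when ROOT is unset a scratch directory is used instead.

if [ -z "${ROOT+x}" ]; then ROOT=$(mktemp -d); fi
ROOT="${ROOT%/}"

# register_custom_template <target> <body> <event>...
# Writes templates-custom<target>/10base with <body> and an empty
# templates2expand<target> marker in every listed event.  The template and
# the markers must use the same path as the file they produce.
register_custom_template() {
    target="$1"; shift        # e.g. /etc/fail2ban/filter.d/openvpn.conf
    body="$1"; shift          # contents of the 10base fragment
    tdir="$ROOT/etc/e-smith/templates-custom$target"
    mkdir -p "$tdir"
    printf '%s\n' "$body" > "$tdir/10base"
    for ev in "$@"; do
        mkdir -p "$ROOT/etc/e-smith/events/$ev/templates2expand$(dirname "$target")"
        : > "$ROOT/etc/e-smith/events/$ev/templates2expand$target"
    done
}

# events_expanding <target>: print, one per line and sorted, the events that
# carry a templates2expand marker for <target>; an empty result means the file
# is expanded by nothing and will not follow updates or panel saves.
events_expanding() {
    target="$1"
    for m in "$ROOT"/etc/e-smith/events/*/templates2expand"$target"; do
        [ -e "$m" ] || continue
        ev=${m#"$ROOT"/etc/e-smith/events/}
        echo "${ev%%/*}"
    done | sort
}

# Constructed filter body; the failregex is a placeholder, replace it with the
# real OpenVPN pattern before use.
OPENVPN_FILTER='[Definition]
failregex = ^.*TLS Error: .*\[AF_INET\]<HOST>:[0-9]+.*$
ignoreregex ='

register_custom_template /etc/fail2ban/filter.d/openvpn.conf "$OPENVPN_FILTER" \
    runlevel-adjust nethserver-fail2ban-save
events_expanding /etc/fail2ban/filter.d/openvpn.conf
# prints:
# nethserver-fail2ban-save
# runlevel-adjust
```

On a real NethServer, run `ROOT= sh thisscript.sh` (or just create the same paths by hand) and then `signal-event runlevel-adjust` to confirm the filter appears in /etc/fail2ban/filter.d; the jail that references it still has to be added to jail.local through its own custom template fragment, as post #8 notes, since a filter without a jail is never loaded.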


(Aaron) #19

Thanks for the explanation! :wink: I just wasn't aware of the runlevel-adjust event at the beginning! (Isn't it a bit redundant?)