Fail2ban: no such file /var/log/roundcubemail/errors.log

fail2ban
v7

(Francesco) #1

*NethServer release 7.6.1810 **
fail2ban-1.1.2-1.ns7:
Hi all, I noticed on my NethServer release 7.6.1810 that fail2ban-1.1.2-1.ns7 has stopped processing the filter rules. Restarting the service, the system reported “Error fail2ban # 11 exit code”.
Analyzing the fail2ban log I noticed this error "Unable to get stat on /var/log/roundcubemail/errors.log because of: [Errno 2] No such file or directory: ‘/var/log/roundcubemail/errors.log’
I proceeded to disable the roundcube rule, and the service has resumed functioning. I ask if it’s a bug or an error in my configuration!
Thank you.
Version: fail2ban-1.1.2-1.ns7


(Stéphane de Labrusse) #2

Do you have roundcubemail installed? If yes why thelog file is no more present


(Stéphane de Labrusse) #3

It’s ok we have a bug here, I will fix it


(Francesco) #4

Hello and thanks for the reply.
I am attaching screenshots of the directory, the log file is not there.
roundcube


Long filename errors in logrotate logs
(Stéphane de Labrusse) #5

What is happening, the log rotated errors.log-20190113 is OK,but at least you must have also a errors.log.

In fact I tested about /var/log/roundcubemail/errors and it was a typo :’(


(Stéphane de Labrusse) #6

@france I will patch my issue, but you must understand why the log rotation has removed the log file /var/log/roundcubemail/errors.log, if roundcubemail does not use this logfile, fail2ban won’t ban attackers on roundcubemail

https://github.com/NethServer/dev/issues/5693


(Giacomo Sanchietti) #7

I’m reporting here the comment I did inside the PR.

The /var/log/roundcubemail/errors contains PHP errors like:

[03-Jan-2019 09:49:47 Europe/Rome] PHP Warning:  strtolower() expects parameter 1 to be string, array given in /usr/share/roundcubemail/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 1417

On my machine last entry is dated 03/01/19.

The /var/log/roundcubemail/errors.log contains invalid logins: fail2ban should watch this.
Example:

[14-Jan-2019 09:17:00 +0100]: <xxx> IMAP Error: Login failed for goofy@nethesis.it from 192.xxx.xxx.xxx. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)

But if no access has been made for more than a week, the file is empty and fail2ban refuse to start.

I can’t figure out a good fix for this rather than disabling the roundcube jail


(Stéphane de Labrusse) #8

The fix is already there, we use it for quite all jails, watch the log file exist before to expand the jail and trigger the fail2ban restart. This is how fail2ban works, fails to start if a jail is not working properly rather to disable the failed jail.

In our particular case, when fail2ban is restarted, it comes from a run-level adjust or a settings modification in the panel, which expand all the fail2ban templates and restart the service. In that case we must check if the roundcubemail log exists before to expand the template and restart fail2ban.

Obviously we will have issues from community/customers if we do not do this, the roundcubemail jaill will be started the next time.


(Giacomo Sanchietti) #9

That’s the real pity :frowning:

There are some corner case not covered here.

Let’s start with an assumption: if nobody uses roundcube for more than a week, the errors.log file is missing after logrotate.
This can happen at least in a couple of situations:

  • on boot
  • after a yum update

Probably the best fix is changing the logrotate configuration of roundcube to prevent the missing file.


(Stéphane de Labrusse) #10

did you mean about this logrotate directive ?
nocreate

http://www.delafond.org/traducmanfr/man/man8/logrotate.8.html


(Giacomo Sanchietti) #11

I’d say the create option but I didn’t try.


(Stéphane de Labrusse) #12

Sorry, I would not arg but something I do not understand, you stated that the roundcubemail error.log is removed each week, and not created if there is no errors

but when I look my log folder

# ll /var/log/roundcubemail/
total 56
-rw-r--r-- 1 apache apache   374 Dec 13 16:26 errors
-rw-r--r-- 1 apache apache 11137 Nov  9 11:24 errors.log
-rw-r--r-- 1 apache apache  5961 Jan  4 16:10 sendmail.log
-rw-r--r-- 1 apache apache 31013 Sep  5 11:02 sendmail.log-20180906

and inside the log file errors.log

[08-Sep-2018 20:06:59 +0200]: <s8dvbvuc> IMAP Error: Login failed for gaele@xxxx.fr from 2.10.2.169. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[08-Sep-2018 20:07:22 +0200]: <s8dvbvuc> IMAP Error: Login failed for gaele@xxxxx.fr from 2.10.2.169. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:07 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:26 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:48 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[24-Oct-2018 15:50:18 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[24-Oct-2018 15:50:23 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout)
[24-Oct-2018 15:50:30 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[09-Nov-2018 11:24:06 +0100]: <vlrq53ag> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[16-Jan-2019 14:37:16 +0100]: <u0k4iamo> IMAP Error: Login failed for gaele@xxxxxx.fr from 92.184.108.105. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /roundcubemail/?_task=login?_task=login&_action=login)

my log rotate configuration is

# cat /etc/logrotate.d/roundcubemail 
/var/log/roundcubemail/*.log {
    missingok
    su root apache
    notifempty
    size 30k
    nocreate
}

so it seems that my log file is not rotated since really a long time, however it is less than 30KB (so it seems normal), and even if I have not much entries, the last one of today (done by myself) was done without restarted a service. Of course , I do not upgrade or restart my server often :slight_smile:

 # uptime
 14:51:07 up 144 days,  5:45,  2 users,  load average: 0.14, 0.15, 0.17

@all can you provide stats on the roundcubemail log


(Giacomo Sanchietti) #13

Because your errors.log has never been rotated since its smaller than 30K.
If the size is bigger, the file is rotated and no empty log file will be created since there is the nocreate option inside the logrotate config.

So the only way is to create a template for roundcube logrotate and remove the nocreate option.
But IMO this is not a good solution: we shouldn’t change roundcube because fail2ban is buggy.

So in the end, what can we do? /cc @dev_team


(Markus Neuberger) #14

IIUC the issue is fixed in newer versions of fail2ban. If only one jail is working fail2ban just starts, even if there are other misconfigured jails (like missing logfiles). epel actually provides 0.9.7-1.


(Stéphane de Labrusse) #15

Nice to hear this, but IMO we already does this by testing the log file.

I would be pragmatic on this case and do not modify the logrotate file of roundcubemail.

I would propose to test the errors.log, if exist then we expand and start the jail, if not the jail is not created.
For what I tested if the log files errors.log is removed manually, we just warn inside the fail2ban log file, all other jails are active. When the file errors.log is created again, the jail is up without human actions.

I prefer to miss one jail, rather to put fail2ban down.

Other idea could be to modify the logrotate.d/roundcubemail configuration, manually with sed, or by a template, logrotate file configuration are built as noreplace, roudcubemail won’t replace them if modified…BUT we still need to test if the roundcubemail errors.log file exists


(Giacomo Sanchietti) #16

I agree.

As reported before, it will not fix all scenarios (like the reboot after the log rotation).

If someone has Roundcube installed and not really used, the real fix is to disable the jail from the web interface.
I’m willing to close this as “wontfix” or “worksforme” for now.

Edit:
I’ve changed my mind: the fix is better than nothing, merged and ready for QA :wink:


(Giacomo Sanchietti) #17

@france would you like to test it?


(Davide Principi) #18

I started the QA and I come here with an enhancement proposal.

As the new f2b package is late to come we can implement a workaround in the existing systemd configuration file:

[root@vm5 ~]# rpm -ql nethserver-fail2ban | grep systemd
/etc/systemd/system/fail2ban.service.d/nethserver.conf

There we can plug the expansion of fail2ban configuration files in an ExecStartPre= job, to ensure the file existence tests are always run before f2b starts and the config files are always up-to-date with the system state.

This should also prevent failures due to logrotate concurrency with fail2ban.


(Giacomo Sanchietti) #19

Really great idea! :heart_eyes:


(Stéphane de Labrusse) #20

Good idea… Thank @davidep an systemd