Fail2ban: NOTICE Jail started without 'journalmatch' set

tmb · June 4, 2019, 4:51pm

**NethServer Version 7.6
Module: fail2ban

Daily I see the following in my fail2ban log.

“fail2ban.filtersystemd [7357]: NOTICE Jail started without ‘journalmatch’ set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.”

Searching the internet it looks like there is a misconfiguration in the fail2ban conf file in connection with systemd but I do not really understand the issue and wondering if this is something which should be fixed in the pre-configured NS fail2ban package.

stephdl · June 4, 2019, 7:25pm

on my system I have three jails with that log info : postfix, dovecot, recidive

these jails are not custom

stephdl · June 4, 2019, 7:29pm

the jails are actives

[root@prometheus ~]# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	82
|  `- Journal matches:	_SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned:	0
   |- Total banned:	4
   `- Banned IP list:	
[root@prometheus ~]# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	750
|  `- Journal matches:	_SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned:	0
   |- Total banned:	31
   `- Banned IP list:	
[root@prometheus ~]# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	63
|  |- Total failed:	905
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	12
   |- Total banned:	99
   `- Banned IP list:	185.211.245.170 82.34.214.225 104.248.150.150 186.31.116.78 114.32.120.181 196.203.31.154 141.98.80.47 185.222.209.99 82.227.139.213 185.211.245.198 210.100.252.201 182.61.179.84

stephdl · June 4, 2019, 7:49pm

journalmatch are set in the

[root@prometheus ~]# grep -srni "journalmatch" /etc/fail2ban/filter.d/
/etc/fail2ban/filter.d/postfix.conf:28:journalmatch = _SYSTEMD_UNIT=postfix.service
/etc/fail2ban/filter.d/sendmail-reject.conf:36:journalmatch = _SYSTEMD_UNIT=sendmail.service
/etc/fail2ban/filter.d/sshd.conf:73:journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
/etc/fail2ban/filter.d/dovecot.conf:22:journalmatch = _SYSTEMD_UNIT=dovecot.service
/etc/fail2ban/filter.d/ejabberd-auth.conf:33:# Option:  journalmatch
/etc/fail2ban/filter.d/ejabberd-auth.conf:37:journalmatch = 
/etc/fail2ban/filter.d/perpetual.conf:39:journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
/etc/fail2ban/filter.d/postfix-stolen-sasl.conf:19:journalmatch = _SYSTEMD_UNIT=postfix.service
/etc/fail2ban/filter.d/postfix-sasl.conf:18:journalmatch = _SYSTEMD_UNIT=postfix.service
/etc/fail2ban/filter.d/postfix-sasl-abuse.conf:19:journalmatch = _SYSTEMD_UNIT=postfix.service
/etc/fail2ban/filter.d/pure-ftpd.conf:26:journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
/etc/fail2ban/filter.d/recidive.conf:36:journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
/etc/fail2ban/filter.d/sendmail-auth.conf:18:journalmatch = _SYSTEMD_UNIT=sendmail.service

I suspect a systemd issue

dnutan · February 1, 2020, 12:33pm

I think it is related to pam_generic jail(s)