FS#48540 - [fail2ban] missing own arch paths-foo.conf file
Attached to Project:
Community Packages
Opened by Gustavo Alvarez (sl1pkn07) - Friday, 11 March 2016, 20:15 GMT
Last edited by Felix Yan (felixonmars) - Friday, 03 November 2017, 08:40 GMT
Details
Since fail2ban 0.9.4, the way to set the log path is
through the file /etc/fail2ban/paths-foo.conf

Files for fedora, debian, freebsd, opensuse and osx are provided by upstream:

-rw-r--r-- 1 root root 2361 mar 8 03:50 paths-common.conf
-rw-r--r-- 1 root root 642 mar 8 03:50 paths-debian.conf
-rw-r--r-- 1 root root 1059 mar 8 03:50 paths-fedora.conf
-rw-r--r-- 1 root root 1174 mar 8 03:50 paths-freebsd.conf
-rw-r--r-- 1 root root 659 mar 8 03:50 paths-opensuse.conf
-rw-r--r-- 1 root root 290 mar 8 03:50 paths-osx.conf

Arch must provide its own file with its own Arch paths/configuration. If not, the service can't load.

greetings
Closed by Felix Yan (felixonmars)
Friday, 03 November 2017, 08:40 GMT
Reason for closing: Implemented
Additional comments about closing: 0.10.1-2
before = paths-fedora.conf
instead of
before = paths-debian.conf
but I think it is more accurate to make its own paths-foo.conf file with Arch's own paths/configurations
greetings
If that is not set, the fail2ban service fails to load (after merging the changes between /etc/fail2ban/jail.conf.pacnew and /etc/fail2ban/jail.conf)
┌─┤[$]|[sl1pkn07]|[sL1pKn07]|[~]|
└───╼ sudo systemctl restart fail2ban
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.
┌─┤[$]|[sl1pkn07]|[sL1pKn07]|[~]|
└───╼ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: inactive (dead) (Result: exit-code) since vie 2016-03-11 20:59:32 CET; 4s ago
Docs: man:fail2ban(1)
Process: 16703 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Main PID: 2206 (code=killed, signal=TERM)
mar 11 20:59:32 sL1pKn07 systemd[1]: Failed to start Fail2Ban Service.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Unit entered failed state.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
mar 11 20:59:32 sL1pKn07 systemd[1]: Stopped Fail2Ban Service.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Start request repeated too quickly.
mar 11 20:59:32 sL1pKn07 systemd[1]: Failed to start Fail2Ban Service.
└───╼ sudo fail2ban-client start
ERROR No file(s) found for glob /var/log/auth.log
ERROR Failed during configuration: Have not found any log file for sshd jail
sshd_backend = %(default_backend)s
It looks like this is the offending change, because adding 'default_backend = systemd' to my jail.local file made this error go away for me.
└───╼ grep -R paths-common
paths-debian.conf:before = paths-common.conf
paths-opensuse.conf:before = paths-common.conf
paths-freebsd.conf:before = paths-common.conf
paths-osx.conf:before = paths-common.conf
paths-fedora.conf:before = paths-common.conf
This means 'paths-common.conf' is loaded before the 'paths-foo.conf' set in 'jail.conf'; by default, in the Arch package, it is set to 'paths-debian.conf'
└───╼ grep -R paths-
jail.conf:#before = paths-distro.conf
jail.conf:#before = paths-debian.conf
jail.conf:before = paths-fedora.conf
---snip---
The workaround is to set the file 'paths-fedora.conf' instead of 'paths-debian.conf' in the 'jail.conf' file
or make an Arch-specific 'paths-archlinux.conf' file and set/include it in 'jail.conf' in the package
This is also a solution to a problem I ran into with using fail2ban with roundcube. Arch has it configured to put the roundcube log in /var/log/roundcubemail/ by default, while the default fail2ban config is set to look at /var/roundcube/. This path is specified in paths-common.conf, and while it can be fixed by editing that file, having it overridden in a paths-arch.conf would be the more elegant and preferable solution.
Also worth mentioning that none of the mail applications (postfix, dovecot, sieve) that I tried worked without configuring the backend to be systemd. Considering Arch is all-in on systemd, I think this should also be specified as the default_config in the paths-arch.conf file.
BUT
a missing variable in paths-arch.conf leads to a refusal to start
in my case (sshd jail activated):
before, when 'paths-fedora.conf' was set, the variable existed:
'syslog_authpriv = /var/log/secure'
(see https://github.com/fail2ban/fail2ban/blob/0.11/config/paths-fedora.conf#L16)
this variable is called by the file 'paths-common.conf':
https://github.com/fail2ban/fail2ban/blob/0.11/config/paths-common.conf#L12
Now, in the file 'paths-arch.conf', that variable does not exist, so after editing the file 'jail.conf' to change 'paths-fedora.conf' to 'paths-arch.conf' in the [INCLUDE] section, when reloading the fail2ban service:
└───╼ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2017-08-27 12:37:42 CEST; 1s ago
Docs: man:fail2ban(1)
Process: 8789 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255)
Process: 8788 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 8789 (code=exited, status=255)
ago 27 12:37:42 sL1pKn07 systemd[1]: Starting Fail2Ban Service...
ago 27 12:37:42 sL1pKn07 systemd[1]: Started Fail2Ban Service.
ago 27 12:37:42 sL1pKn07 fail2ban-server[8789]: Failed during configuration: Bad value substitution: option 'logpath' in section 'sshd' contains an interpolation key 'syslog_authpriv' which is not a valid option name. Raw value: '%(sshd_log)s'
ago 27 12:37:42 sL1pKn07 fail2ban-server[8789]: Async configuration of server failed
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/n/a
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Unit entered failed state.
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
It seems the missing variable needs to be added to 'paths-arch.conf'
The simple workaround is to create a file called 'paths-overrides.local' under '/etc/fail2ban' with this content:
---------------
[DEFAULT]
syslog_authpriv =
---------------
(the variable is empty because the default path does not exist)
or add the variable to the file 'paths-arch.conf'
or wait for it to be fixed upstream (felix?)
the other missing variables are:
------------
syslog_mail =
syslog_mail_warn =
syslog_user =
syslog_ftp =
syslog_daemon =
syslog_local0 =
------------
see the other paths-foo.conf files
greetings
But PKGBUILD needs a sed -i 's/before = paths-debian.conf/before = paths-arch.conf/' "$pkgdir"/etc/fail2ban/jail.conf.
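
A pre-restart check for the "Bad value substitution" failure reported in the comments above, as an added example that is not part of the original thread or of fail2ban itself. It follows the `before`/`after` include chain of a paths file and lists every `%(name)s` key that nothing in the chain defines. The sample file contents are constructed for illustration (only the option names come from the thread), and the `[INCLUDES]` section name and helper names are assumptions of this sketch.

```python
import configparser
import re

# Constructed sample files modelled on the thread, not copies of upstream configs.
SAMPLE = {
    "paths-common.conf": "[DEFAULT]\n"
                         "sshd_log = %(syslog_authpriv)s\n"
                         "postfix_log = %(syslog_mail_warn)s\n",
    "paths-arch.conf": "[INCLUDES]\n"
                       "before = paths-common.conf\n"
                       "after = paths-overrides.local\n"
                       "[DEFAULT]\n"
                       "syslog_mail_warn = /var/log/mail.log\n",
    "paths-overrides.local": "[DEFAULT]\nsyslog_authpriv =\n",
}

REF = re.compile(r"%\(([^)]+)\)s")  # interpolation keys such as %(syslog_authpriv)s


def load_defaults(files, name, seen=None):
    """Merge raw [DEFAULT] options of `name` with its before/after includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:  # absent includes are skipped
        return {}
    seen.add(name)
    cp = configparser.RawConfigParser()  # raw: keep %(...)s unexpanded
    cp.read_string(files[name])
    merged = {}
    for inc in cp.get("INCLUDES", "before", fallback="").split():
        merged.update(load_defaults(files, inc, seen))
    merged.update(cp.defaults())  # this file overrides its "before" files
    for inc in cp.get("INCLUDES", "after", fallback="").split():
        merged.update(load_defaults(files, inc, seen))
    return merged


def undefined_keys(files, start):
    """Return sorted interpolation keys referenced but never defined."""
    opts = load_defaults(files, start)
    missing = set()
    for value in opts.values():
        missing.update(k for k in REF.findall(value) if k not in opts)
    return sorted(missing)


if __name__ == "__main__":
    no_override = {k: v for k, v in SAMPLE.items() if k != "paths-overrides.local"}
    print("without override:", undefined_keys(no_override, "paths-arch.conf"))
    print("with override:   ", undefined_keys(SAMPLE, "paths-arch.conf"))
```

To run it against a real installation, build the `files` dict from the contents of `/etc/fail2ban/paths-*.conf` and `paths-overrides.local`; an empty result means the chain resolves, so the service (and its bans) will not be lost to this error on restart.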