FS#48540 - [fail2ban] missing own arch paths-foo.conf file

Attached to Project: Community Packages
Opened by Gustavo Alvarez (sl1pkn07) - Friday, 11 March 2016, 20:15 GMT
Last edited by Felix Yan (felixonmars) - Friday, 03 November 2017, 08:40 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Since fail2ban 0.9.4, the way to set the log path is through the file /etc/fail2ban/paths-foo.conf

The files for fedora, debian, freebsd, opensuse and osx are provided by upstream

-rw-r--r-- 1 root root 2361 mar 8 03:50 paths-common.conf
-rw-r--r-- 1 root root 642 mar 8 03:50 paths-debian.conf
-rw-r--r-- 1 root root 1059 mar 8 03:50 paths-fedora.conf
-rw-r--r-- 1 root root 1174 mar 8 03:50 paths-freebsd.conf
-rw-r--r-- 1 root root 659 mar 8 03:50 paths-opensuse.conf
-rw-r--r-- 1 root root 290 mar 8 03:50 paths-osx.conf

Arch must provide its own file with its own Arch paths/configuration. If not, the service can't load.

greetings

Closed by  Felix Yan (felixonmars)
Friday, 03 November 2017, 08:40 GMT
Reason for closing:  Implemented
Additional comments about closing:  0.10.1-2
Comment by Doug Newgard (Scimmia) - Saturday, 12 March 2016, 05:13 GMT
So how has this worked for years? I think you need to provide more info.
Comment by Gustavo Alvarez (sl1pkn07) - Saturday, 12 March 2016, 11:33 GMT
A workaround is to set, in /etc/fail2ban/jail.conf, in the [INCLUDE] section:

before = paths-fedora.conf

instead of

before = paths-debian.conf

But I think it is more accurate to make our own paths-foo.conf file with Arch's own paths/configurations

greetings
Comment by Doug Newgard (Scimmia) - Saturday, 12 March 2016, 12:14 GMT
So you're still not going to tell us what the problem is?
Comment by Gustavo Alvarez (sl1pkn07) - Saturday, 12 March 2016, 12:21 GMT
The problem is described in the first post: since version 0.9.4 the configuration of fail2ban has changed, and it now uses its own file with a distro-specific configuration holding the paths of the logs/configuration backend

If that is not set, the fail2ban service fails to load (after merging the changes between /etc/fail2ban/jail.conf.pacnew and /etc/fail2ban/jail.conf)

┌─┤[$]|[sl1pkn07]|[sL1pKn07]|[~]|
└───╼ sudo systemctl restart fail2ban
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.
┌─┤[$]|[sl1pkn07]|[sL1pKn07]|[~]|
└───╼ systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: inactive (dead) (Result: exit-code) since vie 2016-03-11 20:59:32 CET; 4s ago
Docs: man:fail2ban(1)
Process: 16703 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Main PID: 2206 (code=killed, signal=TERM)

mar 11 20:59:32 sL1pKn07 systemd[1]: Failed to start Fail2Ban Service.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Unit entered failed state.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Service hold-off time over, scheduling restart.
mar 11 20:59:32 sL1pKn07 systemd[1]: Stopped Fail2Ban Service.
mar 11 20:59:32 sL1pKn07 systemd[1]: fail2ban.service: Start request repeated too quickly.
mar 11 20:59:32 sL1pKn07 systemd[1]: Failed to start Fail2Ban Service.

└───╼ sudo fail2ban-client start
ERROR No file(s) found for glob /var/log/auth.log
ERROR Failed during configuration: Have not found any log file for sshd jail
Comment by Doug Newgard (Scimmia) - Saturday, 12 March 2016, 12:25 GMT
The problem was not described in the first post, only a proposed solution. Thank you for providing the logs.
Comment by Aaron Lindsay (aclindsa) - Saturday, 12 March 2016, 16:13 GMT
I'm also seeing this same issue (sshd jail not finding a log file). It looks like between 0.9.3-6 and 0.9.4-1, the /etc/fail2ban/jail.conf file gained the line:
sshd_backend = %(default_backend)s

It looks like this is the offending change, because adding 'default_backend = systemd' to my jail.local file made this error go away for me.
Comment by Gustavo Alvarez (sl1pkn07) - Saturday, 12 March 2016, 16:23 GMT
'default_backend' is set in the file 'paths-common.conf'
Comment by Aaron Lindsay (aclindsa) - Friday, 18 March 2016, 12:12 GMT
@sl1pkn07 - Yes, but you'll notice that it's set as "default_backend = auto" rather than "default_backend = systemd" in paths-common.conf. I believe this is what's causing fail2ban to attempt to use /var/log/auth.log for "syslog_authpriv" rather than the systemd journal. sshd_log is then set to syslog_authpriv in paths-common.conf, which then causes the error you're seeing (unless you override the default backend as I did, so it doesn't use /var/log/auth.log).
Comment by Gustavo Alvarez (sl1pkn07) - Saturday, 19 March 2016, 18:01 GMT
@aclindsa

└───╼ grep -R paths-common
paths-debian.conf:before = paths-common.conf
paths-opensuse.conf:before = paths-common.conf
paths-freebsd.conf:before = paths-common.conf
paths-osx.conf:before = paths-common.conf
paths-fedora.conf:before = paths-common.conf

This means 'paths-common.conf' is loaded before the 'paths-foo.conf' set in 'jail.conf'; by default, in the Arch package, 'paths-debian.conf' is set

└───╼ grep -R paths-
jail.conf:#before = paths-distro.conf
jail.conf:#before = paths-debian.conf
jail.conf:before = paths-fedora.conf
---snip---

The workaround is to set the file 'paths-fedora.conf' instead of 'paths-debian.conf' in the 'jail.conf' file

or make an Arch-specific 'paths-archlinux.conf' file and set/include it in 'jail.conf' in the package
Comment by Aaron Lindsay (aclindsa) - Tuesday, 22 March 2016, 13:06 GMT
@sl1pkn07 - I'm willing to believe you're right since I just noticed that although the error regarding /var/log/auth.log went away, fail2ban hasn't actually been banning anyone since I made that change. However, I still don't understand why my approach isn't working.
Comment by Abrar Syed (AbrarSyed) - Saturday, 17 September 2016, 18:39 GMT
bump?
This is also a solution to a problem I ran into with using fail2ban with roundcube. Arch has it configured to put the roundcube log in /var/log/roundcubemail/ by default, while the default fail2ban config is set to look at /var/roundcube/. This path is specified in paths-common.conf, and while it can be fixed by editing that file, having it overridden in a paths-arch.conf would be the more elegant and preferable solution.

Also worth mentioning that none of the mail applications (postfix, dovecot, sieve) that I tried worked without configuring the backend to be systemd. Considering Arch is all-in on systemd, I think this should also be specified as the default_config in the paths-arch.conf file.
Comment by Felix Yan (felixonmars) - Tuesday, 14 February 2017, 10:44 GMT
I've opened a PR for this, please let me know if anything needs to be adjusted: https://github.com/fail2ban/fail2ban/pull/1688
Comment by Gustavo Alvarez (sl1pkn07) - Sunday, 27 August 2017, 11:06 GMT
fixed in fail2ban 0.10.0

BUT

a missing variable in paths-arch.conf leads to a refusal to start

In my case (sshd jail activated):

Before, when 'paths-fedora.conf' was set, this variable existed:

'syslog_authpriv = /var/log/secure'

(see https://github.com/fail2ban/fail2ban/blob/0.11/config/paths-fedora.conf#L16)

this variable is called by the file 'paths-common.conf':

https://github.com/fail2ban/fail2ban/blob/0.11/config/paths-common.conf#L12

Now, in the file 'paths-arch.conf', that variable does not exist, so when I edit the file 'jail.conf' to change 'paths-fedora.conf' to 'paths-arch.conf' in the [INCLUDE] section and then reload the fail2ban service:

└───╼ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2017-08-27 12:37:42 CEST; 1s ago
Docs: man:fail2ban(1)
Process: 8789 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255)
Process: 8788 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 8789 (code=exited, status=255)

ago 27 12:37:42 sL1pKn07 systemd[1]: Starting Fail2Ban Service...
ago 27 12:37:42 sL1pKn07 systemd[1]: Started Fail2Ban Service.
ago 27 12:37:42 sL1pKn07 fail2ban-server[8789]: Failed during configuration: Bad value substitution: option 'logpath' in section 'sshd' contains an interpolation key 'syslog_authpriv' which is not a valid option name. Raw value: '%(sshd_log)s'
ago 27 12:37:42 sL1pKn07 fail2ban-server[8789]: Async configuration of server failed
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/n/a
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Unit entered failed state.
ago 27 12:37:42 sL1pKn07 systemd[1]: fail2ban.service: Failed with result 'exit-code'.

It seems the missing variable needs to be added to 'paths-arch.conf'.

The simple workaround is to create a file called 'paths-overrides.local' under '/etc/fail2ban' with this content:

---------------
[DEFAULT]

syslog_authpriv =

---------------
(the variable is empty because the default path does not exist)

or add the variable to the file 'paths-arch.conf'

or wait for it to be fixed upstream (felix?)

The other missing variables are:

------------
syslog_mail =
syslog_mail_warn =
syslog_user =
syslog_ftp =
syslog_daemon =
syslog_local0 =
------------
See the other paths-foo.conf files.

greetings
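
The include chain and the missing-key failure discussed in this thread, as an added example that is not part of any comment here and is not fail2ban's own code. It is a simplified model of the `before`/`after` include order that reports which `%(...)s` keys an option cannot resolve; the file contents are constructed stand-ins, the `[INCLUDES]` section name and the `after = paths-overrides.local` line are assumptions about the shipped files, and the `.local` overlay of each `.conf` file is not modelled.

```python
import configparser
import re

REF = re.compile(r"%\(([^)]+)\)s")  # %(name)s interpolation references

# Constructed, trimmed stand-ins for files in /etc/fail2ban (not the shipped contents).
FILES = {
    "jail.conf": "[INCLUDES]\nbefore = paths-arch.conf\n"
                 "[sshd]\nlogpath = %(sshd_log)s\n",
    "paths-arch.conf": "[INCLUDES]\nbefore = paths-common.conf\n"
                       "[DEFAULT]\ndefault_backend = systemd\n",
    "paths-common.conf": "[INCLUDES]\nafter = paths-overrides.local\n"
                         "[DEFAULT]\ndefault_backend = auto\n"
                         "sshd_log = %(syslog_authpriv)s\n",
}
# The override file proposed in the thread: defines the key with an empty value.
OVERRIDE = {"paths-overrides.local": "[DEFAULT]\nsyslog_authpriv =\n"}

def load(name, files, merged=None):
    """Merge `name` into `merged`: 'before' includes, then the file, then 'after'."""
    merged = {} if merged is None else merged
    if name not in files:  # optional include (e.g. a .local file) that is absent
        return merged
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    cp = configparser.RawConfigParser(default_section="__unused__")
    cp.read_string(files[name])
    for inc in cp.get("INCLUDES", "before", fallback="").split():
        load(inc, files, merged)
    for sec in cp.sections():
        if sec != "INCLUDES":
            merged.setdefault(sec, {}).update(cp.items(sec, raw=True))
    for inc in cp.get("INCLUDES", "after", fallback="").split():
        load(inc, files, merged)
    return merged

def missing_keys(merged, section, option):
    """Follow %(key)s references from `option`; return keys defined nowhere."""
    scope = {**merged.get("DEFAULT", {}), **merged.get(section, {})}
    missing, seen, todo = set(), set(), [option]
    while todo:
        key = todo.pop()
        if key in seen:
            continue
        seen.add(key)
        if key in scope:
            todo.extend(k.lower() for k in REF.findall(scope[key]))
        else:
            missing.add(key)
    return sorted(missing)

if __name__ == "__main__":
    print(missing_keys(load("jail.conf", FILES), "sshd", "logpath"))
    print(missing_keys(load("jail.conf", {**FILES, **OVERRIDE}), "sshd", "logpath"))
```

Running the same check over the real files before restarting the service shows an unresolved key without taking the jail down, which matters because a fail2ban that refuses to start leaves sshd with no banning at all.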
Comment by Monson Shao (monson) - Monday, 30 October 2017, 07:03 GMT
This is fixed in upstream.

But PKGBUILD needs a sed -i 's/before = paths-debian.conf/before = paths-arch.conf/' "$pkgdir"/etc/fail2ban/jail.conf.
Comment by Felix Yan (felixonmars) - Friday, 03 November 2017, 08:40 GMT
All implemented in 0.10.1-2.
