Comments (6)
I had to manually tweak the "systemd" in /etc/fail2ban/paths-common.conf to replace
Well, it depends what paths-common.conf does contain in your case, e.g. whether it was (incorrectly) patched by maintainers etc...
However I guess some configs are changed previously by hand (and not upgraded later) or you have some mix now.
Don't modify *.conf files... Instead, just use *.local to write local modifications only (not a copy of *.conf, but an empty file with modified parameters only).
You can compare your version with the stock paths-common.conf and paths-debian.conf (or whatever is included in your jail.conf).
Anyway one doesn't need to set default_backend, because normally in jail.conf the sshd jail uses the setting at line 282 in 65e9c41, and it is included in fail2ban/config/paths-debian.conf (line 15 in 65e9c41).
So I'm unsure setting of default_backend would set it to the sshd jail.
Instead, you have either to set sshd_backend or to specify it directly in jail sshd in your jail.local (where you enable the jail):
[sshd]
backend = systemd
enabled = true
But after this, even if fail2ban is working, it does not see anything coming from the journal regarding sshd.
Firstly ensure that the sshd jail really uses backend systemd (inspect fail2ban.log or the output of fail2ban-client -d | grep sshd).
Also you've to check whether you can see the sshd messages with journalctl.
If so there may be two reasons:
- either incorrect journalflags (see #2444 for details)
- or incorrect journalmatch... by default the sshd filter uses fail2ban/config/filter.d/sshd.conf (line 129 in 65e9c41)
You can find the correct value if you inspect the JSON output of journalctl for some sshd message that must match.
You could then check whether you'd see matches with other values using:
fail2ban-regex --journalmatch="..." systemd-journal[journalflags=1] sshd
If there are no sshd messages with journalctl too, you have to find the logpath where sshd really logs, set it to the jail and then set backend to auto (for file related monitoring).
from fail2ban.
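The .conf-plus-.local layering and the two ways of putting the sshd jail on the systemd backend described in the comment above, as an added example that is not fail2ban's own code: Python's configparser stands in for fail2ban's reader, which parses <name>.conf and then <name>.local on top of it and resolves %(key)s references after merging. The file contents are constructed stand-ins that keep only the keys needed here, not copies of the real distribution files.

```python
import configparser

# Constructed stand-in for the stock jail.conf: the sshd jail takes its backend
# from the sshd_backend variable (assumption; the real file chains more includes).
STOCK_JAIL_CONF = """
[DEFAULT]
backend = auto
sshd_backend = auto

[sshd]
port = ssh
backend = %(sshd_backend)s
"""

# Two minimal jail.local variants holding only the modified parameters:
# either set the sshd_backend variable, or set backend directly in [sshd].
LOCAL_VIA_VARIABLE = """
[DEFAULT]
sshd_backend = systemd

[sshd]
enabled = true
"""

LOCAL_DIRECT = """
[sshd]
enabled = true
backend = systemd
"""

def load_layered(*texts):
    """Parse the config texts in order; later ones override earlier keys,
    which is the .conf-then-.local order fail2ban applies."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in texts:
        cp.read_string(text)
    return cp

def sshd_backend(*texts):
    """Backend the sshd jail ends up with after layering and %()s resolution."""
    return load_layered(*texts).get("sshd", "backend")

if __name__ == "__main__":
    print("stock only:       ", sshd_backend(STOCK_JAIL_CONF))
    print("via sshd_backend: ", sshd_backend(STOCK_JAIL_CONF, LOCAL_VIA_VARIABLE))
    print("direct in [sshd]: ", sshd_backend(STOCK_JAIL_CONF, LOCAL_DIRECT))
```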
Thanks @sebres,
Here is my report after your suggestions:
- Tried to make a /etc/fail2ban/paths-common.local and revert the .conf to default, but then fail2ban won't start. Maybe I've not understood the suggestion.
- With fail2ban-client -d | grep sshd I see ['add', 'sshd', 'systemd'] so I suppose it's correct.
- In journalctl I see sshd events correctly in real-time:
May 19 04:47:13 Raspi sshd[351506]: Failed password for XxX from 192.168.1.7 port 54837 ssh2
I've tried to decode the rest of your message and I figured out that raspi journalctl will produce JSON entries of sshd with journalctl -t sshd -o json-pretty like this one:
{
"MESSAGE" : "Received signal 15; terminating.",
"_SYSTEMD_UNIT" : "ssh.service",
"_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
"SYSLOG_IDENTIFIER" : "sshd",
"_RUNTIME_SCOPE" : "system",
"_UID" : "0",
"_TRANSPORT" : "syslog",
"_GID" : "0",
"_BOOT_ID" : "fd170a20f4014d829c87630ba9b99c59",
"SYSLOG_FACILITY" : "4",
"_CAP_EFFECTIVE" : "1ffffffffff",
"PRIORITY" : "6",
"_SYSTEMD_SLICE" : "system.slice",
"__MONOTONIC_TIMESTAMP" : "1236398097895",
"_EXE" : "/usr/sbin/sshd",
"SYSLOG_TIMESTAMP" : "May 11 01:38:23 ",
"_PID" : "3026454",
"_HOSTNAME" : "raspi",
"__CURSOR" : "s=70a9a355a57644179aad5c7dc55898cf;i=ffeb;b=fd170a20f4014d829c87630ba9b99c59;m=11fdf11c5e7;t=618270f8a1c65;x=cb45d48fd36426df",
"_COMM" : "sshd",
"_CMDLINE" : "\"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups\"",
"_SYSTEMD_INVOCATION_ID" : "6151415db05e43ce8ebdb42aebfd384e",
"_SOURCE_REALTIME_TIMESTAMP" : "1715405903764563",
"__REALTIME_TIMESTAMP" : "1715405903764581",
"SYSLOG_PID" : "3026454",
"_MACHINE_ID" : "0605a94ee130427f8d1f8d8fa39b4082"
}
I have to note that to get this output I am not able to use the -u option as the service name is ssh and not sshd, but looking into this JSON log I cannot see the failed elements.
So I dug further and looked at the full journal in JSON. When a password is wrong I see:
{"_HOSTNAME":"Raspi","MESSAGE":"Failed password for pi from 192.168.1.7 port 56310 ssh2","SYSLOG_IDENTIFIER":"sshd","_SYSTEMD_INVOCATION_ID":"f89307b2e15d42c5a30aa75db319c80f","SYSLOG_PID":"352486","_RUNTIME_SC>
I cannot figure out any further.
Thanks for any assistance.
I've found the solution (at least it seems like so). I paste the solution found elsewhere for the people. In my previous implementation I was missing the "init" part.
Seems there is a bug with the Debian implementation of fail2ban, where the Debian backend is now all systemd but fail2ban expects the old way for logging. Here's how you fix it.
First, activate systemd as the backend by going to the defaults-debian.conf using the command: sudo nano /etc/fail2ban/defaults-debian.conf
and adding backend = systemd under the [DEFAULTS] tag in the file. So it looks like:
[DEFAULT]
backend = systemd
Next, go to /etc/fail2ban/filter.d/sshd.conf and find the line: journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
and add the word [Init] above it. So now it should look like:
[Init]
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
Done.
Now restart the service with: sudo systemctl restart fail2ban, and then check with sudo systemctl status fail2ban.
Seems there is a bug with the Debian implementation of fail2ban, where the Debian backend is now all systemd but fail2ban expects the old way for logging
I don't see the issue in stock Debian 12, the unit is indeed ssh, but it'd anyway find all entries by _COMM=sshd and therefore journalmatch still works as expected on my Debian boxes.
@fail2ban/maintainers, @sylvestre what shall we do here?
Anyway for the people having same issue for some reason, the simple configuration can be this (directly in jail.local for the sshd jail, where you enable it):
[sshd]
backend = systemd
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
enabled = true
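The journalmatch behaviour discussed in the first comment (finding the right value from journalctl's JSON output) and in this reply (why "+ _COMM=sshd" still finds Debian's ssh.service entries) can be reproduced offline. This is an added example, not fail2ban's own code: it mimics how fail2ban's systemd backend turns a journalmatch string into systemd journal matches (assumption: "+" separates OR alternatives; inside one alternative, FIELD=value terms on different fields are AND-ed and several values of the same field are OR-ed) and runs it over constructed journalctl -o json records.

```python
import json

# Constructed records in `journalctl -o json` shape, one per line: Debian names
# the unit ssh.service, other distros sshd.service.
SAMPLE_JOURNAL = "\n".join(json.dumps(e) for e in [
    {"_SYSTEMD_UNIT": "ssh.service", "_COMM": "sshd",
     "MESSAGE": "Failed password for pi from 192.168.1.7 port 56310 ssh2"},
    {"_SYSTEMD_UNIT": "sshd.service", "_COMM": "sshd",
     "MESSAGE": "Failed password for root from 192.168.1.9 port 40000 ssh2"},
    {"_SYSTEMD_UNIT": "cron.service", "_COMM": "cron",
     "MESSAGE": "pam_unix(cron:session): session opened for user root"},
])

def parse_journalmatch(expr):
    """'A=1 B=2 + C=3' -> [[('A','1'), ('B','2')], [('C','3')]].
    Assumption (mirrors fail2ban's systemd backend): '+' separates
    alternatives, each alternative is a list of FIELD=value matches."""
    groups = []
    for alternative in expr.split("+"):
        terms = []
        for token in alternative.split():
            if "=" not in token:
                raise ValueError(f"bad journalmatch term: {token!r}")
            terms.append(tuple(token.split("=", 1)))
        if terms:
            groups.append(terms)
    return groups

def entry_matches(entry, groups):
    """systemd match semantics: alternatives are OR-ed; within one alternative
    different fields are AND-ed and several values of one field are OR-ed."""
    for terms in groups:
        wanted = {}
        for field, value in terms:
            wanted.setdefault(field, set()).add(value)
        if all(entry.get(f) in vals for f, vals in wanted.items()):
            return True
    return False

def matching_messages(journal_json_lines, journalmatch):
    """MESSAGE of every record the journalmatch selects, in journal order."""
    groups = parse_journalmatch(journalmatch)
    return [json.loads(line)["MESSAGE"] for line in journal_json_lines.splitlines()
            if line.strip() and entry_matches(json.loads(line), groups)]

if __name__ == "__main__":
    for jm in ("_SYSTEMD_UNIT=sshd.service", "_SYSTEMD_UNIT=sshd.service + _COMM=sshd"):
        print(jm, "->", matching_messages(SAMPLE_JOURNAL, jm))
```

With only _SYSTEMD_UNIT=sshd.service the Debian record is skipped; once + _COMM=sshd is present both sshd records are selected, which is the point made about the stock filter line.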
@sebres sure, let me fix that. Where do you recommend I add this? (ssh by default)
Here? https://salsa.debian.org/python-team/packages/fail2ban/-/blob/master/debian/debian-files/jail.d_defaults-debian.conf
Thanks
Yep, it looks like a good place for that... Just, the question is how it looks with other distros...
If this is the default name for the unit now, we could then adjust it here, directly in the stock filter in fail2ban/config/filter.d/sshd.conf (line 129 in 65e9c41).