
Comments (6)

sebres commented on June 20, 2024

I had to manually tweak the "systemd" in /etc/fail2ban/paths-common.conf to replace

Well, it depends on what paths-common.conf contains in your case, e.g. whether it was (incorrectly) patched by maintainers etc...
However, I guess some configs were changed previously by hand (and not upgraded later), or you have some mix now.
Don't modify *.conf files... Instead, just use *.local to write local modifications only (not a copy of *.conf, but an empty file with the modified parameters only).

You can compare your version with the stock paths-common.conf and paths-debian.conf (or whatever is included in your jail.conf).

Anyway, one doesn't need to set default_backend, because normally in jail.conf the sshd jail uses

backend = %(sshd_backend)s

and it is included in
sshd_backend = systemd

So I'm unsure whether setting default_backend would set it for the sshd jail.

Instead, you have either to set sshd_backend or to specify it directly in the sshd jail in your jail.local (where you enable the jail):

[sshd]
backend = systemd
enabled = true

But after this, even if fail2ban is working, it does not see anything coming from journal regarding sshd.

Firstly, ensure that the sshd jail really uses backend systemd (inspect fail2ban.log or the output of fail2ban-client -d | grep sshd).

Also you have to check whether you can see the sshd messages with journalctl.
If so, there may be two reasons:

  • either incorrect journalflags (see #2444 for details)
  • or incorrect journalmatch... by default sshd filter uses
    journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

    You can find the correct value if you inspect the JSON output of journalctl for some sshd message that must match.

You could then check whether you'd see matches with other values using:
fail2ban-regex --journalmatch="..." systemd-journal[journalflags=1] sshd.

If there are no sshd messages with journalctl either, you have to find the logpath where sshd really logs, set it in the jail and then set backend to auto (for file-related monitoring).


redsector72 commented on June 20, 2024

Thanks @sebres,
Here is my report after your suggestions:

  1. Tried to make a /etc/fail2ban/paths-common.local and revert the .conf to default, but then fail2ban won't start. Maybe I've not understood the suggestion.

  2. With fail2ban-client -d | grep sshd I see
    ['add', 'sshd', 'systemd']
    so I suppose it's correct.

  3. In journalctl I see sshd events correctly in real time:
    May 19 04:47:13 Raspi sshd[351506]: Failed password for XxX from 192.168.1.7 port 54837 ssh2

  4. I've tried to decode the rest of your message and I figured out that the raspi journalctl will produce JSON entries of sshd
    with journalctl -t sshd -o json-pretty,
    like this one:
    {
    "MESSAGE" : "Received signal 15; terminating.",
    "_SYSTEMD_UNIT" : "ssh.service",
    "_SYSTEMD_CGROUP" : "/system.slice/ssh.service",
    "SYSLOG_IDENTIFIER" : "sshd",
    "_RUNTIME_SCOPE" : "system",
    "_UID" : "0",
    "_TRANSPORT" : "syslog",
    "_GID" : "0",
    "_BOOT_ID" : "fd170a20f4014d829c87630ba9b99c59",
    "SYSLOG_FACILITY" : "4",
    "_CAP_EFFECTIVE" : "1ffffffffff",
    "PRIORITY" : "6",
    "_SYSTEMD_SLICE" : "system.slice",
    "__MONOTONIC_TIMESTAMP" : "1236398097895",
    "_EXE" : "/usr/sbin/sshd",
    "SYSLOG_TIMESTAMP" : "May 11 01:38:23 ",
    "_PID" : "3026454",
    "_HOSTNAME" : "raspi",
    "__CURSOR" : "s=70a9a355a57644179aad5c7dc55898cf;i=ffeb;b=fd170a20f4014d829c87630ba9b99c59;m=11fdf11c5e7;t=618270f8a1c65;x=cb45d48fd36426df",
    "_COMM" : "sshd",
    "_CMDLINE" : "\"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups\"",
    "_SYSTEMD_INVOCATION_ID" : "6151415db05e43ce8ebdb42aebfd384e",
    "_SOURCE_REALTIME_TIMESTAMP" : "1715405903764563",
    "__REALTIME_TIMESTAMP" : "1715405903764581",
    "SYSLOG_PID" : "3026454",
    "_MACHINE_ID" : "0605a94ee130427f8d1f8d8fa39b4082"
    }

I have to note that to get this output I am not able to use the -u option, as the service name is ssh and not sshd, but looking into this JSON log I cannot see the failed elements.

So I dug further and looked at the full journal in JSON.
When a password is wrong I see:
{"_HOSTNAME":"Raspi","MESSAGE":"Failed password for pi from 192.168.1.7 port 56310 ssh2","SYSLOG_IDENTIFIER":"sshd","_SYSTEMD_INVOCATION_ID":"f89307b2e15d42c5a30aa75db319c80f","SYSLOG_PID":"352486","_RUNTIME_SC>

I cannot figure out anything further.
Thanks for any assistance.


redsector72 commented on June 20, 2024

I've found the solution (at least it seems so). I paste the solution found elsewhere for the people. In my previous implementation I was missing the "Init" part.

Seems there is a bug with the Debian implementation of fail2ban, where the Debian backend is now all systemd but fail2ban expects the old way of logging. Here's how you fix it.

First, activate systemd as the backend by going to defaults-debian.conf using the command: sudo nano /etc/fail2ban/defaults-debian.conf

and adding backend = systemd under the [DEFAULT] tag in the file. So it looks like:

[DEFAULT]
backend = systemd

Next, go to /etc/fail2ban/filter.d/sshd.conf and find the line: journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

Add the word [Init] above it. So now it should look like:

[Init]
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

Done.

Now restart the service with: sudo systemctl restart fail2ban, and then check with sudo systemctl status fail2ban.


sebres commented on June 20, 2024

Seems There is a bug with the Debian implementation of fail2ban, where the debian backend is now all systemd but fail2ban expects the old way for logging

I don't see the issue in stock Debian 12; the unit is indeed ssh, but it'd anyway find all entries by _COMM=sshd, and therefore journalmatch still works as expected on my Debian boxes.

@fail2ban/maintainers, @sylvestre what shall we do here?

Anyway, for the people having the same issue for some reason, the simple configuration can be this (directly in jail.local for the sshd jail, where you enable it):

[sshd]
backend = systemd
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
enabled = true

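To make the diagnostic step from the first comment (inspect the journal's JSON output and find a journalmatch value that selects the sshd messages) and the journalmatch values discussed in the comments above concrete, here is an added example script. It is not part of this thread and not fail2ban's own code. It reads entries in the one-object-per-line format of journalctl -o json and applies a journalmatch expression the way fail2ban's systemd backend is documented to: FIELD=VALUE terms inside a group are AND-ed, and a standalone "+" token starts an alternative (OR) group. The sample journal, the hostnames and the 203.0.113.5 address are constructed; the function and constant names are my own.

```python
"""Check which journal entries a fail2ban journalmatch expression selects.

Added example for this thread (not fail2ban's own code).  It reads journal
entries in the one-object-per-line format of `journalctl -o json` and applies
a journalmatch expression the way fail2ban's systemd backend is documented to:
FIELD=VALUE terms inside a group must all hold (AND), and a standalone "+"
token starts an alternative group (OR).  The sample journal below is
constructed; only the fields the match needs are kept.
"""
import json
import sys


def parse_journalmatch(expr):
    """Split '_SYSTEMD_UNIT=sshd.service + _COMM=sshd' into OR-groups of
    AND-ed (field, value) pairs:
    [[('_SYSTEMD_UNIT', 'sshd.service')], [('_COMM', 'sshd')]]"""
    groups, current = [], []
    for token in expr.split():
        if token == "+":            # disjunction: start a new alternative
            if current:
                groups.append(current)
            current = []
            continue
        field, sep, value = token.partition("=")
        if not sep or not field:
            raise ValueError(f"bad journalmatch term: {token!r}")
        current.append((field, value))
    if current:
        groups.append(current)
    return groups


def entry_matches(entry, groups):
    """True when at least one group has every term satisfied by the entry.
    A missing field never matches, so a wrong unit name silently selects
    nothing, which is exactly the 'fail2ban sees nothing' symptom."""
    return any(
        all(str(entry.get(field)) == value for field, value in group)
        for group in groups
    )


def matching_messages(json_lines, expr):
    """Return the MESSAGE of every entry selected by the expression."""
    groups = parse_journalmatch(expr)
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry_matches(entry, groups):
            hits.append(entry.get("MESSAGE", ""))
    return hits


# Constructed sample journal (three trimmed entries).
SAMPLE_JOURNAL = [
    # Debian-style entry as in the thread: unit is ssh.service, _COMM is sshd.
    json.dumps({"_HOSTNAME": "Raspi", "_SYSTEMD_UNIT": "ssh.service", "_COMM": "sshd",
                "SYSLOG_IDENTIFIER": "sshd",
                "MESSAGE": "Failed password for pi from 192.168.1.7 port 56310 ssh2"}),
    # A distro whose unit is named sshd.service (constructed; 203.0.113.5 is a
    # documentation address).
    json.dumps({"_SYSTEMD_UNIT": "sshd.service", "_COMM": "sshd",
                "MESSAGE": "Failed password for root from 203.0.113.5 port 4022 ssh2"}),
    # Unrelated entry that must never be selected.
    json.dumps({"_SYSTEMD_UNIT": "cron.service", "_COMM": "cron",
                "MESSAGE": "(CRON) INFO (pidfile fd = 3)"}),
]

STOCK_MATCH = "_SYSTEMD_UNIT=sshd.service + _COMM=sshd"   # stock sshd filter value
DEBIAN_MATCH = "_SYSTEMD_UNIT=ssh.service + _COMM=sshd"   # value used in the thread
UNIT_ONLY = "_SYSTEMD_UNIT=sshd.service"                   # too narrow for Debian

if __name__ == "__main__":
    expr = sys.argv[1] if len(sys.argv) > 1 else STOCK_MATCH
    lines = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin
    print(f"journalmatch = {expr}")
    for msg in matching_messages(lines, expr):
        print("  matched:", msg)
```

Run it without input to see the constructed sample, or feed a real journal (the file name is hypothetical): journalctl -t sshd -o json | python3 journalmatch_check.py "_SYSTEMD_UNIT=ssh.service + _COMM=sshd". On the sample, both the stock value and the Debian value select the two sshd failures, because the _COMM=sshd alternative catches the ssh.service entry, which is the point made above about stock Debian 12; a unit-only match of sshd.service selects nothing from the Debian-style entry. Treat this as a quick way to read the JSON before confirming with fail2ban-regex as suggested in the first comment.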

sylvestre commented on June 20, 2024

@sebres sure, let me fix that. Where do you recommend I add this? (ssh by default)
Here?
https://salsa.debian.org/python-team/packages/fail2ban/-/blob/master/debian/debian-files/jail.d_defaults-debian.conf
Thanks


sebres commented on June 20, 2024

Yep, it looks like a good place for that... Just, the question is how it looks with other distros...
If this is the default name for the unit now, we could then adjust it here, directly in the stock filter in

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

