Package: fail2ban
Version: 0.9.1-1
Severity: important
Dear Maintainer,
when a system is configured to use the systemd journal as the
sole logging system, i.e. when none of the packages provided by
system-log-daemon are installed, the default sshd jail does not work.
When logging on the system is done using the systemd journal, the
file /var/log/auth.log is not used anymore. While fail2ban 0.9
can use the systemd journal for matching offending log entries, the
Debian package comes with a "backend = auto" statement that
effectively disables matching against entries in the journal. As the
log files in /var/log are not updated anymore, fail2ban becomes
useless.
In order to have the sshd jail work correctly, I had to:
1. install python3-systemd, which is right now only suggested by
fail2ban, but given that systemd is going to be default in jessie
it should probably become a Depends
2. activate the systemd backend by adding
[DEFAULT]
backend = systemd
to the jail.d/defaults-debian.conf file
3. modify filter.d/sshd.conf to use the correct name of the sshd
systemd unit in Debian, which is ssh.service and not
sshd.service:
[Init]
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
I did not find a way to perform 3 in a way that is robust against future
upgrades of the fail2ban package...
With the above mentioned modifications in place fail2ban correctly
bans abusive hosts. I am not sure if syslog-ng or rsyslog are still
going to be installed by default in jessie (probably yes?), but
I would assume that a number of people would want to solely rely on
the systemd journal, as otherwise logging gets duplicated, and would
be unhappy to discover that fail2ban has not been working for months
(as happened to me ;).
I don't know if fail2ban should use the systemd backend by default,
but the steps needed to make it work that way should be at least
mentioned in NEWS.Debian or README.Debian *and* the sshd filter
should use the correct name of the systemd unit [maybe all filters
should be checked for wrong systemd unit names?].
As a side note, do you think that package systemd should Provide
system-log-daemon? Is this worth filing a bug against systemd?
Ciao,
Tiziano
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.17-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fail2ban depends on:
ii init-system-helpers 1.21
ii lsb-base 4.1+Debian13+nmu1
ii python3 3.4.2-1
pn python3:any <none>
Versions of packages fail2ban recommends:
ii iptables 1.4.21-2+b1
pn python3-pyinotify <none>
ii whois 5.2.2
Versions of packages fail2ban suggests:
pn mailx <none>
ii python3-systemd 215-6
pn system-log-daemon <none>
-- Configuration Files:
/etc/fail2ban/filter.d/sshd.conf changed:
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
ignoreregex =
[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
/etc/fail2ban/jail.d/defaults-debian.conf changed:
[DEFAULT]
backend = systemd
[sshd]
enabled = true
-- no debconf information
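Editor's note on the upgrade-robustness problem raised in the report: fail2ban reads a NAME.local file after the matching NAME.conf (for jail settings as well as for filters under filter.d/), and keys in the .local file win, so the backend and the Debian unit name can be placed in override files that a package upgrade will not overwrite. The Python below is an added example, not code from the bug report or from the fail2ban package. It emulates that layering with a plain configparser (a simplification: fail2ban's own reader also handles `before =` includes and jail.d/ directories), writes constructed, trimmed stand-ins for the shipped files under a temporary root (the paths are assumptions for the example), and checks the unit named in journalmatch against a constructed list standing in for the units present on a Debian host, where OpenSSH runs as ssh.service.

```python
# Added example, not code from the bug report or the fail2ban project.
# Emulates fail2ban's .conf/.local layering and checks the journalmatch
# unit name against the units actually present on the host.
import configparser
import os
import re
import tempfile

# Constructed, trimmed stand-ins for the shipped files (assumed paths,
# created under a temporary root when the example runs).
SHIPPED_FILTER_CONF = """\
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sFailed \\S+ for .*? from <HOST>\\s*$
ignoreregex =

[Init]
maxlines = 10
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
"""

SHIPPED_JAIL_CONF = """\
[DEFAULT]
backend = auto

[sshd]
enabled = true
"""

# Override files an administrator would add. They carry only the keys
# that must differ from the shipped defaults, so upgrades leave them alone.
FILTER_LOCAL = """\
[Init]
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
"""

JAIL_LOCAL = """\
[DEFAULT]
backend = systemd
"""

# Constructed list standing in for `systemctl list-units --type=service`
# on a Debian host: OpenSSH is ssh.service there, not sshd.service.
DEBIAN_UNITS = ["ssh.service", "systemd-journald.service", "cron.service"]


def write_tree(root, with_overrides):
    """Create the shipped files under root, plus the .local overrides if asked."""
    os.makedirs(os.path.join(root, "filter.d"), exist_ok=True)
    files = {
        "filter.d/sshd.conf": SHIPPED_FILTER_CONF,
        "jail.conf": SHIPPED_JAIL_CONF,
    }
    if with_overrides:
        files["filter.d/sshd.local"] = FILTER_LOCAL
        files["jail.local"] = JAIL_LOCAL
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def load_layered(conf_path):
    """Read NAME.conf then NAME.local; keys from .local win.
    Interpolation is off so %(__prefix_line)s placeholders survive as-is."""
    cp = configparser.ConfigParser(interpolation=None)
    local_path = conf_path[: -len(".conf")] + ".local"
    cp.read([conf_path, local_path])  # a missing .local is silently skipped
    return cp


def effective_settings(root):
    """Values the sshd jail would end up using after layering."""
    jail = load_layered(os.path.join(root, "jail.conf"))
    filt = load_layered(os.path.join(root, "filter.d", "sshd.conf"))
    return {
        "backend": jail.get("sshd", "backend"),  # inherited from [DEFAULT]
        "failregex": filt.get("Definition", "failregex"),
        "journalmatch": filt.get("Init", "journalmatch"),
    }


def journal_unit(journalmatch):
    """Unit named by the _SYSTEMD_UNIT= field of a journal match, or None."""
    m = re.search(r"_SYSTEMD_UNIT=(\S+)", journalmatch)
    return m.group(1) if m else None


def unit_exists(journalmatch, units):
    """True when the unit in journalmatch is one the host actually runs."""
    return journal_unit(journalmatch) in units


def demo(with_overrides):
    """Build a tree with or without overrides and report what fail2ban would use."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, with_overrides)
        settings = effective_settings(root)
    settings["unit_ok"] = unit_exists(settings["journalmatch"], DEBIAN_UNITS)
    return settings


if __name__ == "__main__":
    for flag in (False, True):
        s = demo(flag)
        print("overrides" if flag else "shipped", s["backend"],
              s["journalmatch"], "unit present:", s["unit_ok"])
```

On a real host the two checks to run are `systemctl list-units --type=service | grep ssh`, which shows the unit name the journal will tag sshd messages with, and `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf`, which in 0.9 reads the journal instead of a log file and reports whether the filter matches anything at all; with the shipped sshd.service match on a Debian system the second command finds no lines.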