On 3/8/2021 10:24 AM, Phillip Carroll wrote:
I will just need to check it for manual restart whenever csf does one of its automatic updates.

After further analysis, I finally realized why the csf update is killing fail2ban and also why fail2ban fails to restart after the csf update completed.

The problem stemmed from the systemd fail2ban.service definition. Most CentOS sysops run firewalld.service as their firewall, whereas the firewall service on my system is lfd.service. (csf is the tool used to configure lfd.)

When csf updates, it stops the lfd.service, indirectly stopping the iptables and ipset services that fail2ban states that it needs in its service definition file, which therefore causes systemd to kill fail2ban. All OK.

However, the default fail2ban.service definition doesn't contain anything that would cause systemd to restart it when lfd is restarted after the update.

I have now changed the following two lines in the fail2ban service definition:

After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=firewalld.service

Those lines now read:

After=network.target iptables.service lfd.service ip6tables.service ipset.service nftables.service
PartOf=lfd.service

After making this change, I tested it by restarting lfd. As expected, systemd shut down fail2ban, and then after restarting lfd, it also started fail2ban.

Someday, I may get to a state where I actually fully understand this OS. LOL

Phil


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
