On 12/07/2021 03:59, Simon Wilson via Fail2ban-users wrote:
----- Message from Nick Howitt <n...@howitts.co.uk> ---------
Date: Sat, 10 Jul 2021 10:50:02 +0100
From: Nick Howitt <n...@howitts.co.uk>
Subject: [Fail2ban-users] NOTICE Jail started without 'journalmatch' set
To: fail2ban-users@lists.sourceforge.net
I am running F2b v0.11.1 from EPEL on ClearOS 7 (binary compatible
with CentOS 7). Every time I start f2b I see the following in my logs:
2021-07-09 07:18:48,499 fail2ban.filtersystemd [5101]: INFO [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO maxRetry: 5
2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO encoding: UTF-8
2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO findtime: 36000
2021-07-09 07:18:48,505 fail2ban.actions [5101]: INFO banTime: 432000
2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Creating new jail 'postfix-sasl'
2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Jail 'postfix-sasl' uses systemd {}
2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Initiated 'systemd' backend
2021-07-09 07:18:48,506 fail2ban.filtersystemd [5101]: INFO [postfix-sasl] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO maxRetry: 1
2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO encoding: UTF-8
2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO findtime: 14400
2021-07-09 07:18:48,508 fail2ban.actions [5101]: INFO banTime: 432000
2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Creating new jail 'cyrus-imap'
2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Jail 'cyrus-imap' uses systemd {}
2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Initiated 'systemd' backend
2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO maxRetry: 1
2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO encoding: UTF-8
2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO findtime: 86400
2021-07-09 07:18:48,510 fail2ban.actions [5101]: INFO banTime: 432000
<snip>
2021-07-09 07:18:48,993 fail2ban.jail [5101]: INFO Jail 'postfix' started
2021-07-09 07:18:48,997 fail2ban.jail [5101]: INFO Jail 'postfix-sasl' started
2021-07-09 07:18:48,997 fail2ban.filtersystemd [5101]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2021-07-09 07:18:48,998 fail2ban.jail [5101]: INFO Jail 'cyrus-imap' started
I assume the journalmatch warning is in reference to the preceding
jail, postfix-sasl, but if that is the case, why is the postfix jail
not seeing the same warning?
At the same time the jails are using the default basic configuration
except for changed findtime, bantime and max retries, and for
cyrus-imap the port range is extended to include imap3, pop3 and pop3s.
Do you know why I am getting the warning and what I need to do to
fix it?
Regards,
Nick
It's the cyrus-imap jail, not Postfix - that line is BEFORE the
applicable jail, not after it... it's a message on its way to starting
the jail. Postfix jail has already started when that message is logged,
so it's fine - as also indicated by the earlier messages in your log
about "added journal match".
Look in /etc/fail2ban/filter.d/cyrus.imap.conf and you will see it has
no journal-match line.
I have added
journalmatch = _SYSTEMD_UNIT=cyrus-imapd.service
... on my machine to a copied cyrus.imap.conf file as cyrus.imap.local.
Simon.
Thanks, I see. I've created a cyrus-imap.local file with just an [INIT]
section in it with "journalmatch = _SYSTEMD_UNIT=cyrus-imapd.service"
and it worked.
Tracking back, some jails, like postfix and cyrus-imap, have a backend
set, and those then seem to need a journalmatch. It looks like if there
is no backend specified, f2b falls back to a polling backend and no
journalmatch is needed. What are the pros and cons of the different
backends?
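
An added example (not part of the original thread and not fail2ban's own code): a small audit that lists enabled jails on the systemd backend whose filter defines no journalmatch, which is the condition behind the NOTICE discussed above. The function names and the sample tree are constructed for illustration; it assumes the usual jail.conf / jail.d / jail.local / filter.d layout, matches the init section name case-insensitively, and does not follow "before =" include chains.

```python
import configparser, pathlib, tempfile

def read_ini(*paths):
    # Raw read: fail2ban's %(name)s substitutions are left as plain text.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read([p for p in paths if p.is_file()])
    return cp

def jails_missing_journalmatch(root):
    """Return enabled systemd-backend jails whose filter sets no journalmatch."""
    root = pathlib.Path(root)
    jails = read_ini(root / "jail.conf", *sorted(root.glob("jail.d/*.conf")),
                     root / "jail.local", *sorted(root.glob("jail.d/*.local")))
    missing = []
    for name in jails.sections():
        jail = jails[name]  # lookups fall back to [DEFAULT] automatically
        enabled = jail.get("enabled", fallback="false").strip().lower() == "true"
        if not (enabled and jail.get("backend", fallback="").startswith("systemd")):
            continue
        # Filter name defaults to the jail name; drop any [option=...] suffix.
        filt = jail.get("filter", fallback=name).replace("%(__name__)s", name)
        filt = filt.split("[")[0].strip()
        f = read_ini(root / "filter.d" / f"{filt}.conf",
                     root / "filter.d" / f"{filt}.local")
        # Assumption of this example: section name compared case-insensitively.
        if not any(s.lower() == "init" and f[s].get("journalmatch", fallback="").strip()
                   for s in f.sections()):
            missing.append(name)
    return missing

def demo():
    # Constructed sample tree mirroring the thread, before and after the .local fix.
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "filter.d").mkdir()
        (root / "jail.local").write_text(
            "[DEFAULT]\nbackend = systemd\n[postfix]\nenabled = true\n[cyrus-imap]\nenabled = true\n")
        (root / "filter.d/postfix.conf").write_text(
            "[Definition]\nfailregex = reject: .* <HOST>\n"
            "[Init]\njournalmatch = _SYSTEMD_UNIT=postfix.service\n")
        (root / "filter.d/cyrus-imap.conf").write_text(
            "[Definition]\nfailregex = badlogin: .* <HOST>\n")
        before = jails_missing_journalmatch(root)
        (root / "filter.d/cyrus-imap.local").write_text(
            "[Init]\njournalmatch = _SYSTEMD_UNIT=cyrus-imapd.service\n")
        return before, jails_missing_journalmatch(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call jails_missing_journalmatch("/etc/fail2ban") and compare the result with the jail named just after the NOTICE line in fail2ban.log.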