Confirmed that this is still annoying. I (as a moderate Linux user) had to search for several hours, over several days, before finding the fix.

It works fine in a fresh debian11 install, not in a debian12. So I suppose it was fixed some time before, but came back as an issue recently.

Adding "backend=systemd" to the ssh section of jail.d/defaults-debian.conf should be the simplest solution for getting back some safety in a default apt-get install.

An extra burden is that you also need to manually install python3-systemd. If not, it will not work after a fresh install. This should be a dependency of the fail2ban installation.

For me, the extra work needed to make it work is not the problem. The big issue is that people may rely on the fact that they installed fail2ban and think their safety increased; however, it doesn't work out of the box! I wonder how they make all these tutorials.

Have a nice day,

Stefaan



On Sun, 24 Sep 2023 19:52:07 +0200 Stefan Weil <s...@weilnetz.de> wrote:

> This bug report from 2014 is meanwhile more important than ever.
>
> With the latest stable release Debian marked rsyslog as deprecated (see
> https://wiki.debian.org/Rsyslog).
>
> If a user removes the rsyslog package without removing the related
> logfiles in /var/log, fail2ban silently stops doing its job, because
> it looks for failed ssh logins in /var/log/auth which no longer gets
> updates. The same applies to other jails which were activated by local
> settings.
>
> If the user not only removes rsyslog but also removes all old files in
> /var/log/, fail2ban no longer runs at all but silently fails.
>
> If fail2ban is not working as expected or not running at all, that can
> affect the security of a Debian system. Therefore I suggest increasing
> the priority of this bug report.
>
> My fix for this issue (and also for issue 1024305) is a small
> modification of jail.d/defaults-debian.conf:
>
> ------
>
> # cat /etc/fail2ban/jail.d/defaults-debian.conf
> [DEFAULT]
> allowipv6 = auto
> dovecot_backend = systemd
> postfix_backend = systemd
> sshd_backend = systemd
> # ... add more affected backends here
>
> [sshd]
> enabled = true
>
> ------
>
> I only added the backends which were required for my Debian system.
> Maybe some other jails also must use the systemd backend.
>
> I suggest updating jail.d/defaults-debian.conf and distributing that as a
> security fix.
>
> In addition, rsyslog could be removed from the list of suggested
> packages in future Debian releases.
>
> Stefan
>
>
>
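
A check for the silent failure discussed in this thread, as an added example that is not part of either message or of fail2ban itself: it resolves each enabled jail's backend the way the `%(sshd_backend)s` override takes effect and flags jails that would tail a missing or stale log file. The `JAIL_CONF` excerpt is a constructed, simplified stand-in for the packaged jail.conf, `audit` and its status strings are hypothetical names, and treating every non-systemd backend as file-based is an assumption.

```python
import configparser
import os
import time

# Constructed, simplified stand-in for the packaged jail.conf (assumption).
JAIL_CONF = """
[DEFAULT]
sshd_backend = auto
sshd_log = /var/log/auth.log

[sshd]
backend = %(sshd_backend)s
logpath = %(sshd_log)s
"""

# defaults-debian.conf without the fix, and with the fix quoted in this thread.
STOCK = "[sshd]\nenabled = true\n"
FIXED = "[DEFAULT]\nallowipv6 = auto\nsshd_backend = systemd\n\n[sshd]\nenabled = true\n"


def audit(override, mtime=os.path.getmtime, now=None, max_age=86400):
    """Return {jail: status} for enabled jails after applying the override."""
    cp = configparser.ConfigParser()
    cp.read_string(JAIL_CONF)   # base settings
    cp.read_string(override)    # later file wins, like jail.d/*.conf
    now = time.time() if now is None else now
    result = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        if cp.get(jail, "backend") == "systemd":
            result[jail] = "journal"          # reads the systemd journal
            continue
        path = cp.get(jail, "logpath")        # assumption: file-based backend
        try:
            age = now - mtime(path)
        except FileNotFoundError:
            result[jail] = "missing:" + path  # no log file at all
            continue
        result[jail] = ("stale:" if age > max_age else "fresh:") + path
    return result


if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("fixed", FIXED)):
        print(name, audit(conf))
```

A `stale` or `missing` result for an enabled jail means the jail is configured but cannot see new login failures.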
