Re: Bookworm, fail2ban and sshd
On Fri, 15 Mar 2024 14:59:49 - (UTC) Curt wrote:

> I guess it's this old bug:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171

Yup, thank you. I added the following stanza to
/etc/fail2ban/jail.d/curley.conf:

[sshd]
backend = systemd

(The "enabled" pair is already given in defaults-debian.conf.)

And running "fail2ban-client -d | grep -i ssh" confirms both that the
server is running, and that the ssh jail is enabled.

Which led to another problem: I got a warning:

519846]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'

Which would have been fine, except a) I don't like warnings, and 2) I
do not use or want ipv6. So I changed that to a no in fail2ban.local.
And I had to move that stanza to under the [Definition] heading to
quiet the warning.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
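Added example, not from any poster in this thread or from the fail2ban project: a Python check that merges jail config layers in the order fail2ban reads them (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and reports whether the [sshd] jail would read the journal, find a log file, or hit the "Have not found any log file" case. The layer contents are constructed, %(...)s interpolation is not resolved, and treating every backend other than systemd as file-based is an assumption.

```python
import configparser
import os

# Constructed, simplified layers; not copied from Debian's packaged files.
JAIL_CONF = "[DEFAULT]\nbackend = auto\n\n[sshd]\nlogpath = /var/log/auth.log\n"
DEFAULTS_DEBIAN = "[sshd]\nenabled = true\n"
CURLEY_CONF = "[sshd]\nbackend = systemd\n"


def diagnose_sshd_jail(layers, exists=os.path.exists):
    """Merge (name, text) layers, later ones winning, and classify [sshd].

    Returns "disabled", "journal", "logfile" or "no-log-file". A key set
    inside [sshd] beats the same key in [DEFAULT], whichever layer set it.
    """
    cp = configparser.RawConfigParser()  # raw: %(...)s is left unresolved
    for name, text in layers:
        cp.read_string(text, source=name)
    if not cp.getboolean("sshd", "enabled", fallback=False):
        return "disabled"
    backend = cp.get("sshd", "backend", fallback="auto")
    # Options such as systemd[journalpath=...] still select the journal.
    if backend.split("[", 1)[0].strip().lower() == "systemd":
        return "journal"
    # Assumption: every other backend needs at least one existing log file.
    paths = cp.get("sshd", "logpath", fallback="").split()
    return "logfile" if any(exists(p) for p in paths) else "no-log-file"


if __name__ == "__main__":
    base = [("jail.conf", JAIL_CONF),
            ("jail.d/defaults-debian.conf", DEFAULTS_DEBIAN)]
    fixed = base + [("jail.d/curley.conf", CURLEY_CONF)]
    print("before:", diagnose_sshd_jail(base))
    print("after: ", diagnose_sshd_jail(fixed))
```

On a live system, "fail2ban-client -d" (used in the message above) prints the configuration fail2ban actually resolved, which is the authoritative view.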
Re: Bookworm, fail2ban and sshd
I have fail2ban working for sshd on Bookworm. My jail.local file looks
like this:

[sshd]
bantime = 2d
enabled = true
mode = extra
port =
filter = sshd[mode=aggressive]
backend = systemd
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
maxretry = 1
findtime = 300
Re: Bookworm, fail2ban and sshd
On 2024-03-14, Charles Curley wrote:

> I'm trying to set fail2ban up on bookworm. It refuses to run with the
> default configuration (sshd only), reporting:

I guess it's this old bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171

> Failed during configuration: Have not found any log file for sshd jail
>
> Near as I can figure, fail2ban expects sshd's log file to be
> /var/log/auth.log. Which does not exist on my target machine.
>
> On a brief inspection, machines that have new installations of bookworm
> do not have /var/log/auth.log. Machines running bullseye or upgraded
> from bullseye to bookworm have it.
>
> Commenting out sshd's "enabled" line (in
> /etc/fail2ban/jail.d/defaults-debian.conf) allows the daemon to start,
> but it isn't doing anything useful.
>
> --
Re: Bookworm, fail2ban and sshd
On Thu, 14 Mar 2024 22:27:36 + Andy Smith wrote:

> I think you want to set "backend = journald" in
> /etc/fail2ban/jail.conf or its usual local override, but I have not
> tested this as I still use rsyslogd.

Thanks, but no cigar. I also tried setting backend to systemd (as noted
in man jail.conf). Also no go.

The man page also suggests specifying the path to the journal. I tried

[DEFAULT]
backend = systemd[journalpath=/var/log/journal/2284a3a8f11544c5a5c355d3ff3e744d/]

That worked if I disabled sshd, but sshd still doesn't like it.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Re: Bookworm, fail2ban and sshd
Hi,

On Thu, Mar 14, 2024 at 04:01:54PM -0600, Charles Curley wrote:

> I'm trying to set fail2ban up on bookworm. It refuses to run with the
> default configuration (sshd only), reporting:
>
> Failed during configuration: Have not found any log file for sshd jail

I think you want to set "backend = journald" in
/etc/fail2ban/jail.conf or its usual local override, but I have not
tested this as I still use rsyslogd.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Bookworm, fail2ban and sshd
I'm trying to set fail2ban up on bookworm. It refuses to run with the
default configuration (sshd only), reporting:

Failed during configuration: Have not found any log file for sshd jail

Near as I can figure, fail2ban expects sshd's log file to be
/var/log/auth.log. Which does not exist on my target machine.

On a brief inspection, machines that have new installations of bookworm
do not have /var/log/auth.log. Machines running bullseye or upgraded
from bullseye to bookworm have it.

Commenting out sshd's "enabled" line (in
/etc/fail2ban/jail.d/defaults-debian.conf) allows the daemon to start,
but it isn't doing anything useful.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/