Package: fail2ban
Version: 0.8.6-2
Severity: normal
Tags: patch
Hi.
fail2ban's logrotate config file (/etc/logrotate.d/fail2ban) unconditionally
overwrites fail2ban's logtarget to /var/log/fail2ban.log during the postrotate
phase.
So when a user has modified the logtarget in /etc/fail2ban/fail2ban.conf
this will get mangled up after the first run of logrotate.
Is the call to fail2ban-client set logtarget necessary at all? I guess
it lets fail2ban recreate the logfile... but has anyone checked whether
this can be done differently (e.g. SIGHUP)?
If it's necessary then please switch to do the following:
Please call a small helper script (which should not go into the PATH)
in the postrotate phase which detects the current value of logtarget.
Alternatively one could call fail2ban-client reload ... but this will put all other
configuration changes into effect... I doubt we desire that logrotate automatically
does this.
The attached script[0] reloads the logtarget setting. It parses /etc/default/fail2ban
to find out whether any other config dir (-c) was set, if not it falls back to
/etc/fail2ban.
It will of course also always get the current value of logtarget.
One could cache this perhaps in /var/run/something... (at every restart of the
fail2ban daemon) would be perhaps cleaner.
Best would be to lobby upstream to add a command to fail2ban-client which makes the
logfile (if any) recreated.
Or at least to include the attached script for convenience of all users.
Cheers,
Chris.
[0] If you desire another license, please tell,... I just always add one even to simple
scripts like this, just to be safe.
#!/bin/sh
#Reload Fail2ban's "logtarget" from its configuration, so that after logrotate
#the log file is recreated at the path the administrator actually configured
#instead of being forced back to /var/log/fail2ban.log.
#initialise and secure the shell execution environment
unset -v IFS
PATH='/usr/sbin:/sbin:/usr/bin:/bin'

#********************************************************************************
#*** Default Values ***
#********************************************************************************
DEFAULT_FAIL2BAN_CONFIGURATION_DIRECTORY='/etc/fail2ban'

#********************************************************************************
#*** Support Functions ***
#********************************************************************************
get_configuration_directory_from_fail2ban_options()
{
    #Note: When the command option “-c” is set multiple times, Fail2ban uses its last definition.
    configuration_directory=''
    while [ $# -ge 1 ]; do
        if [ "$1" = '-c' ]; then #handle the syntax “-c <configuration directory>”
            configuration_directory="$2"
            #the current “$2” (if any) must not be processed again
            if [ $# -ge 2 ]; then
                shift 1
            fi
        else
            tmp="${1#-c}"
            if [ ! "$1" = "${tmp}" ]; then #handle the syntax “-c<configuration directory>”
                configuration_directory="${tmp}"
            fi
        fi
        shift 1
    done
    printf '%s' "${configuration_directory:-"${DEFAULT_FAIL2BAN_CONFIGURATION_DIRECTORY}"}"
    return 0
}

#********************************************************************************
#*** Determine Fail2ban’s Configuration Directory ***
#********************************************************************************
#determine Fail2ban’s configuration directory
if [ -r /etc/default/fail2ban ]; then
    . /etc/default/fail2ban
fi
#FAIL2BAN_OPTS is one string; eval lets the shell split it into the individual
#options the daemon itself was started with
configuration_directory="$( eval get_configuration_directory_from_fail2ban_options "${FAIL2BAN_OPTS}" )"

#********************************************************************************
#*** Determine The Value Of Fail2ban’s Configuration Parameter “logtarget” ***
#********************************************************************************
#Note: When a configuration parameter is set multiple times, Fail2ban uses its last definition.
logtarget="$( sed -n 's/^logtarget[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "${configuration_directory}/fail2ban.conf" | tail -n 1 )"
#without an explicit logtarget there is nothing to restore; never hand an
#empty value to fail2ban-client
if [ -z "${logtarget}" ]; then
    exit 0
fi

#********************************************************************************
#*** Set Fail2ban’s Configuration Parameter “logtarget” ***
#********************************************************************************
fail2ban-client set logtarget "${logtarget}"

#Copyright © 2013, Christoph Anton Mitterer <[email protected]>.
#All rights reserved.
#
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program. If not, see <http://www.gnu.org/licenses/>.
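The following is an added example, not the reporter's attached script and not part of the fail2ban package: it exercises the two things a postrotate helper of this kind has to get right (the "-c dir" and "-cdir" option forms in FAIL2BAN_OPTS, with the last one winning, and the last "logtarget = ..." line of fail2ban.conf) against a constructed configuration in a scratch directory, and prints the fail2ban-client command that would be run instead of executing it, so the logic can be checked on a machine without fail2ban. The function names, the sample configuration and the use of /var/log/fail2ban.log as the fallback when no logtarget is configured are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks the option and configuration parsing a fail2ban
# logrotate helper depends on, without touching the real /etc or fail2ban.
# Assumed fallback target when fail2ban.conf carries no logtarget line.
DEFAULT_CONF_DIR='/etc/fail2ban'
DEFAULT_LOGTARGET='/var/log/fail2ban.log'

# Print the configuration directory selected by fail2ban command options.
# Both "-c <dir>" and "-c<dir>" are accepted; the last occurrence wins,
# mirroring how the daemon treats repeated -c options.
conf_dir_from_opts() {
    dir=''
    while [ $# -ge 1 ]; do
        case "$1" in
            -c)  dir="$2"; [ $# -ge 2 ] && shift ;;   # "-c <dir>": consume the value too
            -c*) dir="${1#-c}" ;;                     # "-c<dir>"
        esac
        shift
    done
    printf '%s' "${dir:-$DEFAULT_CONF_DIR}"
}

# Print the effective logtarget from a fail2ban.conf-style file ($1):
# the last "logtarget = value" line, or the assumed fallback if none exists.
logtarget_from_conf() {
    value=$(sed -n 's/^logtarget[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s' "${value:-$DEFAULT_LOGTARGET}"
}

# Build (but do not run) the command a postrotate hook would execute, given
# a FAIL2BAN_OPTS-style option string ($1). Printing the command keeps the
# example side-effect free and lets the result be asserted on.
postrotate_command() {
    # shellcheck disable=SC2086  # word splitting of the option string is intended
    dir=$(conf_dir_from_opts $1)
    target=$(logtarget_from_conf "${dir}/fail2ban.conf")
    printf 'fail2ban-client set logtarget %s' "$target"
}

# Constructed sample: a custom config dir whose fail2ban.conf sets logtarget
# twice, so the last definition (SYSLOG) must win. Prints the scratch dir.
make_sample_conf() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/custom"
    printf '[Definition]\nloglevel = 3\nlogtarget = /var/log/fail2ban.log\nlogtarget = SYSLOG\n' \
        > "$tmp/custom/fail2ban.conf"
    printf '%s' "$tmp"
}

# Stand-alone usage: show what the hook would run for the constructed config.
sample=$(make_sample_conf)
postrotate_command "-c $sample/custom"; echo
rm -rf "$sample"
```

Run as a plain POSIX sh script; it prints `fail2ban-client set logtarget SYSLOG` for the constructed configuration, which is exactly the value that an unconditional `set logtarget /var/log/fail2ban.log` in postrotate would have clobbered.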