Just upgraded jessie to stretch and the problem still exists. /usr/bin/fail2ban-client -vvvvv -x start INFO Loading configs for fail2ban under /etc/fail2ban DEBUG Reading configs for fail2ban under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/fail2ban.conf INFO Loading files: ['/etc/fail2ban/fail2ban.conf'] Level 7 Reading file: /etc/fail2ban/fail2ban.conf INFO Loading files: ['/etc/fail2ban/fail2ban.conf'] Level 7 Shared file: /etc/fail2ban/fail2ban.conf INFO Using socket file /var/run/fail2ban/fail2ban.sock INFO Loading configs for jail under /etc/fail2ban DEBUG Reading configs for jail under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.d/defaults-debian.conf, /etc/fail2ban/jail.local INFO Loading files: ['/etc/fail2ban/jail.conf'] Level 7 Reading file: /etc/fail2ban/jail.conf INFO Loading files: ['/etc/fail2ban/paths-debian.conf'] Level 7 Reading file: /etc/fail2ban/paths-debian.conf INFO Loading files: ['/etc/fail2ban/paths-common.conf'] Level 7 Reading file: /etc/fail2ban/paths-common.conf INFO Loading files: ['/etc/fail2ban/paths-overrides.local'] Level 7 Reading file: /etc/fail2ban/paths-overrides.local INFO Loading files: ['/etc/fail2ban/jail.d/defaults-debian.conf'] Level 7 Reading file: /etc/fail2ban/jail.d/defaults-debian.conf INFO Loading files: ['/etc/fail2ban/jail.local'] Level 7 Reading file: /etc/fail2ban/jail.local INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/defaults-debian.conf', '/etc/fail2ban/jail.local'] Level 7 Shared file: /etc/fail2ban/paths-common.conf Level 7 Shared file: /etc/fail2ban/paths-debian.conf Level 7 Shared file: /etc/fail2ban/jail.conf Level 7 Shared file: /etc/fail2ban/jail.d/defaults-debian.conf Level 7 Shared file: /etc/fail2ban/jail.local INFO Loading configs for filter.d/sshd under /etc/fail2ban DEBUG Reading configs for filter.d/sshd under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/filter.d/sshd.conf INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf'] Level 7 Reading file: /etc/fail2ban/filter.d/sshd.conf INFO Loading files: ['/etc/fail2ban/filter.d/common.conf'] Level 7 Reading file: /etc/fail2ban/filter.d/common.conf INFO Loading files: ['/etc/fail2ban/filter.d/common.local'] Level 7 Reading file: /etc/fail2ban/filter.d/common.local INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf'] Level 7 Shared file: /etc/fail2ban/filter.d/common.conf Level 7 Shared file: /etc/fail2ban/filter.d/sshd.conf Level 7 Non essential option 'failregex' not defined in 'sshd'. Level 7 Non essential option 'ignoreregex' not defined in 'sshd'. INFO Loading configs for action.d/iptables-ipset-proto6-allports under /etc/fail2ban DEBUG Reading configs for action.d/iptables-ipset-proto6-allports under /etc/fail2ban DEBUG Reading config files: /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf, /etc/fail2ban/action.d/iptables-ipset-proto6-allports.local INFO Loading files: ['/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf'] Level 7 Reading file: /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf'] Level 7 Reading file: /etc/fail2ban/action.d/iptables-common.conf INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local'] Level 7 Reading file: /etc/fail2ban/action.d/iptables-blocktype.local INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local'] Level 7 Reading file: /etc/fail2ban/action.d/iptables-common.local INFO Loading files: ['/etc/fail2ban/action.d/iptables-ipset-proto6-allports.local'] Level 7 Reading file: /etc/fail2ban/action.d/iptables-ipset-proto6-allports.local INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf', '/etc/fail2ban/action.d/iptables-ipset-proto6-allports.local'] Level 7 Shared file: /etc/fail2ban/action.d/iptables-common.conf Level 7 Shared file: /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf Level 7 Shared file: /etc/fail2ban/action.d/iptables-ipset-proto6-allports.local Level 7 Non essential option 'actioncheck' not defined in 'Definition'. INFO Loading configs for filter.d/ssh-ddos under /etc/fail2ban DEBUG Reading configs for filter.d/ssh-ddos under /etc/fail2ban ERROR Found no accessible config files for 'filter.d/ssh-ddos' under /etc/fail2ban ERROR No section: 'Definition' ERROR No section: 'Definition' ERROR Unable to read the filter ERROR Errors in jail 'ssh-ddos'. Skipping...
It seems that ssh and ssh-ddos were renamed in jail.conf to sshd and sshd-ddos. So I had to edit /etc/fail2ban/jail.local to replace [ssh] with [sshd] and [ssh-ddos] with [sshd-ddos]. It fixed the problem. (Not strictly bug related, but it's worth to note that ipset lists are no longer named fail2ban-ssh and fail2ban-ssh-ddos, but f2b-sshd and f2b-sshd-ddos now.) Regards. -- Przemysław 'Przemoc' Pawełczyk http://przemoc.net/
