On 2024-05-07 08:35:28 +0200, Sylvestre Ledru wrote:
> 
> On 07/05/2024 at 03:57, Vincent Lefevre wrote:
> > On 2024-05-07 03:28:28 +0200, Vincent Lefevre wrote:
> > > May 07 03:01:28 qaa fail2ban-server[557228]: 2024-05-07 03:01:28,226 
> > > fail2ban                [557228]: ERROR   Failed during configuration: 
> > > Have not found any log file for sshd jail
> > I suppose that this is because sshd no longer uses the systemd
> > backend. This is wrong. If I understand correctly, the point of
> > 
> > https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-2078361360
> > 
> > is to no longer use the systemd backend for all jails, but for
> > sshd only. So "backend = systemd" has been removed from DEFAULT,
> > but the above comment also points to
> > 
> > https://github.com/fail2ban/fail2ban/commit/85a4881a9a818b6a746109f74980919296eedad0
> > 
> > which adds for DEFAULT in paths-debian.conf:
> > 
> > ------------------------------------------------------------
> > banaction = nftables
> > banaction_allports = nftables[type=allports]
> > 
> > sshd_backend = systemd
> > ------------------------------------------------------------
> > 
> > But paths-debian.conf has not changed in the fail2ban 1.1.0-1 package.
> > 
> ok, thanks.
> 
> Any idea what the fix should be? I am a bit lost in this conversation :/

For the sshd issue (mainly this bug), upstream changed 2 visible
things in the above commit:

* It changed default's "backend = systemd" to "sshd_backend = systemd"
  with the reason:

    remove default backend (systemd) - too dangerous for all jails,
    because it's hardly to find an error if some jail mistakenly start
    to monitor journal instead of logfile (even if it exists), but will
    silently find nothing

  Indeed, using systemd as the backend for all jails by default may
  yield silent breakage for services that do not use syslog for logging
  (it is not as if this had already been the default backend).

* It disabled the sshd jail by default.

What you did in

  https://salsa.debian.org/python-team/packages/fail2ban/-/commit/c03b1a832132f8033a6c698650daba9c48e22c62

is that the following lines are removed.

[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

(leaving the sshd jail enabled, contrary to upstream's Debian files).

Since the sshd jail is still enabled but its backend is now the
default backend, it will use a syslog log file (/var/log/auth.log
if this has not changed), which doesn't exist if rsyslog is not
installed. Said otherwise, the following bugs are back:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037437

(you fixed them in

  https://salsa.debian.org/python-team/packages/fail2ban/-/commit/e634fa863e2d8035181e9e03476ae6dd56044fe6

on 2024-01-02 by the "backend = systemd", but reverted them
in c03b1a832132f8033a6c698650daba9c48e22c62).

There are several (non-exclusive) solutions:

1. Do not enable the sshd jail by default, following upstream's
decision, and let the user decide whether he should change the
backend for sshd when he enables the sshd jail.

The side effects after an upgrade:
  * The sshd jail may no longer be enabled (i.e. if the user hasn't
    explicitly enabled it in jail.local). So this will need to be
    announced.
  * If it is still enabled (due to jail.local), this solution alone
    (without (2) or (3)) will not fix the problem.

2. Add "sshd_backend = systemd" like upstream, so that the sshd jail
will use the systemd backend.

A possible side effect after an upgrade from stable: this will
break for users who do not use systemd (but contrary to the default
"backend = systemd" issue, this should not be a silent breakage,
because fail2ban should be able to detect that the systemd logs
are not available at all - not tested, though).

3. Recommend the rsyslog package (or "rsyslog | system-log-daemon").
This would ensure that any backend will work, but would add another
daemon and additional log files (note that rsyslog is OK, but I don't
know whether the other log daemons are compatible with fail2ban's
default rules).

Moreover, I don't know why you removed the

banaction = nftables
banaction_allports = nftables[type=allports]

from [DEFAULT]. This was about a "switch from iptables to nftables"
as said at

  https://github.com/fail2ban/fail2ban/discussions/3575

Indeed, iptables is not always installed by default, while nftables
seems to be installed by the Debian installer (in any case, iptables
recommends nftables). So, I suppose that these lines would still be
necessary.

About the other services that log to the journal via syslog, things
like "postfix_backend = systemd" (as done in paths-arch.conf and
paths-opensuse.conf) may be useful, but since the associated jails are
not enabled by default in Debian, this will change nothing by default.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
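The interaction between the three options discussed in the mail and upstream's "silent breakage" argument, as a constructed Python model added here (not fail2ban's code; the lookup order of a per-jail `<jail>_backend` key before the DEFAULT `backend`, and the `Host`/`Jail` fields, are assumptions):

```python
# Constructed model (added example, not fail2ban's code) of how the backend a jail
# ends up with decides whether it fails loudly, works, or fails silently. Assumed
# lookup order: "<jail>_backend" overrides DEFAULT "backend", which falls back to auto.
from dataclasses import dataclass

@dataclass
class Host:
    journal: bool   # journald is available (a systemd system)
    rsyslog: bool   # rsyslog is installed, so /var/log/auth.log exists

@dataclass
class Jail:
    name: str
    enabled: bool
    logs_via_syslog: bool   # sshd logs via syslog/journal; other services may write their own file

def resolve_backend(jail, defaults):
    """Backend for `jail` given the [DEFAULT] keys, under the assumed lookup order."""
    return defaults.get(f"{jail.name}_backend") or defaults.get("backend", "auto")

def jail_outcome(jail, defaults, host):
    if not jail.enabled:
        return "disabled"
    backend = resolve_backend(jail, defaults)
    if backend == "systemd":
        if not host.journal:
            # The mail expects (untested) this to be detected rather than silent.
            return "error: journal not available"
        if not jail.logs_via_syslog:
            # Upstream's reason for dropping the global default: jail runs, finds nothing.
            return "silent: journal monitored, service logs to a file"
        return "ok: journal"
    # auto/pyinotify/polling need the log file, which rsyslog provides for sshd.
    if jail.logs_via_syslog and not host.rsyslog:
        return f"error: Have not found any log file for {jail.name} jail"
    return "ok: logfile"

def sshd_outcomes():
    """The situations discussed in the mail, evaluated against the model."""
    sshd = Jail("sshd", enabled=True, logs_via_syslog=True)
    no_rsyslog = Host(journal=True, rsyslog=False)
    return {
        "1.1.0-1: backend removed": jail_outcome(sshd, {}, no_rsyslog),
        "fix 1: sshd jail disabled": jail_outcome(Jail("sshd", False, True), {}, no_rsyslog),
        "fix 2: sshd_backend = systemd": jail_outcome(sshd, {"sshd_backend": "systemd"}, no_rsyslog),
        "fix 2 on a non-systemd host": jail_outcome(sshd, {"sshd_backend": "systemd"}, Host(False, True)),
        "fix 3: rsyslog installed": jail_outcome(sshd, {}, Host(journal=True, rsyslog=True)),
        "old global backend = systemd, file-logging jail": jail_outcome(
            Jail("myapp", True, False), {"backend": "systemd"}, no_rsyslog),
    }
```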