Hello

I tried setting up Fail2Ban on Google Cloud Compute Engine virtual machines 
based on stock Google images. Fail2Ban installs with apt-get and runs fine but 
the rules never fire. When I verify the rules with fail2ban-regex the rules 
match lines in the actual log files.

After some investigation I found out that if I run pyinotify on a file that I 
change I see:

> <Event dir=False mask=0x20 maskname=IN_OPEN name='' path=/tmp/test 
> pathname=/tmp/test wd=1 >
> <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/tmp/test 
> pathname=/tmp/test wd=1 >
> <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name='' path=/tmp/test 
> pathname=/tmp/test wd=1 >


OTOH, the log files always end in IN_CLOSE_NOWRITE.

> <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log 
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x20 maskname=IN_OPEN name='' path=/var/log/auth.log 
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x1 maskname=IN_ACCESS name='' path=/var/log/auth.log 
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x10 maskname=IN_CLOSE_NOWRITE name='' 
> path=/var/log/auth.log pathname=/var/log/auth.log wd=1 >

Is this the reason the rules don’t fire?

I have tried setting the backend to polling, but without success. If I tail -f 
the log files I can see they are appended when there are events to be logged.

I have no idea if Google has tweaked their Debian images somehow or if this is 
a by-product of the virtualized environment.

What should be my next step?

br, Petri
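An added example, not part of the original post: a small Python parser for the pyinotify traces quoted above that decodes each event mask and reports, per file, whether data was written. The flag values are the standard ones from inotify(7); the function names and the `SAMPLE` constant (the post's own traces) are introduced here for illustration.

```python
import re
from collections import defaultdict

# inotify mask bits that occur in the traces (values per inotify(7)).
FLAGS = {0x1: "IN_ACCESS", 0x2: "IN_MODIFY", 0x8: "IN_CLOSE_WRITE",
         0x10: "IN_CLOSE_NOWRITE", 0x20: "IN_OPEN"}

EVENT_RE = re.compile(r"<Event\s+(.*?)\s*>", re.S)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# The traces from the post, including mail quoting and line wrapping.
SAMPLE = """
> <Event dir=False mask=0x20 maskname=IN_OPEN name='' path=/tmp/test
> pathname=/tmp/test wd=1 >
> <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/tmp/test
> pathname=/tmp/test wd=1 >
> <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name='' path=/tmp/test
> pathname=/tmp/test wd=1 >
> <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x20 maskname=IN_OPEN name='' path=/var/log/auth.log
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x1 maskname=IN_ACCESS name='' path=/var/log/auth.log
> pathname=/var/log/auth.log wd=1 >
> <Event dir=False mask=0x10 maskname=IN_CLOSE_NOWRITE name=''
> path=/var/log/auth.log pathname=/var/log/auth.log wd=1 >
"""

def parse_events(text):
    """Yield (pathname, mask) for every pyinotify Event repr in text."""
    text = re.sub(r"^[ \t]*>[ \t]?", "", text, flags=re.M)  # drop "> " quoting
    for match in EVENT_RE.finditer(text):
        fields = dict(FIELD_RE.findall(match.group(1)))
        yield fields["pathname"], int(fields["mask"], 16)

def summarize(text):
    """Per file: decoded event names in order, plus two derived facts.

    IN_MODIFY means data was written. IN_CLOSE_WRITE is emitted only when a
    descriptor opened for writing is closed; IN_CLOSE_NOWRITE is emitted when
    a descriptor that was not opened for writing (a reader) is closed.
    """
    seen = defaultdict(list)
    for path, mask in parse_events(text):
        seen[path] += [name for bit, name in FLAGS.items() if mask & bit]
    return {path: {"events": events,
                   "data_written": "IN_MODIFY" in events,
                   "writer_closed": "IN_CLOSE_WRITE" in events}
            for path, events in seen.items()}

if __name__ == "__main__":
    for path, info in summarize(SAMPLE).items():
        print(path, info)
```

For `/var/log/auth.log` the summary shows a write (IN_MODIFY) followed by a separate read-only open and close, so the trailing IN_CLOSE_NOWRITE describes a reader of the file rather than the absence of an append.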




_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
