Fail2ban service does not start

  • I installed the fail2ban plugin, enabled some of the default jails, and enabled the service. However the service doesn't start:

    Code
    systemctl status fail2ban
    ● fail2ban.service - Fail2Ban Service
         Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Sat 2022-02-26 17:12:54 CET; 6min ago
           Docs: man:fail2ban(1)
        Process: 2396217 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
        Process: 2396218 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
       Main PID: 2396218 (code=exited, status=255/EXCEPTION)

    If I run the start command manually I can see the problem:

    Code
    /usr/bin/fail2ban-server -xf start
    2022-02-26 17:13:41,660 fail2ban.configreader   [2397030]: ERROR   Found no accessible config files for 'filter.d/sshd-ddos' under /etc/fail2ban
    2022-02-26 17:13:41,661 fail2ban.jailreader     [2397030]: ERROR   Unable to read the filter 'sshd-ddos'
    2022-02-26 17:13:41,661 fail2ban.jailsreader    [2397030]: ERROR   Errors in jail 'ssh-ddos'. Skipping...
    2022-02-26 17:13:41,669 fail2ban.configreader   [2397030]: ERROR   Found no accessible config files for 'filter.d/apache-404' under /etc/fail2ban
    2022-02-26 17:13:41,669 fail2ban.jailreader     [2397030]: ERROR   Unable to read the filter 'apache-404'
    2022-02-26 17:13:41,669 fail2ban.jailsreader    [2397030]: ERROR   Errors in jail 'apache-404'. Skipping...
    2022-02-26 17:13:41,675 fail2ban                [2397030]: ERROR   Failed during configuration: Have not found any log file for apache-noscript jail
    2022-02-26 17:13:41,678 fail2ban                [2397030]: ERROR   Async configuration of server failed

    I find various proposed solutions for these issues for fail2ban in general, but it seems like the configuration should be managed by openmediavault-fail2ban. So manually tweaking this seems to go against the recommended practice for OMV.


    I can disable the ssh-ddos and apache-noscript jails and then the service does start, but it seems they should have configuration by default as well. How to fix?

    • Official post

    it seems they should have configuration by default as well.

    They do have config by default. It seems like something went wrong on plugin installation.

    https://github.com/OpenMediaVa…f.service.fail2ban.sh#L54

    https://github.com/OpenMediaVa…f.service.fail2ban.sh#L78


    What is the output of: sudo omv-showkey fail2ban

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.2 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4 | scripts 7.0.1


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • You're right, this shows config for all services:

    • Official post

    Ok. What about: sudo omv-salt deploy run fail2ban


  • This seems to have created config files:


    But the comment "Service fail2ban is already enabled, and is running" is incorrect. When I hard-refresh the GUI, fail2ban is not running, and systemctl status fail2ban shows failure as before.

    • Official post

    What is the output: sudo journalctl -u fail2ban


    • Official post

    Do you get the same error when running the start command manually again?


  • Yes, same errors as before. I notice there are many config files in /etc/fail2ban/filter.d/ but indeed no apache-404 or sshd-ddos:


    Thanks for looking into this!

  • I am running fail2ban on OMV 6.x without any problems. The only jail I am running is ssh.


    I also do not have /etc/fail2ban/filter.d/apache-404 or /etc/fail2ban/filter.d/sshd-ddos files.


    Even if I enable those two jails, those files do not appear in /etc/fail2ban/filter.d/

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

    • Official post

    The plugin doesn't create filter.d files. The missing filters must have been included in the fail2ban package in previous versions of debian. I don't use the plugin so I'm not sure what the proper change should be but I would guess the two jails should be removed from the plugin.


  • Can you try to purge the plugin and fail2ban and then reinstall?

    If it is a leftover of an old fail2ban config this will be the easiest way to get current configs.

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.

  • Can you share the contents of /etc/fail2ban/jail

    This is where these are defined.


    I have:


    Code
    root@omv6-test:/etc/fail2ban/jail.d# ls *
    openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf.disabled  openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.conf.disabled
    openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf.disabled  openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled
    openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf.disabled  openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf.disabled
    openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf.disabled  openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled
    root@omv6-test:/etc/fail2ban/jail.d#


  • I have config files in /etc/fail2ban/jail.d/ for all the jails in the OMV GUI. I see the problem for sshd-ddos is that it should use filter = sshd inside the section [sshd-ddos]. Instead the filter was also set to sshd-ddos. When I change it to sshd the service starts again.

  • I have config files in /etc/fail2ban/jail.d/ for all the jails in the OMV GUI

    And you activated them all because you know what they are/do, because you have all those services running or just because?!?


    Can you explain to me why you activated the apache jails, for example??? Or the owncloud?? proFTPd also???

  • I didn't install ownCloud or proFTPd, so I did not enable those. I just enabled the webserver jails since OMV is running a webserver, but I see now it's not running Apache by default.


    However that should still not result in failure to start the fail2ban service. If I were running Apache the configuration files would still be missing/misconfigured, just like the [sshd-ddos] filter.

  • Can you share the contents of /etc/fail2ban/jail

    This is where these are defined.


    I have:


    Code
    root@omv6-test:/etc/fail2ban/jail.d# ls *
    openmediavault-36b96e6c-9187-4b93-b0c6-05c6d3e29dc3.conf.disabled  openmediavault-645ae684-0950-4fcf-92fc-eba1b88775b1.conf.disabled
    openmediavault-4e3a2d25-326c-4dc8-bc05-22f303a62b75.conf.disabled  openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b21.conf.disabled
    openmediavault-59650e01-5e07-4076-9b15-ce352f4b4356.conf.disabled  openmediavault-6e3a7d25-326c-4dc8-bc05-63f303a62b60.conf.disabled
    openmediavault-5f2b2d25-726c-5dc8-ac05-79f303a62b35.conf.disabled  openmediavault-7e9a7d35-326c-4dc8-bc05-35f308a62b78.conf.disabled
    root@omv6-test:/etc/fail2ban/jail.d#

    There should be 8 of them (the active and disabled ones).

  • This fixes the ssh-ddos jail, I'm not sure what it should be for the apache-404 filter. Maybe others aren't having this problem because they upgraded their system from an older version and inherited filters with an older name?
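
A check for the failure diagnosed in this thread, added here as an example and not part of the original posts or the plugin's code: it lists enabled jails under jail.d whose filter has no matching file in filter.d. The sample tree and the openmediavault-000N file names are constructed, and falling back to the jail name when no filter is set is an assumption.

```python
import configparser
import tempfile
from pathlib import Path

TRUE_VALUES = {"true", "yes", "1", "on"}


def missing_filters(root):
    """Return sorted (jail, filter) pairs for enabled jails with no filter file."""
    root = Path(root)
    problems = []
    # Files renamed to *.conf.disabled do not match this glob and are skipped.
    for jail_file in sorted(root.glob("jail.d/*.conf")):
        # interpolation=None: fail2ban's %(name)s substitutions are left untouched.
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(jail_file)
        for jail in cp.sections():
            if cp.get(jail, "enabled", fallback="false").strip().lower() not in TRUE_VALUES:
                continue
            # Assumption: a jail without an explicit filter uses its own name.
            raw = cp.get(jail, "filter", fallback=jail)
            # "name[opt=value]" refers to the file name.conf; drop the options.
            name = raw.split("[", 1)[0].strip()
            candidates = [root / "filter.d" / (name + ext) for ext in (".conf", ".local")]
            if not any(p.is_file() for p in candidates):
                problems.append((jail, name))
    return sorted(problems)


def build_sample(root):
    """Write a constructed config tree that mirrors the situation in this thread."""
    root = Path(root)
    (root / "filter.d").mkdir(parents=True)
    (root / "jail.d").mkdir()
    (root / "filter.d" / "sshd.conf").write_text("[Definition]\nfailregex =\n")
    jails = {
        "openmediavault-0001.conf": "[ssh]\nenabled = true\nfilter = sshd\n",
        "openmediavault-0002.conf": "[ssh-ddos]\nenabled = true\nfilter = sshd-ddos\n",
        "openmediavault-0003.conf": "[apache-404]\nenabled = true\nfilter = apache-404\n",
        "openmediavault-0004.conf.disabled": "[owncloud]\nenabled = true\nfilter = owncloud\n",
    }
    for name, body in jails.items():
        (root / "jail.d" / name).write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for jail, flt in missing_filters(tmp):
            print(f"jail '{jail}' references missing filter '{flt}'")
```

On a real system the call would be missing_filters("/etc/fail2ban"), run before enabling the service.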
