Closed DanielMenke closed 6 years ago
You probably need to make sure your fail2ban filters and actions are configured correctly. The filter will look for the conditions under which to trigger the action (in this case the action is the aws-acl-fail2ban script).
On Fri, Nov 2, 2018, 15:11 ElePhontitis <notifications@github.com> wrote:
Hi, first of all thank you for your work, great idea!
I have a running fail2ban setup using your project. The problem is that the ACL doesn't get updated by fail2ban, and the logs are showing no errors. When I execute the command manually like ./aws-acl-fail2ban -i acl-XXXXX -b 123.45.67.9 the ACL gets correctly updated. Do you have any idea why it behaves like that?
The action seems to use the right command. I assume that because I first tried to use it unknowingly with PHP 5.x and it logged an error (executed manually AND by fail2ban). When I updated my system to PHP 7.2 the error vanished, and the manually executed command started to work, but when it should get executed by fail2ban it seems to fail silently...
Also fail2ban is logging bans and unbans but without any consequences.
Then it seems like a permissions issue on the executable. Make sure that the user running fail2ban has executable privileges on the file.
On Fri, Nov 2, 2018, 15:49 ElePhontitis <notifications@github.com> wrote:
Also the fail2ban is logging bans and unbans.
You were kind of right that it is a system-user issue (caused by myself). The problem was actually not the permissions of the user that executes your script, but the configuration of the aws-cli for the root user. I installed fail2ban with the standard ec2-user, but I always used sudo service fail2ban to start fail2ban. Because I started it that way, the aws-cli always executed the commands in your script with the configuration for the root user, which was not configured. So the script failed with "You have to set a region". This message did not appear in the fail2ban log and I just saw it because I tried to execute the aws-acl-fail2ban command manually as root user. So no issues with your script at all, but maybe this will be helpful for others. Thank you for this script, it works fine.
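A quick way to check for the cause described in the comment above, as an added example that is not part of the thread or of the aws-acl-fail2ban project: it reports, per home directory, whether the aws-cli `[default]` profile has a region set. The function names are hypothetical, and it assumes the region is configured in `<home>/.aws/config` rather than through environment variables or a named profile.

```shell
#!/bin/sh
# Added example (not from the aws-acl-fail2ban project). Function names are
# hypothetical. Only the [default] profile of <home>/.aws/config is checked;
# environment variables and named profiles are ignored.

# region_in_config FILE: print the [default] region, return 1 if none is set.
region_in_config() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[default\][ \t]*$/); next }
        in_default && /^[ \t]*region[ \t]*=/ {
            sub(/^[ \t]*region[ \t]*=[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            if ($0 != "") { print; found = 1 }
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# aws_region_for HOME_DIR: region a process with that HOME would pick up.
aws_region_for() {
    region_in_config "$1/.aws/config"
}

# report_homes HOME_DIR...: one line per home; returns 1 if any has no region.
report_homes() {
    missing=0
    for home in "$@"; do
        if region=$(aws_region_for "$home"); then
            printf '%s: region %s\n' "$home" "$region"
        else
            printf '%s: no region set, aws-cli calls run with this HOME will fail\n' "$home"
            missing=1
        fi
    done
    return "$missing"
}

# Run the report only when home directories are passed as arguments.
if [ "$#" -gt 0 ]; then
    report_homes "$@"
fi
```

Run it with root privileges against both homes (for example `/root` and the ec2-user home, whose path is an assumption here) to compare the account that starts fail2ban with the account used for manual testing.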
Hi, first of all thank you for your work, great idea!
I have a running fail2ban setup using your project. The problem is that the ACL doesn't get updated by fail2ban, and the logs are showing no errors. When I execute the command manually (e.g. ./aws-acl-fail2ban -i acl-XXXXX -b 123.45.67.9) the ACL gets updated correctly. Do you have any idea why it behaves like that?