debops / ansible-fail2ban

Install and configure fail2ban service
GNU General Public License v3.0

Default SSH jail broken on Ubuntu #20

Open carlalexander opened 7 years ago

carlalexander commented 7 years ago

Since the changes from #19, fail2ban won't start anymore. That's because the SSH jail in Ubuntu isn't ssh, but sshd. So now, fail2ban just refuses to start since there are no ssh filters on Ubuntu:

Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Found no accessible config files for 'filter.d/ssh' under /etc/fail2ban
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No section: 'Definition'
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No section: 'Definition'
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Unable to read the filter
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Errors in jail 'ssh'. Skipping...
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No file(s) found for glob /var/log/nginx/varnish*access.log
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Failed during configuration: Have not found any log file for wordpress-badbots jail
Apr 20 20:36:10 dev systemd[1]: fail2ban.service: Control process exited, code=exited status=255
Apr 20 20:36:10 dev systemd[1]: Failed to start Fail2Ban Service.

Before it wasn't an issue because it wasn't added to jail.local, but now it is. I'm not even sure if it's necessary for Debian either. Is the jail in jail.conf? It is on Ubuntu.

ganto commented 7 years ago

Thanks for your report. Which version of Ubuntu/fail2ban are you running?

The mentioned PR creates and enables a custom [ssh] jail. To make sure that the Ubuntu specific SSH jail directives (such as logpath) are set, the [ssh-iptables] jail is renamed to [ssh] in jail.conf (see here). If your version has a [sshd] jail then I must have missed that when checking the various default jail.conf files of the Ubuntu releases.

Would you mind posting the [sshd] section of your jail.conf?

carlalexander commented 7 years ago

I'll try to get this for you this week @ganto 😄

vpzed commented 7 years ago

I'm having the same issue. With no custom vars the playbook fails to create a valid setup. Same errors as reported above with Ubuntu 16.04.3 and fail2ban 0.9.3-1 (which is what the playbook installed):

On the debops control host:

<RUNNING HANDLER [debops.fail2ban : Restart fail2ban]>
fatal: [server]: FAILED! => {"changed": false, "failed": true, "msg": 
"Unable to restart service fail2ban:        Job for fail2ban.service failed because the control process
 exited with error code. See \"systemctl status fail2ban.service\" and \"journalctl -xe\" for details.\n"}

On the target host:

# fail2ban-client -d
ERROR Found no accessible config files for 'filter.d/ssh' under /etc/fail2ban
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR Unable to read the filter
ERROR Errors in jail 'ssh'. Skipping...

In jail.local:

# List of fail2ban jails
# ======================

[ssh]
enabled = true

NOTE: filter.d does not include an ssh.conf.

Also there appears to be a default jail conf set in jail.conf and jail.d/defaults-debian.conf:

# grep debian jail.conf
before = paths-debian.conf

# ls jail.d
defaults-debian.conf

# cat jail.d/defaults-debian.conf
[sshd]
enabled = true

Had to remove my note about a workaround because even though the playbook passes, fail2ban still dies:

`# /etc/init.d/fail2ban status`
● fail2ban.service - Fail2Ban Service
  Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: inactive (dead) (Result: exit-code) since Sat 2017-09-02 04:26:32 CDT; 2min 13s ago
     Docs: man:fail2ban(1)
  Process: 7054 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 8008 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
 Main PID: 6431 (code=exited, status=0/SUCCESS)

PS: It would be nice to be able to override the default sender entry with a custom var. I tried including a fail2ban_sender entry in my var file but it didn't seem to make it into the jail.local output.

ganto commented 7 years ago

OK, thanks for the report. With those details I can work and will fix it ASAP.

vpzed commented 7 years ago

For additional information, this evening I spun up a fresh Ubuntu 16.04 VM (using vagrant with the bento/ubuntu-16.04 box). Then I did "apt-get install fail2ban" and that produces a setup with a default jail of [sshd], and the fail2ban service starts without errors and there are no errors listed in "fail2ban-client -d". So it isn't an issue with the base Ubuntu 16.04 setup or the fail2ban 0.9.3-1 package.

Also in the previous report I was starting from a fresh VM, running "debops bootstrap", and then "debops" with a hosts file that only had a [debops_fail2ban] entry (i.e. no other roles or custom stuff being done).

irongomme commented 7 years ago

I've got the same issue with Debian 9.1. I made it work by replacing in defaults/main.yml:

fail2ban_jails:
  - name: 'ssh'
    enabled: 'true'

By:

fail2ban_jails:
  - name: 'sshd'
    enabled: 'true'
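
The failure in this thread is a jail whose name has no matching filter.d/<name>.conf, which fail2ban only reports at start-up. The following is an added pre-flight check, not code from the role or from anyone in this thread: it parses a jail.local in fail2ban's INI layout and lists every enabled jail whose filter (the jail name, or an explicit filter = option) is not among the filters available on the host. The jail text and the filter list are constructed to mirror the reports above.

```python
import configparser

# Constructed sample jail.local mirroring the thread: the role enabled an
# [ssh] jail, while Ubuntu/Debian ship the filter as filter.d/sshd.conf.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 600

[ssh]
enabled = true

[sshd]
enabled = true

[wordpress-badbots]
enabled = true
filter = apache-badbots
logpath = /var/log/nginx/varnish*access.log
"""

# Constructed set of filter names present in filter.d/ on the target host
# (in practice: the *.conf basenames under /etc/fail2ban/filter.d).
AVAILABLE_FILTERS = {"sshd", "apache-badbots"}


def parse_jails(text):
    """Return {jail_name: {option: value}} for every non-DEFAULT section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s, raw=True)) for s in cp.sections()}


def jails_missing_filter(text, available_filters):
    """Names of enabled jails whose filter has no filter.d/<name>.conf.

    fail2ban uses the jail name as the filter name unless the jail sets an
    explicit 'filter' option; an explicit filter may carry a '[variant]'
    suffix (e.g. 'sshd[mode=aggressive]'), which is stripped here.
    """
    missing = []
    for name, opts in parse_jails(text).items():
        if opts.get("enabled", "false").strip().lower() != "true":
            continue
        filt = opts.get("filter", name).split("[", 1)[0].strip()
        if filt not in available_filters:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(jails_missing_filter(SAMPLE_JAIL_LOCAL, AVAILABLE_FILTERS))  # ['ssh']
```

Running it against a real host means reading /etc/fail2ban/jail.local and building the filter set from the basenames in /etc/fail2ban/filter.d; the logpath glob error in the thread is a separate check the script does not attempt.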

ganto commented 7 years ago

I apologize, the idea of renaming the default SSH jail in #19 was crap. I now changed the approach which should hopefully fix the jail name mismatch on Xenial, Stretch and others.