fail2ban / fail2ban

Daemon to ban hosts that cause multiple authentication errors
http://www.fail2ban.org

[BR]: Fail2ban fails to send email due to systemd network target #3332

Open alexghergh opened 2 years ago

alexghergh commented 2 years ago

Environment:

Output of uname -a: Linux raspberrypi 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux

The issue:

When the system boots, the fail2ban service fails to send an email to an outside system, due to failed DNS name resolution. This happens due to the fact that the systemd fail2ban.service unit doesn't wait for IP address acquisition before starting fail2ban.

Steps to reproduce

Have fail2ban send an email to an outside system (in my case, google.com email address) when jails are started (refer to config below).

Expected behavior

The email would be sent normally.

Observed behavior

The email gets stuck in a dead.letter inside the user's home directory.

Any additional information

Configuration, dump and other helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

[DEFAULT]
bantime = 72h
maxretry = 3

mta = sendmail
action = %(action_)s
        sendmail-whois-lines[mailcmd="/usr/bin/s-nail <redacted-dest>", dest=<redacted-dest>]

[sshd]
enabled = true

Relevant parts of /var/log/fail2ban.log file:

2022-08-09 19:23:52,039 fail2ban.utils          [559]: ERROR   7fb42a2df0 -- exec: printf %b "Subject: [Fail2Ban] sshd: started on raspberrypi
Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <fail2ban>
To: <redacted-dest>\n
Hi,\n
The jail sshd has been started successfully.\n
Regards,\n
Fail2Ban" | '/usr/bin/s-nail <redacted-dest>'
2022-08-09 19:23:52,039 fail2ban.utils          [559]: ERROR   7fb42a2df0 -- stdout: '/home/<user>/dead.letter 23/553'
2022-08-09 19:23:52,039 fail2ban.utils          [559]: ERROR   7fb42a2df0 -- stderr: 's-nail: Lookup of smtp.gmail.com:587 failed: Temporary failure in name resolution'
2022-08-09 19:23:52,040 fail2ban.utils          [559]: ERROR   7fb42a2df0 -- stderr: 's-nail: ... message not sent'
2022-08-09 19:23:52,040 fail2ban.utils          [559]: ERROR   7fb42a2df0 -- returned 4
2022-08-09 19:23:52,040 fail2ban.actions        [559]: ERROR   Failed to start jail 'sshd' action 'sendmail-whois-lines': Error starting action Jail('sshd')/sendmail-whois-lines: 'Script error'

The systemd fail2ban unit file has the following line as an After:

After=network.target <other-services>

For the issue above to be fixed, the line should be changed to:

After=network-online.target <other-services>

From the Freedesktop systemd man page:

network.target

    ...

    It must be emphasized that at start-up there's no guarantee that hardware-based devices have shown up by the time this target is reached, or even acquired complete IP configuration. For that purpose use network-online.target as described above.

I am aware that this issue doesn't necessarily affect fail2ban itself, but rather an external tool that fail2ban is using.

sebres commented 2 years ago

Hmm...

I guess in such a case (fail2ban sending mails), it can get either a Wants= or a Requires= dependency. Isn't it simply feasible in your local override.conf (systemctl edit fail2ban)?

Although we could indeed change the ordering dependency in: https://github.com/fail2ban/fail2ban/blob/92d5455bdd5df080863a030258e290d44e6e10a6/files/fail2ban.service.in#L4

@fail2ban/maintainers what do you think about possible consequences (e.g. certain delay of fail2ban start, platform dependency or some system constellation, etc.)?

alexghergh commented 2 years ago

Thanks for the quick answer!

Indeed it seems to work if I modify the local override.conf file. Seems a bit unintuitive to have to override this setting, however it makes sense that you would want to start fail2ban immediately after the software establishes the network interface. This leaves open the aforementioned case, though.
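The local override discussed in this thread, as an added example that is not from the commenters or the fail2ban project: a drop-in that both orders fail2ban after network-online.target and pulls that target in with Wants=, plus a check that reads merged unit text such as the output of `systemctl cat fail2ban`. The function names and the sample unit text are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample unit text are constructed.

# Drop-in body for /etc/systemd/system/fail2ban.service.d/override.conf
# (the file that `systemctl edit fail2ban` creates).
dropin_text() {
    cat <<'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
}

# unit_values KEY: read unit text on stdin, print each value assigned to KEY
# inside any [Unit] section, one per line. Dependency lists only accumulate
# across drop-ins, so every matching line contributes.
unit_values() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_unit = ($0 ~ /^[ \t]*\[Unit\]/); next }
        in_unit && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            n = split(v, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] != "") print w[i]
        }'
}

# check_network_online: stdin is merged unit text, e.g. `systemctl cat fail2ban`.
# After= only orders start-up; Wants=/Requires= is what actually starts the
# target. Returns 0 only when both are present.
check_network_online() {
    text=$(cat)
    ordered=no; pulled=no
    printf '%s\n' "$text" | unit_values After |
        grep -qxF 'network-online.target' && ordered=yes
    { printf '%s\n' "$text" | unit_values Wants
      printf '%s\n' "$text" | unit_values Requires; } |
        grep -qxF 'network-online.target' && pulled=yes
    echo "ordered=$ordered pulled=$pulled"
    [ "$ordered" = yes ] && [ "$pulled" = yes ]
}

# Constructed sample: the stock ordering quoted in the issue, before and after
# the drop-in is merged in.
stock='[Unit]
After=network.target'
printf '%s\n' "$stock" | check_network_online || true
{ printf '%s\n' "$stock"; dropin_text; } | check_network_online
```

On a live system, `systemctl cat fail2ban | check_network_online` applies the same check to the installed unit and its drop-ins.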