jelastic-jps / fail2ban

Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.
Apache License 2.0

Invalid jail.conf file #7

Open davidofsky opened 1 year ago

davidofsky commented 1 year ago

A few days ago, fail2ban stopped supporting Python 2.x. The changes that came with it cause this addon to crash on installation.

At first it crashed because the nginx loadbalancer for Jelastic uses Python 2.7.5.

Log:

-- Subject: Unit fail2ban.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit fail2ban.service has begun starting up.
Jun 20 12:00:30 -- fail2ban[1046]: Starting fail2ban: Traceback (most recent call last):
Jun 20 12:00:30 -- fail2ban[1046]: File "/usr/bin/fail2ban-client", line 34, in <module>
Jun 20 12:00:30 -- fail2ban[1046]: from fail2ban.client.fail2banclient import exec_command_line, sys
Jun 20 12:00:30 -- fail2ban[1046]: File "/usr/lib/python2.7/site-packages/fail2ban/client/fail2banclient.py", line 35, in <module>
Jun 20 12:00:30 -- fail2ban[1046]: from .beautifier import Beautifier
Jun 20 12:00:30 -- fail2ban[1046]: File "/usr/lib/python2.7/site-packages/fail2ban/client/beautifier.py", line 25, in <module>
Jun 20 12:00:30 -- fail2ban[1046]: from ..helpers import getLogger, logging
Jun 20 12:00:30 -- fail2ban[1046]: File "/usr/lib/python2.7/site-packages/fail2ban/helpers.py", line 293
Jun 20 12:00:30 -- fail2ban[1046]: return {**x, **y}
Jun 20 12:00:30 -- fail2ban[1046]: ^
Jun 20 12:00:30 -- fail2ban[1046]: SyntaxError: invalid syntax
Jun 20 12:00:30 -- fail2ban[1046]: [FAILED]
Jun 20 12:00:30 -- systemd[1]: fail2ban.service: control process exited, code=exited status=1
Jun 20 12:00:30 -- systemd[1]: Failed to start LSB: Start/Stop fail2ban.

I was able to fix this issue by installing python3 on the loadbalancer before installing this addon.


After that it crashed because of an invalid jail.conf file. Output of command "fail2ban-client start":

2023-06-21 09:42:51,670 fail2ban                [1431]: ERROR   Failed during configuration: While reading from '/etc/fail2ban/jail.conf' [line 355]: option 'enabled' in section 'postfix' already exists

It seems that the previous versions of fail2ban simply ignored the duplicate options. In the contents of the jail.conf, I can see that there are indeed duplicate 'enabled' options in multiple sections:

[postfix]

port     = smtp,465,submission
logpath = /var/log/mail.warn
enabled = false
enabled = false
action = %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

[postfix-rbl]

port     = smtp,465,submission
logpath = /var/log/mail.warn
enabled = false
enabled = false
action = %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
maxretry = 1

...

[postfix-sasl]

port     = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn
enabled = false
enabled = false instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.warn
enabled = false
enabled = false
action = %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

Once these duplicate options are removed, fail2ban-client is able to start.
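The error quoted above has the same wording as the Python 3 standard-library configparser's duplicate-option error, which is raised in strict mode and stops at the first duplicate it meets. As an added example (not part of the original issue or of the addon's code), the sketch below lists every repeated option per section so all of them can be removed in one pass; the sample text is constructed from the excerpt above, and using the standard-library parser as a stand-in for fail2ban's own config reader is an assumption.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample modelled on the jail.conf excerpt in the issue (not the real file).
SAMPLE = """\
[postfix]
port     = smtp,465,submission
logpath = /var/log/mail.warn
enabled = false
enabled = false

[postfix-rbl]
port     = smtp,465,submission
enabled = false
enabled = false
maxretry = 1
"""

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
OPTION = re.compile(r"^([^\s#;=:][^=:]*?)\s*[=:]")  # skips comments and indented continuations


def find_duplicate_options(text):
    """Return (section, option, first_line, duplicate_line) for every repeated option."""
    seen = defaultdict(dict)  # section -> {option: line where it first appeared}
    section, dups = None, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = OPTION.match(line)
        if m and section is not None:
            key = m.group(1).strip().lower()  # configparser lower-cases option names
            if key in seen[section]:
                dups.append((section, key, seen[section][key], lineno))
            else:
                seen[section][key] = lineno
    return dups


def strict_parse_error(text):
    """Return the first DuplicateOptionError a strict Python 3 parser raises, or None."""
    try:
        configparser.RawConfigParser(strict=True).read_string(text, source="jail.conf")
    except configparser.DuplicateOptionError as exc:
        return exc
    return None
```

Running `find_duplicate_options` over the contents of `/etc/fail2ban/jail.conf` before starting the service shows every duplicate, whereas the strict parser reports only the first one.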

DavidGelici commented 1 year ago

I forked this repository and made the necessary changes to make the addon work again.

You can find the fork here.

changes per file

install.sh

The install.sh makes sure python3 is installed before installing fail2ban.

setup.sh

I noticed that all of the blocks in jail.conf that had a non-existent logpath were disabled,
but the way that the jail.conf was edited made the config invalid.

It didn't make much sense to me to disable those blocks anyway, so instead I chose to create the logfiles if they don't exist.

manifest.jps

Only changed URLs to point to the forked repo instead of the original.