Menu
▾
▴
Re: [Fail2ban-users] fail2ban does not ban IP addresses (and logs nothing), even though fail2ban-regex indicates matches
|
From: Yaroslav H. <li...@on...> - 2013-02-19 04:12:29
|
uff -- even not sure what to say, I thought that I have replicated your situation (and creating /var/run/fail2ban didn't help) but then it stopped "replicating" ;) so if creating that directory doesn't help, report back meanwhile -- I have added more debug messages printed by client so that fail2ban-client -v -v -v start should be more informative now also check if you somehow do not have some other fail2ban-client laying around (i.e. "which fail2ban-client") and that you still have fail2ban-server in the same directory (hopefully /usr/bin/) as that -client. Cheers On Mon, 18 Feb 2013, Yaroslav Halchenko wrote: > On Mon, 18 Feb 2013, Ben Johnson wrote: > > >>> [FAIL] Starting authentication failure monitor: fail2ban[....] Socket file /var/run/fail2ban/fail2ban.sock is present ... failed! > > >>> . ok > > >> Hmm. I'm on Debian (well, Ubuntu), too, and I don't even have the > > >> directory /var/run/fail2ban, no less the file > > >> /var/run/fail2ban/fail2ban.sock. On another similarly configured server, > > >> that directory and that file exist. Well, at least we know that not to > > >> be the problem! > > > ah.. right -- we all (debian and ubuntu) decided to go for /run, I > > > forgotten about that, so indeed you might be cherishing the fruits of > > > such changes... Myself I have not run into this since on Debian systems we do > > > still maintain compatibility with a symlink... so as a quick workaround you > > > could try doing > > You lost me there. ;) > we are even then! ;-) > > To be clear, I do indeed have the directory /var/run. It just doesn't > > contain a "fail2ban" sub-directory (it contains plenty of other items). > > I'm on an older OS, Ubuntu 10.04 (you declared it an "elderly beastie", > > quite aptly), and as such, shouldn't be affected by Debian/Ubuntu > > transitioning from /var/run to /run. > ah -- then I have no clue where /var/run/fail2ban is gone since since > 0.8.2 init script creates it: > $> git lg debian/fail2ban.init > * 86ae7d2 - debian/fail2ban.init: Should-(start|stop): iptables-persistent (Closes: #598109), ferm (Closes: #604843) (7 months ago) [Yaroslav Halchenko] > * 7154b3a - Since we are exiting with non-0 -- all msgs should be failures (1 year ago) [Yaroslav Halchenko] > * 5cac32e - Making sure that the status command gives the correct exit code when fail2ban is not running. (1 year ago) [Glenn Aaldering] > * de502cf - NF: run as different user (disabled by default) (1 year, 1 month ago) [Zbigniew Jędrzejewski-Szmek] > * d1b9e71 - Adding arno-iptables-firewall (no deprecation of ipmasq per Joey Hess mentioning, which still could be used on lenny systems) (2 years, 9 months ago) [Yaroslav Halchenko] > * 32281ed - BF: Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706) (4 years, 10 months ago) [Yaroslav Halchenko] > ... > $> git describe --contains 32281ed > debian/0.8.2-3~1^2 > so I would look for someone who destroyed it for you! ;) > > As I mentioned, I have another nearly identically-configured server, > > with fail2ban 0.8.6 (the latest version available from the 10.04 repos), > > and the /var/run/fail2ban directory, and socket file within it, do exist > > there. > as they should! ;-) good > > Also, this installation of fail2ban-0.8.8 has functioned without issue > > since you created the Ubuntu 10.04 backport .deb package for me several > > months ago. I thought we were "out of the woods", so to speak. > succesful start means that /var/run/fail2ban was there!;-) > > But, alas, this seems to be the same problem that I described back in > > December, 2012, on this list ( > > http://sourceforge.net/mailarchive/forum.php?thread_name=50BE77A2.4060300%40indietorrent.org&forum_name=fail2ban-users > > ). > sorry -- my memory span getting shorter and shorter with every email I > read ;-) > > Could not start server. Maybe an old socket file is still present. Try > > to remove /var/run/fail2ban/fail2ban.sock. If you used fail2ban-client > > to start the server, adding the -x option will do it". > > What's taking so long? > hope that server would come up -- look at __waitOnServer function in > -client and its comment on 30 sec there ;) > > I do find it a bit odd that fail2ban doesn't log its start-up sequence, > > in detail, especially at maximum verbosity. It seems that this is not > > simply a matter of increasing the log-level; I had it at 3, and just > > changed it to 4, but absolutely nothing is written to > > /var/log/fail2ban.log. > yeah -- that is how it was designed... -client dumps stuff only to stdout, not > to the .log file... not sure if it would function just fine with two processes > (-client and -server) trying to dump into the same file > > If the client executable can spit-out an error > > message, one would think it capable of writing other (more useful) > > information to the log-file, too. > > I haven't changed anything recently, either. In /etc/fail2ban/fail2ban.conf: > > logtarget = /var/log/fail2ban.log > > socket = /var/run/fail2ban/fail2ban.sock > > Those look correct, and as I said, shouldn't have changed any time recently. > > What else might we check? > check on who killed /var/run/fail2ban ;-) > meanwhile just mkdir /var/run/fail2ban/ and see if that helps (it should!) > > I'm still a bit hazy on the issue here, or if that was just a > > miscommunication. As expected, this command yields the following on the > > affected system: "ln: creating symbolic link `/var/run': File exists". > right -- my wild guess was wrong due to misinterpretation of your email... just > mkdir -p /var/run/fail2ban > and be happy again ;-) -- Yaroslav O. Halchenko http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org Postdoctoral Fellow, Department of Psychological and Brain Sciences Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755 Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419 WWW: http://www.linkedin.com/in/yarik |