Re: [Fail2ban-users] "Dangling" symlink to log file path that contains wildcard (*) causes fail2ban not to ban

[Charles B. <br...@br...>]

Hi Ben

Just some thoughts for you:

I don't think fail2ban deletes logs so what did? It certainly doesn't
create missing ones.

Presumably the apache-badbots jail is intended to monitor the access.log
files of a number of virtual servers.

Does apache actually log to the file in question? example.com doesn't
sound like real configuration!

I don't have any wild card configurations, but I have seen exactly the
same sort of missing log problem, obviously the jail does nothing if it
can't stat a log file. The fail2ban-server is a single task and should
continue to run because typically it's serving other jails.

I think your problem can only happen in the symlink situation, it all
depends on how a jail determines if a log file exists or not.

It's down to the difference between the stat and lstat system calls, the
former follows a symlink so will produce 'file not found', whereas lstat
would not. I suppose f2b could ignore missing symlink targets, but would
have to do both tests.

-oldbrad

 
On Fri, 2013-09-27 at 17:57 -0400, Ben Johnson wrote:
> Hi, everyone!
> 
> Recently, I noticed that fail2ban stopped banning IP addresses (this was
> after a system reboot).
> 
> I examined the log at /var/log/fail2ban.log and find:
> 
> fail2ban.comm   : WARNING Command ['set', 'apache-badbots',
> 'addlogpath', '/var/log/ispconfig/httpd/example.com/access.log'] has
> failed. Received IOError(2, 'No such file or directory')
> 
> I know why the log file doesn't exist (there's a "dangling" symlink that
> points to a file that doesn't exist, which is actually expected in this
> case), and that's not my concern.
> 
> I'm just wondering if this type of error is "fatal"? It doesn't seem so,
> because the fail2ban daemon does "start" and continues to run in the
> background, but I see no evidence that fail2ban does any banning. And
> the contents of the fail2ban log do not grow after the above error.
> 
> I created an empty file so that the above-mentioned symlink points to a
> real (though empty) log file, and the error disappears. Then I see the
> fail2ban log filling-up, and everything is back to normal.
> 
> If this error does actually cause fail2ban not to function at all, then
> might I suggest skipping non-existing log files that are added via
> "globbing" (using an asterisk (*) in the log path within the jail
> definition) when the files don't exist?
> 
> If this type of skipping already happens, then is it possible that the
> "dangling" symlink pointing to a non-existent file is a different
> situation that requires different handling?
> 
> Thanks for any help here,
> 
> -Ben
> 
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users