From: Natu <inc...@rj...> - 2014-09-09 21:20:11
On 09/09/2014 12:15 PM, Yaroslav Halchenko wrote:
> On Tue, 09 Sep 2014, Natu wrote:
>
>> On 09/09/2014 01:50 AM, Yaroslav Halchenko wrote:
>>> On Mon, 08 Sep 2014, Natu wrote:
>
>>> I've reduced my jail.conf to a very simple/minimal configuration with 1
>>> jail
>>>>> which is what? i.e. what is the configuration files (jail.conf in this
>>>>> case)?
>>>> [DEFAULT]
>>>> usedns = warn
>>>> ignoreip = 127.0.0.1
>>>> bantime = 600
>>>> findtime = 600
>>>> maxretry = 3
>>>> backend = auto
>>>> [postfix-overquota]
>>> so there is no longer
>>> Starting fail2ban: WARNING 'action' not defined in 'php-url-fopen'. Using default one: ''
>>> error logged, right?
>>> btw -- did you try to start with loglevel = 4 (since it is 0.8.x series) in fail2ban.conf to see if you get more info?
>>>> enabled = true
>>>> filter = postfix-overquota
>>>> action = sendmail-lines-overquota[name=mail-overquota,
>>>> dest=quo...@my...]
>>>> logpath = /var/log/maillog
>>> how big is that file? may be the beast is just busy doing initial parse?
>
>> No, my test case is just a 1 line regular expression:
> well -- still how big was maillog?
>
>> [Definition]
>> failregex = (?:reject: RCPT from\s+\S+\[(?P<host>[\w\-.^_]+)\]: 554
>> 5.7.1\s+.*: Recipient address rejected: User is over quota)
>> ignoreregex =
>
>> I had previously set the loglevel to 4, but didn't get anything. I
>> discovered now, that when I run only one jail with loglevel 4, I get no
>> output from the exception even though it is still happening. When I
>> started 4 jails I got debug output, but only from 3 of the 4
>> threads/jails, even though I now see that it is happening in all of
>> them. They are all the same exception. Here's the output from 1 thread.
>
>> fail2ban-server -f
>> 2014-09-09 10:52:49,494 fail2ban.server [14852]: INFO Starting
>> Fail2ban v0.8.14
>> 2014-09-09 10:54:38,917 fail2ban.comm [14852]: DEBUG Command: ['ping']
>> 2014-09-09 10:54:39,088 fail2ban.comm [14852]: DEBUG Command:
>> ['stop', 'all']
>> 2014-09-09 10:54:39,088 fail2ban.server [14852]: INFO Stopping all jails
>> 2014-09-09 10:54:39,089 fail2ban.comm [14852]: DEBUG Command:
>> ['set', 'loglevel', '3']
>> Exception in thread Thread-5:
>> Traceback (most recent call last):
>> File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
>> self.run()
>> File "/usr/share/fail2ban/server/filterpoll.py", line 95, in run
>> self.getFailures(filename)
>> File "/usr/share/fail2ban/server/filter.py", line 581, in getFailures
>> self.processLineAndAdd(line)
>> File "/usr/share/fail2ban/server/filter.py", line 379, in
>> processLineAndAdd
>> for element in self.processLine(line)[1]:
>> File "/usr/share/fail2ban/server/filter.py", line 374, in processLine
>> return logLine, self.findFailure(timeLine, logLine, returnRawHost,
>> checkAllRegex)
>> File "/usr/share/fail2ban/server/filter.py", line 426, in findFailure
>> date = self.dateDetector.getUnixTime(timeLine)
>> File "/usr/share/fail2ban/server/datedetector.py", line 215, in
>> getUnixTime
>> date = self.getTime(line)
>> File "/usr/share/fail2ban/server/datedetector.py", line 203, in getTime
>> date = template.getDate(line)
>> File "/usr/share/fail2ban/server/datetemplate.py", line 140, in getDate
>> date = list(time.strptime(dateMatch.group(), self.getPattern()))
>> AttributeError: _strptime_time
> ha -- apparently it is a nasty (thus not fixed yet) race condition
> triggered bug in Python
> http://bugs.python.org/issue7980
>
> following recommended workaround in comments: would this fix it up for you?
>
> diff --git a/server/datedetector.py b/server/datedetector.py > index 61144ac..3612767 100644 > --- a/server/datedetector.py > +++ b/server/datedetector.py
> @@ -23,6 +23,8 @@ __license__ = "GPL" > > import sys, time, logging > > +import _strptime > + > from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601 > from threading import Lock > >
>> It looks to be a problem parsing the time/date in my logfile if I'm
>> reading the code correctly. I'm enclosing a sample entry from my
>> logfile below, though I can't imagine that it would be so different from
>> anyone else running CentOS 5. I just tried starting fail2ban on a 1
>> month old logfile, to see if it still got the error and it did. Also,
>> note that I do have 4 jails which are all running on /var/log/maillog.
>> As far as I know that is a legit configuration, but let me know if that
>> is not the case.
>> Also, I am currently running under python 2.6 (so this debug output was
>> from python 2.6) which I did by changing the first line in
>> /usr/bin/fail2ban*.
>> Sep 9 11:19:23 myserver postfix/smtpd[16760]: disconnect from unknown[175.156.112.240]

I tried that patch and unfortunately, it did not solve the problem. It does seem to me like this is a race condition because sometimes I can start fail2ban and not see the problem at all and turning selinux on/off seems to change the behaviour of the problem. I guess I'll have to play with it some more. Since I now have python 2.6, I can try the new beta release as well as downgrading to older releases of fail2ban.

Thank You,
Natu
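Review bot: the added `import _strptime` line in server/datedetector.py has no comment, so it reads as an unused import of a private module and is likely to be removed in a later cleanup. Add a one-line comment stating that it is the workaround for http://bugs.python.org/issue7980 and exists to load the module before the jail threads call time.strptime. The quoted traceback shows the failing time.strptime call in datetemplate.py, so placing the import next to that call would keep the workaround beside the code it protects.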