From: Simon W. <si...@si...> - 2021-07-12 03:17:19
----- Message from Nick Howitt <ni...@ho...> ---------
Date: Sat, 10 Jul 2021 10:50:02 +0100
From: Nick Howitt <ni...@ho...>
Subject: [Fail2ban-users] NOTICE Jail started without 'journalmatch' set
To: fai...@li...
> I am running F2b v0.11.1 from EPEL on ClearOS 7 (binary compatible
> with CentOS 7). Every time I start f2b I see the following in my logs:
>
> 2021-07-09 07:18:48,499 fail2ban.filtersystemd [5101]: INFO
> [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO maxRetry: 5
> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO encoding: UTF-8
> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO findtime: 36000
> 2021-07-09 07:18:48,505 fail2ban.actions [5101]: INFO banTime: 432000
> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO
> Creating new jail 'postfix-sasl'
> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Jail
> 'postfix-sasl' uses systemd {}
> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO
> Initiated 'systemd' backend
> 2021-07-09 07:18:48,506 fail2ban.filtersystemd [5101]: INFO
> [postfix-sasl] Added journal match for:
> '_SYSTEMD_UNIT=postfix.service'
> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO maxRetry: 1
> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO encoding: UTF-8
> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO findtime: 14400
> 2021-07-09 07:18:48,508 fail2ban.actions [5101]: INFO banTime: 432000
> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO
> Creating new jail 'cyrus-imap'
> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Jail
> 'cyrus-imap' uses systemd {}
> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO
> Initiated 'systemd' backend
> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO maxRetry: 1
> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO encoding: UTF-8
> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO findtime: 86400
> 2021-07-09 07:18:48,510 fail2ban.actions [5101]: INFO banTime: 432000
> <snip>
> 2021-07-09 07:18:48,993 fail2ban.jail [5101]: INFO Jail
> 'postfix' started
> 2021-07-09 07:18:48,997 fail2ban.jail [5101]: INFO Jail
> 'postfix-sasl' started
> 2021-07-09 07:18:48,997 fail2ban.filtersystemd [5101]: NOTICE Jail
> started without 'journalmatch' set. Jail regexs will be checked
> against all journal entries, which is not advised for performance
> reasons.
> 2021-07-09 07:18:48,998 fail2ban.jail [5101]: INFO Jail
> 'cyrus-imap' started
>
> I assume the journalmatch warning is in reference to the preceding
> jail, postfix-sasl, but if that is the case, why is the postfix jail
> not seeing the same warning?
>
> At the same time the jails are using the default basic configuration
> except for changed findtime, bantime and max retries, and for
> cyrus-imap the port range is extended to include imap3, pop3 and
> pop3s.
>
> Do you know why I am getting the warning and what do I need to do to fix it?
>
> Regards,
>
> Nick
>
It's the cyrus-imap jail, not Postfix - that line is BEFORE the
applicable jail, not after it... it's a message on its way to starting
the jail. Postfix jail has already started when that message is
logged, so it's fine - as also indicated by the earlier messages in
your log about "added journal match".
Look in /etc/fail2ban/filter.d/cyrus.imap.conf and you will see it has
no journal-match line.
I have added
journalmatch = _SYSTEMD_UNIT=cyrus-imapd.service
... on my machine to a copied cyrus.imap.conf file as cyrus.imap.local.
Simon.
--
Simon Wilson
M: 0400 12 11 16
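
The check Simon describes can be run over a whole startup log: list every jail that reports the systemd backend and flag those with no "Added journal match" line. This is an added example, not part of the original thread and not fail2ban's own code; the function name is hypothetical and the sample log is constructed by unwrapping lines from the excerpt quoted above.

```python
import re

# Constructed sample: startup lines from the quoted excerpt, one entry per line.
SAMPLE_LOG = """\
2021-07-09 07:18:48,499 fail2ban.filtersystemd [5101]: INFO [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Jail 'postfix-sasl' uses systemd {}
2021-07-09 07:18:48,506 fail2ban.filtersystemd [5101]: INFO [postfix-sasl] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Jail 'cyrus-imap' uses systemd {}
2021-07-09 07:18:48,993 fail2ban.jail [5101]: INFO Jail 'postfix' started
2021-07-09 07:18:48,997 fail2ban.jail [5101]: INFO Jail 'postfix-sasl' started
2021-07-09 07:18:48,997 fail2ban.filtersystemd [5101]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2021-07-09 07:18:48,998 fail2ban.jail [5101]: INFO Jail 'cyrus-imap' started
"""

USES_SYSTEMD = re.compile(r"Jail '([^']+)' uses systemd")
ADDED_MATCH = re.compile(r"\[([^\]]+)\] Added journal match for: '([^']*)'")
NOTICE = re.compile(r"NOTICE\s+Jail started without 'journalmatch' set")


def audit_journalmatch(log_text):
    """Correlate systemd-backend jails with their 'Added journal match' lines."""
    systemd_jails = []   # jails that logged "uses systemd", in log order
    matched = {}         # jail name -> list of journal match expressions
    notices = 0          # count of the journalmatch NOTICE lines
    for line in log_text.splitlines():
        m = USES_SYSTEMD.search(line)
        if m:
            if m.group(1) not in systemd_jails:
                systemd_jails.append(m.group(1))
            continue
        m = ADDED_MATCH.search(line)
        if m:
            matched.setdefault(m.group(1), []).append(m.group(2))
            continue
        if NOTICE.search(line):
            notices += 1
    # A systemd jail with no match line is the one the NOTICE refers to.
    missing = [jail for jail in systemd_jails if jail not in matched]
    return {"matched": matched, "missing": missing, "notices": notices}


if __name__ == "__main__":
    result = audit_journalmatch(SAMPLE_LOG)
    for jail, exprs in result["matched"].items():
        print(f"{jail}: journalmatch {' + '.join(exprs)}")
    for jail in result["missing"]:
        print(f"{jail}: no journalmatch, regexes run against the whole journal")
    print(f"NOTICE lines seen: {result['notices']}")
```
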