From: Nick H. <ni...@ho...> - 2021-07-12 10:19:16
On 12/07/2021 03:59, Simon Wilson via Fail2ban-users wrote:
> ----- Message from Nick Howitt <ni...@ho...> ---------
> Date: Sat, 10 Jul 2021 10:50:02 +0100
> From: Nick Howitt <ni...@ho...>
> Subject: [Fail2ban-users] NOTICE Jail started without 'journalmatch' set
> To: fai...@li...
>
>
>> I am running F2b v0.11.1 from EPEL on ClearOS 7 (binary compatible
>> with Centos7). Every time I start f2b I see the following in my logs:
>>
>> 2021-07-09 07:18:48,499 fail2ban.filtersystemd [5101]: INFO [postfix]
>> Added journal match for: '_SYSTEMD_UNIT=postfix.service'
>> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO maxRetry: 5
>> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO encoding:
>> UTF-8
>> 2021-07-09 07:18:48,505 fail2ban.filter [5101]: INFO findtime:
>> 36000
>> 2021-07-09 07:18:48,505 fail2ban.actions [5101]: INFO banTime:
>> 432000
>> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Creating
>> new jail 'postfix-sasl'
>> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Jail
>> 'postfix-sasl' uses systemd {}
>> 2021-07-09 07:18:48,506 fail2ban.jail [5101]: INFO Initiated
>> 'systemd' backend
>> 2021-07-09 07:18:48,506 fail2ban.filtersystemd [5101]: INFO
>> [postfix-sasl] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
>> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO maxRetry: 1
>> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO encoding:
>> UTF-8
>> 2021-07-09 07:18:48,508 fail2ban.filter [5101]: INFO findtime:
>> 14400
>> 2021-07-09 07:18:48,508 fail2ban.actions [5101]: INFO banTime:
>> 432000
>> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Creating
>> new jail 'cyrus-imap'
>> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Jail
>> 'cyrus-imap' uses systemd {}
>> 2021-07-09 07:18:48,508 fail2ban.jail [5101]: INFO Initiated
>> 'systemd' backend
>> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO maxRetry: 1
>> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO encoding:
>> UTF-8
>> 2021-07-09 07:18:48,510 fail2ban.filter [5101]: INFO findtime:
>> 86400
>> 2021-07-09 07:18:48,510 fail2ban.actions [5101]: INFO banTime:
>> 432000
>> <snip>
>> 2021-07-09 07:18:48,993 fail2ban.jail [5101]: INFO Jail
>> 'postfix' started
>> 2021-07-09 07:18:48,997 fail2ban.jail [5101]: INFO Jail
>> 'postfix-sasl' started
>> 2021-07-09 07:18:48,997 fail2ban.filtersystemd [5101]: NOTICE Jail
>> started without 'journalmatch' set. Jail regexs will be checked
>> against all journal entries, which is not advised for performance
>> reasons.
>> 2021-07-09 07:18:48,998 fail2ban.jail [5101]: INFO Jail
>> 'cyrus-imap' started
>>
>> I assume the journalmatch warning is in reference to the preceding
>> jail, postfix-sasl, but if that is the case, why is the postfix jail
>> not seeing the same warning?
>>
>> At the same time the jails are using the default basic configuration
>> except for changed findtime, bantime and max retries, and for
>> cyrus-imap the port range is extended to include imap3, pop3 and pop3s.
>>
>> Do you know why I am getting the warning and what do I need to do to
>> fix it?
>>
>> Regards,
>>
>> Nick
>>
>
> It's the cyrus-imap jail, not Postfix - that line is BEFORE the
> applicable jail, not after it... it's a message on its way to starting
> the jail. Postfix jail has already started when that message is logged,
> so it's fine - as also indicated by the earlier messages in your log
> about "added journal match".
>
> Look in /etc/fail2ban/filter.d/cyrus.imap.conf and you will see it has
> no journal-match line.
>
> I have added
>
> journalmatch = _SYSTEMD_UNIT=cyrus-imapd.service
>
> ... on my machine to a copied cyrus.imap.conf file as cyrus.imap.local.
>
> Simon.
>
Thanks, I see. I've created a cyrus-imap.local file with just an [INIT]
section in it with "journalmatch = _SYSTEMD_UNIT=cyrus-imapd.service"
and it worked.

Tracking back, some jails have a backend set, like postfix and cyrus-imap,
and those then seem to need a journalmatch. It looks like if there is no
backend specified, f2b falls back to a polling backend and no
journalmatch is needed. What are the pros and cons of the different
backends?
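As an added example (my own code, not from this thread or from fail2ban), a small audit script that reproduces the condition behind the NOTICE discussed above: it reads a jail config and its filters, lists the enabled jails that run on the systemd backend without any journalmatch, and shows that jail dropping off the list once a .local layer carrying an [INIT] journalmatch is added. The config parsing is a simplified model of fail2ban's .conf/.local layering, and the jail and filter texts are constructed samples.

```python
# Simplified model of fail2ban's config layering, written for this thread and not
# taken from fail2ban: name.conf is read, then name.local overrides it; a jail's
# filter defaults to the jail name; journalmatch may sit in [Definition] or [Init].
import configparser

def _load(layers):
    """Merge INI text layers in order; later layers override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    for text in layers:
        cp.read_string(text)
    return cp

def jails_without_journalmatch(jail_layers, filters):
    """Enabled jails on the systemd backend whose filter sets no journalmatch,
    i.e. the jails fail2ban warns would be checked against the whole journal."""
    jails = _load(jail_layers)
    missing = []
    for name in jails.sections():
        jail = jails[name]
        if not jail.getboolean("enabled", fallback=False):
            continue
        if jail.get("backend", "auto") != "systemd":
            continue  # file-based backends never consult the journal
        flt = _load(filters.get(jail.get("filter", name), []))
        if not any(s.lower() in ("definition", "init")  # [INIT] counts too
                   and flt.has_option(s, "journalmatch") for s in flt.sections()):
            missing.append(name)
    return missing

def with_local(filters, name, local_text):
    """Copy of `filters` with a .local layer appended for filter `name`."""
    return {**filters, name: filters.get(name, []) + [local_text]}

# Constructed sample configuration, loosely mirroring the jails in the thread.
JAIL_LAYERS = [
    "[DEFAULT]\nbackend = auto\nenabled = false\n\n"
    "[postfix]\nenabled = true\nbackend = systemd\n\n"
    "[cyrus-imap]\nenabled = true\nbackend = systemd\n\n"
    "[sshd]\nenabled = true\n",
]
FILTERS = {
    "postfix": ["[Definition]\nfailregex = reject: RCPT from \\S+\\[<HOST>\\]\n"
                "journalmatch = _SYSTEMD_UNIT=postfix.service\n"],
    "cyrus-imap": ["[Definition]\nfailregex = badlogin: \\S+ \\[<HOST>\\]\n"],
}
# The override Nick describes: a .local file holding only an [INIT] section.
CYRUS_LOCAL = "[INIT]\njournalmatch = _SYSTEMD_UNIT=cyrus-imapd.service\n"
if __name__ == "__main__":
    print(jails_without_journalmatch(JAIL_LAYERS, FILTERS),
          jails_without_journalmatch(JAIL_LAYERS, with_local(FILTERS, "cyrus-imap", CYRUS_LOCAL)))
```

Run against the samples it prints `['cyrus-imap'] []`: the sshd jail is skipped because `auto` never uses the journal, postfix already carries a journalmatch, and cyrus-imap is only fixed once the [INIT] layer is merged in.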