Environment:
First encountered in FreeBSD 12.1 py38-fail2ban-0.11.1_1
reproduced in Linux on master branch
Fail2Ban installed via OS/distribution mechanisms
You have not applied any additional foreign patches to the codebase
Some customizations were done to the configuration (provide details below if so)
The issue:
The presence of either a filter.d/sendmail-auth.local or filter.d/sendmail-reject.local file which contains a [Definition] section causes fail2ban to abort while loading its config during startup.
Steps to reproduce
Enable either sendmail-auth or sendmail-reject - I'll use sendmail-auth for the example
Expected behavior
fail2ban starts with customized sendmail-auth filter variable(s)
Observed behavior
fail2ban fails to start, producing this error:
Failed during configuration: Recursion limit exceeded in value substitution: option 'failregex' in section 'Definition' contains an interpolation key which cannot be substituted in 10 steps. Raw value: '^%(__prefix_line)s(\\S+ )?\\[(?:IPv6:<IP6>|<IP4>)\\]( \\(may be forged\\))?: possible SMTP attack: command=AUTH, count=\\d+$'
Any additional information
Due to this recent change to match longer Sendmail ID strings in the sendmail filter files:
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
I think python configparser is caught in endless recursion in configparserinc.py: interpolate_some()
This can be resolved by creating a new variable instead of reusing __prefix_line in filter.d/sendmail-auth.conf:
sendmail_prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
# "w{14,20}" will give support for IDs from 14 up to 20 characters long
failregex = ^%(sendmail_prefix_line)s(\S+ )?\[(?:IPv6:<IP6>|<IP4>)\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
I don't know enough about how configparser should behave in this unusual case to know if this is the best solution.
While debugging I added print statements to client/configparserinc.py _interpolate_some() which repeated these results before exiting with the Recursion limit exceeded error
Any customizations done to /etc/fail2ban/ configuration
jail.local:
[sendmail-auth]
enabled = true
filter.d/sendmail-auth.local:
[Definition]
failregex = foo
Relevant parts of /var/log/fail2ban.log file:
+ 89 7F0DC6658700 fail2ban.configparserinc INFO | configparserinc-20: read | Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sendmail-auth.conf', '/etc/fail2ban/filter.d/sendmail-auth.local']
+ 89 7F0DC6658700 fail2ban.configparserinc TRACE | configparserinc-7 : _getSharedSCPWI | Shared file: /etc/fail2ban/filter.d/common.conf
+ 89 7F0DC6658700 fail2ban.configparserinc TRACE | configparserinc-7 : _getSharedSCPWI | Shared file: /etc/fail2ban/filter.d/sendmail-auth.conf
+ 89 7F0DC6658700 fail2ban.configparserinc TRACE | configparserinc-7 : _getSharedSCPWI | Shared file: /etc/fail2ban/filter.d/sendmail-auth.local
+ 90 7F0DC6658700 fail2ban ERROR | fail2bancmdline-40: readConfig | Failed during configuration: Recursion limit exceeded in value substitution: option 'failregex' in section 'Definition' contains an interpolation key which cannot be substituted in 10 steps. Raw value: '^%(__prefix_line)s(\\S+ )?\\[(?:IPv6:<IP6>|<IP4>)\\]( \\(may be forged\\))?: possible SMTP attack: command=AUTH, count=\\d+$'
yolabingo changed the title from "unable to start when using custom sendmail-auth.local or sendmail-reject.local filters" to "unable to start fail2ban-server when using custom sendmail-auth.local or sendmail-reject.local filters" on Jun 6, 2020
yolabingo pushed a commit to yolabingo/fail2ban that referenced this issue on Jun 6, 2020
…lue of `option` from .local config file,
so it wouldn't cause self-recursion if `option` already has a reference to `known/option` (from some include) in .conf file;
closes fail2ban gh-2751
Fixed in e569281
Although your PR would also work, in the sense of a fix it is rather a workaround (it solves the issue in the sendmail-auth filter, but the origin of the problem remains).
Fix e569281 is ultimate, because it provides a general solution for every kind of issue like that.
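Added example, not code from fail2ban or from anyone in this thread: a simplified Python model of the layered `known/` lookup discussed above, showing how loading a `.local` layer can turn `%(known/__prefix_line)s` into a reference to itself, and why renaming the variable sidesteps that. The snapshot rule in `load()`, the `PREFIX` stand-in for the common.conf value and the `.local` contents are assumptions made for illustration.

```python
import re

MAX_DEPTH = 10                      # "10 steps", as in the error on this page
REF = re.compile(r"%\(([^)]+)\)s")  # %(name)s or %(known/name)s

class InterpolationDepth(Exception):
    pass

def load(layers, snapshot_all):
    """Merge [Definition] layers in load order, tracking a `known` snapshot.
    snapshot_all=True: copy every current option into `known` before each merge.
    snapshot_all=False: copy only options the incoming layer overrides (assumed rule)."""
    current, known = {}, {}
    for layer in layers:
        known.update({k: v for k, v in current.items()
                      if snapshot_all or k in layer})
        current.update(layer)
    return current, known

def resolve(option, current, known, depth=0, value=None):
    """Expand references recursively and give up once MAX_DEPTH is passed."""
    if depth > MAX_DEPTH:
        raise InterpolationDepth(f"option {option!r}: recursion limit exceeded")
    def sub(m):
        scope, _, name = m.group(1).rpartition("/")
        src = known if scope == "known" else current
        return resolve(option, current, known, depth + 1, src[name])
    return REF.sub(sub, current[option] if value is None else value)

def starts(layers, snapshot_all):
    """True if failregex resolves, False if the depth limit is hit."""
    try:
        resolve("failregex", *load(layers, snapshot_all))
        return True
    except InterpolationDepth:
        return False

TAIL = r"(\S+ )?\[(?:IPv6:<IP6>|<IP4>)\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$"
COMMON = {"__prefix_line": "PREFIX"}   # constructed stand-in for common.conf
CONF = {"__prefix_line": r"%(known/__prefix_line)s(?:\w{14,20}: )?",
        "failregex": r"^%(__prefix_line)s" + TAIL}
RENAMED = {"sendmail_prefix_line": r"%(known/__prefix_line)s(?:\w{14,20}: )?",
           "failregex": r"^%(sendmail_prefix_line)s" + TAIL}   # workaround from the issue
LOCAL = {"ignoreregex": ""}            # constructed .local [Definition] section

if __name__ == "__main__":
    print("conf only:            ", starts([COMMON, CONF], True))
    print("conf + .local:        ", starts([COMMON, CONF, LOCAL], True))
    print("renamed var + .local: ", starts([COMMON, RENAMED, LOCAL], True))
    print("override-only snapshot:", starts([COMMON, CONF, LOCAL], False))
```

In this model the `.conf` alone resolves, adding the `.local` layer hits the depth limit, and both the renamed variable and the narrower snapshot rule resolve again.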