Fail2ban - Raspberry Pi5 64bit Bookworm - not working as expected, not reading systemd logs? #3747
Comments
Well, it depends what You can compare your version with the stock Anyway one doesn't need to set Line 282 in 65e9c41
and it is included in fail2ban/config/paths-debian.conf Line 15 in 65e9c41
So I'm unsure setting of Instead, you have either to set
[sshd]
backend = systemd
enabled = true
Firstly ensure that sshd jail really uses backend systemd (inspect fail2ban.log or output of Also you've to check whether you can see the sshd-messages with
You could then check whether you'd see matches with other values using: If there are no sshd messages with
Thanks @sebres,
2) with fail2ban-client -d | grep sshd
I have to note that to get this output I am not able to use the -u option as the service name is ssh and not sshd, but looking into this JSON log I cannot see the failed elements. So I dug further and looked at the full journal in JSON. I cannot figure out any further.
I've found the solution (at least it seems like so). I paste the solution found elsewhere for the people. In my previous implementation I was missing the "init" part. Seems there is a bug with the Debian implementation of fail2ban, where the Debian backend is now all systemd but fail2ban expects the old way for logging. Here's how you fix it. First, activate systemd as the backend by going to the defaults-debian.conf using the command: sudo nano /etc/fail2ban/defaults-debian.conf and adding backend = systemd under the [DEFAULTS] tag in the file. So it looks like: [DEFAULT] add the word [Init] above it. So now it should look as: [Init] Now restart the service with: sudo systemctl restart fail2ban, and then check with sudo systemctl status fail2ban.
I don't see the issue in stock debian 12, the unit is indeed @fail2ban/maintainers, @sylvestre what shall we do here? Anyway for the people having same issue for some reason, the simple configuration can be this (directly in jail.local for the sshd jail, where you enable it):
[sshd]
backend = systemd
journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd
enabled = true
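
How the `journalmatch` value in the comment above selects journal entries, as an added example that is not part of the thread or of fail2ban's code: it evaluates a match expression with journalctl's rules (`+` is OR between groups, different fields inside a group are ANDed) over constructed entries. The sample entries, the function names and the `_SYSTEMD_UNIT=sshd.service` comparison value are assumptions made for illustration.

```python
import json

# Constructed journal entries in `journalctl -o json` shape (not taken from the issue).
SAMPLE_JOURNAL = """\
{"_SYSTEMD_UNIT": "ssh.service", "_COMM": "sshd", "MESSAGE": "Failed password for invalid user admin from 192.0.2.10 port 50000 ssh2"}
{"_SYSTEMD_UNIT": "ssh.service", "_COMM": "sshd", "MESSAGE": "Accepted publickey for pi from 192.0.2.20 port 50001 ssh2"}
{"_SYSTEMD_UNIT": "cron.service", "_COMM": "cron", "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"}
{"_SYSTEMD_UNIT": "session-4.scope", "_COMM": "sshd", "MESSAGE": "Disconnected from user pi 192.0.2.20 port 50001"}
"""

def parse_journalmatch(expr):
    """Split a journalmatch string into OR-groups of FIELD=value terms.

    journalctl semantics: '+' separates alternatives; inside a group, terms on
    different fields are ANDed and terms on the same field are ORed.
    """
    groups = [{}]
    for word in expr.split():
        if word == "+":
            groups.append({})
            continue
        field, sep, value = word.partition("=")
        if not sep or not field:
            raise ValueError(f"not a FIELD=value match: {word!r}")
        groups[-1].setdefault(field, set()).add(value)
    if any(not group for group in groups):
        raise ValueError("empty match group")
    return groups

def entry_matches(entry, groups):
    """True if the entry satisfies every field of at least one OR-group."""
    return any(
        all(entry.get(field) in values for field, values in group.items())
        for group in groups
    )

def select(expr, journal_text=SAMPLE_JOURNAL):
    """Return the MESSAGE of every journal entry the expression selects."""
    groups = parse_journalmatch(expr)
    entries = [json.loads(line) for line in journal_text.splitlines() if line.strip()]
    return [e["MESSAGE"] for e in entries if entry_matches(e, groups)]

if __name__ == "__main__":
    for expr in ("_SYSTEMD_UNIT=sshd.service",               # hypothetical: unit name not used here
                 "_SYSTEMD_UNIT=ssh.service + _COMM=sshd"):  # value from the comment above
        print(f"{expr!r}: {len(select(expr))} entries selected")
```

With a unit name that does not exist on the host the jail receives no entries at all, so the filter's failregex never gets a line to test; the `+ _COMM=sshd` alternative also picks up sshd messages logged outside the service unit.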
@sebres sure, let me fix that. Where do you recommend I add this? (ssh by default)
Yep, it looks like good place for that... Just, the question is how it looks with other distros... fail2ban/config/filter.d/sshd.conf Line 129 in 65e9c41
I run many Pi, but on the latest one, the Pi 5, with the 64 bit Bookworm version, it does not work.
I had to manually tweak the "systemd" in /etc/fail2ban/paths-common.conf to replace
and avoid the error "Failed during configuration: Have not found any log file for sshd jail"
But after this, even if fail2ban is working, it does not see anything coming from journal regarding sshd. It simply stays put.
I run the latest version from Debian repository:
On another Pi with Buster 64 bit I have version Installed: 0.10.2-2.1 that works with systemd (maybe this one on bookworm is not the latest?)
Here is the OS version:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
I have tried googling for solutions, but it seems like everyone fixes this with a systemd modification (which worked for me on the other older Pi).
Thanks for pointing me in the right direction.