15

I've installed fail2ban on a Debian Jessie LXC container; currently it's failing due to:

Starting authentication failure monitor: fail2ban
ERROR  No file(s) found for glob /var/log/auth.log
ERROR  Failed during configuration: Have not found any log file for ssh jail

There's no syslog or rsyslog on the system and thus /var/log/auth.log is not generated. Is there a way to tell fail2ban to use the output of journalctl _COMM=sshd?

sourcejedi
Tombart

4 Answers

18

For systemd systems:

You have to specify the backend in /etc/fail2ban/jail.conf to use systemd as follows:

backend = systemd

Then restart fail2ban:

systemctl restart fail2ban

Edit:

I'm a heavy CentOS/RHEL/Fedora guy so you may have to adapt what I say a bit. As far as this answer goes, you may have to update the fail2ban package to a version that supports systemd as a backend, or you'll have to install rsyslog and add the following to your /etc/rsyslog.conf:

authpriv.*      /var/log/auth.log

This will make sure sshd auth logs are logging to /var/log/auth.log which will be read by the default pyinotify backend in fail2ban.

  • `systemd` option doesn't seem to be supported by `fail2ban 0.8.13`: `fail2banERROR NOK: ("Unknown backend systemd. Must be among ['pyinotify', 'gamin', 'polling'] or 'auto'",)` – Tombart Jan 07 '17 at 10:18
  • @Tombart What version of Debian are you running? Looks like you need an updated fail2ban package that supports the systemd backend OR you can install rsyslog and add the right configuration to your rsyslog.conf –  Jan 08 '17 at 05:31
  • It's the latest version of Debian 8 Jessie which comes with `systemd` support. – Tombart Jan 09 '17 at 08:13
  • @MatthewSanabria, why `have to install rsyslog` in centos? – kittygirl Oct 12 '18 at 03:24
  • How do you specify/configure the systemd unit? How does fail2ban know where to look? – Chris Stryczynski Aug 13 '20 at 14:42
3

There is an issue with the config files.

I had jail.conf and jail.d/defaults-debian.conf

The content of the latter one was:

[sshd]
enabled = true

Because backend is not set here, the default value is used instead of the one in jail.conf. The problem is described in detail here: https://github.com/fail2ban/fail2ban/issues/1372

Adding backend = systemd did the trick.

defaults-debian.conf

[sshd]
enabled = true
backend = systemd
Yurij Goncharuk
southz rgw
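A preflight check for the startup failure discussed in the question and the answers above, as an added example (not fail2ban's code and not any poster's): it merges the jail files in the order jail.conf(5) documents and reports enabled jails that use a file-based backend while their logpath matches nothing. It is a simplified model: no `%(...)s` interpolation, any backend other than `systemd` is treated as file-based, and the directory layout in `demo()` is constructed.

```python
import configparser, glob, os, tempfile

def load_jails(confdir):
    """Merge jail files in the order jail.conf(5) documents; later files win."""
    order = [os.path.join(confdir, "jail.conf")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    order += [os.path.join(confdir, "jail.local")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(order)  # files that do not exist are skipped
    return cp

def preflight(confdir):
    """Return {jail: problem} for enabled jails that have no log source."""
    cp, problems = load_jails(confdir), {}
    for jail in cp.sections():  # [DEFAULT] is not listed, only inherited from
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        backend = cp.get(jail, "backend", fallback="auto")
        if backend == "systemd":
            continue  # reads the journal, so no log file is required
        paths = cp.get(jail, "logpath", fallback="").split()
        if not any(glob.glob(p) for p in paths):
            problems[jail] = f"backend={backend}: no file for {paths}"
    return problems

def demo():
    """Constructed layout mirroring the page: jail.conf plus a Debian drop-in."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "jail.d"))
    missing = os.path.join(d, "auth.log")  # never created, like /var/log/auth.log
    with open(os.path.join(d, "jail.conf"), "w") as f:
        f.write(f"[DEFAULT]\nbackend = auto\n\n[sshd]\nlogpath = {missing}\n")
    dropin = os.path.join(d, "jail.d", "defaults-debian.conf")
    with open(dropin, "w") as f:
        f.write("[sshd]\nenabled = true\n")
    before = preflight(d)  # drop-in enables sshd but sets no backend
    with open(dropin, "a") as f:
        f.write("backend = systemd\n")
    return before, preflight(d)

if __name__ == "__main__":
    print(demo())
```

Pointing `preflight()` at `/etc/fail2ban` lists the jails that would leave sshd unprotected because fail2ban has nothing to read.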
2

You'll need fail2ban version 0.9.0 which can support systemd, while Debian Jessie has 0.8.3 in the repository.

Try downloading and installing from sources, or look for the alternative repos.

Regards.

Tim Connor
1

I have the same problem. Rather than figuring it out, I ended up re-installing syslogd to generate the logfile(s).

apt-get install inetutils-syslogd

It may take a few mins after installation for the log file to be created - It will be created when a log entry is added.

I wouldn't recommend it long term (as it doesn't actually fix the problem), but if you want fail2ban working immediately, it does the job.