Bug 891798

Summary: fail2ban logrotate script is either useless or mangles up the setting of fail2ban's logtarget
Product: [Fedora] Fedora EPEL Reporter: Christoph Anton Mitterer <calestyo>
Component: fail2banAssignee: Orion Poplawski <orion>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: el6CC: admiller, daniel, orion
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: fail2ban-0.8.13-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-15 18:58:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
fail2ban-re-set-logtarget none

Description Christoph Anton Mitterer 2013-01-04 02:56:06 UTC
Created attachment 672286 [details]
fail2ban-re-set-logtarget

Hi.

Since some time(?) EPEL's fail2ban uses SYSLOG as default logtarget in fail2ban, right?

So if you just want to stick with that (quite limiting)... drop the logrotate config snippet... it's useless as there is no /var/log/fail2ban.log.

If you want to allow a bit more then you suffer from the same buggy logrotate config problem, that I describe in Debian bug #697333 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697333), which I hereby refer you to.


As usual Debian is a bit more mighty and provides the /etc/defaults framework with fail2ban. Fedora/EPEL doesn't seem to provide this, so I've attached here a simplified version of the script attached to the Debian bug.
If you choose to add a /etc/default/fail2ban config file like Debian has one, simply take the mightier script from the Debian bug.


Oh and I guess this issue also applies to Fedora and not just EPEL, can you forward it there?


Cheers,
Chris.

Comment 1 Christoph Anton Mitterer 2013-01-04 15:28:23 UTC
Some additions/corrections:

1) As Yaroslav pointed out in the corresponding Debian bug... the whole thing to find out the current logtarget (to then re-set it) can be done much easier with
fail2ban-client get logtarget

2) Even when the postrotate phase is made dynamic,... the logrotate config snippet will still apply only to /var/log/fail2ban.
So the only advantage we'd get is, that the user would need to modify the logrotate config snippet only in the first line,... not the postrotate phase.
And the problem of useless "empty" rotations in the case that e.g. SYSLOG is used as target isn't solved either.

Comment 2 Daniel Black 2013-11-26 22:15:16 UTC
upstream bug: https://github.com/fail2ban/fail2ban/issues/458 might see if I can implement a flushlog method on fail2ban-client.

Comment 3 Daniel Black 2013-12-07 01:15:23 UTC
Upstream fix committed.

https://github.com/fail2ban/fail2ban/pull/470/files

Comment 4 Fedora Update System 2014-07-21 23:07:25 UTC
fail2ban-0.8.13-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6

Comment 5 Fedora Update System 2014-07-22 18:09:40 UTC
Package fail2ban-0.8.13-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1985/fail2ban-0.8.13-1.el6
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-07-30 19:34:57 UTC
Package fail2ban-0.8.13-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1985/fail2ban-0.8.13-2.el6
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-08-15 18:58:39 UTC
fail2ban-0.8.13-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.