Description of problem:
Fail2ban does not catch ssh attempts from journal logs, until fail2ban is restarted. At restart, it reads journal logs properly and after a while stops catching the new ones. I have trouble specifying when exactly it breaks.

Version-Release number of selected component (if applicable):
# rpm -qa | grep fail2ban
fail2ban-server-0.11.2-12.el9.noarch
fail2ban-firewalld-0.11.2-12.el9.noarch
fail2ban-sendmail-0.11.2-12.el9.noarch
fail2ban-0.11.2-12.el9.noarch
fail2ban-systemd-0.11.2-12.el9.noarch

How reproducible:
Always, on several hosts.

Steps to Reproduce:
1. # sudo su -
Last login: Wed Aug 24 11:04:31 CEST 2022 on pts/0
Last failed login: Wed Aug 24 12:09:09 CEST 2022 from 88.169.87.158 on ssh:notty
There were 97 failed login attempts since the last successful login.

2. # fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 836
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned: 57
   `- Banned IP list:

3. # systemctl restart fail2ban

4. # fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 11
|  |- Total failed: 292
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 13
   |- Total banned: 13
   `- Banned IP list: 209.141.33.154 182.208.21.162 61.12.85.130 165.98.12.251 177.91.41.68 23.224.36.103 24.63.51.246 91.201.240.153 153.122.27.57 188.166.211.7 220.117.232.74 186.233.210.86 210.91.73.167

# iptables -L -v -n
[...]
Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       187.8.106.50         0.0.0.0/0
    8   480 DROP       all  --  *      *       194.141.2.239        0.0.0.0/0
    8   480 DROP       all  --  *      *       88.169.87.158        0.0.0.0/0
   12   720 DROP       all  --  *      *       103.136.42.95        0.0.0.0/0
    0     0 DROP       all  --  *      *       106.240.49.115       0.0.0.0/0
   12   720 DROP       all  --  *      *       104.131.185.48       0.0.0.0/0
[...]

Actual results:
Fail2ban does not scrape journal logs for failed ssh attempts.

Expected results:
fail2ban drops IPs as they appear in journal logs.

Additional info:
# cat /etc/fail2ban/jail.local
[sshd]
mode = aggressive
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
findtime = 1h
maxretry = 3
bantime = 1h
banaction = iptables-multiport

[mek-recidive]
enabled = true
logpath = /var/log/fail2ban.log
backend = auto
filter = recidive
findtime = 1d
maxretry = 2
bantime = 366d
banaction = iptables-multiport

those bots are really annoying. )-:
Thank You.
Łukasz Posadowski
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(08/24/2022 12:10:26.805:1617809) : proctitle=/usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
type=SYSCALL msg=audit(08/24/2022 12:10:26.805:1617809) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7fb1e37fd990 a2=0x1000386 a3=0x9 items=0 ppid=1 pid=967244 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(08/24/2022 12:10:26.805:1617809) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/run/log/journal dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(08/24/2022 12:10:26.805:1617810) : proctitle=/usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
type=SYSCALL msg=audit(08/24/2022 12:10:26.805:1617810) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7fb1e37fd990 a2=0x1000386 a3=0x9 items=0 ppid=1 pid=967244 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(08/24/2022 12:10:26.805:1617810) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/var/log/journal dev="dm-0" ino=786690 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(08/24/2022 12:10:26.805:1617811) : proctitle=/usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
type=SYSCALL msg=audit(08/24/2022 12:10:26.805:1617811) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7fb1e37fd910 a2=0x1002fc6 a3=0x21 items=0 ppid=1 pid=967244 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(08/24/2022 12:10:26.805:1617811) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/var/log/journal/a6632658026643ceb1efbebad23889a9 dev="dm-0" ino=786664 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
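One way to check an audit log for exactly this failure mode (SELinux denying the fail2ban_t domain the inotify watch on the journal directories that the systemd backend relies on), as an added example that is not part of the report or of fail2ban itself: the sample audit lines are constructed from the records above plus one unrelated denial, and JOURNAL_DIRS is an assumed list of the two standard journal locations.

```python
import re

# Constructed sample audit lines for this example, modelled on the AVC records
# in the report above (same pid, paths and contexts) plus one unrelated denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(08/24/2022 12:10:26.805:1617809) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/run/log/journal dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/24/2022 12:10:26.805:1617810) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/var/log/journal dev="dm-0" ino=786690 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/24/2022 12:10:26.805:1617811) : avc: denied { watch } for pid=967244 comm=f2b/f.sshd path=/var/log/journal/a6632658026643ceb1efbebad23889a9 dev="dm-0" ino=786664 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/24/2022 12:15:00.000:1617999) : avc: denied { read } for pid=4242 comm=httpd path=/srv/x scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"^type=AVC .*?avc: denied \{ (?P<perms>[^}]*)\} for (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
JOURNAL_DIRS = ("/run/log/journal", "/var/log/journal")  # assumed journal locations

def parse_avc(line):
    """Return a dict of the AVC record's key=value fields, or None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """user:role:type:level -> type ('' if the context is malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def is_journal_watch_denial(rec):
    """True when fail2ban_t was denied an inotify watch on a journal directory."""
    return ("watch" in rec["perms"]
            and selinux_type(rec.get("scontext", "")) == "fail2ban_t"
            and rec.get("tclass") == "dir"
            and rec.get("path", "").startswith(JOURNAL_DIRS))

def journal_watch_denials(audit_text):
    """Matching records plus the sorted set of target types a local policy would have to cover."""
    hits = [r for r in map(parse_avc, audit_text.splitlines()) if r and is_journal_watch_denial(r)]
    target_types = sorted({selinux_type(r["tcontext"]) for r in hits})
    return hits, target_types

if __name__ == "__main__":
    hits, types = journal_watch_denials(SAMPLE_AUDIT)
    for r in hits:
        print(f"{r['comm']} pid={r['pid']} denied watch on {r['path']} ({r['tcontext']})")
    print("target types:", types)
```

On a live host, run it over the output of the ausearch command shown above; the target types it returns are the ones a local policy module would need to grant the watch permission on for fail2ban_t, while the unrelated denials stay out of the way.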
With problems like this it's probably better to report upstream via an issue or on the mailing list. I've been watching my log over the last several days and cannot reproduce the issue, which makes it very difficult to troubleshoot.
Thank You. Maybe it is indeed my problem. For now restarting fail2ban every 20 minutes does the job well.
I would definitely ask about it on the fail2ban users list on SourceForge, or submit an issue on their github page: https://github.com/fail2ban/fail2ban/issues

I just checked and mine is still running fine after 4 days (since my last reboot).

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 3875
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 106
   |- Total banned: 604
   `- Banned IP list: [...]

If you find a problem I can fix in the packaging, please reopen or submit a new BZ.