Bug 891798 - fail2ban logrotate script is either useless or mangles up the setting of fail2ban's logtarget
Summary: fail2ban logrotate script is either useless or mangles up the setting of fail...
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: el6
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-04 02:56 UTC by Christoph Anton Mitterer
Modified: 2014-08-15 18:58 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-08-15 18:58:39 UTC


Attachments (Terms of Use)
fail2ban-re-set-logtarget (1.93 KB, application/octet-stream)
2013-01-04 02:56 UTC, Christoph Anton Mitterer
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 697333 None None None Never

Description Christoph Anton Mitterer 2013-01-04 02:56:06 UTC
Created attachment 672286 [details]
fail2ban-re-set-logtarget

Hi.

Since some time(?) EPEL's fail2ban uses SYSLOG as default logtarget in fail2ban, right?

So if you just want to stick with that (quite limiting)... drop the logrotate config snippet... it's useless as there is no /var/log/fail2ban.log.

If you want to allow a bit more then you suffer from the same buggy logrotate config problem, that I describe in Debian bug #697333 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697333), which I hereby refer you to.


As usual Debian is a bit more mighty and provides the /etc/defaults framework with fail2ban. Fedora/EPEL doesn't seem to provide this, so I've attached here a simplified version of the script attached to the Debian bug.
If you choose to add a /etc/default/fail2ban config file like Debian has one, simply take the mightier script from the Debian bug.


Oh and I guess this issue also applies to Fedora and not just EPEL, can you forward it there?


Cheers,
Chris.

Comment 1 Christoph Anton Mitterer 2013-01-04 15:28:23 UTC
Some additions/corrections:

1) As Yaroslav pointed out in the corresponding Debian bug... the whole thing to find out the current logtarget (to then re-set it) can be done much easier with
fail2ban-client get logtarget

2) Even when the postrotate phase is made dynamic,... the logrotate config snippet will still apply only to /var/log/fail2ban.
So the only advantage we'd get is, that the user would need to modify the logrotate config snippet only in the first line,... not the postrotate phase.
And the problem of useless "empty" rotations in the case that e.g. SYSLOG is used as target isn't solved either.

Comment 2 Daniel Black 2013-11-26 22:15:16 UTC
upstream bug: https://github.com/fail2ban/fail2ban/issues/458 might see if I can implement a flushlog method on fail2ban-client.

Comment 3 Daniel Black 2013-12-07 01:15:23 UTC
Upstream fix committed.

https://github.com/fail2ban/fail2ban/pull/470/files

Comment 4 Fedora Update System 2014-07-21 23:07:25 UTC
fail2ban-0.8.13-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6

Comment 5 Fedora Update System 2014-07-22 18:09:40 UTC
Package fail2ban-0.8.13-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1985/fail2ban-0.8.13-1.el6
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-07-30 19:34:57 UTC
Package fail2ban-0.8.13-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1985/fail2ban-0.8.13-2.el6
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-08-15 18:58:39 UTC
fail2ban-0.8.13-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.