fail2ban won't start on Debian 12

Status
Not open for further replies.

whut

Member
Dec 23, 2022
212
19
18
I am trying fusion on Debian 12 but fail2ban will not start. Fusion website says Debian12 is the recommended operating system now.

How do you get fail2ban to run on Debian 12? 1 warning and 2 errors.

I think one of the problems is the ssh logpath /var/log/auth.log does not exist. I think debian12 is using /var/log/journal/<something> instead.
 

Attachments

  • Screenshot 2024-01-13 134220.png
    Screenshot 2024-01-13 134220.png
    24.8 KB · Views: 11
Last edited:

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,496
413
83
Quite a lot has changed in Debian12. We have just uplifted the install script for DjangoPBX and we have seen a lot of breaking changes.

In Debian11 sshd logged to /var/log/auth.log.

In Debian12, as you rightly say, the traditional syslog system has been replaced with systemd-journald. This means that the old log files like syslog, messages, auth.log are no longer available. The journalctl command replaces these logs.

Journalctl is quite good, some examples below:

Code:
journalctl -u ssh.service
journalctl --since "1 hour ago"

I think the answer for Fail2Ban is here: https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-1142503461
 

whut

Member
Dec 23, 2022
212
19
18
Thank you for taking the time to reply, Adrian. I was able to fix most of the issues by changing ssh jail logpath by disabling its logpath and adding bankend = systemd. Perhaps it would be improved further with journalctl -u ssh.service.

f2b is now running for me and I have no warnings and no errors. But this comes at the currently required cost of disabling fusionpbx and fusionpbx-mac jails which is unacceptable IMO.

fusionpbx jail is watching /var/log/auth.log which does not exist. fusionpbx-mac jail is watching /var/log/syslog which also does not exist.
 

whut

Member
Dec 23, 2022
212
19
18
going back to debian 11 since all of the jails can be enabled and they work on that version. :mad:
 

Jimbob

New Member
Dec 19, 2023
9
1
3
48
You probably just need to install rsyslog to get the auth.log file back for Fail2ban to monitor.
 

whut

Member
Dec 23, 2022
212
19
18
Thanks for the input @Jimbob . I destroyed the deb 12 server and will not be getting back to it for some time. Hopefully The fusion installation will be thoroughly tested on deb 12 and be fixed before I have time to throw at it again.
 

Jimbob

New Member
Dec 19, 2023
9
1
3
48
I think your issue may have been that some cloud providers use a minimal version of Debian 12. I am fairly sure I've had a similar issue with fail2ban and installing rsyslog solved the problem.
 
Status
Not open for further replies.