fail2ban won't start on Debian 12

Status
Not open for further replies.
whut

whut

Active Member
Dec 23, 2022
311
39
28
I am trying fusion on Debian 12 but fail2ban will not start. Fusion website says Debian12 is the recommended operating system now.

How do you get fail2ban to run on Debian 12? 1 warning and 2 errors.

I think one of the problems is the ssh logpath /var/log/auth.log does not exist. I think debian12 is using /var/log/journal/<something> instead.
 

Attachments

  • Screenshot 2024-01-13 134220.png
    Screenshot 2024-01-13 134220.png
    24.8 KB · Views: 13
Last edited:
Quite a lot has changed in Debian12. We have just uplifted the install script for DjangoPBX and we have seen a lot of breaking changes.

In Debian11 sshd logged to /var/log/auth.log.

In Debian12, as you rightly say, the traditional syslog system has been replaced with systemd-journald. This means that the old log files like syslog, messages, auth.log are no longer available. The journalctl command replaces these logs.

Journalctl is quite good, some examples below:

Code: 
journalctl -u ssh.service
journalctl --since "1 hour ago"

I think the answer for Fail2Ban is here: https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-1142503461
 
Thank you for taking the time to reply, Adrian. I was able to fix most of the issues by changing ssh jail logpath by disabling its logpath and adding bankend = systemd. Perhaps it would be improved further with journalctl -u ssh.service.

f2b is now running for me and I have no warnings and no errors. But this comes at the currently required cost of disabling fusionpbx and fusionpbx-mac jails which is unacceptable IMO.

fusionpbx jail is watching /var/log/auth.log which does not exist. fusionpbx-mac jail is watching /var/log/syslog which also does not exist.
 
going back to debian 11 since all of the jails can be enabled and they work on that version. :mad:
 
You probably just need to install rsyslog to get the auth.log file back for Fail2ban to monitor.
 
Thanks for the input @Jimbob . I destroyed the deb 12 server and will not be getting back to it for some time. Hopefully The fusion installation will be thoroughly tested on deb 12 and be fixed before I have time to throw at it again.
 
I think your issue may have been that some cloud providers use a minimal version of Debian 12. I am fairly sure I've had a similar issue with fail2ban and installing rsyslog solved the problem.
 
Status
Not open for further replies.
Top Bottom