Bug 917818

Summary: fail2ban can not use systemd-journal to ban ips
Product: [openSUSE] openSUSE Distribution
Reporter: Robin Roth <robin.roth>
Component: Security
Assignee: Johannes Weberhofer <jweberhofer>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: astieger, furlongm, jsegitz, marvin24, P.Suetterlin, robin.roth, sb56637, Willy.Weisz
Version: 13.2   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 13.2   

Description Robin Roth 2015-02-13 13:25:39 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Build Identifier: 

The fail2ban version available with openSUSE 13.2 is not capable of parsing the systemd-journal. Therefore an existing 13.1 configuration that bans IPs based on failed logins will not work when upgrading to 13.2 (fail2ban fails to start, saying /var/log/messages does not exist).
This essentially disables the security provided by fail2ban against brute-force attacks.

Reproducible: Always
Comment 1 Johannes Segitz 2015-02-13 13:42:23 UTC
Install rsyslog as a workaround. 

Looks like fail2ban 0.9.0 introduces a systemd backend.
Comment 2 Robin Roth 2015-02-13 14:44:13 UTC
The workaround has the disadvantage that all other tools that assume systemd-logger don't work anymore. As systemd-logger is the default in 13.2, all associated packages, including fail2ban, should be updated to support it, especially because fail2ban has this feature upstream.
Comment 3 Johannes Weberhofer 2015-02-13 20:54:38 UTC
Fail2ban (in the current version) requires the installation of syslog, which automatically makes the system log to /var/log/messages; doesn't that work for you?

I am thinking about providing fail2ban 0.9.1+, hopefully in March (I don't have enough time-resources to do that now), but I do not plan to provide an update for OSS 13.1/13.2, as the configuration changes a lot.
Comment 4 Robin Roth 2015-02-16 08:22:56 UTC
fail2ban requires "syslog", but in a 13.2 installation with all current updates:
'systemd-logger' providing 'syslog' is already installed.

systemd-logger is a dummy package that only provides a /var/log/README telling you to not look at /var/log/messages but use the systemd infrastructure.

So the dependency on syslog does not make sense. One could change it to rsyslog or syslog-ng to get a /var/log/messages, but this would then break the systemd install and remove journald. So this is not a realistic option.

In my opinion any package should provide sensible defaults and work out of the box. To do so an upgrade to 0.9.1 also in 13.2 would be important. As soon as there's a factory version available I could help test a backport to 13.2.
13.1 is not affected as there journald is not yet the default.
Comment 5 Marcus Furlong 2015-09-03 04:40:36 UTC
Also seeing this issue, and need to install an alternative syslog provider

# zypper in rsyslog
Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: systemd-logger-210-25.16.1.x86_64 conflicts with namespace:otherproviders(syslog) provided by rsyslog-8.4.2-3.1.x86_64
 Solution 1: deinstallation of systemd-logger-210-25.16.1.x86_64
 Solution 2: do not install rsyslog-8.4.2-3.1.x86_64

Choose from above solutions by number or cancel [1/2/c] (c): c
#

+1 to getting 0.9.x in 13.2 if possible.
Comment 6 Bernhard Wiedemann 2015-09-23 07:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (917818) was mentioned in
https://build.opensuse.org/request/show/333078 13.2+13.1 / fail2ban
Comment 7 Benjamin Brunner 2015-10-09 12:04:08 UTC
Update for openSUSE 13.2 released. Resolved fixed.
Comment 8 Swamp Workflow Management 2015-10-09 13:12:11 UTC
openSUSE-RU-2015:1710-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 917818
CVE References: 
Sources used:
openSUSE 13.2 (src):    fail2ban-0.9.3-2.18.1, sssd-1.12.2-3.9.1
openSUSE 13.1 (src):    fail2ban-0.9.3-2.27.1
Comment 9 Robin Roth 2015-10-13 11:24:52 UTC
Thanks for the update. Fail2ban is now up2date, but the problem is not resolved, because the backend 'systemd' does not work.

If I run fail2ban with "backend=systemd", I get errors. Researching those led to a missing dependency: "python-systemd".

At 
https://github.com/fail2ban/fail2ban/blob/master/fail2ban/server/filtersystemd.py#L29
and other places, fail2ban uses the library from
https://github.com/systemd/python-systemd

The opensuse fail2ban package does not depend on that library and as far as I can see the library is not even available through the repositories:
https://software.opensuse.org/search?utf8=%E2%9C%93&q=python-systemd&search_devel=false&search_unsupported=false&baseproject=openSUSE%3A13.2

Please package/add python-systemd and add the corresponding dependency to fail2ban.
Comment 10 Johannes Weberhofer 2015-10-15 04:47:09 UTC
(In reply to Robin Roth from comment #9)
> Thanks for the update. Fail2ban is now up2date, but the problem is not
> resolved, because the backend 'systemd' does not work.
> 
> If I run fail2ban with "backend=systemd", I get errors. Researching those
> led to a missing dependency: "python-systemd".

> Please package/add python-systemd and add the corresponding dependency to
> fail2ban.

You are right. As I currently don't use systemd logging on my test systems I have not seen that. I have now packaged python-systemd which you could download from http://download.opensuse.org/repositories/home:/weberho:/branches:/devel:/languages:/python/

It would be great if you could give it a try and give some feedback!
Comment 11 Robin Roth 2015-10-15 08:45:39 UTC
Thanks for the quick response and testpackage!

With python-systemd installed and setting backend=systemd it works.

Taking the default config (backend=auto) fails.
I get:
2015-10-15 10:34:45,443 fail2ban.jail           [10150]: INFO    Creating new jail 'sshd'
2015-10-15 10:34:45,555 fail2ban.jail           [10150]: INFO    Jail 'sshd' uses pyinotify
2015-10-15 10:34:45,615 fail2ban.filter         [10150]: INFO    Set jail log file encoding to UTF-8
2015-10-15 10:34:45,633 fail2ban.jail           [10150]: INFO    Initiated 'pyinotify' backend
2015-10-15 10:34:09,879 fail2ban.filter         [10006]: INFO    Added logfile = /var/log/messages
2015-10-15 10:34:10,133 fail2ban.server         [10006]: INFO    Jail sshd is not a JournalFilter instance

instead of

2015-10-15 10:01:20,586 fail2ban.jail           [5392]: INFO    Creating new jail 'sshd'
2015-10-15 10:01:20,610 fail2ban.jail           [5392]: INFO    Jail 'sshd' uses systemd
2015-10-15 10:01:20,655 fail2ban.jail           [5392]: INFO    Initiated 'systemd' backend

Setting logpath to "" doesn't help either. 


Can you get python-systemd into the official repo? It really should be a dependency of fail2ban.
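
The failure mode reported in comment 11 (a jail that starts cleanly on a file backend while the host logs only to the journal) can be detected from fail2ban's own log. The following is an added example, not part of the original report or of fail2ban; the log lines are copied from comment 11, and the function names `audit` and `journal_binding_present` are hypothetical.

```python
import re

# Log lines copied from comment 11: a backend=auto run, then a backend=systemd run.
SAMPLE_LOG = """\
2015-10-15 10:34:45,443 fail2ban.jail           [10150]: INFO    Creating new jail 'sshd'
2015-10-15 10:34:45,555 fail2ban.jail           [10150]: INFO    Jail 'sshd' uses pyinotify
2015-10-15 10:34:45,615 fail2ban.filter         [10150]: INFO    Set jail log file encoding to UTF-8
2015-10-15 10:34:45,633 fail2ban.jail           [10150]: INFO    Initiated 'pyinotify' backend
2015-10-15 10:34:09,879 fail2ban.filter         [10006]: INFO    Added logfile = /var/log/messages
2015-10-15 10:34:10,133 fail2ban.server         [10006]: INFO    Jail sshd is not a JournalFilter instance
2015-10-15 10:01:20,586 fail2ban.jail           [5392]: INFO    Creating new jail 'sshd'
2015-10-15 10:01:20,610 fail2ban.jail           [5392]: INFO    Jail 'sshd' uses systemd
2015-10-15 10:01:20,655 fail2ban.jail           [5392]: INFO    Initiated 'systemd' backend
"""

LINE = re.compile(r"^\S+ \S+ fail2ban\.\S+\s+\[(\d+)\]: \w+\s+(.*)$")
USES = re.compile(r"^Jail '([^']+)' uses (\S+)")
NOT_JOURNAL = re.compile(r"^Jail (\S+) is not a JournalFilter instance")
ADDED = re.compile(r"^Added logfile = (\S+)")

def audit(log_text):
    """Group fail2ban log lines by server pid and flag jails not reading the journal."""
    report = {"backends": {}, "logfiles": {}, "findings": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a fail2ban log line
        pid, msg = int(m.group(1)), m.group(2)
        uses = USES.match(msg)
        not_journal = NOT_JOURNAL.match(msg)
        added = ADDED.match(msg)
        if uses:
            jail, backend = uses.groups()
            report["backends"][(pid, jail)] = backend
            if backend != "systemd":
                report["findings"].append((pid, jail, f"uses file backend '{backend}'"))
        elif not_journal:
            report["findings"].append((pid, not_journal.group(1), "is not a JournalFilter instance"))
        elif added:
            report["logfiles"].setdefault(pid, []).append(added.group(1))
    return report

def journal_binding_present():
    """True if the python-systemd module that backend=systemd needs is importable."""
    try:
        import systemd.journal  # noqa: F401
        return True
    except ImportError:
        return False

if __name__ == "__main__":
    for pid, jail, problem in audit(SAMPLE_LOG)["findings"]:
        print(f"pid {pid}: jail {jail} {problem}")
    print("python-systemd importable:", journal_binding_present())
```

On a journald-only host, any finding from `audit` means the jail is watching a file that receives no authentication failures, so no bans will be issued even though fail2ban reports a normal start.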
Comment 12 Willy Weisz 2015-10-21 21:21:31 UTC
When will an x86_64 version be available for python-systemd?
Comment 13 Johannes Weberhofer 2015-10-22 06:23:02 UTC
(In reply to Willy Weisz from comment #12)
> When will an x86_64 version be available for python-systemd?

I have activated the above mentioned repository again - You can try to use it. However, it takes some time to pass the package to the devel-project, to factory and back to the security project...
Comment 14 Johannes Weberhofer 2015-10-22 06:54:11 UTC
(In reply to Johannes Weberhofer from comment #13)
> (In reply to Willy Weisz from comment #12)
> > When will an x86_64 version be available for python-systemd?
> 
> I have activated the above mentioned repository again - You can try to use
> it. However, it takes some time to pass the package to the devel-project, to
> factory and back to the security project...

After adding a patch, the library builds for openSUSE 13.1, too. You might try it out, I have not yet tested it.
Comment 15 Peter Sütterlin 2016-01-15 09:47:45 UTC
Hmm, Leap 42.1 has the same problem again:  There is (still) no official systemd-python package in the official repositories.
Is this going to be added at some point?
Comment 16 S. B. 2016-03-05 04:03:08 UTC
Any news on getting this fixed for Leap 42.1? For the record, I made it work by setting jail.local to `backend = systemd` and installing python-systemd from here:

https://build.opensuse.org/package/show?project=devel%3Alanguages%3Apython&package=python-systemd
Comment 17 S. B. 2016-03-05 04:05:12 UTC
Setting severity to "Major", as this is a critical tool in the toolkit of any admin interested in security.
Comment 18 Johannes Weberhofer 2016-03-10 12:17:52 UTC
I have just published the new fail2ban version 0.9.4, which allows defining the backends via /etc/fail2ban/paths-opensuse.conf

This allows pre-setting the backend for all the distributions. Please test the update and I will soon make a request for inclusion in the normal leap update channel.
Comment 19 Bernhard Wiedemann 2016-06-08 21:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (917818) was mentioned in
https://build.opensuse.org/request/show/400732 42.1 / fail2ban
Comment 20 Andreas Stieger 2016-06-10 15:24:02 UTC
Jan, just reviewing your submission. Can you add python-systemd to the incident?

(remove old package)
osc branch -M -N openSUSE:Leap:42.1:Update/python-systemd home:weberho:branches:openSUSE:Leap:42.1:Update
osc copypac -e -K openSUSE:Factory/python-systemd home:weberho:branches:openSUSE:Leap:42.1:Update/python-systemd.openSUSE_Leap_42.1_Update
osc mr home:weberho:branches:openSUSE:Leap:42.1:Update -m "... message"
Comment 21 Andreas Stieger 2016-06-10 15:30:01 UTC
S.B., can you please install 0.9.4 from security/fail2ban to verify functionality while the maintenance update is being prepared.

Johannes, if this is too invasive, especially for working setups, we can push this to 42.2. If you think this should be a 42.1 maintenance update we'll review python-systemd.
Comment 22 Johannes Weberhofer 2016-06-10 15:43:02 UTC
(In reply to Andreas Stieger from comment #21)
> Johannes, if this is too invasive, especially for working setups, we can
> push this to 42.2. If you think this should be a 42.1 maintenance update
> we'll review python-systemd.

Andreas, when the sysadmins followed the fail2ban guidelines, then the update is not problematic (IMHO). Internally many things have changed. I have fail2ban currently running on ~6 machines; all rules provided by fail2ban were running without issues but I had to adapt some of my additional rules. That's why I was waiting so long before submitting the update.

There also was e.g. issue #971941 - such things may happen with the release and improperly configured software.
Comment 23 Peter Sütterlin 2016-06-13 12:04:17 UTC
FYI, I'm also running fail2ban (0.9.4) and python-systemd (6.1) from security on our server (Leap 42.1) without issues.
Comment 24 Bernhard Wiedemann 2016-07-07 08:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (917818) was mentioned in
https://build.opensuse.org/request/show/407045 42.1 / fail2ban+python-systemd
Comment 25 Benjamin Brunner 2016-07-14 15:57:21 UTC
We've started an update and, after there are several changes, we would appreciate some feedback if everything works as expected.

You can use the following repository for testing (as soon as it's built and published):
http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5366/openSUSE_Leap_42.1_Update

Thanks in advance!
Comment 26 Johannes Weberhofer 2016-07-22 07:44:11 UTC
(In reply to Benjamin Brunner from comment #25)
> We've started an update and, after there are several changes, we would
> appreciate some feedback if everything works as expected.
> 
> You can use the following repository for testing (as soon as it's built and
> published):
> http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5366/openSUSE_Leap_42.1_Update
> 
> Thanks in advance!

I have tested the updated repository on one server and it worked.
Comment 27 Andreas Stieger 2016-07-23 11:22:36 UTC
releasing for openSUSE Leap 42.1
Comment 28 Swamp Workflow Management 2016-07-23 15:13:20 UTC
openSUSE-RU-2016:1863-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 917818
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    fail2ban-0.9.4-4.1, python-systemd-231-2.1
Comment 29 Swamp Workflow Management 2019-03-26 15:31:19 UTC
This is an autogenerated message for OBS integration:
This bug (917818) was mentioned in
https://build.opensuse.org/request/show/688767 15.1 / fail2ban
Comment 30 Swamp Workflow Management 2019-12-18 12:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (917818) was mentioned in
https://build.opensuse.org/request/show/757732 Maintenance / python-systemd
Comment 32 Swamp Workflow Management 2020-09-04 19:34:11 UTC
SUSE-RU-2020:2549-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1121610,1174571,917818
CVE References: 
JIRA References: ECO-2130
Sources used:
SUSE Manager Tools 15 (src):    python-pyinotify-0.9.6-4.5.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-decorator-4.4.2-7.3.13
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    python-Sphinx-1.7.6-3.10.6, python-alabaster-0.7.10-3.2.1, python-barbicanclient-4.10.0-5.3.5, python-cinderclient-7.0.0-8.4.5, python-cliff-3.1.0-7.4.6, python-cmd2-0.8.9-7.4.3, python-contextlib2-0.6.0-3.2.13, python-debtcollector-2.0.1-8.4.6, python-decorator-4.4.2-7.3.13, python-designateclient-4.0.0-5.3.5, python-glanceclient-3.1.1-8.3.5, python-heatclient-2.1.0-8.3.6, python-imagesize-0.7.1-3.2.1, python-ironicclient-4.1.0-5.3.6, python-keystoneauth1-4.0.0-9.3.6, python-keystoneclient-4.0.0-9.4.5, python-magnumclient-3.0.0-7.3.6, python-monascaclient-2.1.0-5.3.6, python-monotonic-1.5-7.3.13, python-neutronclient-7.1.1-7.3.6, python-novaclient-17.0.0-8.4.6, python-octaviaclient-2.0.1-5.3.6, python-openstacksdk-0.46.0-7.4.5, python-os-client-config-2.1.0-8.4.7, python-os-service-types-1.7.0-8.4.5, python-osc-lib-2.0.0-8.4.6, python-oslo.concurrency-4.0.2-8.4.6, python-oslo.config-8.0.2-8.4.5, python-oslo.context-2.20.0-4.6.1, python-oslo.i18n-4.0.1-8.4.5, python-oslo.log-4.1.1-8.4.5, python-oslo.serialization-3.1.1-8.4.5, python-oslo.utils-4.1.1-8.4.4, python-osprofiler-3.1.0-7.4.6, python-pyinotify-0.9.6-4.5.1, python-python-subunit-1.3.0-6.2.4, python-rfc3986-1.4.0-7.4.4, python-snowballstemmer-1.2.1-3.2.1, python-sphinx_rtd_theme-0.2.4-3.2.1, python-sphinxcontrib-1.0.1-4.2.1, python-sphinxcontrib-apidoc-0.3.0-5.3.3, python-sphinxcontrib-svg2pdfconverter-1.0.1-5.3.15, python-sphinxcontrib-websupport-1.0.1-4.2.1, python-statsd-3.3.0-5.3.13, python-stestr-2.6.0-8.4.10, python-stevedore-1.32.0-7.4.4, python-swiftclient-3.9.0-7.4.5, python-systemd-234-5.3.5, python-voluptuous-0.10.5-3.2.1, python-wcwidth-0.1.8-3.5.11
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    python-Sphinx-1.7.6-3.10.6, python-alabaster-0.7.10-3.2.1, python-imagesize-0.7.1-3.2.1, python-monotonic-1.5-7.3.13, python-rfc3986-1.4.0-7.4.4, python-snowballstemmer-1.2.1-3.2.1, python-sphinx_rtd_theme-0.2.4-3.2.1, python-sphinxcontrib-1.0.1-4.2.1, python-sphinxcontrib-websupport-1.0.1-4.2.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    python-Sphinx-1.7.6-3.10.6, python-alabaster-0.7.10-3.2.1, python-imagesize-0.7.1-3.2.1, python-snowballstemmer-1.2.1-3.2.1, python-sphinx_rtd_theme-0.2.4-3.2.1, python-sphinxcontrib-1.0.1-4.2.1, python-sphinxcontrib-websupport-1.0.1-4.2.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    python-Sphinx-1.7.6-3.10.6, python-alabaster-0.7.10-3.2.1, python-imagesize-0.7.1-3.2.1, python-snowballstemmer-1.2.1-3.2.1, python-sphinx_rtd_theme-0.2.4-3.2.1, python-sphinxcontrib-1.0.1-4.2.1, python-sphinxcontrib-websupport-1.0.1-4.2.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    python-Sphinx-1.7.6-3.10.6, python-alabaster-0.7.10-3.2.1, python-imagesize-0.7.1-3.2.1, python-snowballstemmer-1.2.1-3.2.1, python-sphinx_rtd_theme-0.2.4-3.2.1, python-sphinxcontrib-1.0.1-4.2.1, python-sphinxcontrib-websupport-1.0.1-4.2.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python-decorator-4.4.2-7.3.13, python-monotonic-1.5-7.3.13

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2020-09-08 10:14:33 UTC
openSUSE-RU-2020:1381-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1121610,1174571,917818
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-Sphinx-1.7.6-lp152.5.3.1, python-Sphinx-doc-1.7.6-lp152.5.3.1, python-python-subunit-1.3.0-lp152.3.3.1, python-wcwidth-0.1.8-lp152.3.4.1
Comment 34 Swamp Workflow Management 2020-09-08 10:15:33 UTC
openSUSE-RU-2020:1380-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1121610,1174571,917818
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    python-Sphinx-1.7.6-lp151.2.9.1, python-Sphinx-doc-1.7.6-lp151.2.9.1, python-python-subunit-1.3.0-lp151.2.3.1, python-wcwidth-0.1.8-lp151.3.6.1