PEZZO DI MERDA!
I can’t get it to work this time around! Doh!
And I really can’t be arsed trying to figure it out - WHY would you make something that used to work well, “out of the box” now completely broken “out of the box”?
I’ve disabled SSH (to the Pi5 running bookworm) from outside now because of this… I don’t need it…
Found the answer here:
opened 05:45PM - 31 May 22 UTC
closed 12:27AM - 26 Apr 24 UTC
bug
### Environment:
- Fail2Ban master branch, as well as version 0.11.1 on Ubuntu Focal and many others
- OS, including release name/version : Ubuntu Focal. Allegedly, Ubuntu Xenial is also affected, as well as some Debian installations.
- [x] Fail2Ban installed via OS/distribution mechanisms
- [x] You have not applied any additional foreign patches to the codebase
- [x] Some customizations were done to the configuration (provide details below if so)
### The issue:
On modern systemd-based distros, like newer releases of Ubuntu, Debian, Archlinux, RHEL, Fedora, etc, services like sshd log to the systemd journal. Optionally rsyslog or syslog can be installed and run, and logs will *also* be available i.e. in `/var/log/auth.log` or `/var/log/secure.log`.
In the files `/etc/fail2ban/paths-{arch|fedora|opensuse}` there is a section like this:
```
syslog_backend = systemd
sshd_backend = systemd
dropbear_backend = systemd
proftpd_backend = systemd
pureftpd_backend = systemd
wuftpd_backend = systemd
postfix_backend = systemd
dovecot_backend = systemd
```
... and because of this, fail2ban works on arch, fedora (with derivatives) and opensuse. However, it fails on debian and ubuntu, unless the syslog package is installed and the service is running. Apparently this was reported as early as 2014 at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171 and it's also reported for Ubuntu 16.04 at https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/1696591 ... we're running Ubuntu and EL. On our baseimages with Ubuntu 16.04, fail2ban installs and runs because we have syslog running there, on Ubuntu 20.04 we've had to hand-tune configuration to get fail2ban to run on the services above. On EL it also works due to the `paths-fedora.conf`-file.
#### Steps to reproduce
* Install Ubuntu 20.04
* Observe that the OS installation comes without any rsyslog/syslog package installed (I suppose YMMV, dependent on how it's installed)
* Install fail2ban (`sudo apt-get install fail2ban`)
* Enable the sshd jail: `echo -e "[sshd]\nenabled=true" | sudo tee /etc/fail2ban/jail.local`
* Start up fail2ban: `sudo systemctl start fail2ban`
* Observe that it's not running: `sudo systemctl status fail2ban` - the error message looks like `ERROR Failed during configuration: Have not found any log file for sshd jail`.
#### Suggestion
I suggest creating a `/etc/fail2ban/paths-systemd` containing only the lines `*_backend = systemd`, and make sure it's run from any operating system having systemd installed.
### Configuration, dump and another helpful excerpts
#### Any customizations done to /etc/fail2ban/ configuration
```
$ sudo cat /etc/fail2ban/jail.local
[sshd]
enabled=true
```
/etc/fail2ban/jail.local:
```
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
# backend = %(sshd_backend)s
backend=systemd
enabled=true
```
Commented "backend = %(sshd_backend)s" and uncommented "enabled=true" and then:
```
╭─x@frambo ~
╰─➤ sudo fail2ban-client -vv start
╭─x@frambo ~
╰─➤ sudo systemctl restart fail2ban
╭─x@frambo ~
╰─➤ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Wed 2024-09-11 12:22:33 AWST; 7min ago
Docs: man:fail2ban(1)
Main PID: 1401 (fail2ban-server)
Tasks: 0 (limit: 9259)
CPU: 81ms
CGroup: /system.slice/fail2ban.service
‣ 1401 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.>
Sep 11 12:22:33 frambo systemd[1]: Started fail2ban.service - Fail2Ban Service.
Sep 11 12:22:33 frambo fail2ban-server[1415]: 2024-09-11 12:22:33,666 fail2ban [1415]: ERROR Server already running
Sep 11 12:22:33 frambo fail2ban-server[1415]: 2024-09-11 12:22:33,666 fail2ban [1415]: ERROR Async configuration of serve
```
So enabling my NAT rule (doesn’t listen on port 22!).
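A preflight check for the failure described in the quoted issue, as an added example that is not part of the original post or of the fail2ban project. The helper names `ini_get` and `check_sshd_jail` are hypothetical, and the script reads only the one jail file it is given, whereas fail2ban itself also merges `jail.conf`, `jail.d/` and the `paths-*.conf` files.

```shell
#!/bin/sh
# Added example (not fail2ban code). Assumption: a single jail file is inspected;
# real fail2ban also merges jail.conf, jail.d/ and paths-*.conf.

# Print the last value assigned to KEY inside [SECTION] of an INI-style file.
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); insec = ($0 == want); next }
        insec {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Classify the sshd jail. Prints disabled, ok-systemd, ok-logfile or
# broken-no-logfile; returns 1 only for the broken case.
check_sshd_jail() {  # usage: check_sshd_jail JAIL_FILE AUTH_LOG
    enabled=$(ini_get "$1" sshd enabled)
    backend=$(ini_get "$1" sshd backend)
    [ -n "$backend" ] || backend=$(ini_get "$1" DEFAULT backend)
    case "$enabled" in
        true|yes|1|on) ;;
        *) echo disabled; return 0 ;;
    esac
    if [ "$backend" = systemd ]; then
        echo ok-systemd            # journal is read, no log file needed
    elif [ -e "$2" ]; then
        echo ok-logfile            # a syslog daemon is writing the file
    else
        echo broken-no-logfile     # "Have not found any log file for sshd jail"
        return 1
    fi
}

# Constructed sample: the jail.local from the issue's reproduction steps,
# checked against a log path that does not exist (no rsyslog installed).
demo_dir=$(mktemp -d)
printf '[sshd]\nenabled=true\n' > "$demo_dir/jail.local"
check_sshd_jail "$demo_dir/jail.local" "$demo_dir/auth.log" || true
printf 'backend=systemd\n' >> "$demo_dir/jail.local"
check_sshd_jail "$demo_dir/jail.local" "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

On a real host the call would be `check_sshd_jail /etc/fail2ban/jail.local /var/log/auth.log`, run before restarting the service.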