Fail2Ban: Failed to access sock path
-
Immediately after installing fail2ban, would it start? If so, that makes me think one of two things.
- Some configuration did change, which broke it.
- There's a permissions issue with that directory.
If I have some time, I'll spin up a VM, install fail2ban and see what "normal" looks like.
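An added example, not part of the original post: a small shell check that separates the two hypotheses above (a configuration problem versus a problem with the socket directory). `check_sock` and `diagnose` are hypothetical helper names, and the socket path is assumed to be fail2ban's stock default.

```shell
#!/bin/sh
# Added example (not from the thread). check_sock and diagnose are hypothetical helpers.
# Assumption: the stock socket path from fail2ban.conf; override SOCK if yours differs.
SOCK="${SOCK:-/var/run/fail2ban/fail2ban.sock}"

# check_sock PATH: print a verdict and return a matching status:
#   0 ok, 1 no-dir, 2 no-socket, 3 not-a-socket, 4 no-access
check_sock() {
    sock=$1
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ]; then echo "no-dir"; return 1; fi
    if [ ! -e "$sock" ]; then echo "no-socket"; return 2; fi
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return 3; fi
    if [ ! -r "$sock" ] || [ ! -w "$sock" ]; then echo "no-access"; return 4; fi
    echo "ok"
}

# diagnose: map the verdict for $SOCK onto the two hypotheses and show evidence.
diagnose() {
    rc=0
    verdict=$(check_sock "$SOCK") || rc=$?
    echo "socket $SOCK: $verdict"
    case $rc in
        1) echo "runtime directory is missing, so the server never created its socket" ;;
        2) echo "directory exists but the server is not listening; testing the configuration"
           if command -v fail2ban-client >/dev/null 2>&1; then
               # -t makes fail2ban-client parse the configuration and report errors
               fail2ban-client -t || echo "configuration test failed (see errors above)"
           fi ;;
        3) echo "something other than a socket sits at that path" ;;
        4) echo "permissions issue: run as root or inspect ownership and mode"
           ls -ld "$(dirname "$SOCK")" "$SOCK" ;;
    esac
    return $rc
}

# Run the diagnosis only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

Run it as root with `--run`; a `no-socket` verdict followed by a failed configuration test points at a broken `.local` file rather than at directory permissions.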
-
My `fail2ban` jail file for my jump boxes.
```
[jbusch@jump ~]$ cat /etc/fail2ban/jail.d/bundy_jump_jail.local
[DEFAULT]
backend = systemd

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = [email protected]

# Sender email address used solely for some actions
sender = [email protected]

# "bantime" is the number of seconds that a host is banned.
bantime = -1

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 120m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = ddos
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
action = %(action_mw)s
```
BTW, running on Fedora 33.
```
[jbusch@jump ~]$ cat /etc/fedora-release
Fedora release 33 (Thirty Three)
```
-
@gjacobse said in Fail2Ban: Failed to access sock path:
Research was done.
I'm sure you found hits on StackExchange, etc.
You found such workable information that you still didn't solve it.
Using abbreviations is bad form pretty much 100% of the time when troubleshooting.
All you are doing is adding complication.
-
Okay - had not considered that;
```
[root@NYNJ-AdGuard fail2ban]# rm jail.local fail2ban.local
rm: remove regular file 'jail.local'? y
rm: cannot remove 'fail2ban.local': No such file or directory
[root@NYNJ-AdGuard fail2ban]# sudo systemctl restart fail2ban
[root@NYNJ-AdGuard fail2ban]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-12-07 14:56:29 UTC; 7s ago
       Docs: man:fail2ban(1)
    Process: 1365 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 1366 (f2b/server)
      Tasks: 3 (limit: 518)
     Memory: 10.8M
        CPU: 164ms
     CGroup: /system.slice/fail2ban.service
             └─1366 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Dec 07 14:56:29 NYNJ-AdGuard systemd[1]: Starting Fail2Ban Service...
Dec 07 14:56:29 NYNJ-AdGuard systemd[1]: Started Fail2Ban Service.
Dec 07 14:56:29 NYNJ-AdGuard fail2ban-server[1366]: Server ready
[root@NYNJ-AdGuard fail2ban]#
```
So it is running now. Thank you, I'll make a note of that for the future.
So, now to deal with why it doesn’t seemingly kill attempts at sshd.
-
I have no idea what the default setup is, but you did delete your jail file...so any customization you made is now gone.
-
@gjacobse said in Fail2Ban: Failed to access sock path:
So, now to deal with why it doesn’t seemingly kill attempts at sshd.
Use the jail I posted. It only looks at `sshd`
Most likely you need to set it to `systemd` as I use.
-
@JaredBusch said in Fail2Ban: Failed to access sock path:
@gjacobse said in Fail2Ban: Failed to access sock path:
So, now to deal with why it doesn’t seemingly kill attempts at sshd.
Use the jail I posted. It only looks at `sshd`
Most likely you need to set it to `systemd` as I use.
If you do not have mail and `whois` setup, change the action from `action_mw` to `action_`
These are the actions:
From `jail.conf`
-
```
[root@NYNJ-AdGuard ~]# cat /etc/fedora-release
Fedora release 33 (Thirty Three)
[root@NYNJ-AdGuard ~]#
```
-
@gjacobse said in Fail2Ban: Failed to access sock path:
```
[root@NYNJ-AdGuard fail2ban]# rm jail.local fail2ban.local
rm: remove regular file 'jail.local'? y
rm: cannot remove 'fail2ban.local': No such file or directory
```
Those two files do not belong in the same location.
-
Since that is a screenshot, it appears that some parts of the code are cut off.
I guess since I don't send emails, the only portion that is relevant is the first one...
-
@gjacobse said in Fail2Ban: Failed to access sock path:
Since that is a screenshot, it appears that some parts of the code are cut off.
You are not listening. I said previously posted.
Thus, you need to look before that.
There in the actual `.local` file I did post, you will see an action listed. In the settings of said action is one of those options.
I posted that screenshot with the intentional size because it contains the comment regarding what each does as well as the format.
-
@JaredBusch said in Fail2Ban: Failed to access sock path:
@gjacobse said in Fail2Ban: Failed to access sock path:
Since that is a screenshot, it appears that some parts of the code are cut off.
You are not listening. I said previously posted.
Thus, you need to look before that.
There in the actual `.local` file I did post, you will see an action listed. In the settings of said action is one of those options.
I posted that screenshot with the intentional size because it contains the comment regarding what each does as well as the format.
Actually, I was and am listening. When you are working from a 6.5” diagonal screen as I have been, you likely miss a bit of information.
That said - not that it likely makes any difference.
```
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 24
|  |- Total failed:     92
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   (IPs)
```