fail2ban configuration ambiguous

Bug #267087 reported by Sybren Stüvel
Affects: fail2ban (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

There seems to be an overlap in the configuration options in /etc/fail2ban.conf and /etc/fail2ban/*.conf. For example, the maximum number of fails before an IP gets banned can be configured in /etc/fail2ban.conf as well as in /etc/fail2ban/jail.conf. This is confusing and ambiguous - please fix this so that a configuration variable is only stored/read from one place, and remove the rest.

Revision history for this message
Sybren Stüvel (sybren-stuvel) wrote :

Marked as a security vulnerability. Someone could change an option in /etc/fail2ban.conf to tighten security, but perhaps fail2ban only reads /etc/fail2ban/*.conf. This would result in the user having lower security than expected.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

fail2ban doesn't read /etc/fail2ban.conf at all. The default fail2ban.conf only configures loglevel, logtarget and the socket path, so if you don't read the manual on how to configure the jails (in fail2ban.jail), then I'm not sure how it can be a bug.

Changed in fail2ban (Ubuntu):
status: New → Invalid
Revision history for this message
Sybren Stüvel (sybren-stuvel) wrote :

The "dpkg -L fail2ban" gives me "/etc/fail2ban.conf" on Ubuntu 8.04.1. If a configuration file is shipped with a package but not used by that package, then it's a bug. fail2ban.jail doesn't exist on my system, /etc/fail2ban/jail.conf does. It can list all sorts of information, but that's worthless if it is contradicted by the information in /etc/fail2ban.conf. Since both are shipped with the same package, it is impossible for an outsider to decide which information is valid and which can be discarded.

I don't see how this is *not* a bug.

Changed in fail2ban:
status: Invalid → New
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

dpkg -L on hardy doesn't list /etc/fail2ban.conf here. Don't know where you got it.

The information in fail2ban.conf is not contradicting; the default files have nothing in common (fail2ban.conf and jail.conf), and surely users need to read the manual before trying to configure something like this.

Changed in fail2ban (Ubuntu):
status: New → Invalid
Revision history for this message
Sybren Stüvel (sybren-stuvel) wrote :

This is what I have:

sybren@zebra:~$ apt-cache show fail2ban
Package: fail2ban
Priority: optional
Section: universe/net
Installed-Size: 600
Maintainer: Ubuntu MOTU Developers <email address hidden>
Original-Maintainer: Yaroslav Halchenko <email address hidden>
Architecture: all
Version: 0.8.2-2
Depends: lsb-base (>= 2.0-7), python (>= 2.4), python-central (>= 0.6.1)
Recommends: iptables, whois
Suggests: mailx, python-gamin
Filename: pool/universe/f/fail2ban/fail2ban_0.8.2-2_all.deb
Size: 82390
MD5sum: aef235514f893bcfe2314410c5a2c069
SHA1: 915dc6d4b956e27b7565b5b0be91eadda461b10f
SHA256: 2dd2523aee82b90d8c0900314caf8110b24eb39e778eb202ba1ed3dd5520d780
Description: bans IPs that cause multiple authentication errors
 Monitors log files (e.g. /var/log/auth.log,
 /var/log/apache/access.log) and temporarily or persistently bans
 failure-prone addresses by updating existing firewall rules. The
 software was completely rewritten at version 0.7.0 and now allows
 easy specification of different actions to be taken such as to ban an
 IP using iptables or hostsdeny rules, or simply to send a
 notification email. Currently, by default, supports ssh/apache/vsftpd
 but configuration can be easily extended for monitoring any other ASCII
 file. All filters and actions are given in the config files, thus
 fail2ban can be adopted to be used with a variety of files and
 firewalls.
Homepage: http://www.fail2ban.org
Python-Version: current
Bugs: mailto:<email address hidden>
Origin: Ubuntu

sybren@zebra:~$ sudo apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
fail2ban is already the newest version.

It's strange, as http://packages.ubuntu.com/hardy/all/fail2ban/filelist doesn't list /etc/fail2ban.conf but my local package does, and both have the same version. I've cleared all packages from /var/cache/apt/archives and reinstalled:

root@zebra:/etc# apt-get install --reinstall fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 23 not upgraded.
Need to get 82.4kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get: 1 http://uk.archive.ubuntu.com hardy/universe fail2ban 0.8.2-2 [82.4kB]
Fetched 82.4kB in 0s (165kB/s)
(Reading database ... 120575 files and directories currently installed.)
Preparing to replace fail2ban 0.8.2-2 (using .../fail2ban_0.8.2-2_all.deb) ...
Unpacking replacement fail2ban ...
Setting up fail2ban (0.8.2-2) ...

root@zebra:/etc# dpkg -L fail2ban | grep fail2ban.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban.conf

But still it lists /etc/fail2ban.conf as part of the fail2ban package. Removing and purging the package, then installing it again solved the problem. It's a mystery to me how this file could still be listed as part of the package.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Maybe you dist-upgraded from an earlier version where it used to be /etc/fail2ban.conf. /usr/share/doc/fail2ban/README.Debian.gz probably has what you are looking for:

Upgrade from 0.6 versions:
-------------------------

* New Config Files Format:

If you had introduced your own sections in /etc/fail2ban.conf, you
would need manually to convert them into a new format. At minimum you
need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
for me and upstream please to avoid any conflicts -- introduce your
changes in .local) with failregex in [Definition] section. And provide
appropriate jail definition in /etc/fail2ban/jail.local
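An added example, not from the bug thread or from fail2ban's own code, that makes the .conf/.local layering the README describes concrete: it reads jail.conf and then jail.local with Python's configparser (the module fail2ban's reader is built on), so .local values override .conf values, and reports which file supplied each effective setting. The jail.conf and jail.local contents below are constructed samples, not the Ubuntu defaults.

```python
import configparser
import os
import tempfile

# Constructed sample files: jail.conf stands in for the package defaults,
# jail.local for the administrator's overrides.
JAIL_CONF = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[ssh]
enabled  = true
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
"""

JAIL_LOCAL = """\
[DEFAULT]
maxretry = 2

[ssh]
bantime = 3600
"""


def effective_jail_config(confdir):
    """Return {jail: {option: (value, source_file)}} after reading
    jail.conf and then jail.local, the order in which .local overrides .conf."""
    conf = os.path.join(confdir, "jail.conf")
    local = os.path.join(confdir, "jail.local")
    base = configparser.ConfigParser(interpolation=None)
    base.read(conf)                      # defaults only, used to attribute values
    merged = configparser.ConfigParser(interpolation=None)
    merged.read([conf, local])           # read() silently skips a missing jail.local
    result = {}
    for sec in merged.sections():
        result[sec] = {}
        for opt, val in merged.items(sec):   # items() folds in [DEFAULT] values
            unchanged = base.has_option(sec, opt) and base.get(sec, opt) == val
            result[sec][opt] = (val, "jail.conf" if unchanged else "jail.local")
    return result


def demo():
    """Write the sample files to a temporary directory and resolve them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "jail.conf"), "w") as f:
            f.write(JAIL_CONF)
        with open(os.path.join(d, "jail.local"), "w") as f:
            f.write(JAIL_LOCAL)
        return effective_jail_config(d)
```

Note that under configparser's rules a per-jail value in jail.conf ([ssh] maxretry = 6) still wins over a [DEFAULT] value set in jail.local, so an administrator who tightens only the default is left with the looser setting that is actually read, which is the kind of surprise the reporter describes.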

This report contains Public Security information. Everyone can see this security related information.