fail2ban in precise defaults to gamin, does not work

Bug #954453 reported by wdoekes on 2012-03-13
This bug affects 20 people
Affects Status Importance Assigned to Milestone
fail2ban (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned

Bug Description

== Relevant config =================================

/etc/fail2ban/jail.conf

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
#backend = auto
backend = polling

== InstallationMedia =================================
Ubuntu-Server 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120312)

== Package =================================
fail2ban 0.8.6-3

== Issue =================================

# date
Tue Mar 13 21:58:18 CET 2012

Polling works:

# grep ^backend /etc/fail2ban/jail.conf
backend = polling
# /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban [ OK ]
# tail /var/log/fail2ban.log -n1
2012-03-13 21:58:26,145 fail2ban.actions: WARNING [ssh] Ban 217.21.x.x

Gamin, doesn't work:

# grep ^backend /etc/fail2ban/jail.conf
backend = auto
# /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban [ OK ]
# tail /var/log/fail2ban.log -n1
2012-03-13 21:59:30,885 fail2ban.jail : INFO Jail 'ssh' started
# grep ' uses ' /var/log/fail2ban.log | tail -n1
2012-03-13 21:59:30,797 fail2ban.jail : INFO Jail 'ssh' uses Gamin

The comment in jail.conf about Gamin that "doesn't work", still seems
to be true.

This issue doesn't only occur after restarting. Gamin didn't work in
the first place -- which caused me to look into it.

Regards,
Walter Doekes

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fail2ban (Ubuntu):
status: New → Confirmed

njdove (njdove) wrote :

Exact same experience here - with "backend = polling", as included in fail2ban 0.8.6-3's /etc/fail2ban/jail.conf, fail2ban uses Gamin and does not properly monitor /var/log/auth.log and ban as expected. When I switch this to "backend = polling" fail2ban works as expected.

kevinz (klzhao) wrote :

My observation is a bit different but conclusion is the same: "backend = gamin" should be changed to "backend = polling".

Fail2ban on two of my machines (one local, one EC2) works with initial bootup of the system. But once the service is restarted, it stops receiving events. Changing "backend = polling" solves this problem.

alp (atoker) wrote :

This is caused by gamin bug #926862. A correct fix to gamin is available and should be applied to that package in preference to changing fail2ban to use filesystem polling.

As far as I can tell, this is a security issue since fail2ban (and presumably other monitoring daemons) will silently ignore intrusions.
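
One way to detect the silent failure discussed in this thread, as an added example that is not part of the bug report or of fail2ban: it reads the jail's most recent "uses <backend>" line from fail2ban.log, then lists addresses that reached the retry threshold in auth.log after that start without a matching Ban line. The function names, the sshd line format, and the `maxretry`/`findtime` defaults are assumptions; set them to match your jail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban.log line shapes as shown in the report above.
USES = re.compile(r"^(\S+ \S+),\d+ fail2ban\.jail\s*: INFO\s+Jail '([^']+)' uses (\S+)")
BAN = re.compile(r"^(\S+ \S+),\d+ fail2ban\.actions\s*: WARNING\s+\[([^\]]+)\] Ban (\S+)")
# Assumed sshd auth.log shape; syslog timestamps carry no year (English month names).
FAIL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def jail_state(f2b_lines, jail):
    """Backend, start time and banned IPs for the jail's most recent start."""
    backend, start, banned = None, None, set()
    for line in f2b_lines:
        m = USES.match(line)
        if m and m.group(2) == jail:
            start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            backend, banned = m.group(3), set()  # bans before a restart do not count
            continue
        m = BAN.match(line)
        if m and m.group(2) == jail and start is not None:
            banned.add(m.group(3))
    return backend, start, banned

def missed_offenders(f2b_lines, auth_lines, jail="ssh", maxretry=6, findtime=600):
    """IPs with maxretry failures inside findtime seconds since jail start, never banned."""
    backend, start, banned = jail_state(f2b_lines, jail)
    if start is None:
        return backend, []
    seen = defaultdict(list)
    for line in auth_lines:
        m = FAIL.match(line)
        if m:
            # Year is borrowed from the jail start; wrong across a New Year boundary.
            ts = datetime.strptime(f"{start.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            if ts >= start:
                seen[m.group(2)].append(ts)
    window, missed = timedelta(seconds=findtime), []
    for ip, ts in seen.items():
        ts.sort()
        hit = any(ts[i + maxretry - 1] - ts[i] <= window
                  for i in range(len(ts) - maxretry + 1))
        if hit and ip not in banned:
            missed.append(ip)
    return backend, sorted(missed)

# fail2ban.log lines copied from the report; auth.log lines are constructed.
SAMPLE_F2B = ["2012-03-13 21:59:30,797 fail2ban.jail : INFO Jail 'ssh' uses Gamin",
              "2012-03-13 21:59:30,885 fail2ban.jail : INFO Jail 'ssh' started"]
SAMPLE_AUTH = [f"Mar 13 22:0{i}:00 host sshd[1200]: Failed password for root "
               f"from 203.0.113.7 port 4000{i} ssh2" for i in range(3)]

if __name__ == "__main__":
    print(missed_offenders(SAMPLE_F2B, SAMPLE_AUTH, maxretry=3))
```

A non-empty list for a jail reported as using Gamin matches the symptom in this report; an empty list only means no address crossed the threshold in the logs that were read.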

alp (atoker) wrote :

Some background:

RedHat ported fail2ban to use pyinotify instead of gamin which seems the way forward (https://bugzilla.redhat.com/show_bug.cgi?id=658849 and https://bugzilla.redhat.com/show_bug.cgi?id=551895).

Switching to pyinotify is apparently on the fail2ban roadmap for 0.9.0 at http://www.fail2ban.org/wiki/index.php/Features so it's probably not worth backporting this feature at this point.

As such the gamin patch should be a reasonable stopgap measure.

The inotify backend has already been merged into upstream's master branch post
0.8.6 release, but there has been no upstream release yet.
There is an issue reported against the functionality of this backend:
https://github.com/fail2ban/fail2ban/issues/44
and it would be great if you could give it some testing. I have updated the
'Features' page to refer to GitHub's issues page, which would have more
information.

On Mon, 21 May 2012, alp wrote:

> Some background:

> RedHat ported fail2ban to use pyinotify instead of gamin which seems the
> way forward (https://bugzilla.redhat.com/show_bug.cgi?id=658849 and
> https://bugzilla.redhat.com/show_bug.cgi?id=551895).

> Switching to pyinotify is apparently on the fail2ban roadmap for 0.9.0
> at http://www.fail2ban.org/wiki/index.php/Features so it's probably not
> worth backporting this feature at this point.

> As such the gamin patch should be a reasonable stopgap measure.

> ** Bug watch added: Red Hat Bugzilla #658849
> https://bugzilla.redhat.com/show_bug.cgi?id=658849

> ** Bug watch added: Red Hat Bugzilla #551895
> https://bugzilla.redhat.com/show_bug.cgi?id=551895
--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik


I'm not sure what you want tested.
I briefly tried gamin with ssh, and it worked, at least for a bit.
Another friend tried it and reports that his postfix rules
did not result in a ban as expected, though.

I then put it back to 'polling', and that failed to be effective
until I rebooted and restarted the fail2ban service.
At that point, it seemed to work (with polling) again.

-----
Mark Schroeder


DEXTER (mydexterid) wrote :

I honestly did not expect that upgrading from an LTS release to a newer LTS means that some services that were working before will not work after.

This should be fixed asap!

Yaroslav Halchenko (yarikoptic) wrote :

On Tue, 22 May 2012, Mark Schroeder wrote:

> I'm not sure what you want tested.

I know that polling is guaranteed to work ;) sorry if I wasn't clear
-- I wondered if you could test current development version which
is in git which should use inotify by default (to replace gamin)... but
I guess it might be not that trivial, so nevermind -- thanks for the
feedback anyways.

> I briefly tried gamin with ssh, and it worked, at least for a bit.
> Another friend tried it and reports that his postfix rules
> did not result in a ban as expected, though.

> I then put it back to 'polling', and that failed to be effective
> until I rebooted and restarted the fail2ban service.
> At that point, it seemed to work (with polling) again.

> -----
> Mark Schroeder

--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik


I'm a developer and at least aware that there is additional
complexity to wrap a standard "tar" source into an Ubuntu .deb.
I see these:

  http://packages.ubuntu.com/precise/fail2ban (standard, ubuntu wrapped)
  https://github.com/fail2ban/fail2ban (development)

But I'm not sure of the precise (no pun intended) steps to
get the source from the git (as tar.gz?), get all the Ubuntu
patches applied, not sure if I have all the build dependencies, etc.
And are the Ubuntu patches correct for the development version?

If you can confirm the URLs above are the right starting points
for the development version, and outline the steps to build a
package .deb for Ubuntu, I'll try it if I have time.
It will take a while. Polling is working and it isn't a priority
for me right now.

-----
Mark Schroeder


On Thu, 07 Jun 2012, Mark Schroeder wrote:

> I'm a developer and at least aware that there is additional
> complexity to wrap a standard "tar" source into an Ubuntu .deb.
> I see these:

> http://packages.ubuntu.com/precise/fail2ban (standard, ubuntu wrapped)
> https://github.com/fail2ban/fail2ban (development)

yes -- correct git url

> patches applied, not sure if I have all the build dependencies, etc.

I don't think there are any build-dependencies besides run dependencies,
which is pretty much just python ;)

> And are the Ubuntu patches correct for the development version?

dunno -- I am not tracking them that closely and in Debian I have not
that many patches:

$> quilt series
deb_manpages_reportbug

... and that one could be dropped (it would conflict since I also changed those
manpages in the master branch)

well... what if I simply generate a package for you to try... damn
github refuses to accept my lovely file so here you go:
http://www.onerussian.com/tmp/fail2ban_0.8.6~+git69-gb4099da-1_all.deb
and then gpg signature to verify authenticity
http://www.onerussian.com/tmp/fail2ban_0.8.6~+git69-gb4099da-1_all.deb.asc

no guarantees though... didn't even test it anyhow

I have versioned it 0.8.6~ (which is before 0.8.6) so it would then be
automatically upgraded to 0.8.6 should you decide to upgrade your system

> If you can confirm the URLs above are the right starting points
> for the development version, and outline the steps to build a
> package .deb for Ubuntu, I'll try it if I have time.
> It will take a while. Polling is working and it isn't a priority
> for me right now.
--
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

Richard Hansen (rhansen) wrote :

A fixed version of gamin is in precise-proposed (see bug #926862)

security vulnerability: no → yes

Richard Hansen (rhansen) wrote :

I tried the new gamin-0.1.10-4ubuntu0.1 in precise-proposed and fail2ban freezes during startup for me.

Richard Hansen (rhansen) wrote :

I killed /usr/lib/gamin/gam_server and now fail2ban is starting OK with gamin-0.1.10-4ubuntu0.1. We'll see if fail2ban detects log file changes like it should.

Jeremy Bicha (jbicha) wrote :

This bug was fixed in the package fail2ban - 0.8.7.1-1

---------------
fail2ban (0.8.7.1-1) experimental; urgency=low

  * Minor upstream bugfix release

 -- Yaroslav Halchenko <email address hidden> Tue, 31 Jul 2012 21:46:19 -0400

fail2ban (0.8.7-1) experimental; urgency=low

  * New upstream release:
    - inotify backend is supported (and the default if pyinotify is present).
      It should bring number of wakeups to minimum (Closes: #481265)
    - usedns jail.conf parameter to disable reverse DNS mapping to
      avoid of DoS (see #588431, #514239 for related discussions)
    - enforces non-unicode logging (Closes: #657286)
    - new jail "recidive" to ban repeated offenders (Closes: #333557)
    - catch failed ssh logins due to being listed in DenyUsers (Closes: #669063)
    - document in config/*.conf on how to inline comments (Closes: #676146)
    - match possibly present "pam_unix(sshd:auth):" portion for sshd
      (Closes: #648020)
    - wu-ftpd: added failregex for use against syslog. Switch to monitor syslog
      (instead of auth.log) by default (Closes: #514239)
    - anchor chain name in actioncheck's for iptables actions (Closes: #672228)
  * debian/jail.conf:
    - adopted few jails from "upstreams" jail.conf: asterisk, recidive,
      lighttpd, php-url-open
    - provide instructions in jail.conf on how to comment (Closes: #676146)
      Thanks Stefano Forli for a report
  * debian/fail2ban.init:
    - Should-(start|stop): iptables-persistent (Closes: #598109),
      ferm (Closes: #604843)
    - 'status' exits with code 3 if fail2ban is not running (Closes: #653074)
      Thanks Glenn Aaldering for the patch
  * debian/source:
    - switch to 3.0 (quilt) format
  * debian/control,rules:
    - switch to use dh_python2 (Closes: #616803)
    - boost policy compliance to 3.9.3
    - recommend python-pyinotify and only suggest python-gamin

 -- Yaroslav Halchenko <email address hidden> Tue, 31 Jul 2012 16:51:40 -0400

Changed in fail2ban (Ubuntu):
status: Confirmed → Fix Released

Jeremy Bicha (jbicha) wrote :

This isn't actually a security bug as it doesn't directly allow an attacker privileged access to a computer system.

See https://wiki.ubuntu.com/SecurityTeam

security vulnerability: yes → no

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fail2ban (Ubuntu Precise):
status: New → Confirmed

I just stumbled across this bug trying to diagnose a non-functioning fail2ban. #15 indicates that a fix is released, but my Precise server still has 0.8.6-3. Adding the -proposed repository didn't provide a newer version, although I see that 0.8.7.1-1 is in Quantal. Will this be made available for Precise?

Full name (j-launchpad-d) wrote :

Ubuntu releases hardly get any support even when they're new. Now that a newer LTS is available, there's no hope.

Support until 2017... yeah, right. Fuck this, once again.
