*NethServer release 7.6.1810 **
fail2ban-1.1.2-1.ns7:
Hi all, I noticed on my NethServer release 7.6.1810 that fail2ban-1.1.2-1.ns7 has stopped processing the filter rules. Restarting the service, the system reported “Error fail2ban # 11 exit code”.
Analyzing the fail2ban log I noticed this error "Unable to get stat on /var/log/roundcubemail/errors.log because of: [Errno 2] No such file or directory: ‘/var/log/roundcubemail/errors.log’
I proceeded to disable the roundcube rule, and the service has resumed functioning. I ask if it’s a bug or an error in my configuration!
Thank you.
Version: fail2ban-1.1.2-1.ns7
Do you have roundcubemail installed? If yes why thelog file is no more present
It’s ok we have a bug here, I will fix it
Hello and thanks for the reply.
I am attaching screenshots of the directory, the log file is not there.
What is happening, the log rotated errors.log-20190113 is OK,but at least you must have also a errors.log
.
In fact I tested about /var/log/roundcubemail/errors
and it was a typo :’(
@france I will patch my issue, but you must understand why the log rotation has removed the log file /var/log/roundcubemail/errors.log
, if roundcubemail does not use this logfile, fail2ban won’t ban attackers on roundcubemail
I’m reporting here the comment I did inside the PR.
The /var/log/roundcubemail/errors
contains PHP errors like:
[03-Jan-2019 09:49:47 Europe/Rome] PHP Warning: strtolower() expects parameter 1 to be string, array given in /usr/share/roundcubemail/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php on line 1417
On my machine last entry is dated 03/01/19.
The /var/log/roundcubemail/errors.log
contains invalid logins: fail2ban should watch this.
Example:
[14-Jan-2019 09:17:00 +0100]: <xxx> IMAP Error: Login failed for goofy@nethesis.it from 192.xxx.xxx.xxx. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
But if no access has been made for more than a week, the file is empty and fail2ban refuse to start.
I can’t figure out a good fix for this rather than disabling the roundcube jail
The fix is already there, we use it for quite all jails, watch the log file exist before to expand the jail and trigger the fail2ban restart. This is how fail2ban works, fails to start if a jail is not working properly rather to disable the failed jail.
In our particular case, when fail2ban is restarted, it comes from a run-level adjust or a settings modification in the panel, which expand all the fail2ban templates and restart the service. In that case we must check if the roundcubemail log exists before to expand the template and restart fail2ban.
Obviously we will have issues from community/customers if we do not do this, the roundcubemail jaill will be started the next time.
That’s the real pity
There are some corner case not covered here.
Let’s start with an assumption: if nobody uses roundcube for more than a week, the errors.log
file is missing after logrotate.
This can happen at least in a couple of situations:
- on boot
- after a yum update
Probably the best fix is changing the logrotate configuration of roundcube to prevent the missing file.
did you mean about this logrotate directive ?
nocreate
http://www.delafond.org/traducmanfr/man/man8/logrotate.8.html
I’d say the create
option but I didn’t try.
Sorry, I would not arg but something I do not understand, you stated that the roundcubemail error.log is removed each week, and not created if there is no errors
but when I look my log folder
# ll /var/log/roundcubemail/
total 56
-rw-r--r-- 1 apache apache 374 Dec 13 16:26 errors
-rw-r--r-- 1 apache apache 11137 Nov 9 11:24 errors.log
-rw-r--r-- 1 apache apache 5961 Jan 4 16:10 sendmail.log
-rw-r--r-- 1 apache apache 31013 Sep 5 11:02 sendmail.log-20180906
and inside the log file errors.log
[08-Sep-2018 20:06:59 +0200]: <s8dvbvuc> IMAP Error: Login failed for gaele@xxxx.fr from 2.10.2.169. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[08-Sep-2018 20:07:22 +0200]: <s8dvbvuc> IMAP Error: Login failed for gaele@xxxxx.fr from 2.10.2.169. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:07 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:26 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[27-Sep-2018 19:12:48 +0200]: <po6i442g> IMAP Error: Login failed for stephane@xxxxx.fr from 90.55.162.107. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)
[24-Oct-2018 15:50:18 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[24-Oct-2018 15:50:23 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout)
[24-Oct-2018 15:50:30 +0200]: <nl7frctd> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[09-Nov-2018 11:24:06 +0100]: <vlrq53ag> PHP Error: Request security check failed (GET /webmail/?_task=logout&_token=cfa983aa90ed53782a5468ba77c64e64)
[16-Jan-2019 14:37:16 +0100]: <u0k4iamo> IMAP Error: Login failed for gaele@xxxxxx.fr from 92.184.108.105. AUTHENTICATE PLAIN: Password: in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /roundcubemail/?_task=login?_task=login&_action=login)
my log rotate configuration is
# cat /etc/logrotate.d/roundcubemail
/var/log/roundcubemail/*.log {
missingok
su root apache
notifempty
size 30k
nocreate
}
so it seems that my log file is not rotated since really a long time, however it is less than 30KB (so it seems normal), and even if I have not much entries, the last one of today (done by myself) was done without restarted a service. Of course , I do not upgrade or restart my server often
# uptime
14:51:07 up 144 days, 5:45, 2 users, load average: 0.14, 0.15, 0.17
@all can you provide stats on the roundcubemail log
Because your errors.log
has never been rotated since its smaller than 30K.
If the size is bigger, the file is rotated and no empty log file will be created since there is the nocreate
option inside the logrotate config.
So the only way is to create a template for roundcube logrotate and remove the nocreate
option.
But IMO this is not a good solution: we shouldn’t change roundcube because fail2ban is buggy.
So in the end, what can we do? /cc @dev_team
IIUC the issue is fixed in newer versions of fail2ban. If only one jail is working fail2ban just starts, even if there are other misconfigured jails (like missing logfiles). epel actually provides 0.9.7-1.
Nice to hear this, but IMO we already does this by testing the log file.
I would be pragmatic on this case and do not modify the logrotate file of roundcubemail.
I would propose to test the errors.log, if exist then we expand and start the jail, if not the jail is not created.
For what I tested if the log files errors.log
is removed manually, we just warn inside the fail2ban log file, all other jails are active. When the file errors.log is created again, the jail is up without human actions.
I prefer to miss one jail, rather to put fail2ban down.
Other idea could be to modify the logrotate.d/roundcubemail
configuration, manually with sed, or by a template, logrotate file configuration are built as noreplace
, roudcubemail won’t replace them if modified…BUT we still need to test if the roundcubemail errors.log file exists
I agree.
As reported before, it will not fix all scenarios (like the reboot after the log rotation).
If someone has Roundcube installed and not really used, the real fix is to disable the jail from the web interface.
I’m willing to close this as “wontfix” or “worksforme” for now.
Edit:
I’ve changed my mind: the fix is better than nothing, merged and ready for QA
I started the QA and I come here with an enhancement proposal.
As the new f2b package is late to come we can implement a workaround in the existing systemd configuration file:
[root@vm5 ~]# rpm -ql nethserver-fail2ban | grep systemd
/etc/systemd/system/fail2ban.service.d/nethserver.conf
There we can plug the expansion of fail2ban configuration files in an ExecStartPre=
job, to ensure the file existence tests are always run before f2b starts and the config files are always up-to-date with the system state.
This should also prevent failures due to logrotate concurrency with fail2ban.
Really great idea!