fail2ban has been working great, but it hasn't been including the log-lines triggering a ban in the e-mail it sends. It does include whois data, but not the log-lines when configured in /etc/fail2ban/jail.local with
# same as action_mw but also send relevant log lines
action = %(action_mwl)s
I've searched and cannot figure out why this is so. Digging in the code, this seems like it is supposed to happen in /etc/fail2ban/action.d/mail-whois-lines.conf when the following is run:
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
_ban_mail_content = ( printf %%b "Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here is more information about <ip> :\n"
    %(_whois_command)s;
    printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
    %(_grep_logs)s;
    printf %%b "\n
    Regards,\n
    Fail2Ban" )
actionban = %(_ban_mail_content)s | <mailcmd> "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
It seems that the line %(_grep_logs)s; is failing? I'm no expert on how the daisy-chain of conf-files is supposed to chain together, but setting the action = %(action_mwl)s line in jail.local is supposed to make sure the relevant log lines are included.
How do we fix this?
David C. Rankin, J.D.,P.E.
The Solution
The initial problem with fail2ban capturing the log lines from the journal has to do with the fact that the fail2ban regexes and log-queries were developed prior to systemd. Trying to provide support for both non-systemd and systemd setups takes a bit more user configuration for fail2ban to retrieve log-lines from the systemd journal.
There are two ways to configure fail2ban to include log lines from the journal: (1) configure it to retrieve the matches used to ban a particular IP for all jails, or (2) simply change the action= line to grep the journal on a per-jail basis.
Configuring to Retrieve Matches for All IPs Banned
You can simply change the action_mwl= action from using %(mta)s-whois-lines to use %(mta)s-whois-matches in the [DEFAULT] entry of jail.local to tell fail2ban to report the matches used to ban an IP instead of grepping for log lines (which does not work by default with the systemd journal), e.g.
[DEFAULT]
destemail = david@mydomain.tld
sender = david@mydomain.tld
action_mwl = %(action_)s
            %(mta)s-whois-matches[sender="%(sender)s", dest="%(destemail)s", chain="%(chain)s"]
...
Configuring Log Line Retrieval on a Per-Jail Basis
Alternatively, if you wish to grep the lines from the journal on a per-jail basis, you can simply replace the action command in jail.local for each jail, e.g.
[sshd]
enabled = true
action=%(action_mwl)s[_grep_logs='journalctl -u sshd -n 1000 | grep -m 1000 -wF "<ip>"']

[dovecot]
enabled = true
action=%(action_mwl)s[_grep_logs='journalctl -u dovecot -n 1000 | grep -m 1000 -wF "<ip>"']

[postfix]
enabled = true
action=%(action_mwl)s[_grep_logs='journalctl -u postfix -n 1000 | grep -m 1000 -wF "<ip>"']
The benefit to this method is that it captures all journal entries for the offending IP, not just those matches leading to the current ban. Either way works fine, but with the first method, manually banning an IP with fail2ban-client from the command line will not have any associated "matches" (it's just a command-line ban), whereas if the IP has prior log entries, using the action= to grep the journal will include those lines in the e-mail sent.
Detailed Discussion with Maintainer
github issue - no log lines in email, but why?
(following link referred to from above issue as solution before extended discussion)
David C. Rankin, J.D.,P.E.
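The per-jail override in the solution post substitutes the banned <ip> into a "journalctl -u sshd -n 1000 | grep -m 1000 -wF" pipeline, and the question post shows where fail2ban splices that %(_grep_logs)s command into the mail body. The script below is an added example, not code from either post or from fail2ban: it emulates the grep half of that pipeline offline, with a constructed block of journal-style lines standing in for journalctl output, so you can see what the -w, -F and -m flags actually do before pasting the override into jail.local.

```shell
#!/bin/sh
# Added example, not from the forum post or from fail2ban. Emulates the
# per-jail override
#   action=%(action_mwl)s[_grep_logs='journalctl -u sshd -n 1000 | grep -m 1000 -wF "<ip>"']
# offline: SAMPLE_JOURNAL stands in for "journalctl -u sshd -n 1000", and
# the grep half of the pipeline is run unchanged.

# Constructed sample journal output (not real log data). It deliberately
# contains an IP that only shares a prefix with the banned one (203.0.113.100),
# one that is a prefix of it (203.0.113.1), and a string that would match
# the IP as an unanchored regex (203x0x113x10).
SAMPLE_JOURNAL='Jan 10 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan 10 10:00:05 host sshd[1234]: Failed password for root from 203.0.113.10 port 51240 ssh2
Jan 10 10:00:09 host sshd[1240]: Accepted publickey for alice from 203.0.113.100 port 40022 ssh2
Jan 10 10:00:12 host sshd[1241]: Failed password for admin from 203.0.113.10 port 51250 ssh2
Jan 10 10:00:15 host sshd[1242]: Invalid user test from 203x0x113x10 port 51260
Jan 10 10:00:20 host sshd[1243]: Failed password for root from 203.0.113.1 port 51270 ssh2'

# grep_logs <journal-text> <ip> <grepmax>
# The grep from the post's override: -F treats <ip> as a fixed string (dots
# are not wildcards), -w requires the IP to be a whole word so 203.0.113.10
# does not match 203.0.113.100, and -m stops after <grepmax> lines, which is
# what keeps the ban e-mail bounded on a busy host.
grep_logs() {
    printf '%s\n' "$1" | grep -m "$3" -wF "$2"
}

# Same pipeline with a bare grep, to show what the flags prevent.
grep_logs_naive() {
    printf '%s\n' "$1" | grep -m "$3" "$2"
}

# count_matches <journal-text> <ip> <grepmax> [naive]
# Prints the number of lines the e-mail would carry.
count_matches() {
    if [ "${4:-}" = naive ]; then
        grep_logs_naive "$1" "$2" "$3" | grep -c .
    else
        grep_logs "$1" "$2" "$3" | grep -c .
    fi
}

echo "== lines the ban e-mail would contain for 203.0.113.10 (grepmax 1000) =="
grep_logs "$SAMPLE_JOURNAL" 203.0.113.10 1000
echo "with -wF:    $(count_matches "$SAMPLE_JOURNAL" 203.0.113.10 1000)"        # 3
echo "bare grep:   $(count_matches "$SAMPLE_JOURNAL" 203.0.113.10 1000 naive)"  # 5
echo "grepmax 2:   $(count_matches "$SAMPLE_JOURNAL" 203.0.113.10 2)"           # 2
```

Two things the run makes visible: without -wF the bare grep also pulls in the 203.0.113.100 and 203x0x113x10 lines, so the mail would attribute other hosts' activity to the banned IP, and the -m cap silently drops matches beyond grepmax, as does the -n 1000 on journalctl in the real override (older entries for the IP are never seen). On a real host replace the embedded sample with the journalctl call from the post, keeping -u set to the jail's unit.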