Problems with fail2ban on openSUSE 13.2

I’m trying to get a very simple fail2ban setup working on 13.2, but I can’t get it to work. Are the fail2ban packages broken on 13.2 (I did the exact same thing on CentOS 7 and it worked fine)?

Copied jail.conf and fail2ban.conf to the corresponding .local files (jail.local and fail2ban.local).

jail.local only has this in it:
[DEFAULT]

ignoreip = 127.0.0.1/8
backend = systemd

I created a new sshd.conf in /etc/fail2ban/jail.d/sshd.conf:

# fail2ban SSH

# block ssh after 3 unsuccessful login attempts for 10 minutes

[sshd]
enabled = true
action = iptables[chain=INPUT, protocol=tcp, port=22, name=sshd]
maxretry = 3
findtime = 600
bantime = 600
port = 22

But when I start fail2ban, systemctl status fail2ban returns this error:
Feb 09 13:50:56 li135-39 fail2ban-client[4074]: ERROR NOK: ('sshd',)

and fail2ban-client status returns this:
fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

Any ideas? Thanks in advance

It means the jail isn’t set up.

On my 13.1, my backend is auto.

Here is my jail for ssh (openSUSE 13.1):

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=email@domain.com, sender=send@domain.com, sendername="Fail2Ban"]
logpath  = /var/log/messages
maxretry = 4


- Check your action setting. action.d/ipconfig.conf should have a port listed for ssh. I’ve never declared a port number. I’ve always used what’s listed in this file. Your action statement, for iptables, should reflect the iptables.conf. Your parameters probably don’t match.
- I don’t see a filter listed in your jail declaration. Without a filter it cannot match the correct log entries.

I installed via zypper, only openSUSE repos, no Packman, and it’s always worked.

Hope that helps!

I finally got it working!
For some reason, fail2ban on openSUSE 13.2 isn’t parsing anything in journald. I installed rsyslog, changed the backend line to auto in jail.local (instead of systemd), added the line “logpath = /var/log/messages” in my ssh-iptables.conf file, restarted fail2ban, and it started working immediately.

Congrats on getting it figured out.

Actually, your problem and solution are very common.
There are a multitude of legacy log analysis tools that “since forever” have analyzed legacy logfiles in /var/log/ and don’t read the systemd journal.

TSU
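
The backend/logpath mismatch resolved in this thread, as an added example that is not part of the original posts or of fail2ban itself: a small Python check that reports, for each enabled jail, whether it reads the journal or a log file and whether that file is actually there. The two config strings are constructed from the settings quoted above; `audit_jails` and its finding messages are hypothetical names.

```python
import configparser
import glob

# Constructed samples based on the jail settings quoted in the thread.
BEFORE = """
[DEFAULT]
backend = systemd
[sshd]
enabled = true
action = iptables[chain=INPUT, protocol=tcp, port=22, name=sshd]
"""
AFTER = """
[DEFAULT]
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
"""

def audit_jails(config_text, path_exists=lambda p: bool(glob.glob(p))):
    """Return {jail: [findings]} for each enabled jail in merged fail2ban INI text."""
    # strict=False lets later files override earlier ones when concatenated.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(config_text)
    report = {}
    for jail in cp.sections():  # [DEFAULT] values are inherited by every jail
        if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        findings = []
        backend = cp.get(jail, "backend", fallback="auto").strip().lower()
        paths = cp.get(jail, "logpath", fallback="").split()
        if not cp.has_option(jail, "filter"):
            findings.append("no filter option in the supplied text")
        if backend == "systemd":
            findings.append("entries come from the journal, not from log files")
            if paths:
                findings.append("logpath is set but unused with backend = systemd")
        elif not paths:
            findings.append("file-based backend without a logpath")
        else:
            findings += [f"missing log file: {p}" for p in paths if not path_exists(p)]
        report[jail] = findings
    return report

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_jails(text))
```

On a host where only journald is running, the "after" config still reports a missing /var/log/messages, which is why installing rsyslog was part of the fix.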