[CentOS] Fail2ban & logrotate [was: Update on spam, postfix, fail2ban, centos 6]

Mon Jun 18 13:53:17 UTC 2012
Leonard den Ottolander <leonard at den.ottolander.nl>

Hello Bob,

On Sun, 2012-06-17 at 23:41 -0400, Bob Hoffman wrote:
> /etc/fail2ban/jail.conf
> change line 39 to
> backend = gamin
> 
> Without this fail2ban will ignore log rotations by logrotate and stay on 
> the old file in your jails.

Polling doesn't work with python >= 2.6. I haven't tested if you will
actually get a warning when using backend = polling, but there's some
code in asyncserver.py that disables polling. Using backend = auto will fall
back to using pyInotify. This backend causes the issue with fail2ban not
noticing the log files having been rotated. Might be an issue with too
few events being passed to fail2ban. Couldn't quite work it out yet.

I have reported the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=833056

> with more than one jail you can (and will) get chances of errors when 
> starting fail2ban. Some people seem to attribute it to centos 6
> having an older version of netfilter. The program goes too fast for 
> iptables and chokes setting up the chains.

This issue is known in Debian's bug tracker which also provides a
reference to a patch that you might want to check out.

I have reported the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=833046

> You have to have debug with at least 'info' to see these errors.

They are reported as errors, so I think you might be mistaken here. If
not then there's a bug with the error reporting :p .

> When 
> stopping you will get a ton of these errors too, but they seem
> to have no effect on anything.

Those errors are caused by the chains to be removed not actually being
there.

> add sleep command into the following

That won't work with the current version. The code has changed
significantly. See the patch mentioned in the bugzilla entry above.

> The whole log thing is borked.
> if you try to use fail2ban.log, fail2ban itself will choke on it.

Haven't run into this one yet. Perhaps you can report that via
https://bugzilla.redhat.com/ (you can find EPEL under Fedora).

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research