Fail2ban inactive when controlled by dietpi-services

Hi,
I noticed that when I ran dietpi-services the fail2ban service was ‘inactive’.
It starts without issues.
Today I took the time to see what could be the cause of the inactive fail2ban service, and it turned out that when the fail2ban service mode is set to be controlled by dietpi (recommended) and the setting for Include = included, fail2ban fails to start after a reboot.

So I needed to start it manually.

Now when I set the mode to controlled by systemd (and included = included), fail2ban starts up okay after a reboot.

Not sure if that is a bug or a combination of other services I have that conflict on startup (e.g. I use UFW as firewall).

So just posting here as I have fixed this with the settings above and maybe somebody else runs into this.

Can you share the error log for F2B service after reboot?

systemctl status fail2ban.service

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:fail2ban(1)

This is the only thing I can find: no reference to fail2ban in journalctl / dmesg

and when I do
dietpi-services start

I see that fail2ban (although set as dietpi-controlled) is not in the list of started services

 DietPi-Services
─────────────────────────────────────────────────────
 Mode: start 

[  OK  ] DietPi-Services | start : nfs-kernel-server
[  OK  ] DietPi-Services | start : mariadb
[  OK  ] DietPi-Services | start : php7.4-fpm
[  OK  ] DietPi-Services | start : apache2
[  OK  ] DietPi-Services | start : mosquitto
[  OK  ] DietPi-Services | start : home-assistant
[  OK  ] DietPi-Services | start : cron

My fail2ban service is set to Systemd controlled by default and auto starts fine.


And I think that fail2ban cannot be controlled by dietpi-services as it is listed in an array with the following comment (in /boot/dietpi/dietpi-services)

# Non-controlled services: Only show in menu and/or status mode!

So although you can set it as dietpi controlled, that setting has no effect. It should be systemd controlled (so maybe that is the default setting when installing, no idea: have been playing with these settings too much I think :))

Did a quick test install. That’s what the default settings look like

┌─────────────────────────────────────────────────┤ DietPi-Services ├──────────────────────────────────────────────────┐
│ Please select an option for fail2ban:                                                                                │
│                                                                                                                      │
│                                               ●─ Service Control ───────────────────────────●                        │
│                       State                   : [active]                                                             │
│                       Mode                    : [Systemd controlled]                                                 │
│                       Include/Exclude         : [included]                                                           │
│                       Status                  : Display systemd status log                                           │
│                       Edit                    : [/lib/systemd/system/fail2ban.service]                               │
│                                               ●─ Process Tool ──────────────────────────────●                        │

BTW: not related, but I found a small issue during the install process. Can you check whether the following file exists?

cat /etc/fail2ban/fail2ban.d/97_dietpi.conf

Background of the confusion around DietPi controlled vs systemd controlled, and the aim to eliminate it, is here: DietPi-Services | Do not "disable" controlled services · Issue #5470 · MichaIng/DietPi · GitHub


Nope, that file is not there, there is no file at all in the /etc/fail2ban/fail2ban.d directory

OK, the following will create the log file configuration.

mkdir -p /etc/fail2ban/fail2ban.d
cat << '_EOF_' > /etc/fail2ban/fail2ban.d/97_dietpi.conf
[Definition]
logtarget = SYSOUT
_EOF_
systemctl restart fail2ban.service

Logging should be done towards journalctl now.


Yes, when adding this it now correctly logs to journalctl

Is this a bug (the missing of that file I mean)?

Yes, I already submitted a fix. DietPi-Software | Fail2ban: Fix moving logs to systemd journal by Joulinar · Pull Request #6243 · MichaIng/DietPi · GitHub
But this is not related to your initial issue. It was more a side effect. :)

Cool!

But it all started (at least for me) with changing the startup for fail2ban to dietpi controlled where that should not be possible.

An improvement would be to only show the valid options in the dropdown.

So for fail2ban, the dietpi controlled option should not be there to avoid confusion / issues (like fail2ban not starting)

This is currently not possible. We show all options for all services. There is no function to distinguish between the individual services.
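
The two conditions that came up in this thread (a unit that is `disabled` and `inactive (dead)` after reboot, and a missing `logtarget` drop-in) can be checked with a small script. This is an added example, not part of the thread and not DietPi code; the function names and verdict strings are made up for illustration, and the `--live` switch is an assumption of this sketch.

```shell
#!/bin/bash
# Added example: fail2ban boot-time health check (illustrative, not DietPi code).

# Classify the KEY=VALUE lines printed by
#   systemctl show -p UnitFileState -p ActiveState fail2ban.service
f2b_verdict() {
    local enabled="" active="" key value
    while IFS='=' read -r key value; do
        case "$key" in
            UnitFileState) enabled="$value" ;;
            ActiveState)   active="$value" ;;
        esac
    done
    if [ "$active" != "active" ]; then
        echo "DOWN"             # no bans are being applied right now
    elif [ "$enabled" != "enabled" ]; then
        # Running now, but per the thread dietpi-services does not start
        # fail2ban, so a disabled unit stays dead after the next reboot.
        echo "UP_NOT_ENABLED"
    else
        echo "OK"
    fi
}

# Effective logtarget: the last assignment wins across fail2ban.conf,
# fail2ban.d/*.conf, fail2ban.local, fail2ban.d/*.local (fail2ban's read order).
f2b_logtarget() {
    local dir="$1" f line target=""
    for f in "$dir/fail2ban.conf" "$dir"/fail2ban.d/*.conf \
             "$dir/fail2ban.local" "$dir"/fail2ban.d/*.local; do
        [ -f "$f" ] || continue
        line=$(grep -E '^[[:space:]]*logtarget[[:space:]]*=' "$f" | tail -n 1)
        [ -n "$line" ] || continue
        target=$(printf '%s\n' "$line" |
                 sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//')
    done
    echo "${target:-unset}"
}

# Only query the real system when asked to, e.g. from cron after boot.
if [ "${1:-}" = "--live" ]; then
    state=$(systemctl show -p UnitFileState -p ActiveState fail2ban.service | f2b_verdict)
    echo "fail2ban: $state, logtarget=$(f2b_logtarget /etc/fail2ban)"
    [ "$state" = "OK" ]
fi
```

Run with `--live`, the script exits non-zero whenever fail2ban is not both enabled and active, so a cron job or monitoring agent can alert on it.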