Fail2ban inactive when controlled by dietpi-services

I noticed that when a ran dietpi-services the fail2ban service was ‘inactive’.
It starts without issues.
today I took the time to see what could be the cause of the inactive fail2ban service and it turned out that when fail2ban service mode is set to be controlled by dietpi (recommended) and setting for Include = included fail2ban fails to start after a reboot.

So I needed to start it manually.

now when I set the mode to controlled by systemd (and included = included), the fail2ban startup okay after a reboot.

Not sure if that is a bug or a combination of other services I have that conflict on startup (e.g. I use UFW as firewall).

So just posting here as i have fixed this with the settings above and maybe somebody else runs into this

Can you share the error log for F2B service after reboot?

systemctl status fail2ban.service

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:fail2ban(1)

this is the only thing I can find: no reference to fail2ban in journalctl / dmesg

and when I do
dietpi-services start

I see that fail2ban (although set as dietpi-controlled) is not in the list of started services

 Mode: start 

[  OK  ] DietPi-Services | start : nfs-kernel-server
[  OK  ] DietPi-Services | start : mariadb
[  OK  ] DietPi-Services | start : php7.4-fpm
[  OK  ] DietPi-Services | start : apache2
[  OK  ] DietPi-Services | start : mosquitto
[  OK  ] DietPi-Services | start : home-assistant
[  OK  ] DietPi-Services | start : cron

My fail2ban service is set to Systemd controlled by default and auto starts fine.

1 Like

And I think that fail2ban cannot be controleld by dietpi-services as it is listed in an array with the following comment (in /boot/dietpi/dietpi-services)

# Non-controlled services: Only show in menu and/or status mode!

so although you can set it as dietpi controlled, that setting has no effect. It should be systemd controlled (So maybe that is the default setting when installing, no idea: have been playing with these settings to much I think :))

Did a quick test install. That’s how default settings looks like

┌─────────────────────────────────────────────────┤ DietPi-Services ├──────────────────────────────────────────────────┐
│ Please select an option for fail2ban:                                                                                │
│                                                                                                                      │
│                                               ●─ Service Control ───────────────────────────●                        │
│                       State                   : [active]                                                             │
│                       Mode                    : [Systemd controlled]                                                 │
│                       Include/Exclude         : [included]                                                           │
│                       Status                  : Display systemd status log                                           │
│                       Edit                    : [/lib/systemd/system/fail2ban.service]                               │
│                                               ●─ Process Tool ──────────────────────────────●                        │

BTW: not related but I found a small issue during install process. Can you check if following file is existing

cat /etc/fail2ban/fail2ban.d/97_dietpi.conf

Background of the confusion around DietPi controlled vs systemd controlled, and the aim to eliminate it, is here: DietPi-Services | Do not "disable" controlled services · Issue #5470 · MichaIng/DietPi · GitHub

1 Like

Nope, that file is not there, there is no file at all in the /etc/fail2ban/fail2ban.d directory

ok following will create the log file configuration.

mkdir -p /etc/fail2ban/fail2ban.d
cat << '_EOF_' > /etc/fail2ban/fail2ban.d/97_dietpi.conf
logtarget = SYSOUT
systemctl restart fail2ban.service

Logging should be done towards journalctl now.

1 Like

Yes, when adding this it now correctly logs to journalctl

Is this a bug (the missing of that file I mean)?

yes, I already submit a fix. DietPi-Software | Fail2ban: Fix moving logs to systemd journal by Joulinar · Pull Request #6243 · MichaIng/DietPi · GitHub
But this is not related to your initial issue. It was more a side effect. :slight_smile:


but it all started (at least for me) with changing the startup for fail2ban to dietpi controlled where that should not be possible.

An improvement would be to only show the valid options in the dropdown.

So for fail2ban, the dietpi controlled option should not be there to avoid confusion / issues (like fail2ban not starting)

This is currently not possible. We show all options for all services. There is no function to distinguish between the individual services.