Fail2Ban: Failed to access sock path

JaredBusch

My fail2ban jail file for my jump boxes.

[jbusch@jump ~]$ cat /etc/fail2ban/jail.d/bundy_jump_jail.local 
[DEFAULT]
backend = systemd
#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = [email protected]

# Sender email address used solely for some actions
sender = [email protected]

# "bantime" is the number of seconds that a host is banned.
bantime  = -1

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 120m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode   = ddos
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
action = %(action_mw)s

BTW, running on Fedora 33.

[jbusch@jump ~]$ cat /etc/fedora-release 
Fedora release 33 (Thirty Three)

JaredBusch

@gjacobse said in Fail2Ban: Failed to access sock path:

Research was done.

I'm sure you found hits on StackExchange, etc.

You found such workable information that you still didn't solve it.

Using abbrevations is bad form pretty much 100% of the time when troubleshooting.
All you are doing is adding complication.

gjacobse

@JaredBusch

Okay - had not considered that;

[root@NYNJ-AdGuard fail2ban]# rm jail.local fail2ban.local
rm: remove regular file 'jail.local'? y
rm: cannot remove 'fail2ban.local': No such file or directory

[root@NYNJ-AdGuard fail2ban]# sudo systemctl restart fail2ban
[root@NYNJ-AdGuard fail2ban]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2020-12-07 14:56:29 UTC; 7s ago
       Docs: man:fail2ban(1)
    Process: 1365 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 1366 (f2b/server)
      Tasks: 3 (limit: 518)
     Memory: 10.8M
        CPU: 164ms
     CGroup: /system.slice/fail2ban.service
             └─1366 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start

Dec 07 14:56:29 NYNJ-AdGuard systemd[1]: Starting Fail2Ban Service...
Dec 07 14:56:29 NYNJ-AdGuard systemd[1]: Started Fail2Ban Service.
Dec 07 14:56:29 NYNJ-AdGuard fail2ban-server[1366]: Server ready
[root@NYNJ-AdGuard fail2ban]#

So it is running now. Thank you, Ill make a note of that for the future.

So, now to deal with why it doesn’t seemingly kill attempts at sshd.

Dashrender

I have no idea what the default setup is, but you did delete your jail file...so any customization you made is now gone.

JaredBusch

@gjacobse said in Fail2Ban: Failed to access sock path:

So, now to deal with why it doesn’t seemingly kill attempts at sshd.

Use the jail I posted. It only looks at sshd

Most likely you need to set it to systemd as I use.

JaredBusch

@JaredBusch said in Fail2Ban: Failed to access sock path:

@gjacobse said in Fail2Ban: Failed to access sock path:

So, now to deal with why it doesn’t seemingly kill attempts at sshd.

Use the jail I posted. It only looks at sshd

Most likely you need to set it to systemd as I use.

if you do not have mail and whois setup, change the action from aciton_mw to action_

These are the actions:
From jail.conf

gjacobse

@JaredBusch

[root@NYNJ-AdGuard ~]# cat /etc/fedora-release 
Fedora release 33 (Thirty Three)
[root@NYNJ-AdGuard ~]#

JaredBusch

@gjacobse said in Fail2Ban: Failed to access sock path:

[root@NYNJ-AdGuard fail2ban]# rm jail.local fail2ban.local
rm: remove regular file 'jail.local'? y
rm: cannot remove 'fail2ban.local': No such file or directory

Those two files do not belong in the same location.

gjacobse

@JaredBusch

Since that is a screen shot, it appears that some parts of the code is cut off.

I guess since I don't send emails, the only portion that is relevant is the first one...

JaredBusch

@gjacobse said in Fail2Ban: Failed to access sock path:

Since that is a screen shot, it appears that some parts of the code is cut off.

You are not listening. I said previously posted.

Thus, you need to look before that.

There in the actual .local file I did post, you will see an action listed. In the settings of said action is one of those options.

I posted that screenshot of with the intentional size because it contains the comment regarding what each does as well as the format.

gjacobse

@JaredBusch said in Fail2Ban: Failed to access sock path:

@gjacobse said in Fail2Ban: Failed to access sock path:

Since that is a screen shot, it appears that some parts of the code is cut off.

You are not listening. I said previously posted.

Thus, you need to look before that.

There in the actual .local file I did post, you will see an action listed. In the settings of said action is one of those options.

I posted that screenshot of with the intentional size because it contains the comment regarding what each does as well as the format.

Actually, I was and am listening. When I you are working from a 6.5” diagonal screen as I have been, you likely miss a bit of information.

That said - not that it likely makes any difference.

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 24
|  |- Total failed:     92
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   (IPs)