fail2ban not working on fresh install of ubuntu 14.04, why?
not sure if related but I deleted and recreated /var/log/auth.log, because I needed to empty it, to debug the situation
This could well be the problem. It's likely that the syslog daemon is still writing to the original fd. You should try restarting the syslog daemon to see if it starts to log to the correct file.
service rsyslog restart
Once you have messages going to the auth.log it should start working.
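The situation this answer describes, reproduced in a temporary directory (an added example, not part of the original answer). fd 3 stands in for the syslog daemon's open descriptor; the function name, the sample log lines and the 192.0.2.10 address are constructed, and the `truncate` case goes beyond the answer to show emptying the file in place.

```shell
#!/bin/sh
# fd 3 plays the syslog daemon: it opens the log once and keeps writing to it.
# A reader of the *path* (fail2ban) only sees what reaches the current inode.

# bytes_visible_after METHOD
#   recreate : rm + recreate the file (what the question describes)
#   restart  : recreate, then the writer reopens the path (service rsyslog restart)
#   truncate : empty the file in place, keeping the same inode
# Prints the number of bytes readable at the path after one more line is logged.
bytes_visible_after() {
    method=$1
    dir=$(mktemp -d) || return 1
    log="$dir/auth.log"
    echo "Oct 15 11:59:00 host sshd[100]: old entry (constructed)" > "$log"

    exec 3>>"$log"                      # writer opens the log in append mode

    case $method in
        recreate) rm -f "$log"; : > "$log" ;;   # new inode; fd 3 still holds the old one
        restart)  rm -f "$log"; : > "$log"
                  exec 3>&-; exec 3>>"$log" ;;  # reopen by path, as a restart does
        truncate) : > "$log" ;;                 # same inode, length reset to 0
        *) exec 3>&-; rm -rf "$dir"; return 2 ;;
    esac

    # Constructed sample line, written through the writer's descriptor.
    echo "Oct 15 12:00:00 host sshd[101]: Failed password for root from 192.0.2.10 port 4242 ssh2" >&3
    exec 3>&-

    wc -c < "$log" | tr -d ' '
    rm -rf "$dir"
}

for m in recreate restart truncate; do
    echo "$m: $(bytes_visible_after "$m") bytes visible at the path"
done
```

On a live Linux host, `ls -l /proc/$(pidof rsyslogd)/fd` marks a descriptor that still points at the removed file with `(deleted)`.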
Sometimes this is because the __bsd_syslog_verbose is wrong. fail2ban expects /var/log/auth.log to start with YYYY.MM.DD (i.e. 2014.10.15) yet the logs read MMM DD (i.e. Oct 15).
To fix this you will need to do the following:
cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local
Edit common.local and set:
__bsd_syslog_verbose = (<[^.]+ [^.]+>)
Restart fail2ban:
Ubuntu (don't use restart):
sudo service fail2ban stop
sudo service fail2ban start
Issue in pyinotify: https://github.com/fail2ban/fail2ban/issues/878
In /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local I changed "backend = auto" to "backend = polling" and everything works as expected ;)
service fail2ban stop
service fail2ban start