Fail2Ban MIA for Amazon Linux 2023?

0

Why is Fail2Ban completely missing from AL2023 repos? Are there instructions, including dependencies for hand installation on AL2023? Why would Amazon leave this standard component of basic hacker prevention and security out of the stack?

4 Answers
1
Accepted Answer

Amazon Linux 2023 uses Python 3.9 by default, and some features of older Python versions were removed in Python 3.9, so you need to install from the latest Fail2ban source code.

  1. Install the dependency package 2to3: yum install 2to3 -y
  2. Download the latest fail2ban source code: https://github.com/fail2ban/fail2ban/archive/refs/tags/1.0.2.tar.gz
  3. Execute the following commands to install:
  • tar -xvf 1.0.2.tar.gz
  • cd fail2ban-1.0.2/
  • ./fail2ban-2to3
  • python3.9 setup.py build
  • python3.9 setup.py install
  • sudo cp ./build/fail2ban.service /etc/systemd/system/fail2ban.service
  • sudo systemctl enable fail2ban

For details, please refer to this link: https://github.com/fail2ban/fail2ban/wiki/How-to-install-or-upgrade-fail2ban-manually

AWS
answered a year ago
  • Kudos to Randy Palmer for this final - critical - piece to the puzzle. It works! Randy's Post: I found I also needed to edit /etc/systemd/system/fail2ban.service and set the following env variable under the [Service] section in order to get things working:

    Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"

  • It seems the AMI has changed in-between. On step "./fail2ban-2to3", we run into a failure:

    [root@ip-10-52-11-249 fail2ban-1.0.2]# ./fail2ban-2to3
    RefactoringTool: Skipping optional fixer: buffer
    RefactoringTool: Skipping optional fixer: idioms
    RefactoringTool: Skipping optional fixer: set_literal
    RefactoringTool: Skipping optional fixer: ws_comma
    RefactoringTool: No changes to bin/fail2ban-client
    Traceback (most recent call last):
      File "/usr/bin/2to3", line 5, in <module>
        sys.exit(main("lib2to3.fixes"))
      File "/usr/lib64/python3.9/lib2to3/main.py", line 263, in main
        rt.refactor(args, options.write, options.doctests_only,
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 690, in refactor
      ...
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 286, in refactor
        self.refactor_file(dir_or_file, write, doctests_only)
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 731, in refactor_file
        return super(MultiprocessRefactoringTool, self).refactor_file(
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 326, in refactor_file
        input, encoding = self._read_python_source(filename)
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 322, in _read_python_source
        return f.read(), encoding
      File "/usr/lib64/python3.9/codecs.py", line 322, in decode
        (result, consumed) = self._buffer_decode(data, self.errors, final)
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 96: invalid continuation byte

1

I found I also needed to edit /etc/systemd/system/fail2ban.service and set the following env variable under the [Service] section in order to get things working:

Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"

answered a year ago
  • Combined with the answer above - works perfectly. Did not enable without this environment variable! THANK YOU!

  • For those who tried the above and still couldn't get it to work, please try: Environment="PYTHONPATH=/usr/bin/python3.9"

    It worked. Plus you need to have version 234 of systemd-python in your python3.9 (see @rePost-User-9607719 comments)
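
One way to apply the unit-file edit described in the answer above, as an added example that is not part of the original thread: a shell function that sets an Environment= entry under [Service] idempotently, so repeating the step does not stack duplicate lines. The function names and the sample unit are constructed for illustration; the PYTHONPATH value is the one quoted in the answer.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# set_service_env UNIT_FILE NAME VALUE
#   Rewrite UNIT_FILE so that [Service] holds exactly one
#   Environment="NAME=VALUE" line. Returns 1 if there is no [Service] section.
set_service_env() {
    local unit="$1" name="$2" value="$3" tmp
    grep -q '^\[Service\]' "$unit" || return 1
    tmp=$(mktemp) || return 1
    awk -v name="$name" -v value="$value" '
        # Track whether the current line belongs to [Service].
        /^\[/ { in_service = ($0 ~ /^\[Service\]/) }
        # Drop an earlier setting of the same variable (quoted or unquoted).
        in_service && index($0, "Environment=\"" name "=") == 1 { next }
        in_service && index($0, "Environment=" name "=") == 1 { next }
        { print }
        # Emit the new setting directly after the section header.
        /^\[Service\]/ { printf "Environment=\"%s=%s\"\n", name, value }
    ' "$unit" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the unit keeps its owner and mode.
    cat "$tmp" > "$unit" && rm -f "$tmp"
}

# service_env_value UNIT_FILE NAME
#   Print the value currently set for NAME in [Service], if any.
service_env_value() {
    awk -v name="$2" '
        /^\[/ { in_service = ($0 ~ /^\[Service\]/) }
        in_service && index($0, "Environment=\"" name "=") == 1 {
            v = substr($0, length("Environment=\"" name "=") + 1)
            sub(/"$/, "", v); print v
        }
    ' "$1"
}

# Constructed sample unit, standing in for /etc/systemd/system/fail2ban.service.
demo_unit() {
    printf '%s\n' '[Unit]' 'Description=Fail2Ban Service' '' \
        '[Service]' 'Type=simple' \
        'ExecStart=/usr/local/bin/fail2ban-server -xf start' '' \
        '[Install]' 'WantedBy=multi-user.target'
}
```

After changing the real unit file, run `sudo systemctl daemon-reload` and restart the service so systemd picks up the new environment.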

0

I followed this procedure on a fresh AL2023. I confirm that adding PYTHONPATH in the unit file is also needed. However, fail2ban exits immediately with an error after being started. I got this from my journald:

Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal fail2ban-server[28036]: Server ready
Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal systemd[1]: fail2ban.service: Failed with result 'exit-code'.

Same happens when I try to run fail2ban in foreground from the command-line:

[ec2-user@ip-172-31-46-118 fail2ban-1.0.2]$ sudo /usr/local/bin/fail2ban-server -xf -v start
2023-10-27 12:40:47,647 fail2ban.configreader   [28703]: INFO    Loading configs for fail2ban under /etc/fail2ban 
2023-10-27 12:40:47,648 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2023-10-27 12:40:47,649 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2023-10-27 12:40:47,649 fail2ban                [28703]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
2023-10-27 12:40:47,649 fail2ban                [28703]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
2023-10-27 12:40:47,650 fail2ban.configreader   [28703]: INFO    Loading configs for jail under /etc/fail2ban 
2023-10-27 12:40:47,651 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
2023-10-27 12:40:47,656 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-fedora.conf']
2023-10-27 12:40:47,657 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
2023-10-27 12:40:47,657 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
2023-10-27 12:40:47,658 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/jail.d/ssh.local']
2023-10-27 12:40:47,658 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/ssh.local']
2023-10-27 12:40:47,659 fail2ban.configreader   [28703]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
2023-10-27 12:40:47,659 fail2ban.configreader   [28703]: INFO    Loading configs for filter.d/sshd under /etc/fail2ban 
2023-10-27 12:40:47,659 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
2023-10-27 12:40:47,660 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
2023-10-27 12:40:47,661 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
2023-10-27 12:40:47,661 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
2023-10-27 12:40:47,664 fail2ban.configreader   [28703]: INFO    Loading configs for action.d/iptables-multiport under /etc/fail2ban 
2023-10-27 12:40:47,664 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
2023-10-27 12:40:47,665 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables.conf']
2023-10-27 12:40:47,666 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables.conf', '/etc/fail2ban/action.d/iptables-multiport.conf']
Server ready
[ec2-user@ip-172-31-46-118 fail2ban-1.0.2]$ echo $?
255

Any hint on what might be the problem here? Thanks

answered 6 months ago
0

I found the missing step to get it working:

# yum install gcc git
# pip3 uninstall systemd
# pip3 install 'git+https://github.com/systemd/python-systemd.git#egg=systemd-python'
answered 5 months ago
