Restart fail2ban using systemd condrestart #120

Open · wants to merge 1 commit into master
Conversation

@WilliamDEdwards commented Sep 21, 2022

The previous code does two things:

1. Restart fail2ban ONLY if it's running with `fail2ban-client ping`
2. Re-add the fail2ban chain that was removed due to the ferm restart using `fail2ban-client`

However, using `fail2ban-client reload` does not re-add the `f2b-*` chains for me. MRE:

```
~# iptables -nvL | grep f2b
   15  1124 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
Chain f2b-sshd (1 references)
~# systemctl start ferm
~# iptables -nvL | grep f2b
~# fail2ban-client reload
OK
~# iptables -nvL | grep f2b
```

Restarting the fail2ban service does re-add these chains:

```
~# systemctl restart fail2ban
~# iptables -nvL | grep f2b
    3   236 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
Chain f2b-sshd (1 references)
```

Aside from this, the current `fail2ban-client ping` logic can be simplified by using systemd `condrestart`, which restarts the service only when it's running. This does mean that this commit assumes fail2ban runs as a systemd service.

I do not use your project, so I am not interested in maintaining or updating this PR. In case losing support for non-systemd systems is unacceptable, feel free to close it.

@WilliamDEdwards force-pushed the fix/fail2ban-restart-ferm branch from 3f32c9f to c849c66 on September 21, 2022 08:59
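The failure mode shown in the comment above, in working code. After ferm reloads its ruleset the `f2b-*` chains are gone while fail2ban still considers its jails active, so existing bans are not enforced until fail2ban is restarted; `fail2ban-client reload` answering `OK` does not tell you whether the chains came back. The script below is an added example, not code from this PR or from the project it targets. It assumes fail2ban runs as the systemd unit `fail2ban.service`, that its chains are named `f2b-<jail>` as in the iptables output above, and that it is invoked after ferm has reloaded. It restarts fail2ban only if the unit is active (the `condrestart` semantics the PR relies on; `condrestart` is systemd's compatibility alias for `try-restart`), then polls `iptables -S` until a `f2b-*` chain reappears so the hook fails loudly when enforcement was not restored. The unit name, the poll interval and the retry count are choices made for this example.

```shell
#!/bin/sh
# Added example; not code from this PR or from the project it targets.
# Assumptions (not stated on the page): fail2ban runs as the systemd unit
# "fail2ban.service", and its chains are named f2b-<jail>, as in the
# iptables output in the PR. Run after ferm has (re)loaded its ruleset.

UNIT="${FAIL2BAN_UNIT:-fail2ban.service}"

# Count fail2ban chain definitions ("-N f2b-...") in `iptables -S` output on stdin.
# Prints 0 (and still exits 0) when none are present.
count_f2b_chains() {
    grep -c -- '^-N f2b-' || true
}

# Restart fail2ban only if it is currently active. This is what
# `systemctl condrestart` (alias of `try-restart`) does; it is spelled out here
# so the decision is visible and testable. Prints "restarted" or "skipped".
condrestart_fail2ban() {
    if systemctl is-active --quiet "$UNIT"; then
        systemctl restart "$UNIT"
        echo restarted
    else
        echo skipped
    fi
}

# fail2ban creates its chains from each jail's actionstart once the server is up
# and the jail starts, not atomically with the unit start (assumed here), so poll
# instead of checking once. $1: attempts, one second apart (default 5).
# Returns 0 as soon as at least one f2b-* chain exists, 1 if none appeared.
wait_for_f2b_chains() {
    tries="${1:-5}"
    while [ "$tries" -gt 0 ]; do
        n=$(iptables -S | count_f2b_chains)
        if [ "$n" -gt 0 ]; then
            return 0
        fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then
            sleep 1
        fi
    done
    return 1
}

# Post-ferm step: restart fail2ban if it was running, then confirm its chains are
# back. Returns 0 if fail2ban was not running (nothing to restore) or its chains
# reappeared; returns 1 if it was restarted but no f2b-* chain came back, which
# means bans are not being enforced and the host needs attention.
reapply_f2b_chains() {
    action=$(condrestart_fail2ban)
    if [ "$action" = skipped ]; then
        return 0
    fi
    wait_for_f2b_chains "${1:-5}"
}

# Stand-alone use (needs root for iptables/systemctl): sh reapply-f2b.sh --run
case "${1:-}" in
    --run)
        if reapply_f2b_chains; then
            echo "f2b-* chains present"
        else
            echo "f2b-* chains missing after fail2ban restart" >&2
            exit 1
        fi
        ;;
esac
```

Under the PR's assumption that fail2ban is a systemd unit, `systemctl condrestart fail2ban` alone is the fix; the verification step is what distinguishes "fail2ban was restarted" from "bans are enforced again", which is the property a firewall reload hook actually needs to guarantee.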