Eventlog filling with fail2ban jail component logs since latest stable update


#1
Version 1.50 - Mon Apr 01 2019 05:44:01 GMT+0200
DB Schema 2019_02_10_220000_add_dates_to_fdb (132)
Web Server nginx/1.14.2
PHP 7.3.3-1
MySQL 10.1.37-MariaDB-0+deb9u1
RRDtool 1.6.0
  • The output of ./validate.php
    All ok (console and web)

  • Log entries repeating every 5 Minutes on localhost

Timestamp Type Message User
2019-04-02 17:00:13 component Component: (2). Attribute: jails, was modified from: , to: [“sasl”,“ip-blacklist”,“dovecot”,“sshd”,“postfix”] System
2019-04-02 16:55:10 component Component: (2). Attribute: jails, was modified from: , to: [“sshd”,“postfix”,“ip-blacklist”,“dovecot”,“sasl”] System
2019-04-02 16:50:10 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“dovecot”,“ip-blacklist”,“sasl”,“sshd”]
  • Other than that the data itself seems to be ok:

  • This behavior started (see first occurrence below), I assume with the update to 1.50:
Timestamp Type Message User
2019-04-02 00:35:10 component Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“sshd”,“dovecot”,“sasl”,“postfix”] System
2019-04-02 00:25:09 component Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“postfix”,“sshd”,“sasl”,“dovecot”] System
2019-04-02 00:20:11 component Component 2 has been modified: label => Fail2ban Jails System
2019-04-02 00:20:11 component Component: (2). Attribute: jails, was added with value: [“postfix”,“ip-blacklist”,“sshd”,“sasl”,“dovecot”]

I hope someone can help me keep my logs clean again. Everything else works perfectly.

Thanks in advance.


#2

Try this: https://github.com/librenms/librenms/pull/10061


#3

Unfortunately it just added more information, but the lines still occur every 5 minutes. (I squeezed in some manual polls below, in case you’re wondering about the timestamps). Since it always says “modified from:” (empty) “, to:” (something), is it possible it cannot save some information to the database?

Timestamp Type Message User
2019-04-02 23:42:24 component Component: (2). Attribute: jails, was modified from: , to: {“2”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“0”:“sshd”} System
2019-04-02 23:40:10 component Component: (2). Attribute: jails, was modified from: , to: {“0”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“2”:“sshd”} System
2019-04-02 23:38:00 component Component: (2). Attribute: jails, was modified from: , to: {“1”:“dovecot”,“2”:“ip-blacklist”,“0”:“postfix”,“3”:“sasl”,“4”:“sshd”} System
2019-04-02 23:30:12 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sasl”,“dovecot”,“sshd”,“ip-blacklist”] System
2019-04-02 23:25:10 component Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sshd”,“ip-blacklist”,“sasl”,“dovecot”] System

#4

Silly, that sort function preserves the keys… I’ll use a different one.


#5

I tried the following workaround which looks good at the moment (no event logs but data is updated):

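// Jail names are the keys of $f2b['jails']; sort them so the order is the same on every poll.
$tempArray = array_keys($f2b['jails']);
asort($tempArray);
// asort() keeps the original indexes, so reindex before encoding to get a JSON list.
$f2bc[$id]['jails'] = json_encode(array_values($tempArray));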

If there are two or more identical elements the sorting is undefined, which wouldn’t be worse than what we have now. So I skipped the return value check.
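
The effect discussed in posts #3 to #5, as an added example (not LibreNMS code and not written by any poster in this thread): the same jail set is encoded three ways for two polls that return it in a different order. The jail names come from the log lines above; the function names, the per-poll ordering and the ban counts are constructed for illustration.

```php
<?php
// Added illustration, not LibreNMS code. Jail names are taken from the event
// log lines in this thread; the per-poll ordering and counts are constructed.

// Two polls returning the same jails in a different order (jail => banned count).
$pollA = ['postfix' => 0, 'sshd' => 3, 'ip-blacklist' => 1, 'sasl' => 0, 'dovecot' => 2];
$pollB = ['sasl' => 0, 'dovecot' => 2, 'postfix' => 0, 'ip-blacklist' => 1, 'sshd' => 3];

// Unsorted: the encoded attribute differs whenever the poll order differs.
function encodeUnsorted(array $f2bJails): string
{
    return json_encode(array_keys($f2bJails));
}

// Key-preserving sort: values are ordered, but the original indexes remain,
// so json_encode() emits an object ({"4":"dovecot",...}) instead of a list.
function encodeKeyPreserving(array $f2bJails): string
{
    $jails = array_keys($f2bJails);
    asort($jails);
    return json_encode($jails);
}

// Sort, then reindex 0..n-1 with array_values(): a plain, stable JSON list.
function encodeNormalised(array $f2bJails): string
{
    $jails = array_keys($f2bJails);
    asort($jails);
    return json_encode(array_values($jails));
}

$variants = [
    'unsorted'             => 'encodeUnsorted',
    'asort only'           => 'encodeKeyPreserving',
    'asort + array_values' => 'encodeNormalised',
];

foreach ($variants as $label => $fn) {
    $a = $fn($pollA);
    $b = $fn($pollB);
    printf("%s\n  poll A: %s\n  poll B: %s\n  %s\n\n", $label, $a, $b, $a === $b ? 'identical' : 'differs');
}
```

Only the last variant produces the same string for both polls, which is what a stored attribute needs if a change event should fire only when the jail set really changes.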


#6

That’s exactly what I was going to do :slight_smile:


#7

:relaxed: This raises my confidence to put in a pull request next time I find something.

The validate tells me now that “this could prevent automatic updates”. Would it actually prevent it? And what could I do not to run into problems on the next stable update?


#8

@efelon you need to remove the code modifications before the next release. (If you forget to, it can be fixed but might be more of a mess).


#9

Uh, ok. Since the releases are automatic, and I don’t know the exact time, it will be difficult. They are done in the daily cron script, am I right?! Not calling this at all wouldn’t be the best idea I assume. Do you have any advice?


#10

Last Sunday of every month… You can see the scheduled date on github too.


#11

I still get the error with 1.51. What I need to do is add only the array_values():

/opt/librenms/includes/polling/applications# diff fail2ban.inc.php fail2ban.inc.php.ori 
97c97
<     $f2bc[$id]['jails'] = json_encode(array_values($jails));
---
>     $f2bc[$id]['jails'] = json_encode($jails);
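
Review bot: the diff was taken with the modified file first (`diff fail2ban.inc.php fail2ban.inc.php.ori`), so the array_values() version of line 97 sits on the `<` side and the hunk reads as if the call were being removed. For the pull request, regenerate it with the original first, for example `diff -u fail2ban.inc.php.ori fail2ban.inc.php`. A one-line comment above line 97 saying why the reindex is needed (the sort keeps the original keys, so json_encode() emits an object like the `{“2”:“dovecot”,…}` entries in post #3 rather than a list) would also keep the call from being dropped again later.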

#12

Pull request for this solution: