Eventlog filling with fail2ban jail component logs since latest stable update

efelon · 2 April 2019 15:04

Version	1.50 - Mon Apr 01 2019 05:44:01 GMT+0200
DB Schema	2019_02_10_220000_add_dates_to_fdb (132)
Web Server	nginx/1.14.2
PHP	7.3.3-1
MySQL	10.1.37-MariaDB-0+deb9u1
RRDtool	1.6.0

The output of ./validate.php
All ok (console and web)
Log entries repeating every 5 Minutes on localhost

Timestamp	Type	Message	User
2019-04-02 17:00:13	component	Component: (2). Attribute: jails, was modified from: , to: [“sasl”,“ip-blacklist”,“dovecot”,“sshd”,“postfix”]	System
2019-04-02 16:55:10	component	Component: (2). Attribute: jails, was modified from: , to: [“sshd”,“postfix”,“ip-blacklist”,“dovecot”,“sasl”]	System
2019-04-02 16:50:10	component	Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“dovecot”,“ip-blacklist”,“sasl”,“sshd”]

Other than that the data itself seems to be ok:

This behavior started (see first occurrence below), I assume with the update to 1.50:

Timestamp	Type	Message	User
2019-04-02 00:35:10	component	Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“sshd”,“dovecot”,“sasl”,“postfix”]	System
2019-04-02 00:25:09	component	Component: (2). Attribute: jails, was modified from: , to: [“ip-blacklist”,“postfix”,“sshd”,“sasl”,“dovecot”]	System
2019-04-02 00:20:11	component	Component 2 has been modified: label => Fail2ban Jails	System
2019-04-02 00:20:11	component	Component: (2). Attribute: jails, was added with value: [“postfix”,“ip-blacklist”,“sshd”,“sasl”,“dovecot”]

I hope someone can help me keeping my logs clean again. Everything else works perfectly.

Thanks in advance.

murrant · 2 April 2019 18:45

Try this: https://github.com/librenms/librenms/pull/10061

efelon · 2 April 2019 21:48

Unfortunately it just added more information, but the lines still occur every 5 minutes. (I squeezed in some manual polls below, in case you’re wondering about the timestamps). Since it always says “modified from:” (empty) “, to:” (something) is it possible it cannot save some information to the data base?

Timestamp	Type	Message	User
2019-04-02 23:42:24	component	Component: (2). Attribute: jails, was modified from: , to: {“2”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“0”:“sshd”}	System
2019-04-02 23:40:10	component	Component: (2). Attribute: jails, was modified from: , to: {“0”:“dovecot”,“3”:“ip-blacklist”,“1”:“postfix”,“4”:“sasl”,“2”:“sshd”}	System
2019-04-02 23:38:00	component	Component: (2). Attribute: jails, was modified from: , to: {“1”:“dovecot”,“2”:“ip-blacklist”,“0”:“postfix”,“3”:“sasl”,“4”:“sshd”}	System
2019-04-02 23:30:12	component	Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sasl”,“dovecot”,“sshd”,“ip-blacklist”]	System
2019-04-02 23:25:10	component	Component: (2). Attribute: jails, was modified from: , to: [“postfix”,“sshd”,“ip-blacklist”,“sasl”,“dovecot”]	System

murrant · 3 April 2019 02:58

Silly, that sort function preserves the keys… I’ll use a different one.

efelon · 3 April 2019 07:29

I tried the following workaround which looks good at the moment (no event logs but data is updated):

$tempArray = array_keys($f2b['jails']);
asort($tempArray));
$fsbc[$id]['jails'] = json_encode(array_values($tempArray));

If there are two or more identical elements the sorting is undefined, which wouldn’t be worse than what we have now. So I skipped the return value check.

murrant · 3 April 2019 12:36

That’s exactly was I was going to do

efelon · 4 April 2019 20:13

this raises my confidence to put in a pull request next time i find something.

The validate tells me now that “this could prevent automatic updates”. Would it actually prevent it? And what could I do not to run into problems on the next stable update?

murrant · 8 April 2019 13:50

@efelon you need to remove the code modifications before the next release. (If you forget to it can be fixed but might be more of a mess).

efelon · 9 April 2019 10:54

Uh, ok. Since the releases are automatic, and I don’t know the exact time, it will be difficult. They are done in the daily cron script, am I right?! Not calling this at all wouldn’t be the best idea I assume. Do you have any advice?

murrant · 10 April 2019 15:39

Last Sunday of every month… You can see the scheduled date on github too.

efelon · 30 April 2019 21:04

I still get the error with 1.51. What I need to do is adding only the array_values():

/opt/librenms/includes/polling/applications# diff fail2ban.inc.php fail2ban.inc.php.ori 
97c97
<     $f2bc[$id]['jails'] = json_encode(array_values($jails));
---
>     $f2bc[$id]['jails'] = json_encode($jails);

efelon · 14 May 2019 11:15

Pull request for this solution:

github.com/librenms/librenms

Prevent fail2ban from filling eventlog on every poll

librenms:master ← efelon:efelon-fail2ban-patch

opened 08:14AM - 14 May 19 UTC

efelon

+1 -1

Either the jails in the array or the respective indexes get rearranged on every …poll. Adding only the values (jail names) without the indexes solves the issue. I tried also asort() which gives the same behavior. Details: https://community.librenms.org/t/eventlog-filling-with-fail2ban-jail-component-logs-since-latest-stable-update/7902/10 DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [ ] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926` After you are done testing, you can remove the changes with `./scripts/github-remove`. If there are schema changes, you can ask on discord how to revert.