Excalibur and fail2ban

nixer · Yesterday 16:36:55

I like to be made aware of any pending problems before they bite me, so, I recently tested a daedalus dist-upgrade to excalibur of a snapshot of my production server within virtualbox.

The dist-upgrade went fine, or so I thought, then upon rebooting I saw that fail2ban was broken. This is the output in the terminal:

root@fc-vm:/home/user# service fail2ban start
Starting Authentication failure monitor: fail2ban2025-08-20 12:24:03,728 fail2ban [4719]: ERROR NOK: (38, 'Function not implemented')
failed!

I checked the fail2ban.log and it contained the same error. I then did an "apt info fail2ban" command on both the daedalus and excalibur versions of fail2ban to see what could have changed. The only thing that I noticed was that the package "python3-systemd" is listed as a suggested package in daedalus whereas it is now listed as a dependency in excalibur. The dist-upgrade did pull in this package python3-systemd so it is installed. But the program will not start. The fail2ban homepage specifically says that systemd is not a dependency.

I then tested this on an excalibur preview release from here: https://dev1galaxy.org/viewtopic.php?pid=57204#p57204 and I got the same result, so I know that it is not something on my system or its configuration that is causing a problem.

Has anyone else had this issue? I consider this the most important program on any system that is open to the internet, so this is important to me. Any help and/or suggestions are welcome.

g4sra · Yesterday 16:53:56

Re dist-upgrade to excalibur

open to the internet

Suggestion: DONT, Trixie is broken, wait for it to be fixed!
The broken 'fail2ban' thing is well known and all over the internet.

nixer · Yesterday 18:45:37

The broken 'fail2ban' thing is well known and all over the internet.

Thank you for this bit of info. I did do a web search and a search on the debian forums a couple days ago and found nothing that looked familiar. I will try again later.

Thank you again.

g4sra · Yesterday 18:51:55

Trixie has forced dependency on newer versions of python modules which have dropped depreciated API's.
Of greater concern is the list of faults in trixie, prohibiting it's use in any mission critical role.

https://www.debian.org/releases/trixie/ … ssues.html

Credit to golinux for first posting of the link

Altoid · Yesterday 20:53:48

Hello:

g4sra wrote:

Credit to golinux for first posting of the link ...

Indeed ...

And then, there's also this bit:

uncredited wrote:

## Old Business
- Debian Trixie has been released
- And what a cluster-f*** it is!

Right on the dot. 8^)

Best,

A.

golinux · Yesterday 21:06:36

Hmmmm . . . I wonder who that might be . . . LOL!!

zapper · Today 00:59:35

@g4sra which package has that awful license change? LXD?

g4sra · Today 08:27:07

@zapper, API = Application Program Interface, the resources that a python module (in this case) provides to your program to call on.

What is coming down the line....
https://docs.python.org/3/deprecations/index.html

Someone needs to port fail2ban to the newer python version forced on it by trixie.

steve_v · Today 09:49:34

Someone needs to port fail2ban to the newer python version

Upstream fail2ban already has compatibility with python 3.13 (inc. bundling the async modules removed with python 3.12), said upstream version (1.1.0) is in trixie, and there appear to be no relevant reports on the Debian BTS...

If you're going to claim "well known and all over the internet", perhaps provide some examples?

Given that the only hits I can get for that exact error are 1: this thread, and 2: an artix user from 5 years ago, and there's no noise about this at all over on FDN, I'm far more inclined to think this has to do with python-systemd and Devuan packaging / shipped configs than anything else.

Ed. Yup, sure enough, again:

$ diff fail2ban_1.0.2-2_all/data/etc/fail2ban/paths-debian.conf fail2ban_1.1.0-8_all/data/etc/fail2ban/paths-debian.conf 
30a31,41
> 
> # In Debian, these services will log to the journal via syslog, so use the
> # journal by default.
> syslog_backend = systemd
> sshd_backend = systemd
> dropbear_backend = systemd
> proftpd_backend = systemd
> pureftpd_backend = systemd
> wuftpd_backend = systemd
> postfix_backend = systemd
> dovecot_backend = systemd

$ diff fail2ban_1.0.2-2_all/data/etc/fail2ban/jail.d/defaults-debian.conf fail2ban_1.1.0-8_all/data/etc/fail2ban/jail.d/defaults-debian.conf
0a1,4
> [DEFAULT]
> banaction = nftables
> banaction_allports = nftables[type=allports]
> 
1a6,7
> backend = systemd
> journalmatch = _SYSTEMD_UNIT=ssh.service + _COMM=sshd

That's not going to work, now is it? Nice job Devuan ~~packaging team~~ merging stuff from debian without testing it bot, great catch. Definitely fixing all the systemd things for this premiere systemd-free distro.

@OP, make sure all your jails are using the 'polling', 'pyinotify' (if you have that installed) or 'auto' backends. This might not be your problem, but I suspect it is based on where that error appears to be coming from...
Either way though: Blindingly obvious excalibur packaging fail. If it doesn't cause problems here, it will later.

Last edited by steve_v (Today 11:22:10)

ralph.ronnquist · Today 11:42:37

It looks like there you have a task to volunteer for.

The officially official Devuan Forum!

#1 Yesterday 16:36:55

Excalibur and fail2ban

#2 Yesterday 16:53:56

Re: Excalibur and fail2ban

#3 Yesterday 18:45:37

Re: Excalibur and fail2ban

#4 Yesterday 18:51:55

Re: Excalibur and fail2ban

#5 Yesterday 20:53:48

Re: Excalibur and fail2ban

#6 Yesterday 21:06:36

Re: Excalibur and fail2ban

#7 Today 00:59:35

Re: Excalibur and fail2ban

#8 Today 08:27:07

Re: Excalibur and fail2ban

#9 Today 09:49:34

Re: Excalibur and fail2ban

#10 Today 11:42:37

Re: Excalibur and fail2ban

Board footer