Fail2Ban Module on CentOS 6.6 may be broken

after seeing Eric post a fresh book-page for F2B I decided to try it. As many others know brute force attacks get old in a hurry.

However, the configuration in the module appears broken.
When trying to Enable a jail the folllowing error will occur: “Failed to save jail : All log files must be absolute paths or patterns”

Also the configurations for (example) dovecot are empty, no information of ports, iptables, patterns or protocol, the log path has %(dovecot_log)s.

Any input?

CentOS 6.6 VPS,
Virtualmin GPL

Thanks, Joe

ok sorry for responding to my own post.
The Fail2Ban Module seems to have a problem with virtual server logs.
By using the path /var/log/virtualmin/*error_log the log file error stops.
This explained part of the errors from my previous post, but I still believe the Module is broken, as Enable–>Yes will not give the user a functioning F2B config.


Aha, someone noticed that! I was planning to make a formal announcement about those docs here shortly, I was hoping to do just a tad more testing beforehand. But maybe you can help! :slight_smile:

I’ll go try and reproduce that issue on Debian and Ubuntu, but my CentOS VM is being troublesome at the moment, which has made it hard to test in that environment.

I’ll also take a look at the Dovecot configuration (which I hadn’t tried at all on any distro), and see if we can get some sample configuration to use. Thanks for pointing that out.

So I wanted to ask, while you can’t enable a jail, did the CentOS steps work properly otherwise? If you log in too many times via SSH, is that properly blocking the host you tried to log in from?


Howdy Eric,
yes the install went fine. Also it works as expected, from minutes after install it will blocked ssh attacks.
For the record I made my own jail.local for the time being, but if you need testing i will rename or remove that file.
To help you look closer, when you are in the module most all of the configs in Filter Action Jails are empty…
The Module doesn’t seem to find the default info to populate the FAJ to a useable set-up.



Hmm, where did you end up setting those Virtualmin log files?

As far as the Filter Action Jails go… that is unfortunate! It sounds like that’s how the jail.conf comes with that particular repository. I’m not sure how best to address that at the moment.

I’ll offer that in the jail.conf I have on Ubuntu, the Dovecot section looks like this:


enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log

The Postfix section looks like this:


enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log

And the pam-generic section looks like this:


enabled = false

pam-generic filter can be customized to monitor specific subset of 'tty’s

filter = pam-generic

port actually must be irrelevant but lets leave it all for some possible uses

port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log

Since it doesn’t sound like those work out of the box, perhaps we ought to describe how to setup those services on CentOS in the documentation you were reading.

Out of curiosity, which services would you like to be able to use?


Hi Eric,
here is what my jail.conf looks like, SSH section:

# SSH servers


port    = ssh
logpath = %(sshd_log)s

# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s[/code]

At the top of this file it states "YOU SHOULD NOT MODIFY THIS FILE.", as this file could change between updates and suggests to use a jail.local or place a custom file in /jail.d directory. If you go to the
 [code]Module-->Filter Action Jails-->SSH[/code] 
and try to enable this action, the error about paths for log files will occur. Also, per my OP the config is not migrated with ports or actions(iptables), only the non working path.

So what I did is create a custom jail.local with the following to get the SSH to work:

ignoreip =
bantime = 3600
maxretry = 5


enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
#sendmail-whois[name=SSH, dest=root@localhost]
logpath = /var/log/auth.log
maxretry = 5

Hope this helps Eric. Do you think trying a reinstall of F2B could help? Also I noted that the stock jail.conf has a line:


#before = paths-distro.conf
before = paths-fedora.conf

It doesn’t explain why one or the other is needed, CentOS 6.6 is close to Fedora but I wonder if there is a path issue from this include? (Thinking out loud)

Thanks as always for you input Eric,

Hi Eric,
the sample of code from the Ubuntu conf that you supplied doesn’t work. It creates an error:

ERROR Failed to start jail 'postfix' action 'iptables-multiport': Error starting action
ERROR Failed to start jail 'dovecot' action 'iptables-multiport': Error starting action

Distro specific configs I’m guessing?


Same issue on CentOS 7.

The module seems to be enabled correctly as it is found under Networking > Fail2Ban Intrusion Detector.
From the configuration page I can either restart or stop the server, but I can’t enable/disable it on boot (the only way to make it working was via shell systemctl enable fail2ban)

All of the jails are disabled and there is no protection over ssh. When I try to enable a Filter Action Jail it returns “Failed to save jail : All log files must be absolute paths or patterns”.

Editing the file /etc/fail2ban/jail.conf as suggested by BossHog did the trick, but it seems there are some bugs to be fixed with regards to this module.


My advice is to remove fail2ban and then manually install last version for Centos 7 (or you can try to update with yum) and use full path for jails, e.g. for ssh instead of “%(sshd_log)s” use “/var/log/secure” and so on. Next do not make changes into “jail.conf” but instead use “jail.local”. In case you dont have “jail.local” make this file and then use it to apply changes/enable jails/etc…

P.S. Fail2ban works great with Centos 7 but my advice is to forget about Wmin module and make all changes manually using SSH of SFTP.

I am unable to enable jails as well due to the error message “Failed to save jail : All log files must be absolute paths or patterns”.

It seems the module is expecting an absolute log path, while Fail2Ban uses paths like “%(sshd_log)s”