FreeBSD 10.3, amd64 and i386. Package versions installed:
py27-fail2ban-0.10.3.1 Scans log files and bans IP that makes too many password failures
python27-2.7.14_1 Interpreted object-oriented programming language
# tail -1 /etc/hosts.deny
Reverting this commit fixes the problem and will have IP addresses appended to /etc/hosts.deny agan, though it may re-break syntax for IPv6:
I will have a look into it.
I don't like to rush out a change which will break IPv6 if the error may be upstream. In the meantime affected people could create an action.d/hostsdeny.local file with the reverted actionban and actionunban lines in.
I got a fix from upstream and will submit a patch later.
Thanks! I can confirm that upstream commit bba7a6c fixes the problem.
I indeed had to replace 'sed' with '/usr/local/bin/gsed' in hostsdeny.conf (and install textproc/gsed) before entries would get deleted upon shutdown or timeout.
Created attachment 192619 [details]
Attached is a patch.
Problem was that variables used in the fail2ban actions my not start with an "_". This was fixed upstream.
Other problems are differences between stock FreeBSD "sed" and Linux GNU "sed": they differ in the way arguments are applied and in regular expressions. Some of them could be solved upstream, some of them cannot. To make things more complicated FreeBSD ports have a GNU sed people may have installed. In order to avoid a dependency on ports gsed and avoid conflicts between stock and ports versions I changed "sed" to "/usr/bin/sed". If that is not the proper way to enforce using stock sed please tell me.
Since the GNU sed port installs /usr/local/bin/gsed, there's no strict need for putting the full /usr/bin path in. Also, /usr/local/bin is probably not in $PATH when the daemon is started. So it's probably not necessary.
Maybe I was too cautious to pick the correct sed:
/usr/local/bin is in the PATH, but it comes after /usr/bin so stock sed would be picked before ports sed.
Just wanted to report back that the latest version of the patch also works for me. Thanks again for your support!
Just a ping :)
If someone from FreeBSD could pick the patch for checkin. Or am I still missing something?
A commit references this bug:
Date: Wed Jul 25 19:09:50 UTC 2018
New revision: 475327
security/py-fail2ban: Fix writing /etc/hosts.deny entries
Submitted by: email@example.com (maintainer)
Reported by: Niels Bakker <firstname.lastname@example.org>