Friday 17 May 2024

Ubuntu 24.04 and Fail2Ban Issue Fix / Workaround

Details
Category: Featured Topics

With the publication of Ubuntu 24.04 LTS end of April 2024 there is an issue with the Fail2Ban version packaged into Ubuntu. If you get an error to run Fail2Ban on Ubuntu 24.04 you may find more details and a workaround in this article.

This article is related to a potential issue with the fail2ban version 1.0.2-3 packaged for Ubuntu 24.04 LTS as of April 2024.

Fail2ban is an intrusion prevention software framework that protects computer servers from brute-force attacks and is part of the AIRIX.NET server setup (see article Intrusion prevention with Fail2Ban).

The cause of the issue is that the in Ubuntu 24.04 bundled version 1.0.2-3 of fail2ban is not compatible with Python 3.12 or later, which is, on the other hand, the Python version packaged with Ubuntu 24.04. Python 3.12 has deprecated a module named asynchat, a prerequisite for fail2ban 1.0.2-3 and earlier.

The issue is resolved with fail2ban 1.1.0 and later (Link to fail2ban releases on Github: Releases · fail2ban/fail2ban · GitHub).

Are you affected by this issue?

You are affected from the issue if you try to run a fail2ban earlier than version 1.1.0 in conjunction with Python 3.12 and later.

After you have installed and started failed2ban, check the status:

sudo systemctl status fail2ban

When the status is "failed" and you see the error [38065]: ERROR   No module named 'asynchat'
fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
fail2ban.service: Failed with result 'exit-code'

that's the one and you are indeed affected by this issue.

Workaround - fail2ban on Ubuntu 24.04

To run Fail2Ban on Ubuntu 24.04 you need to use fail2ban version 1.1.0 or later.

As a fix / workaround we have installed fail2ban version 1.1.0 on our new Ubuntu 24.04 LTS as per the steps described below.

It is based on the steps described in GitHub How to install or upgrade fail2ban manually · fail2ban/fail2ban Wiki · GitHub. The article on GitHub is not specifically for Ubuntu, but covers Debian in general. The fix described here in our article is specifically for Ubuntu and we have tested it on Ubuntu 24.04 LTS in April 2024. If you are interested in more details, please refer to the GitHub page linked above where you find more details than we are covering here.

How to Apply the Fix / Workaround

In our Ubuntu 24.04 instance we followed the steps for a manual install of Debian upstream-package under Ubuntu 24.04 LTS.

In case you upgraded (not recommended) and had Fail2Ban running previously, you may want to:

  • backup your current configuration /etc/fail2ban and run-time database /var/lib/fail2ban/fail2ban.sqlite3
  • you can also store the dump of your current configuration to be able to compare it later:
    fail2ban-client -d > /tmp/f2b-dump-of-prev-version.txt

If your fail2ban version deviates significantly or you decided install from source, stop and uninstall obsolete version of fail2ban.

Not sure if that is necessary (we may check soon and update the text here), but we installed the fail2Bban from Ubuntu 24.04 bundle first, assuming that this will take care of all dependencies: 

sudo apt install fail2ban

If Ubuntu 24.04 has not fixed the packaged content, this may install the incompatible version.

To install the deb-package manually, the following steps are necessary for Ubuntu 24.04:

The following is an example for 1.1.0:

cd /tmp/
# 1) download deb package and signature:
wget -O fail2ban.deb https://github.com/fail2ban/fail2ban/releases/download/1.1.0/fail2ban_1.1.0-1.upstream1_all.deb
wget -O fail2ban.deb.asc https://github.com/fail2ban/fail2ban/releases/download/1.1.0/fail2ban_1.1.0-1.upstream1_all.deb.asc

# 2) check signature (if you want to be sure file is unmodified):
gpg --verify fail2ban.deb.asc fail2ban.deb

# 3) view details of the package:
dpkg -I fail2ban.deb

# 4) to ensure the upgrade run gentler (protocol of previous version may be incompatible), stop fail2ban before install:
# using service:
sudo service fail2ban stop

# 5a) install package using dpkg (standalone package, don't regard dependencies):
sudo dpkg -i fail2ban.deb
# if the package introduces some "broken" dependencies (I don't think so in case of fail2ban which has few dependencies),
# to fix the unmet dependency issue, run this:
sudo apt -f install

Now you should have the 1.1.0 version of Fail2Ban installed.

# Start the service:
sudo systemctl start fail2ban

# And check the status if the service is running well:
sudo systemctl status fail2ban

Now you should have the compatible 1.1.0 version of Fail2Ban running on your Ubuntu 24.04 LTS.

We also checked the alternative installation using (step 5b, see How to install or upgrade fail2ban manually · fail2ban/fail2ban Wiki · GitHub), but this requires gdebi. gdebi needs to be installed beforehand under Ubuntu 24.04, but we refrained as the tool and its dependencies would have been consumed additional 350 MB.

Related Topics & Articles

Intrusion prevention with Fail2Ban

Configure & Monitor Fail2Ban

Ubuntu 24.04 LTS "Noble Numbat" Long Term Support Release Available

External Link: How to install or upgrade fail2ban manually · fail2ban/fail2ban Wiki · GitHub

External Link: fail2ban Releases · fail2ban/fail2ban · GitHub