Fail2ban doesn't clean up a stale socket file after a system crash. If fail2ban doesn't shut down cleanly, this file is left behind and the init.d startup scripts do not remove it. This causes fail2ban to be unable to restart on next boot.

Reproducible: Always

Steps to Reproduce:
1. Power failure
2. Attempt to restart fail2ban manually or via rc scripts.

Actual Results:
There is no error message on a normal start:

     * Starting fail2ban ...
     * Failed to start fail2ban [ !! ]

Starting it directly with the following command:

    /usr/bin/fail2ban-client start

Gives the following results:

    2010-12-02 07:21:31,114 fail2ban.server : INFO Starting Fail2ban v0.8.4
    2010-12-02 07:21:31,115 fail2ban.server : INFO Starting in daemon mode
    ERROR Could not start server. Maybe an old socket file is still present. Try to remove /var/run/fail2ban/fail2ban.sock. If you used fail2ban-client to start the server, adding the -x option will do it

Expected Results:
There should be a warning that the lock file exists without fail2ban running and it should be removed automatically.

If the fail2ban directory in /var/run doesn't exist, it also fails to start. This directory needs to be recreated if it doesn't exist.
Which version? How about -r1?
This was tested with 0.8.4. The -r1 makes no difference since the init.d script is part of the official package (it has a gentoo init.d).

Start code for gentoo:

    start() {
        ebegin "Starting fail2ban"
        ${FAIL2BAN} start &> /dev/null
        eend $? "Failed to start fail2ban"
    }

Start code for redhat:

    start() {
        echo -n $"Starting fail2ban: "
        getpid
        if [ -z "$pid" ]; then
            rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
            $FAIL2BAN start > /dev/null
            RETVAL=$?
        fi
        if [ $RETVAL -eq 0 ]; then
            touch /var/lock/subsys/fail2ban
            echo_success
        else
            echo_failure
        fi
        echo
        return $RETVAL
    }

I can quickly come up with a simple fix just by turning it into this:

    start() {
        ebegin "Starting fail2ban"
        [[ ! -d /var/run/fail2ban ]] && mkdir var/run/fail2ban
        [[ -z /var/run/fail2ban/fail2ban.sock ]] && rm -f /var/run/fail2ban/fail2ban.sock
        ${FAIL2BAN} start &> /dev/null
        eend $? "Failed to start fail2ban"
    }
Fixed a missing slash:

    start() {
        ebegin "Starting fail2ban"
        [[ ! -d /var/run/fail2ban ]] && mkdir /var/run/fail2ban
        [[ -z /var/run/fail2ban/fail2ban.sock ]] && rm -f /var/run/fail2ban/fail2ban.sock
        ${FAIL2BAN} start &> /dev/null
        eend $? "Failed to start fail2ban"
    }

Should also have some variables for the PID and PID directory to make it cleaner.
(In reply to comment #3)
> Fixed a missing slash:
>
> start() {
> ebegin "Starting fail2ban"
> [[ ! -d /var/run/fail2ban ]] && mkdir /var/run/fail2ban
> [[ -z /var/run/fail2ban/fail2ban.sock ]] && rm -f
> /var/run/fail2ban/fail2ban.sock
> ${FAIL2BAN} start &> /dev/null
> eend $? "Failed to start fail2ban"
> }
>
> Should also have some variables for the PID and PID directory to make it
> cleaner.
>

I'd say that -z /var/run/fail2ban/fail2ban.sock is not correct. It should be -e /var/run/fail2ban/fail2ban.sock
Oops, I stand corrected. Haven't done any shell scripting for a while. -z is for strings, -e makes a lot more sense :)
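A defensive take on the cleanup discussed in this thread, as an added example that is not part of the bug report or of the committed patch: it shows why the -z test never fires, and removes the path only when no daemon is alive and the path really is a socket. The function names and the pid-file parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all function and variable names are hypothetical.

# -z tests whether a STRING is empty. A path is a non-empty string, so this
# is always false and an rm guarded by it never runs.
z_test_fires() { [ -z "$1" ]; }

# Return 0 only if the pid file names a process that is still alive.
daemon_alive() {
    [ -r "$1" ] || return 1
    da_pid=$(cat "$1" 2>/dev/null)
    case "$da_pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$da_pid" 2>/dev/null
}

# prepare_runtime DIR SOCK PIDFILE
# Returns 0: safe to start, 1: refused or failed, 2: daemon already running.
prepare_runtime() {
    pr_dir=$1 pr_sock=$2 pr_pid=$3
    # The run directory may be missing after a reboot, so recreate it.
    [ -d "$pr_dir" ] || mkdir -m 0755 "$pr_dir" || return 1
    if daemon_alive "$pr_pid"; then
        return 2    # a live daemon owns the socket, leave it alone
    fi
    if [ -L "$pr_sock" ]; then
        # Checked first: -e is false for a dangling symlink.
        echo "refusing to remove symlink $pr_sock" >&2
        return 1
    elif [ -S "$pr_sock" ]; then
        echo "removing stale socket $pr_sock" >&2
        rm -f -- "$pr_sock" || return 1
    elif [ -e "$pr_sock" ]; then
        echo "refusing to remove non-socket $pr_sock" >&2
        return 1
    fi
    return 0
}
```

An init script would call prepare_runtime before starting the daemon and skip the start when it returns non-zero.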
Fixed in -r2 Please test and reopen this bug if needed +*fail2ban-0.8.4-r2 (02 Dec 2010) + + 02 Dec 2010; Markos Chandras <hwoarang@gentoo.org> +fail2ban-0.8.4-r2.ebuild, + +files/gentoo-initd_create_run_dir.patch, metadata.xml: + Create /var/run/fail2ban on runtime and remove stalled sock file in case of + system crash. Thanks to Michael Lorant <mikel@mlvision.com.au>. Bug #347477. + Taking over maintainership +
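Review bot: The ChangeLog text says "remove stalled sock file", which should read "stale socket file", and "on runtime" reads better as "at runtime". The patch file name gentoo-initd_create_run_dir.patch mentions only the directory creation while the entry says the same change also removes the socket, so either the name or the entry should cover both behaviours.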