Fail2Ban won't start

FreePBX 17 on Debian 12

After running updates fail2ban will not run.

I try to reinstall it and I get this error:

root@pbx1:/home/administrator# apt reinstall fail2ban
The following packages were automatically installed and are no longer required:
g+±12 libavutil57 libfuse2 libnsl-dev libpython3.11-minimal libtirpc-dev perl-modules-5.36
libabsl20220623 libcbor0.8 libglapi-mesa libpaper1 libpython3.11-stdlib libunwind8 python3-pycurl
libappstream4 libcodec2-1.0 libjxl0.7 libpcre3 librav1e0 libutempter0 python3-pysimplesoap
libassuan0 libdav1d6 libkdb5-10 libperl5.36 libssh-gcrypt-4 libutf8proc2 python3-six
libavcodec59 libdaxctl1 libllvm15 libplacebo208 libstdc+±12-dev libvpx7 python3.11
libavdevice59 libdrm-nouveau2 liblua5.3-0 libpmem1 libsvtav1enc1 libx265-199 python3.11-dev
libavfilter8 libdrm-radeon1 libmbedcrypto7 libpostproc56 libswresample4 libxcb-dri2-0 python3.11-minimal
libavformat59 libepoxy0 libmfx1 libpython3.11 libswscale6 linux-image-6.1.0-30-amd64
libavif15 libflac12 libndctl6 libpython3.11-dev libtheora0 lua-lpeg
Use ‘apt autoremove’ to remove them.

Summary:
Upgrading: 0, Installing: 0, Reinstalling: 1, Removing: 0, Not Upgrading: 7
Download size: 0 B / 451 kB
Space needed: 0 B / 236 GB available

(Reading database … 177773 files and directories currently installed.)
Preparing to unpack …/fail2ban_1.0.2-2_all.deb …
Unpacking fail2ban (1.0.2-2) over (1.0.2-2) …
dpkg: error processing archive /var/cache/apt/archives/fail2ban_1.0.2-2_all.deb (–unpack):
trying to overwrite ‘/etc/fail2ban/action.d/iptables-allports.conf’, which is also in package sangoma-pbx17 (2408-1.sng12)
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:224: SyntaxWarning: invalid escape sequence ‘\s’
“1490349000 test failed.dns.ch”, “^\stest \S+"
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:435: SyntaxWarning: invalid escape sequence ‘\S’
‘^’+prefix+‘User \S+ not allowed\n’
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:443: SyntaxWarning: invalid escape sequence ‘\S’
‘^’+prefix+‘User \S+ not allowed\n’
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:444: SyntaxWarning: invalid escape sequence ‘\d’
‘^’+prefix+‘Received disconnect from port \d+’
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:451: SyntaxWarning: invalid escape sequence ‘\s’
_test_variants(‘common’, prefix="\s\S+ sshd[\d+]:\s+”)
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:537: SyntaxWarning: invalid escape sequence ‘[’
‘common[prefregex=“^svc[\d+] connect .+$”’
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1375: SyntaxWarning: invalid escape sequence ‘\s’
“{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do”,
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1378: SyntaxWarning: invalid escape sequence ‘\s’
“{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do”,
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1421: SyntaxWarning: invalid escape sequence ‘\s’
“{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do”,
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1424: SyntaxWarning: invalid escape sequence ‘\s’
“{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do”,
Errors were encountered while processing:
/var/cache/apt/archives/fail2ban_1.0.2-2_all.deb
Error: Sub-process /usr/bin/dpkg returned an error code (1)
root@pbx1:/home/administrator#

I’d be more concerned about why your system wants to remove all those packages first, that’s rather strange.

A pitfall of debian, try remove one thing they deem important and it wants to remove your entire OS.

Try to remove this file and make a apt update then try to re-install f2ban

i noticed my fail2ban fails to start on freepbx17/debian13 (yes yes, in theory 13 isnt supported) due to an unsupported python version, which was fixed in fail2ban, but cannot be installed onto the machine.

the error (when trying to install through apt or dpkg) is the same as above, and the important part to note is which is also in package sangoma-pbx17 (2408-1.sng12)

so, sangoma is bundling (part of) fail2ban with its packages, which apt doesn’t like when you try to upgrade fail2ban itself.
to me, this is a sangoma fault (if they provide a configuration, they should instead create a file such as sangoma-iptables.conf or something else which would not interfere with the normal operation of the fail2ban package.

the no longer needed packages doesn’t mean much and certainly isn’t an error or anything which will happen (it just tells you that -in theory- you can remove those packages),
and the syntaxwarnings for the tests are just that: warnings

so, the only thing keeping the installation from succeeding, is the fact that sangoma is bundling default files for fail2ban with their packaging.

so, getting this error would happen on debian 12 and 13, as in both cases the cause is the same (sangoma’s packaging)

in any case, i’m not sure about debian 12, but on 13 fail2ban does not run,
so i would advise everyone to just verify if their fail2ban is actually working:

systemctl status fail2ban.service
(if you see an “ERROR No module named ‘asynchat’”, this means that fail2ban fails due to an unsupported python version, which was fixed by fail2ban 20!! months ago

You doing this out of scope and spec is Sangoma’s fault? I don’t think so. FreePBX v17 is designed for Debian 12 which the specific dependencies the install script installs and in some cases locks the system to.

Anyone using another OS and dependencies that are not supported by Sagnoma for FreePBX v17 falls under the “expert manual install” realm and you are left to support your own choices of it.

if you read OPs post, he is using debian 12 and has the same issue, which is the only reason i responded….
in my case, yes, i’m on 13, and i’m not asking for anything from sangoma (i’ll handle stuff myself if i need to, i know that 13 isn’t supported - although, regardless of that, this is bad practice on sangoma’s part imho)

i mean: preventing the ability to upgrade fail2ban (which they installed through the normal apt way, meaning it is also going to try to upgrade when you do apt upgrade) because sangoma decided to ship config files in their package with the same name as in the actual fail2ban package, instead of using something sangoma-named, and then failing to provide (timely) upgrades to fail2ban is a sangoma issue in my book, and one that’s extremely easily fixed, even.

You are talking about “dependencies” but there ARE NO dependencies in the case of fail2ban,
it is just a matter of “sangoma packaged files with the exact same filename as fail2ban files and put them in the exact same spot the fail2ban package expects them”

so this means if sangoma named their fail2ban config files differently (like prefixing them with SNG for example), nothing would be wrong, fail2ban would be able to be updated, and apt wouldn’t die trying (which will also happen on debian 12 if the fail2ban package isn’t held)

or, if they would just provide the entire fail2ban (and not have the OS install the fail2ban deb package), then it would also be another matter (but that would be doing additional work that’s not required, so, not a good option).

having the fail2ban apt installed, and then preventing apt from correctly running (because apt upgrade, if the repo has an updated fail2ban, and fail2ban isnt held, will also fail due to (and only to) this naming issue)

don’t get me wrong, sangoma is doing good work keeping freepbx alive and open source at it’s core, and i’m happy that they moved to debian (i’m more of a deb guy than rpm guy) and i’m just using freepbx for non-important stuff…. but they could have easily prevented this imho

that being said, OP says it happened after updating - perhaps somehow he also upgraded sources to trixie (or even just updated python, not sure which version is current on 12), causing the issue, because i’m quite sure he’ll see in the fail2ban logs the ‘asynchat’ error, indicating that the python version on the system is the issue preventing fail2ban from starting)
generally, trying to reinstall the package could then help, but like i’ve said, this is impossible due to sangoma including the same files in their .deb

Perhaps the OP should actually show the issues with fail2ban not starting and not just how they tried to update it because it didn’t start.

@datacare How about some actual details and output from attempting to start fail2ban on the system? Let’s actually look at why it doesn’t start.

@datacare : i’m attaching a .deb for fail2ban (latest version) which has the sangoma-overwritten files removed (i.e: the sangoma version remains, the newer fail2ban version in this file will not replace them). there are a total of 4:

etc/fail2ban/action.d/iptables-allports.conf
etc/fail2ban/action.d/iptables-multiport.conf
etc/fail2ban/filter.d/asterisk.conf
etc/fail2ban/jail.conf

the only change to fixed.deb vs the original fail2ban deb (as provided on Release 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km · fail2ban/fail2ban · GitHub ) is the removal of the above 4 files from both the actual data and the DEBIAN/conffiles in order to not prevent apt from being able to install.

YMMV, but normally you should be able to install this just fine (dpkg -i fixed.deb ) and have a working fail2ban again, without any other changes to your system.

fixed.tgz (308.0 KB)

Note: rename .tgz to .deb (.deb could not be uploaded directly),
and ofcourse, doublecheck that the reason for not starting is indeed as i’m assuming the python version (systemctl status fail2ban.service should show a failed with an error about asynchat)