Fail2ban won't start

(United States) #61

Just wanted to say thank you, thank you, THANK YOUUUUUU!!!1

This fixed my problem and means I don’t have to start another reinstall from scratch.

(Dan Corwin) #62

This worked for me as well. Thank you!


Hello All,

This doesn’t work for me.
I do have the /etc/fail2ban/filter.d/apache-api.conf

and am running: sysadmin | | Enabled

Should I force down to the versions that are mentioned above to work?

(Yois) #64

Your issue is Zulu, not apache. Follow that solution path in this thread.

Edit jail.local and remove the Zulu jail.
Sysadmin is still broken.


As is Fail2ban seriously hamstrung if not technically broken in ‘the distro’ :wink:


Got it, yes, that fixed it as I set it to false, but a little while later it came back and was enabled, so I did end up deleting the zulu entry!

Which is now magically re-entering itself into the file randomly.
I have deleted the section several times. ( for reference Zulu is not installed )

(Bob Reiber) #67

So far I’ve had half a dozen with this issue but I suspect a bunch more will make themselves known. The good news is that every one has been either the issue with the zulu jail or with apache-api.conf missing. So at least we have the repairs documented here.

(Dotcom) #68

I have the exact same issue, F2B not starting…

fwconsole ma list | grep sysadmin
| sysadmin | | Enabled | Commercial |

I don’t find any reference for “zulu” in jail.local.

Any other ideas?

(Bob Reiber) #69

I’ve only had two so far that had the zulu issue, the rest have all been the missing apache-api.conf file.

My procedure is as follows:

  1. verify that sysadmin is upgraded to the latest stable track (anything past .72 seems to work)
  2. run fail2ban-client -x start and look at the error. Mine have all mentioned either the zulu jail or apache-api.
  3. either comment out or delete the zulu jail, or upload a copy of apache-api.conf
  4. run fail2ban-client -x start again.
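A scripted form of the diagnosis in step 2, as an added example that is not part of the original posts: it lists every enabled jail whose filter has no readable file in filter.d, the condition behind the apache-api error in this thread. The sample jail file and filter directory are constructed, and treating a jail without a `filter =` line as using its own name is an assumption.

```shell
# Added example (not from the thread): print "jail:filter" for every enabled
# jail whose filter has no readable .conf/.local file. Assumptions: a jail is
# enabled only if its own section says so; no "filter =" means filter = jail name.
missing_filters() {    # usage: missing_filters JAIL_FILE FILTER_DIR
    awk '
        function emit() {
            if (jail != "" && jail != "DEFAULT" && enabled == "true")
                print jail, (filter != "" ? filter : jail)
        }
        function value(line) {          # text after the equals sign, trimmed
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line)
            return line
        }
        /^[ \t]*[#;]/ { next }          # comment line
        /^[ \t]*\[/ {                   # section header starts a new jail
            emit()
            jail = $0; sub(/^[ \t]*\[/, "", jail); sub(/\].*$/, "", jail)
            enabled = ""; filter = ""; next
        }
        /^[ \t]*enabled[ \t]*=/ { enabled = value($0) }
        /^[ \t]*filter[ \t]*=/  { filter = value($0); sub(/\[.*$/, "", filter) }
        END { emit() }
    ' "$1" | while read -r jail filter; do
        [ -r "$2/$filter.conf" ] || [ -r "$2/$filter.local" ] || echo "$jail:$filter"
    done
}

# Constructed sample: a healthy jail, an enabled jail with no filter file,
# and a disabled jail with no filter file (which is not reported).
demo_missing_filters() {
    d=$(mktemp -d) || return 1
    mkdir "$d/filter.d" && : > "$d/filter.d/sshd.conf"
    cat > "$d/jail.local" <<'EOF'
[ssh-iptables]
enabled = true
filter  = sshd
[apache-api]
enabled = true
[zulu]
enabled = false
filter  = zulu
EOF
    missing_filters "$d/jail.local" "$d/filter.d"
    rm -rf "$d"
}

demo_missing_filters
```

On a real system the call would be `missing_filters /etc/fail2ban/jail.local /etc/fail2ban/filter.d`; each line of output names a jail to disable or a filter file to restore.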

(Franck Danard) #70
| firewall             | 15.0.19    | Enabled | AGPLv3+     |
| sysadmin             | | Enabled | Commercial  |
| zulu                 | | Enabled | Commercial  |

For my part, all works correctly.
F2B is still alive.


When you set up Fail2Ban, the rules will be added into the ‘chain = xxx’ as defined in your jail.local; the default is at the top of the rules (if that is supported in your version of Fail2ban and you have so defined it). This allows you to have your firewall exist nicely with fail2ban and should stop all this Firewall/Fail2ban not working shenanigans we see here. (Yes, you need any undefined rogue jails fully defined.)

If your ‘chain’ is defined and is previously created in your iptable rules appropriately and you want fail2ban to preempt your firewall, then that chain should be upfront; if you rely on your firewall, then place that chain after your firewall is in place. Either way everything will be copacetic (it’s just iptables :wink:).

(This you can do with fail2ban aka ‘intrusion detection’ but not possible with the commercial module version, which apparently restarts fail2ban at its whim without that consideration.)

(Moussa) #72

Last night I upgraded my PBX to version 15 (from 14). I also had the same issue, Fail2ban will not start. All installed modules were up to date before the upgrade, but I had some that were disabled or uninstalled.
I had the ERROR Found no accessible config files for 'filter.d/apache-api' under /etc/fail2ban error, and running /var/www/html/admin/modules/sysadmin/hooks/fail2ban-apache-config fixed it for me.


We’ve done two distro installs in the last week. Both had this problem.

They also had an issue where when we went through the initial setup wizard in the GUI, the Responsive Firewall part locked us out at the 2nd or 3rd YES (can’t remember which). In both cases we had to reboot the system from the CLI and use the delay firewall start period to get back into the GUI and adjust the firewall settings. Something is wonky in the automated/wizard setup.

(Defcomllc) #74

I just did a clean install today as well for a client. All modules updated and ran setup wizard. I am also getting the fail2ban won't start issue…

System Admin
System Firewall 15.0.19

[[email protected] ~]# fail2ban-client -x start
ERROR Found no accessible config files for 'filter.d/apache-api' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'apache-api'. Skipping...

[[email protected] ~]# systemctl start fail2ban.service
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

(Defcomllc) #75

As an update to my issue posted above, support responded to my ticket very quickly and SSH'd into my deployment. I did 2 fresh installs today, did all the module updates and activated, and this issue came up after running the sysadmin wizard…

It's now fixed, and here is what support said they did:

fwconsole ma downloadinstall framework
fwconsole ma downloadinstall core
fwconsole ma downloadinstall firewall
fwconsole ma downloadinstall sysadmin
fwconsole chown
fwconsole r
fwconsole restart

(Bob Reiber) #76

Contacting support works too but if you see that error just upload a copy of apache-api.conf to /etc/fail2ban/filter.d and be done with it.


(Somebody at Sangoma needs to fix this debacle, it’s been going on for weeks (but truly fail2ban aka IDS as utilized by FreePBX has been way behind the times for quite some years, I suggest they should RTF F2B M and fix that at the same time :slight_smile: the trick is to add a ‘chain’ for F2B to have F2B’s rules inserted into using F2B’s ‘chain’ declaration and which is copacetic with the FPBX firewall (and of course make sure any jails created have a source to read (duh!)) . . . )

(Jared Busch) #78

it is a large :poop: show…
