Package: fail2ban
Version: 1.1.0-7
Severity: grave
Since we upgraded a server to trixie, fail2ban completely fails to
start:
root@submit-01:~# /usr/bin/fail2ban-server -xf start
Server ready
root@submit-01:~# echo $?
255
What's confusing is it doesn't actually show the error message on
startup. The logs do tell the story though:
2025-05-06 13:57:47,549 fail2ban.server [10131]: INFO --------------------------------------------------
2025-05-06 13:57:47,549 fail2ban.server [10131]: INFO Starting Fail2ban v1.1.0
2025-05-06 13:57:47,550 fail2ban.observer [10131]: INFO Observer start...
2025-05-06 13:57:47,553 fail2ban.database [10131]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: INFO Creating new jail 'postfix-sasl'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: ERROR Backend 'systemd' failed to initialize due to No module named 'distutils'
2025-05-06 13:57:47,554 fail2ban.jail [10131]: ERROR Failed to initialize any backend for Jail 'postfix-sasl'
2025-05-06 13:57:47,554 fail2ban.transmitter [10131]: ERROR Command ['server-stream', [['set', 'thread', {'stacksize': 0}], ['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', '
allowipv6', 'auto'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '86400'], ['add', 'postfix-sasl', 'systemd'], ['set', 'postfix-sasl', 'usedns', 'warn'], ['set', 'postfix-sasl', 'prefregex',
'^\\s*(?:\\S+\\s+)?(?:postfix(-\\w+)?/[^/\\[:\\s]+(?:/smtp[ds])?(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?warning: <F-CONTENT>.+</F-CONTENT>$'], ['set', 'postfix-sasl', 'addfailregex', '^[^[]*\\[<HOST>\\](?::\\d+)?: SASL ((?i)LOGIN|
PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)'], ['set', 'postfix-sasl', 'datepattern', '{^LN-BEG}'], ['set', 'postfix-sasl', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.
service', '_SYSTEMD_UNIT=
postfix@-.service'], ['set', 'postfix-sasl', 'maxretry', 5], ['set', 'postfix-sasl', 'maxmatches', 5], ['set', 'postfix-sasl', 'findtime', '3m'], ['set', 'postfix-sasl', 'bantime', '10m'], ['set', 'postfix-sasl', 'ignorecommand',
''], ['set', 'postfix-sasl', 'ignoreself', True], ['set', 'postfix-sasl', 'addignoreip', '127.0.0.1'], ['set', 'postfix-sasl', 'logencoding', 'auto'], ['set', 'postfix-sasl', 'addaction', 'iptables-multiport'], ['multi-set', 'postfix-sasl', 'action', '
iptables-multiport', [['actionstart', "{ <iptables> -C f2b-postfix-sasl -j RETURN >/dev/null 2>&1; } || { <iptables> -N f2b-postfix-sasl || true; <iptables> -A f2b-postfix-sasl -j RETURN; }\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\n{ <iptables> -C
INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl >/dev/null 2>&1; } || { <iptables> -I INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl; }\ndone"], ['actionstop', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<
iptables> -D INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl\ndone\n<iptables> -F f2b-postfix-sasl\n<iptables> -X f2b-postfix-sasl"], ['actionflush', '<iptables> -F f2b-postfix-sasl'], ['actioncheck', "for proto in $(echo 'tcp' | sed 's/
,/ /g'); do\n<iptables> -C INPUT -p $proto -m multiport --dports 0:65535 -j f2b-postfix-sasl\ndone"], ['actionban', '<iptables> -I f2b-postfix-sasl 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-postfix-sasl -s <ip> -j <blocktype>'], ['
port', '0:65535'], ['protocol', 'tcp'], ['chain', 'INPUT'], ['name', 'postfix-sasl'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <
lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['start', 'postfix-sasl']]] has failed. Received RuntimeError("Failed to initialize any backend for Jail '
postfix-sasl'")
2025-05-06 13:57:47,554 fail2ban [10131]: ERROR NOK: ("Failed to initialize any backend for Jail 'postfix-sasl'",)
2025-05-06 13:57:47,554 fail2ban.server [10131]: INFO Shutdown in progress...
2025-05-06 13:57:47,554 fail2ban.observer [10131]: INFO Observer stop ... try to end queue 5 seconds
2025-05-06 13:57:47,575 fail2ban.observer [10131]: INFO Observer stopped, 0 events remaining.
2025-05-06 13:57:47,615 fail2ban.server [10131]: INFO Stopping all jails
2025-05-06 13:57:47,615 fail2ban.database [10131]: INFO Connection to database closed.
2025-05-06 13:57:47,615 fail2ban.asyncserver [10131]: WARNING Accept socket error: cannot unpack non-iterable NoneType object
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py", line 218, in handle_accept
conn, addr = self.accept()
^^^^^^^^^^
TypeError: cannot unpack non-iterable NoneType object
2025-05-06 13:57:47,817 fail2ban.server [10131]: INFO Exiting Fail2ban
The `postfix-sasl` jail looks like:
```
[postfix-sasl]
enabled = true
mode = auth
backend = %(postfix_backend)s
filter = postfix[mode=%(mode)s]
logpath = %(postfix_log)s
maxretry = 5
findtime = 3m
```
and postfix_backend is:
paths-debian.conf:postfix_backend = systemd
... which is where that systemd comes from. I bet it's this line in filtersystemd.py that's causing trouble:
from distutils.version import LooseVersion
This was fixed upstream in:
https://github.com/fail2ban/fail2ban/commit/a763fbbdfd6486e372965b4009eb3fe5db346718
... shortly *after* the last release, which is present in Debian.
I applied parts of the above patch here and things seem to go back to normal.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)