Fail2Ban does not work after upgrade

Discussion in 'Installation/Configuration' started by pecka33, Aug 15, 2021.

  1. pecka33

    pecka33 Member

    Hello,

    I upgraded from Debian 10 to 11; everything works fine, but I cannot start Fail2Ban - it does not work - no IP gets banned.

    In the log I can see

    Code:
    root@:~# /etc/init.d/fail2ban status
    ● fail2ban.service - Fail2Ban Service
         Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
         Active: active (running) since Sun 2021-08-15 11:48:35 CEST; 7s ago
           Docs: man:fail2ban(1)
        Process: 25577 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
       Main PID: 25578 (fail2ban-server)
          Tasks: 3 (limit: 9510)
         Memory: 13.4M
            CPU: 410ms
         CGroup: /system.slice/fail2ban.service
                 └─25578 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
    
    Aug 15 11:48:35 systemd[1]: Starting Fail2Ban Service...
    Aug 15 11:48:35 systemd[1]: Started Fail2Ban Service.
    Aug 15 11:48:35 fail2ban-server[25578]: 2021-08-15 11:48:35,737 fail2ban.configreader   [25578]: ERROR   Found no accessible config files for 'filter.d/postfix-sasl' … /etc/fail2ban
    Aug 15 11:48:35 fail2ban-server[25578]: 2021-08-15 11:48:35,738 fail2ban.jailreader     [25578]: ERROR   Unable to read the filter 'postfix-sasl'
    Aug 15 11:48:35 fail2ban-server[25578]: 2021-08-15 11:48:35,738 fail2ban.jailsreader    [25578]: ERROR   Errors in jail 'postfix-sasl'. Skipping...
    Aug 15 11:48:35 fail2ban-server[25578]: Server ready
    Hint: Some lines were ellipsized, use -l to show in full.
    
    Code:
    2021-08-15 11:48:35,907 fail2ban.filter         [25578]: ERROR   No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*'
    2021-08-15 11:48:35,907 fail2ban.transmitter    [25578]: WARNING Command ['server-stream', [['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbmaxmatches', 10], ['set', 'dbpurgeage', '1d'], ['add', 'sshd', 'auto'], ['set', 'sshd', 'usedns', 'warn'], ['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'], ['set', 'sshd', 'maxlines', 1], ['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! 
from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^Disconnecting: Too many authentication failures(?: for <F-USER>\\S+|.*?</F-USER>)?(?: (?:port 
\\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.*?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']], ['set', 'sshd', 'datepattern', '{^LN-BEG}'], ['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'], ['set', 'sshd', 'maxretry', 5], ['set', 'sshd', 'maxmatches', 5], ['set', 'sshd', 'findtime', '10m'], ['set', 'sshd', 'bantime', '10m'], ['set', 'sshd', 'ignorecommand', ''], ['set', 'sshd', 'logencoding', 'auto'], ['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head'], ['set', 'sshd', 'addaction', 'iptables-multiport'], ['multi-set', 'sshd', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd'], ['actionflush', '<iptables> -F f2b-sshd'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-sshd[ \\t]'"], ['actionban', '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'sshd'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], 
['config-error', "Jail 'postfix-sasl' skipped, because of wrong configuration: Unable to read the filter 'postfix-sasl'"], ['add', 'dovecot-pop3imap', 'auto'], ['set', 'dovecot-pop3imap', 'usedns', 'warn'], ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'], ['set', 'dovecot-pop3imap', 'maxretry', 5], ['set', 'dovecot-pop3imap', 'maxmatches', 5], ['set', 'dovecot-pop3imap', 'findtime', '10m'], ['set', 'dovecot-pop3imap', 'bantime', '10m'], ['set', 'dovecot-pop3imap', 'ignorecommand', ''], ['set', 'dovecot-pop3imap', 'logencoding', 'auto'], ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/mail.log', 'head'], ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport'], ['multi-set', 'dovecot-pop3imap', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-dovecot-pop3imap\n<iptables> -A f2b-dovecot-pop3imap -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j f2b-dovecot-pop3imap'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j f2b-dovecot-pop3imap\n<iptables> -F f2b-dovecot-pop3imap\n<iptables> -X f2b-dovecot-pop3imap'], ['actionflush', '<iptables> -F f2b-dovecot-pop3imap'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-dovecot-pop3imap[ \\t]'"], ['actionban', '<iptables> -I f2b-dovecot-pop3imap 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-dovecot-pop3imap -s <ip> -j <blocktype>'], ['name', 'dovecot-pop3imap'], ['port', 'pop3,pop3s,imap,imaps'], ['protocol', 'tcp'], ['actname', 'iptables-multiport'], ['chain', 'INPUT'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with 
icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['add', 'pureftpd', 'auto'], ['set', 'pureftpd', 'usedns', 'warn'], ['set', 'pureftpd', 'addfailregex', '.*pure-ftpd: \\(.*@<HOST>\\) \\[WARNING\\] Authentication failed for user.*'], ['set', 'pureftpd', 'maxretry', 3], ['set', 'pureftpd', 'maxmatches', 3], ['set', 'pureftpd', 'findtime', '10m'], ['set', 'pureftpd', 'bantime', '10m'], ['set', 'pureftpd', 'ignorecommand', ''], ['set', 'pureftpd', 'logencoding', 'auto'], ['set', 'pureftpd', 'addlogpath', '/var/log/syslog', 'head'], ['set', 'pureftpd', 'addaction', 'iptables-multiport'], ['multi-set', 'pureftpd', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-pureftpd\n<iptables> -A f2b-pureftpd -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports ftp -j f2b-pureftpd'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports ftp -j f2b-pureftpd\n<iptables> -F f2b-pureftpd\n<iptables> -X f2b-pureftpd'], ['actionflush', '<iptables> -F f2b-pureftpd'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-pureftpd[ \\t]'"], ['actionban', '<iptables> -I f2b-pureftpd 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-pureftpd -s <ip> -j <blocktype>'], ['port', 'ftp'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'pureftpd'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]], ['start', 'sshd'], ['start', 'dovecot-pop3imap'], ['start', 'pureftpd']]] has failed. 
Received RegexException("No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'")
    2021-08-15 11:48:35,908 fail2ban                [25578]: ERROR   NOK: ("No failure-id group in '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P<host>\\S*),.*'",)
    2021-08-15 11:49:25,883 fail2ban.transmitter    [25578]: WARNING Command ['status', 'postfix-sasl'] has failed. Received UnknownJailException('postfix-sasl')
    
    Any idea please?
     
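As an added illustration (not part of the thread, and not Fail2Ban's own code), the following Python re-creates the check behind the `No failure-id group` error quoted above. Since Fail2Ban 0.10 (Debian 11 ships the 0.11 series), a `failregex` must identify the offending address through the `<HOST>` or `<ADDR>` tags, which expand into named groups `ip4`, `ip6` and `dns`, or through an `<F-ID>` group; a hand-written `(?P<host>...)` group from the 0.9-era syntax, which is exactly what the dovecot filter in the error message uses, no longer counts, so the jail fails and none of the jails in that batch start. The `HOST_EXPANSION` pattern is a simplified stand-in for the real tag expansion, and the sample log line is constructed; `compile_failregex`, `extract_offender` and `regex_is_accepted` are names chosen here.

```python
import re
from typing import Optional

# Constructed from the thread: the failregex quoted in the "No failure-id group"
# error, written in the Fail2Ban 0.9 style with a hand-made (?P<host>...) group.
OLD_REGEX = (
    r"(?: pop3-login|imap-login): .*(?:Authentication failure"
    r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
    r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
    r".*rip=(?P<host>\S*),.*"
)

# The same expression with the address capture rewritten to the <HOST> tag,
# which is the form Fail2Ban 0.10+ expects.
NEW_REGEX = OLD_REGEX.replace(r"(?P<host>\S*)", "<HOST>")

# Assumption: simplified stand-in for what Fail2Ban expands <HOST> to.  The real
# expansion uses much stricter IPv4/IPv6 patterns, but the group names
# (ip4, ip6, dns) are the ones Fail2Ban looks for.
HOST_EXPANSION = (
    r"(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
    r"|(?P<ip6>[0-9a-fA-F:]*:[0-9a-fA-F:]*)"
    r"|(?P<dns>[\w\-.^_]*\w))"
)

# Named groups that count as a "failure id" (an address or an <F-ID>) in 0.10+.
FAIL_ID_GROUPS = ("fid", "ip4", "ip6", "dns")


class RegexException(ValueError):
    """Raised, as Fail2Ban does, when a failregex cannot identify the offender."""


def expand_tags(regex: str) -> str:
    """Replace the <HOST> tag with its named-group expansion."""
    return regex.replace("<HOST>", HOST_EXPANSION)


def compile_failregex(regex: str) -> "re.Pattern[str]":
    """Compile a failregex and refuse it when it has no failure-id group."""
    compiled = re.compile(expand_tags(regex))
    if not any(name in compiled.groupindex for name in FAIL_ID_GROUPS):
        raise RegexException("No failure-id group in '%s'" % regex)
    return compiled


def regex_is_accepted(regex: str) -> bool:
    """True when the failregex passes the failure-id check, False otherwise."""
    try:
        compile_failregex(regex)
    except RegexException:
        return False
    return True


def extract_offender(regex: str, line: str) -> Optional[str]:
    """Return the address a matching log line attributes the failure to, else None."""
    match = compile_failregex(regex).search(line)
    if match is None:
        return None
    for name in FAIL_ID_GROUPS:
        if name in match.groupdict() and match.group(name):
            return match.group(name)
    return None


# Constructed sample line in Dovecot's login-failure format (not from the thread).
SAMPLE_LINE = (
    "Aug 15 11:50:01 mail dovecot: imap-login: Disconnected (auth failed, "
    "3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, "
    "lip=198.51.100.2, session=<x>"
)

if __name__ == "__main__":
    print("0.9-style regex accepted:  ", regex_is_accepted(OLD_REGEX))
    print("<HOST>-style regex accepted:", regex_is_accepted(NEW_REGEX))
    print("offender:", extract_offender(NEW_REGEX, SAMPLE_LINE))
```

Running it shows the 0.9-style expression being rejected while the `<HOST>` form is accepted and pulls `203.0.113.7` out of the sample line. The practical check on a real box is the same idea: look through `/etc/fail2ban/filter.d` for `(?P<host>` and test each filter with `fail2ban-regex <logfile> <filter>` before starting the service, which tells you which filter the package upgrade left behind instead of skipping whole jails silently.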
  2. pecka33

    pecka33 Member

    Probably solved with

    Code:
    service fail2ban stop
    rm -r /etc/fail2ban/
    apt-get purge fail2ban
    
    apt-get install fail2ban
    
     
