Missing fail2ban dependency on Debian
In the commit https://github.com/geerlingguy/ansible-role-security/commit/0b9a774f875ff3c175fc4f16a6d2b5b479d17e45 the backend for the SSH Jail for Fail2Ban on Debian 12 and higher is set to systemd. However, this requires an additional python package called python3-systemd in order to work (listed here fail2ban/fail2ban/README.md). Currently, on very minimal Debian Default Setups, this causes the fail2ban service to fail on start.
Related Issue and PR: https://github.com/geerlingguy/ansible-role-security/issues/121 , https://github.com/geerlingguy/ansible-role-security/pull/122
My proposal for a fix would be introducing a new variable called security_fail2ban_optional_dependencies:
```yaml
security_fail2ban_optional_dependencies:
  - python3-systemd
```
Used by the following additional task at a good position:
```yaml
- name: Install fail2ban optional dependencies.
  ansible.builtin.package:
    name: "{{ security_fail2ban_optional_dependencies }}"
    state: present
  notify:
    - reload fail2ban
```
If the proposal meets your expectations, I'm happy to open a corresponding Pull Request.
Also, the defined logtarget for Debian >= 12 seems to not do what it seems to wish:
In templates/fail2ban.local.j2:
```ini
[Definition]
logtarget = SYSTEMD-JOURNAL
```
should be:
```ini
[Definition]
logtarget = SYSOUT
```
since fail2ban is running as a systemd service.
(Solution found in this issue)
EDIT: I submitted a separate PR since this can be applied independently.
I am encountering the same problem that the python3 systemd module is missing, and the error message is subtle: "No module named 'systemd'". I had to search on the internet to find out that it's a Python module related issue and the corresponding solution.
I was raising an issue on the problem and found this link.
From my point of view, I would like to suggest that the playbook should check the OS version and Python version and install the systemd module automatically if necessary. Then the user could avoid encountering the problem again with a subtle error message, searching around, and finding out that the solution is to set up a variable.
Another point is that the systemd module is not an optional dependency any more for Debian 12+. It could be a mandatory dependency from the following point of view: without the dependency, the fail2ban service could not be up.
I am looking forward to hearing the opinion from your side.
Another point is that the playbook might be run on multiple hosts at the same time. The variable should be a host-specific variable, and if we define a global variable to control the dependency, that could make the problem more complicated.
If we can check the OS version and Python version and install the dependencies automatically, that could save a variable. That could be so-called less is more :).
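
The automatic approach suggested in the comment above, written as role tasks (an added example, not code from the role or from anyone in this thread). It assumes facts are gathered, that the SSH jail uses the systemd backend on Debian 12 and higher as the issue describes, and that a `reload fail2ban` handler exists as in the proposed task; the import check makes a missing module fail the play instead of leaving fail2ban stopped.

```yaml
# Added example: not part of the role. Assumes gathered facts and an
# existing "reload fail2ban" handler (name taken from the proposal above).
- name: Ensure the systemd backend dependency on Debian 12 and higher.
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_major_version | int >= 12
  block:
    - name: Install the Python systemd bindings needed by the systemd backend.
      ansible.builtin.package:
        name: python3-systemd
        state: present
      notify:
        - reload fail2ban

    # Fails the play early if the module still cannot be imported, rather
    # than surfacing later as "No module named 'systemd'" at service start.
    - name: Verify the systemd Python module can be imported.
      ansible.builtin.command: python3 -c "import systemd.journal"
      changed_when: false
```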
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.