Fail2Ban error: findFailure failed to parse timeText

Created:

2017-02-15 16:35:57 UTC

Modified:

2017-08-16 17:30:30 UTC


Applicable to:

  • Plesk 12.5 for Linux

Symptoms

  • A large number of records like the following appear in /var/log/fail2ban.log:

2017-02-15 17:19:01,953 fail2ban.filter [1385]: ERROR findFailure failed to parse timeText: Feb 13 03:40:46 12345

  • The server hostname starts with digits:

# hostname
12345.example.com

Cause

Using a log format like Aug 8 11:25:50 hostname ... causes the date parsing to fail if the hostname begins with digits.

This issue has been recognized as Plesk bug #PPPM-5807 and will be fixed in future product updates.

Resolution

Workaround I

Rename the server, so its hostname does not start with digits.

Workaround II

Apply the following patch:

1. Log in to the server over SSH.

2. Back up the original file:

# cp /usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.py{,.back}

Note: A different version of Python may be installed on the server. It can be checked with the python -V command.

3. Download a patch and unpack it:

# wget https://support.plesk.com/hc/en-us/article_attachments/115001426734/fail2ban.patch.tar.gz 
# tar zxvf fail2ban.patch.tar.gz

4. Apply the patch:

# patch /usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.py fail2ban.patch

Workaround III

This workaround is for the case when the hostname starts with four digits.

1. Find all jails that monitor /var/log/maillog and /var/log/secure logs.

2. Back up the current filters for those jails (e.g., if the Plesk default set of jails is used):

# cp /etc/fail2ban/filter.d/plesk-courierlogin.conf{,.orig}
# cp /etc/fail2ban/filter.d/plesk-dovecot.conf{,.orig}
# cp /etc/fail2ban/filter.d/plesk-qmail.conf{,.orig}
# cp /etc/fail2ban/filter.d/postfix-sasl.conf{,.orig}
# cp /etc/fail2ban/filter.d/proftpd.conf{,.orig}
# cp /etc/fail2ban/filter.d/sshd.conf{,.orig}

3. Add the datepattern option under the [Init] section of every configuration file listed above:

[Init]
datepattern = %%b %%d %%H:%%M:%%S

If the error still appears, it is most probably caused by old records in /var/log/fail2ban.log that are picked up by the "recidive" jail. Clean this log.
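The following added example (not Plesk's or Fail2Ban's own code) models the failure described under Cause and the effect of the Workaround III datepattern. The LOOSE regex is an assumed stand-in for a date template that accepts an optional trailing year; the log lines, the hostname web01 and the default year are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines: syslog writes "<date> <hostname> <service>: ...".
LINE_DIGIT_HOST = "Feb 13 03:40:46 12345 sshd[2210]: Failed password for root from 203.0.113.7"
LINE_ALPHA_HOST = "Feb 13 03:40:46 web01 sshd[2210]: Failed password for root from 203.0.113.7"

_BASE = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
# Assumed model of a template that accepts an optional trailing year.
# Illustration only; this is not fail2ban's actual regex.
LOOSE = re.compile(r"^" + _BASE + r"(?: \d+)?")
# Counterpart of "datepattern = %%b %%d %%H:%%M:%%S": no year slot at all.
STRICT = re.compile(r"^" + _BASE)


def find_time(line, pattern, default_year=2017):
    """Return (time_text, parsed datetime or None) for one log line."""
    match = pattern.match(line)
    if match is None:
        return None, None
    time_text = match.group(0)
    try:
        if len(time_text.split()) == 4:
            # Trailing digits were captured, so they are parsed as a year.
            return time_text, datetime.strptime(time_text, "%b %d %H:%M:%S %Y")
        # No year in the text: supply one so strptime gets a full date.
        stamped = "%d %s" % (default_year, time_text)
        return time_text, datetime.strptime(stamped, "%Y %b %d %H:%M:%S")
    except ValueError:
        # The "failed to parse timeText" case: the text matched the regex
        # but cannot be converted into a timestamp.
        return time_text, None


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        for line in (LINE_DIGIT_HOST, LINE_ALPHA_HOST):
            print(name, find_time(line, pattern))
```

With the loose pattern, the hostname digits end up inside the extracted time text, which reproduces the shape of the timeText value in the error record; the pattern without a year slot stops before the hostname.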
