fail2ban is broken in 24.04 Noble

Bug #2055114 reported by Robert Dinse
This bug affects 39 people
Affects            Status        Importance  Assigned to  Milestone
fail2ban (Ubuntu)  Status tracked in Oracular
  Noble            Incomplete    High        Unassigned
  Oracular         Fix Released  Undecided   Unassigned

Bug Description

Was working in 22.04, but after upgrading to 24.04 I get this:

× fail2ban.service - Fail2Ban Service
     Loaded: loaded (/etc/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Sun 2024-02-25 02:27:29 PST; 1 day 18h ago
   Duration: 2.330s
       Docs: man:fail2ban(1)
    Process: 1130 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
    Process: 1133 ExecStart=/usr/local/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
   Main PID: 1133 (code=exited, status=255/EXCEPTION)
        CPU: 660ms

Feb 25 02:27:26 mx1 systemd[1]: Starting fail2ban.service - Fail2Ban Service...
Feb 25 02:27:26 mx1 systemd[1]: Started fail2ban.service - Fail2Ban Service.
Feb 25 02:27:28 mx1 fail2ban-server[1133]: 2024-02-25 02:27:28,952 fail2ban [1133]: ERROR No module named 'asynchat'
Feb 25 02:27:29 mx1 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Feb 25 02:27:29 mx1 systemd[1]: fail2ban.service: Failed with result 'exit-code'.

grep fail2ban syslog
2024-02-25T02:25:17.813593-08:00 mx1 systemd[1]: Stopping fail2ban.service - Fail2Ban Service...
2024-02-25T02:27:26.625640-08:00 mx1 systemd[1]: Starting fail2ban.service - Fail2Ban Service...
2024-02-25T02:27:26.678572-08:00 mx1 systemd[1]: Started fail2ban.service - Fail2Ban Service.
2024-02-25T02:27:28.954548-08:00 mx1 fail2ban-server[1133]: 2024-02-25 02:27:28,952 fail2ban [1133]: ERROR No module named 'asynchat'
2024-02-25T02:27:29.004733-08:00 mx1 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
2024-02-25T02:27:29.004834-08:00 mx1 systemd[1]: fail2ban.service: Failed with result 'exit-code'.

Seems 24.04 is missing a python 3.12 module 'asynchat'.

This leaves my systems vulnerable to brute-force password guessing attacks.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: fail2ban 1.0.2-3
Uname: Linux 6.7.6 x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: MATE
Date: Mon Feb 26 20:33:12 2024
InstallationDate: Installed on 2017-08-14 (2388 days ago)
InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Release amd64 (20170412)
PackageArchitecture: all
SourcePackage: fail2ban
UpgradeStatus: Upgraded to noble on 2024-01-23 (35 days ago)

Robert Dinse (nanook) wrote :
Alex Murray (alexmurray) wrote :

asynchat was removed in python 3.12, which just became the default python3 in 24.04

information type: Private Security → Public
Alex Murray (alexmurray) wrote :
Alex Murray (alexmurray) wrote :

So whilst in Ubuntu we do have python-pyasyncore which provides asyncore, we don't have asynchat so this might need to be packaged separately OR vendored into fail2ban

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fail2ban (Ubuntu):
status: New → Confirmed
Robert Dinse (nanook) wrote :

I wish people wouldn't use languages like python which changes its packages and syntax weekly, but since they do, the obvious question: is anyone going to work on this? It is a rather important security tool.

Åka Sikrom (akrosikam) wrote (last edit ):

As of this commit from 12 Dec 2023: https://github.com/fail2ban/fail2ban/commit/1024452fe1befeb5a0a014386a81ec183cd45bb5
....upstream ships its source with the missing async* libraries embedded, which solves the issue for now.

Here is a suggested workaround for Noble until the fix hopefully finds its way into the repos.

DISCLAIMER: Try at your own risk. I am not an Ubuntu/Debian developer. Next time you receive a proper package update of fail2ban via apt, any of the manually-downloaded files below may cause conflicts and break your system.

mkdir -m 0755 /usr/lib/python3/dist-packages/fail2ban/compat
wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asynchat.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asynchat.py
wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asyncore.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asyncore.py
cp -p /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py{,.original}
wget -O /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/server/asyncserver.py
chmod 0644 /usr/lib/python3/dist-packages/fail2ban/{compat/async{hat,ore}.py,server/asyncserver.py}

The fail2ban package does not have 'python3-setuptools' listed under "Depends" in its control file, although it requires distutils (provided by the setuptools package) for its default sshd jail and thus for fail2ban to be able to run at all. So, unless you have already installed it, you will need to install it now:

apt install python3-setuptools

Once done, fail2ban should start successfully.
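
A check for the failure mode reported in this thread, added here as an example (not code from fail2ban, Ubuntu or any commenter): it flags fail2ban unit failures in syslog lines together with the module the server reported missing, and lists which of the modules named on this page the running interpreter cannot resolve. The function names are hypothetical, and the `fail2ban.compat` default is an assumption taken from the paths used in the workaround above.

```python
import importlib.util
import re

# Modules this page reports as unavailable to fail2ban 1.0.2 on Python 3.12.
REMOVED_IN_312 = ("asynchat", "asyncore", "distutils")

# Sample input: syslog lines copied from the bug description on this page.
SAMPLE = """\
2024-02-25T02:27:26.678572-08:00 mx1 systemd[1]: Started fail2ban.service - Fail2Ban Service.
2024-02-25T02:27:28.954548-08:00 mx1 fail2ban-server[1133]: 2024-02-25 02:27:28,952 fail2ban [1133]: ERROR No module named 'asynchat'
2024-02-25T02:27:29.004733-08:00 mx1 systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
2024-02-25T02:27:29.004834-08:00 mx1 systemd[1]: fail2ban.service: Failed with result 'exit-code'.
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
NO_MODULE = re.compile(r"ERROR\s+No module named '(?P<mod>[^']+)'")

def resolvable(name):
    """True if this interpreter can locate `name` (dotted names import the parent)."""
    try:
        return importlib.util.find_spec(name) is not None
    except (ImportError, ValueError):
        return False

def missing_modules(names=REMOVED_IN_312, vendored_pkg="fail2ban.compat"):
    """Names found neither top-level (stdlib or backport) nor vendored."""
    return [n for n in names
            if not resolvable(n) and not resolvable(f"{vendored_pkg}.{n}")]

def find_start_failures(lines):
    """One finding per fail2ban unit failure, with the module (if any) the
    server reported missing since the last start on that host."""
    pending, findings = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, proc, msg = m["host"], m["proc"], m["msg"]
        if proc == "fail2ban-server" and (err := NO_MODULE.search(msg)):
            pending[host] = err["mod"]
        elif proc == "systemd" and msg.startswith("Started fail2ban.service"):
            pending.pop(host, None)  # new start attempt: drop stale errors
        elif proc == "systemd" and msg.startswith("fail2ban.service: Failed with result"):
            findings.append({"time": m["ts"], "host": host,
                             "missing_module": pending.pop(host, None)})
    return findings

if __name__ == "__main__":
    print("start failures:", find_start_failures(SAMPLE))
    print("unresolvable on this interpreter:", missing_modules())
```

Run it with the same `python3` that fail2ban uses, before and after an upgrade or workaround; an empty list from `missing_modules()` means every listed module resolves either top-level or under `fail2ban.compat`.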

Robert Dinse (nanook) wrote : Re: [Bug 2055114] Re: fail2ban is broken in 24.04 Noble

      This does make it run. Thank you.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Sun, 10 Mar 2024, Åka Sikrom wrote:

> Date: Sun, 10 Mar 2024 12:30:18 -0000
> From: Åka Sikrom <email address hidden>
> To: <email address hidden>
> Subject: [Bug 2055114] Re: fail2ban is broken in 24.04 Noble
>
> As of this commit from 12 Dec 2023: https://github.com/fail2ban/fail2ban/commit/1024452fe1befeb5a0a014386a81ec183cd45bb5
> ....upstream ships its source with the missing async* libraries embedded, which solves the issue for now.
>
>
> Here is a suggested workaround for Noble until the fix hopefully finds its way into the repos.
>
> DISCLAIMER: Try at your own risk. I am not an Ubuntu/Debian developer.
> Next time you receive a proper package update of fail2ban via apt, any
> of the manually-downloaded files below may cause conflicts and break
> your system.
>
> mkdir -m 0755 /usr/lib/python3/dist-packages/fail2ban/compat
> wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asynchat.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asynchat.py
> wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asyncore.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asyncore.py
> cp -p /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py{,.original}
> wget -O /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/server/asyncserver.py
>
> My custom-bootstrapped Noble test system is also missing the required
> 'distutils' Python module by default. The fail2ban package does not have
> 'python3-setuptools' listed under "Depends" in its control file, which
> it possibly should at this point. Official Ubuntu images may already
> have it installed via other packages, but if not, you will need to
> install it as well:
>
> apt install python3-setuptools
>

Åka Sikrom (akrosikam) wrote (last edit ):

EDIT: attachment removed as the patch did not include a fix for the missing python3-setuptools dependency. New suggestion will be provided/attached in a new comment.

Maintainers: Here is a suggested source patch for Noble. It is based on commit no. 1024452 [1] in upstream. This would be my first-ever patch made for a deb package, so please inspect it carefully for mistakes if/before you even consider applying it.

Thank you.

[1] https://github.com/fail2ban/fail2ban/commit/1024452fe1befeb5a0a014386a81ec183cd45bb5

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fail2ban-noble-add-bundled-async-python3.12.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Åka Sikrom (akrosikam) wrote :

Maintainers: please find attached a new version of my suggested source patch.

Changes:
* Bundle asyncore.py, asynchat.py and updated asyncserver.py (manual cherry-pick of upstream commit 1024452)
* Add 'python3-setuptools' to Depends

I have deliberately *not* inserted anything into the changelog as I believe this should all be checked and signed off by somebody who knows what they are doing.

Regarding Debian, trixie still ships python3.11 as of today, so this issue does not apply to them yet.

Thanks.

Adam Williamson (awilliamson) wrote :

FWIW, this is what we did in Fedora: https://src.fedoraproject.org/rpms/fail2ban/c/24c973f252f6d1b4231ee49ee4d5efac785a2fe8?branch=rawhide

i.e., we depend on packages of the asynchat and asyncore libs that were added to pypi for this kind of purpose - https://pypi.org/project/pyasynchat/ and https://pypi.org/project/pyasyncore/ - and we also had to disable a couple of tests. I don't know if Ubuntu/Debian packaged the split-out asynchat and asyncore libs yet.

Grant Slater (firefishy) wrote :

Upstream have released a new version which fixes Python 3.12+ compatibility. https://github.com/fail2ban/fail2ban/releases/tag/1.1.0

fossfreedom (fossfreedom) wrote :

I see a patch has been added - so I've subscribed ubuntu sponsors.

However, please can the following template be used to describe the patch, how to test, understand the risks etc. https://wiki.ubuntu.com/SponsorshipProcess

Åka Sikrom (akrosikam) wrote (last edit ):

Thanks fossfreedom,

I have tried to go through the documentation you linked to, but its links to specific processes are either dead or redirect to a new WIP readthedocs page where the info I need has not been added yet. Since this would be my first-ever Ubuntu patch, I need a bit more specific information in order to improve my process and patch content.

If there is anything specific missing in my patch and/or its description above, please feel free to point it out, and I will do what I can.

Again, I have deliberately refrained from including a changelog entry / version bump, and the patch is not in quilt format since it is unclear to me whether it should be. If these are the only missing bits, I would be happy to add them and upload a revised patch.

Sylvestre Ledru (sylvestre) wrote :

I uploaded the new version in Debian:
https://tracker.debian.org/news/1524869/accepted-fail2ban-110-1-source-into-unstable/
if someone wants to sync it into Ubuntu, most welcome :)

Andreas Hasenack (ahasenack) wrote :

New version is in oracular-proposed[1]:

fail2ban (1.1.0-1) unstable; urgency=medium

  * New upstream release
    (LP: #2055114)
  * Block ssh invalid keys too (Closes: #1038779)
  * Follow upstream advice
    https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-2078361360
    to only have sshd as enabled = true in jail.d_defaults-debian.conf
  * Update lintian override info format in d/source/lintian-overrides on line 1-2.
  * Update standards version to 4.6.2, no changes needed.

 -- Sylvestre Ledru <email address hidden> Thu, 02 May 2024 13:57:06 +0200

Nothing needs to be sponsored for the ubuntu devel release now. I'll mark it as fix committed, since it was uploaded.

Noble is still affected, so I'm adding a noble task. This then needs to become an SRU, following [2], before anything can be uploaded to noble.

1. https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1
2. https://wiki.ubuntu.com/StableReleaseUpdates

Changed in fail2ban (Ubuntu Oracular):
status: Confirmed → Fix Committed
Changed in fail2ban (Ubuntu Noble):
status: New → Confirmed
importance: Undecided → High
fprietog (fprietog) wrote :

@ahasenack thank you very much.

In the meantime as a workaround for noble you can install the oracular-proposed deb file "fail2ban_1.1.0-1_all.deb".

Anthony MAUGENDRE (hac76) wrote :

@fprietog workaround works like a charm ! thank you

wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
sudo dpkg -i fail2ban_1.1.0-1_all.deb

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fail2ban - 1.1.0-1

---------------
fail2ban (1.1.0-1) unstable; urgency=medium

  * New upstream release
    (LP: #2055114)
  * Block ssh invalid keys too (Closes: #1038779)
  * Follow upstream advice
    https://github.com/fail2ban/fail2ban/issues/3292#issuecomment-2078361360
    to only have sshd as enabled = true in jail.d_defaults-debian.conf
  * Update lintian override info format in d/source/lintian-overrides on line 1-2.
  * Update standards version to 4.6.2, no changes needed.

 -- Sylvestre Ledru <email address hidden> Thu, 02 May 2024 13:57:06 +0200

Changed in fail2ban (Ubuntu Oracular):
status: Fix Committed → Fix Released
Graham Inggs (ginggs) wrote :

Marking the Noble task incomplete and unsubscribing ubuntu-sponsors for now.

Changed in fail2ban (Ubuntu Noble):
status: Confirmed → Incomplete