Received Mon, 12 Oct 2009 21:15:03 PHT
Fail2ban unused after system update: Solution: After /etc/init.d/fail2ban status gives unused, check for fail2ban.sock
System: openSUSE 11.0 LAMP root server. Software on the server is always kept fully updated.
A few weeks ago, after a system update, my fail2ban stopped working. Receiving no fail2ban messages by email was suspicious, since before I had many notifications per day. Hence I looked into the problem today. Here are a few typical command lines you would use:
/etc/init.d/fail2ban status ... unused
or, as is often used on openSUSE and other systems:
rcfail2ban status
The result is always "unused".
Now a restart:
rcfail2ban restart
Shutting down Fail2ban ... done
wait a minute ...
Starting Fail2Ban ... done
Again a status check:
rcfail2ban status ... unused
The solution to the problem is simple. If you had fail2ban running before and made no changes to fail2ban nor major changes to Apache or other components, then check for your fail2ban.sock file.
The location is defined in your fail2ban.conf and typically would be at:
/var/run/fail2ban/fail2ban.sock
If your fail2ban is DOWN, then there should be NO fail2ban.sock file left. Starting fail2ban is impossible as long as there is an orphaned fail2ban.sock from a previous run. For whatever reason it was left behind, it happened, and it was the only reason fail2ban failed to start properly. Hence remove the fail2ban.sock file. Then start fail2ban:
rcfail2ban start
or
/etc/init.d/fail2ban start
Now check the status; it should say:
rcfail2ban status
Checking for service Fail2ban running
If you are uneasy removing the fail2ban.sock file, then simply rename the file:
mv /var/run/fail2ban/fail2ban.sock /var/run/fail2ban/fail2ban.sock_ORIGINAL
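The same fix as a guarded script, added here as an example and not part of the original post: it renames the socket only when no server answers on it. Confirming that the server is down with fail2ban-client -s <socket> ping is an assumption of this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): move an orphaned fail2ban
# socket aside only when no fail2ban server answers on it.

# Typical location named in the post; the real path is set in fail2ban.conf.
SOCK=${SOCK:-/var/run/fail2ban/fail2ban.sock}

# True if a fail2ban server answers on the socket path given as $1.
# Assumption of this example: "fail2ban-client ping" exits non-zero when
# nothing is listening on the socket.
server_alive() {
    fail2ban-client -s "$1" ping >/dev/null 2>&1
}

# Print the state of socket path $1: absent, live or stale.
sock_state() {
    if [ ! -e "$1" ]; then
        echo absent
    elif server_alive "$1"; then
        echo live
    else
        echo stale
    fi
}

# Rename a stale socket to <path>_ORIGINAL (the cautious variant from the
# post). Returns 0 when the path is clear for a fresh start, 1 when a
# running server still owns the socket.
clear_stale_sock() {
    case $(sock_state "$1") in
        absent) return 0 ;;
        live)   echo "server answers on $1, leaving it alone" >&2
                return 1 ;;
        stale)  mv -f -- "$1" "${1}_ORIGINAL" ;;
    esac
}

# Run as root with --fix to clear the socket and start the service.
if [ "${1:-}" = "--fix" ]; then
    clear_stale_sock "$SOCK" && /etc/init.d/fail2ban start
fi
```

Without --fix the script only defines the functions, so it can be sourced and sock_state called on its own to inspect the socket before changing anything.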
Minutes after fail2ban was running again, the email notifications started to drop in again - in the first half hour or so, already 7 hacker attempts against SSH. The world has not changed at all for the better, rather for the worse.
Love and Bliss
hans




