duplicate port declaration for pam-generic jail definition at jail.conf.erb template #13

Open
jurim76 opened this issue May 12, 2016 · 6 comments

Comments

@jurim76

jurim76 commented May 12, 2016

OS: Debian 8 Jessie

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport <= Duplicate option
logpath = /var/log/auth.log
maxretry = 6

/etc/init.d/fail2ban start
fail2ban-client[49999]: ERROR Failed during configuration: While reading from '/etc/fail2ban/jail.conf' [line 164]: option 'port' in section 'pam-generic' already exists

@dhoppe
Member

dhoppe commented Nov 7, 2016

I am not able to reproduce this issue.

vagrant@debian-8:/etc/fail2ban$ sudo /etc/init.d/fail2ban status
● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (running) since Mon 2016-11-07 16:11:08 CET; 1min 44s ago
  Process: 2571 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 2585 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/fail2ban.service
           └─2595 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Nov 07 16:11:08 debian-8 systemd[1]: Starting LSB: Start/stop fail2ban...
Nov 07 16:11:08 debian-8 fail2ban[2585]: Starting authentication failure monitor: fail2ban.
Nov 07 16:11:08 debian-8 systemd[1]: Started LSB: Start/stop fail2ban.

Are you sure that you did not place any files under /etc/fail2ban/jail.d/?

@JoeMcGrath

We have also just started seeing this issue, but not on all hosts that we are responsible for. The difference is that on servers with no issue fail2ban is v0.8.11, and on affected servers it's v0.9.3.

Exactly the same error as above.

@bensonarokiadoss

Using the correct desired configuration template should fix this issue.

fail2ban::config_file_template: "fail2ban/%{::lsbdistcodename}/etc/fail2ban/jail.conf.erb"

@github-jeff

github-jeff commented Feb 19, 2017

I too can confirm the duplicate port error on pam-generic. Fail2Ban is managed by Puppet, which was reporting the error. In Jail.local, under pam-generic, port is actually in there twice: once as "all", and once as "anyport". I commented out anyport, and the system came back fine.

@dhoppe
Member

dhoppe commented Mar 15, 2017

I know that the port has been defined twice, but I still cannot reproduce this issue. Debian 8 (Jessie) provides Fail2ban 0.8.13-1 and I used the default config to create the template.

This configuration is generated by the following Puppet / Hiera code and the Fail2ban service starts without any error message.

...
[pam-generic]

enabled  = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6
...
class { 'fail2ban':
  config_file_template => "fail2ban/${::lsbdistcodename}/etc/fail2ban/jail.conf.erb"
}
---
fail2ban::jails:
  'pam-generic':

Fail2ban 0.9.6-1 is provided by Debian Testing (Stretch), which is not supported by this module.

@ordinatous

Hello, we are some people who had this issue. On bug.debian bug #860387, they suggest:

Commenting out "port = anyport" lets fail2ban cleanly restart again.
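Added example, not part of the thread or of the module's code: the error text in the original report has the format that Python 3's `configparser` produces in strict mode when a key is repeated inside one section. The sketch below lints a rendered jail file for such repeats before fail2ban is restarted; the function names and the constructed sample stanza are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample: the [pam-generic] stanza quoted in this issue.
SAMPLE_JAIL_CONF = """\
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")
OPTION_RE = re.compile(r"^(?P<key>[^=:\s][^=:]*?)\s*[=:]")


def find_duplicate_options(text):
    """Return (section, option, first_line, duplicate_line) for every repeated key."""
    duplicates, seen, section = [], {}, None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line[0] in "#;" or line[0].isspace():
            continue  # blank, comment, or continuation of the previous value
        header = SECTION_RE.match(line)
        if header:
            section, seen = header.group("name"), {}
            continue
        option = OPTION_RE.match(line)
        if option and section is not None:
            key = option.group("key").lower()  # configparser lowercases keys
            if key in seen:
                duplicates.append((section, key, seen[key], lineno))
            else:
                seen[key] = lineno
    return duplicates


def strict_parse_error(text):
    """Return the strict-mode configparser error for text, or None if it loads."""
    parser = configparser.ConfigParser(strict=True, interpolation=None)
    try:
        parser.read_string(text, source="jail.conf")
    except configparser.DuplicateOptionError as exc:
        return str(exc)
    return None
```

Unlike the strict parser, which stops at the first repeat, `find_duplicate_options` reports every repeated key with both line numbers, so a template can be fixed in one pass.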
