Fail2Ban MIA for Amazon Linux 2023?

0

Why is Fail2Ban completely missing from AL2023 repos? Are there instructions, including dependencies for hand installation on AL2023? Why would Amazon leave this standard component of basic hacker prevention and security out of the stack?

8 Answers
1
Accepted Answer

Amazon Linux 2023 uses Python 3.9 by default, and some of the old Python version features are abolished in Python 3.9, so you need to use the latest Fail2ban source code to install.

  1. Install the dependency package 2to3: yum install 2to3 -y
  2. Download the latest fail2ban source code: https://github.com/fail2ban/fail2ban/archive/refs/tags/1.0.2.tar.gz
  3. Execute the following commands to install:
  • tar -xvf 1.0.2.tar.gz
  • cd fail2ban-1.0.2/
  • ./fail2ban-2to3
  • python3.9 setup.py build
  • python3.9 setup.py install
  • sudo cp ./build/fail2ban.service /etc/systemd/system/fail2ban.service
  • sudo systemctl enable fail2ban

For details, please refer to this link: https://github.com/fail2ban/fail2ban/wiki/How-to-install-or-upgrade-fail2ban-manually

AWS
answered 2 years ago
EXPERT
reviewed 10 months ago
  • Kudos to Randy Palmer for this final - critical - piece to the puzzle. It works! Randy's Post: I found I also needed to edit /etc/systemd/system/fail2ban.service and set the following env variable under the [Service] section in order to get things working:

    Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"

  • It seems the AMI has changed in-between. On step "./fail2ban-2to3", we run into a failure:

    [root@ip-10-52-11-249 fail2ban-1.0.2]# ./fail2ban-2to3
    RefactoringTool: Skipping optional fixer: buffer
    RefactoringTool: Skipping optional fixer: idioms
    RefactoringTool: Skipping optional fixer: set_literal
    RefactoringTool: Skipping optional fixer: ws_comma
    RefactoringTool: No changes to bin/fail2ban-client
    Traceback (most recent call last):
      File "/usr/bin/2to3", line 5, in <module>
        sys.exit(main("lib2to3.fixes"))
      File "/usr/lib64/python3.9/lib2to3/main.py", line 263, in main
        rt.refactor(args, options.write, options.doctests_only,
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 690, in refactor
      ...
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 286, in refactor
        self.refactor_file(dir_or_file, write, doctests_only)
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 731, in refactor_file
        return super(MultiprocessRefactoringTool, self).refactor_file(
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 326, in refactor_file
        input, encoding = self._read_python_source(filename)
      File "/usr/lib64/python3.9/lib2to3/refactor.py", line 322, in _read_python_source
        return f.read(), encoding
      File "/usr/lib64/python3.9/codecs.py", line 322, in decode
        (result, consumed) = self._buffer_decode(data, self.errors, final)
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd8 in position 96: invalid continuation byte

1

I found I also needed to edit /etc/systemd/system/fail2ban.service and set the following env variable under the [Service] section in order to get things working:

Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"

answered 2 years ago
  • Combined with the answer above - works perfectly. Did not enable without this environment variable! THANK YOU!

  • For those who tried the above and still couldn't get it to work, please try: Environment="PYTHONPATH=/usr/bin/python3.9"

    It worked. Plus you need to have version 234 of systemd-python in your python3.9 (see @rePost-User-9607719 comments)

1

Here are the steps updated for version 1.1.0:

sudo dnf install python3-devel
cd
wget https://github.com/fail2ban/fail2ban/archive/refs/tags/1.1.0.tar.gz
tar xzvf 1.1.0.tar.gz
cd fail2ban-1.1.0/
sudo python3 setup.py build
sudo python3 setup.py install
sudo cp ./build/fail2ban.service /etc/systemd/system/fail2ban.service
sudo sed -i '/PYTHONNOUSERSITE/a Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"' /etc/systemd/system/fail2ban.service
sudo systemctl enable fail2ban
answered 10 months ago
  • This worked for me. Fail2ban is working and blocking the IP, but the server is not actually blocking the IP. So now I need to know what firewall to use with fail2ban. What are you using? Iptables, UFW. I tried to install iptables, but still no luck and there doesn't seem to be any way to install ufw on al2023. Any suggestions?

1

I got this working without the installation of GCC or Git; here's a script I'm executing via Packer that appears to work on the latest Amazon Linux 2023:

cd /tmp
curl -L -o fail2ban.tar.gz https://github.com/fail2ban/fail2ban/archive/refs/tags/1.0.2.tar.gz
tar -xvf fail2ban.tar.gz
cd fail2ban-1.0.2/

# This is needed or the 2to3 command used by the ./fail2ban-2to3 script won't work
yum install -y python3-devel 

./fail2ban-2to3
python3 setup.py build
python3 setup.py install
cp ./build/fail2ban.service /etc/systemd/system/fail2ban.service

# Need to append the PYTHONPATH as an Environment variable in the systemctl config 
sed -i '/PYTHONNOUSERSITE/a Environment="PYTHONPATH=/usr/local/lib/python3.9/site-packages"' /etc/systemd/system/fail2ban.service
systemctl enable fail2ban
answered a year ago
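
Added example, not part of the answers above and not fail2ban's own code: the sed '/PYTHONNOUSERSITE/a ...' edit used in the answers appends another copy of the line each time it is re-run and changes nothing when the unit file has no PYTHONNOUSERSITE line. The shell function below makes the same edit idempotently and reports when there is nowhere to insert; make_sample_unit, ensure_pythonpath and count_pythonpath are hypothetical helper names, and the sample unit file is constructed for the example.

```shell
#!/bin/sh
# Added example: idempotent form of the PYTHONPATH unit-file edit from the answers.

# Constructed sample unit file, for offline testing only (not the shipped unit).
make_sample_unit() {
    printf '%s\n' '[Unit]' 'Description=Fail2Ban Service (constructed sample)' \
        '[Service]' 'Type=simple' 'Environment="PYTHONNOUSERSITE=1"' \
        'ExecStart=/usr/local/bin/fail2ban-server -xf start' > "$1"
}

# ensure_pythonpath UNIT [SITE_DIR]
# Returns 0 when the line is present afterwards, 1 when there is no place to
# put it, 2 when the unit file is missing or no temp file could be created.
ensure_pythonpath() {
    local unit="$1" site="${2:-/usr/local/lib/python3.9/site-packages}"
    local line="Environment=\"PYTHONPATH=${site}\"" anchor tmp

    [ -f "$unit" ] || { echo "missing unit file: $unit" >&2; return 2; }

    # Already present: stop here, so a re-run (rebuilt image) adds no duplicate.
    grep -qxF -- "$line" "$unit" && return 0

    # Prefer the anchor the answers use; fall back to the section header so the
    # edit fails loudly instead of silently doing nothing.
    if grep -qF 'PYTHONNOUSERSITE' "$unit"; then anchor='PYTHONNOUSERSITE'
    elif grep -qxF '[Service]' "$unit"; then anchor='[Service]'
    else echo "no [Service] section in $unit" >&2; return 1
    fi

    tmp=$(mktemp) || return 2
    # Insert after the first line containing the anchor (fixed string, no regex).
    awk -v a="$anchor" -v add="$line" '
        { print }
        !done && index($0, a) { print add; done = 1 }
    ' "$unit" > "$tmp"
    cat "$tmp" > "$unit"   # overwrite in place: keeps the file's owner and mode
    rm -f "$tmp"
}

# Number of PYTHONPATH lines in UNIT; anything other than 1 needs a look.
count_pythonpath() { grep -c '^Environment="PYTHONPATH=' "$1" || true; }
```

After changing the unit file on a real host, run sudo systemctl daemon-reload so systemd picks up the edit before the service is started.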
0

fail2ban is now available in Amazon Linux 2023 as the package "fail2ban"

# dnf search fail2ban
Last metadata expiration check: 0:06:04 ago on Wed May 14 16:23:48 2025.
============================================================================================= Name Exactly Matched: fail2ban =============================================================================================
fail2ban.noarch : Daemon to ban hosts that cause multiple authentication errors
============================================================================================ Name & Summary Matched: fail2ban ============================================================================================
fail2ban-all.noarch : Install all Fail2Ban packages and dependencies
fail2ban-firewalld.noarch : Firewalld support for Fail2Ban
fail2ban-mail.noarch : Mail actions for Fail2Ban
fail2ban-selinux.noarch : SELinux policies for Fail2Ban
fail2ban-sendmail.noarch : Sendmail actions for Fail2Ban
fail2ban-server.noarch : Core server component for Fail2Ban
fail2ban-systemd.noarch : Systemd journal configuration for Fail2Ban
fail2ban-tests.noarch : Fail2Ban testcases
answered a day ago
  • Thanks Eugenio, I will have to check. PS can you tell me what firewall you are using? I got fail2ban to work using python, but it is not blocking the IP on the server. I tried to install IPTables, but that was not working and UFW was not available. Thanks.

0

I followed this procedure on a fresh AL2023. I confirm that adding PYTHONPATH in the unit file is also needed. However, fail2ban exits immediately with an error after being started. I got this from my journald:

Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal fail2ban-server[28036]: Server ready
Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Oct 27 12:34:40 ip-172-31-46-118.eu-west-1.compute.internal systemd[1]: fail2ban.service: Failed with result 'exit-code'.

Same happens when I try to run fail2ban in foreground from the command-line:

[ec2-user@ip-172-31-46-118 fail2ban-1.0.2]$ sudo /usr/local/bin/fail2ban-server -xf -v start
2023-10-27 12:40:47,647 fail2ban.configreader   [28703]: INFO    Loading configs for fail2ban under /etc/fail2ban 
2023-10-27 12:40:47,648 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2023-10-27 12:40:47,649 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/fail2ban.conf']
2023-10-27 12:40:47,649 fail2ban                [28703]: INFO    Using socket file /var/run/fail2ban/fail2ban.sock
2023-10-27 12:40:47,649 fail2ban                [28703]: INFO    Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
2023-10-27 12:40:47,650 fail2ban.configreader   [28703]: INFO    Loading configs for jail under /etc/fail2ban 
2023-10-27 12:40:47,651 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/jail.conf']
2023-10-27 12:40:47,656 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-fedora.conf']
2023-10-27 12:40:47,657 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf']
2023-10-27 12:40:47,657 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-overrides.local']
2023-10-27 12:40:47,658 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/jail.d/ssh.local']
2023-10-27 12:40:47,658 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/ssh.local']
2023-10-27 12:40:47,659 fail2ban.configreader   [28703]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
2023-10-27 12:40:47,659 fail2ban.configreader   [28703]: INFO    Loading configs for filter.d/sshd under /etc/fail2ban 
2023-10-27 12:40:47,659 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
2023-10-27 12:40:47,660 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf']
2023-10-27 12:40:47,661 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.local']
2023-10-27 12:40:47,661 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
2023-10-27 12:40:47,664 fail2ban.configreader   [28703]: INFO    Loading configs for action.d/iptables-multiport under /etc/fail2ban 
2023-10-27 12:40:47,664 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
2023-10-27 12:40:47,665 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables.conf']
2023-10-27 12:40:47,666 fail2ban.configparserinc[28703]: INFO      Loading files: ['/etc/fail2ban/action.d/iptables.conf', '/etc/fail2ban/action.d/iptables-multiport.conf']
Server ready
[ec2-user@ip-172-31-46-118 fail2ban-1.0.2]$ echo $?
255

Any hint on what might be the problem here? Thanks

answered 2 years ago
0

I found the missing step to get it working:

# yum install gcc git
# pip3 uninstall systemd
# pip3 install 'git+https://github.com/systemd/python-systemd.git#egg=systemd-python'
answered 2 years ago
0

With fail2ban now supporting Python3 natively is it possible for this to get packaged up and included in the provided repositories for Amazon Linux 2023? Would be a major boost to easily being able to secure deployed instances without adding wrappers to get it hooked in.

answered 10 months ago
