marcel/familienarchiv
1
0
Fork 0
Code Issues 119 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

fix(fail2ban): pin polling backend so jail actually reads Caddy access log (#503) #504

Merged
marcel merged 1 commits from fix/issue-503-fail2ban-polling-backend into main 2026-05-11 15:08:59 +02:00
Conversation 0 Commits 1 Files Changed 2 +21

1 Commits

Author SHA1 Message Date
Marcel
e5363913ec fix(fail2ban): pin polling backend so jail actually reads Caddy access log
Some checks failed
CI / Unit & Component Tests (push) Failing after 2m49s
Details
CI / OCR Service Tests (push) Successful in 16s
Details
CI / Backend Unit Tests (push) Successful in 4m8s
Details
CI / fail2ban Regex (push) Successful in 37s
Details
CI / Compose Bucket Idempotency (push) Failing after 53s
Details
CI / Unit & Component Tests (pull_request) Failing after 2m46s
Details
CI / OCR Service Tests (pull_request) Successful in 15s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m14s
Details
CI / fail2ban Regex (pull_request) Successful in 37s
Details
CI / Compose Bucket Idempotency (pull_request) Failing after 50s
Details 
Closes #503.

Debian's fail2ban package ships defaults-debian.conf with
`[DEFAULT] backend = systemd`. Without an explicit override, our
familienarchiv-auth jail inherits the systemd backend at runtime,
reads from journald, and never inspects /var/log/caddy/access.log.
A live login brute-force would not be banned.

Add `backend = polling` to the jail and a CI step that links the jail
into /etc/fail2ban/ and asserts `fail2ban-client -d` resolves it to
the polling backend, not the inherited systemd backend.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-11 14:59:40 +02:00