CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

fail2ban.configreader prints warning to stderr (allowipv6) #1479

Open sigio opened 3 months ago

sigio commented 3 months ago

Describe the bug
2024-04-03 13:31:13,490 fail2ban.configreader [223171]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'

Running 'lynis audit system' prints the above message to stderr.

I've checked the fail2ban configuration on the host, allowipv6 is only in there in a comment:

fail2ban.conf
58:# Option: allowipv6
62:#allowipv6 = auto

Version
Lynis 3.0.9

Expected behavior
No spurious output

mboelen commented 3 months ago

Which specific test is causing it? Then we can check if we can redirect errors to /dev/null.

Still, the warning could also be useful to know about. In this case it is showing you the message because it defaults to 'auto' as you didn't make the setting explicit (by any chance migrated from an older fail2ban? or older template file?).

sigio commented 3 months ago

It's here in the output...

[+] Software: System tooling

Seems it's not on all my systems, so trying to find what the difference is... This run was from a relatively fresh debian 12 box, we don't change the fail2ban configfile from what's packaged (as all changes are in jail.local)

I'm not seeing the message on our ubuntu 22 systems, but they don't have the commented allowipv6 (or anything mentioning allowipv6) in the entire config.

sigio commented 3 months ago

Removing the entire commented block about allowipv6 from the /etc/fail2ban/fail2ban.conf doesn't change the printing of the message though:

-# Option: allowipv6
-# Notes.: Allows IPv6 interface:
-#         Default: auto
-# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
-#allowipv6 = auto

mboelen commented 3 months ago

and if you set it (and make it explicit): allowipv6 = auto

I guess it is a version thing? Or are both the version on Debian 12 and Ubuntu 22 the exact same version?

sigio commented 3 months ago

Ubuntu 20.04, Fail2ban v0.11.1 no issue
Ubuntu 22.04, Fail2ban v0.11.2 no issue
Debian 12, Fail2ban v1.0.2, above issue

However, both the debian and the ubuntu (both versions) don't have allowipv6 in their configs.

Adding it to the debian12 config removes the warning, but shouldn't be needed.

sigio commented 3 months ago

And more verbose output:

[DEBUG] Performing test ID TOOL-5104 (Enabled tests in Fail2ban)
2024-04-03 19:23:10,539 fail2ban.configreader   [543266]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
    - Checking Fail2ban jails                                 [ ENABLED ]

mboelen commented 3 months ago

It's a feature added not long ago, so it makes sense that with Debian it shows up.

A bit strange that they show the warning instead of just setting it to auto, as that is already the default. For some reason they want you to configure it, otherwise they should not list it as a warning.

We could redirect errors to /dev/null, but then configuration issues would not show up. Sometimes these warnings/errors are a good bonus, even though we can't intercept them.

When you run fail2ban-client -d; echo $? manually (with the warning present), do you get an exit code of 0? We might add a new test that first checks the configuration status for warnings/errors in that case.

sigio commented 3 months ago

Errorcode is 0, and it prints the message to stderr indeed

fail2ban-client -d > /dev/null ; echo $?
2024-04-04 00:50:33,991 fail2ban.configreader [614668]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
0
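
The check discussed in the thread (inspect the configuration dump for warnings/errors even though the exit code is 0), as an added example; it is not Lynis or fail2ban code. The helper name `check_config_stderr` and both `fake_*` stubs are constructed for illustration, and the ERROR/CRITICAL pattern assumes those levels use the same line layout as the WARNING quoted above.

```shell
#!/bin/sh
# Added example, not Lynis code. Classifies what a config-dump command
# writes to stderr, because the exit status alone (0 in the thread) hides it.

# Constructed stand-in for `fail2ban-client -d` on the Debian 12 host:
# a dump line on stdout, the warning from the issue on stderr, exit status 0.
fake_fail2ban_dump() {
    echo "['set', 'loglevel', 'INFO']"   # constructed stdout content
    echo "2024-04-03 13:31:13,490 fail2ban.configreader [223171]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'" >&2
}

# Constructed stand-in for a host where the option is set explicitly.
fake_clean_dump() {
    echo "['set', 'allowipv6', 'auto']"  # constructed stdout content
}

# check_config_stderr CMD [ARGS...]   (hypothetical helper name)
# Runs CMD with stdout discarded and stderr captured, then sets:
#   CFG_EXIT      exit status of CMD
#   CFG_STDERR    captured stderr text
#   CFG_WARNINGS  count of stderr lines at level WARNING
#   CFG_ERRORS    count of stderr lines at level ERROR or CRITICAL
#                 (assumed to use the same "]: LEVEL " layout as the warning)
# Returns 0 if clean, 1 if warnings only, 2 on errors or non-zero exit.
check_config_stderr() {
    # "2>&1 >/dev/null" sends stderr into the substitution and drops stdout.
    if CFG_STDERR=$("$@" 2>&1 >/dev/null); then CFG_EXIT=0; else CFG_EXIT=$?; fi
    # grep -c exits 1 on a zero count, so "|| true" keeps this safe under set -e.
    CFG_WARNINGS=$(printf '%s\n' "$CFG_STDERR" | grep -c ']: WARNING ' || true)
    CFG_ERRORS=$(printf '%s\n' "$CFG_STDERR" | grep -c -E ']: (ERROR|CRITICAL) ' || true)
    if [ "$CFG_EXIT" -ne 0 ] || [ "$CFG_ERRORS" -gt 0 ]; then return 2; fi
    if [ "$CFG_WARNINGS" -gt 0 ]; then return 1; fi
    return 0
}

# Demo on the constructed input; on a real host pass: fail2ban-client -d
rc=0
check_config_stderr fake_fail2ban_dump || rc=$?
echo "result=$rc exit=$CFG_EXIT warnings=$CFG_WARNINGS errors=$CFG_ERRORS"
[ -z "$CFG_STDERR" ] || printf '%s\n' "$CFG_STDERR"
```

Because the captured text stays in `CFG_STDERR`, a caller can record the warning in its own report instead of letting it leak to the terminal or discarding it with `/dev/null`.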