fail2ban.configreader prints warning to stderr (allowipv6) #1479

Open
sigio opened this issue Apr 3, 2024 · 8 comments

sigio (Contributor) commented Apr 3, 2024

Describe the bug
2024-04-03 13:31:13,490 fail2ban.configreader [223171]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'

Running 'lynis audit system' prints the above message to stderr.

I've checked the fail2ban configuration on the host, allowipv6 is only in there in a comment:
fail2ban.conf
58:# Option: allowipv6
62:#allowipv6 = auto

Version
Lynis 3.0.9

Expected behavior
No spurious output

mboelen (Member) commented Apr 3, 2024

Which specific test is causing it? Then we can check if we can redirect errors to /dev/null.

Still, the warning could also be useful to know about. In this case it is showing you the message because it defaults to 'auto' as you didn't make the setting explicit (by any chance migrated from an older fail2ban? or older template file?).

mboelen self-assigned this Apr 3, 2024

sigio (Contributor, Author) commented Apr 3, 2024

It's here in the output...

[+] Software: System tooling

  • Checking automation tooling
    • Ansible artifact [ FOUND ]
  • Automation tooling [ FOUND ]
  • Checking presence of Fail2ban [ FOUND ]
    2024-04-03 15:54:31,829 fail2ban.configreader [362534]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
    • Checking Fail2ban jails [ ENABLED ]
  • Checking for IDS/IPS tooling [ FOUND ]

Seems it's not on all my systems, so trying to find what the difference is...
This run was from a relatively fresh Debian 12 box, we don't change the fail2ban config file from what's packaged (as all changes are in jail.local)

I'm not seeing the message on our ubuntu 22 systems, but they don't have the commented allowipv6 (or anything mentioning allowipv6) in the entire config.

sigio (Contributor, Author) commented Apr 3, 2024

Removing the entire commented block about allowipv6 from the /etc/fail2ban/fail2ban.conf doesn't change the printing of the message though:

-# Option: allowipv6
-# Notes.: Allows IPv6 interface:
-#         Default: auto
-# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
-#allowipv6 = auto

mboelen (Member) commented Apr 3, 2024

and if you set it (and make it explicit): allowipv6 = auto

I guess it is a version thing? Or are both the version on Debian 12 and Ubuntu 22 the exact same version?

sigio (Contributor, Author) commented Apr 3, 2024

Ubuntu 20.04, Fail2ban v0.11.1 no issue
Ubuntu 22.04, Fail2ban v0.11.2 no issue
Debian 12, Fail2ban v1.0.2, above issue

However, both the debian and the ubuntu (both versions) don't have allowipv6 in their configs.

Adding it to the debian12 config removes the warning, but shouldn't be needed.

sigio (Contributor, Author) commented Apr 3, 2024

And more verbose output:

[DEBUG] Performing test ID TOOL-5104 (Enabled tests in Fail2ban)
2024-04-03 19:23:10,539 fail2ban.configreader   [543266]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
    - Checking Fail2ban jails                                 [ ENABLED ]

mboelen (Member) commented Apr 3, 2024

It's a feature added not long ago, so it makes sense that with Debian it shows up.

A bit strange that they show the warning instead of just setting it to auto, as that is already the default. For some reason they want you to configure it, otherwise they should not list it as a warning.

We could redirect errors to /dev/null, but then configuration issues would not show up. Sometimes these warnings/errors are a good bonus, even though we can't intercept them.

When you run fail2ban-client -d; echo $? manually (with the warning present), do you get an exit code of 0? We might add a new test that first checks the configuration status for warnings/errors in that case.

sigio (Contributor, Author) commented Apr 3, 2024

Errorcode is 0, and it prints the message to stderr indeed

fail2ban-client -d > /dev/null ; echo $?
2024-04-04 00:50:33,991 fail2ban.configreader [614668]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
0
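
The pre-check discussed above (inspect the configuration dump for warnings or errors even when the exit code is 0), as an added example that is not part of this thread and not Lynis code. `check_config_dump` and `fake_fail2ban_client` are hypothetical names, the stub's stdout is constructed, and flagging ERROR and CRITICAL alongside WARNING is an assumption.

```shell
#!/bin/sh
# Added example (not Lynis code): classify a config dump whose exit code is 0
# but which still reports problems on stderr.

# check_config_dump CMD [ARGS...]   (hypothetical helper name)
# Discards stdout, keeps stderr in CONFIG_STDERR.
# Returns 0 = clean, 1 = exit 0 with warnings/errors on stderr, 2 = non-zero exit.
check_config_dump() {
    cmd_rc=0
    # "2>&1 >/dev/null" sends stderr into the capture and drops stdout.
    CONFIG_STDERR=$("$@" 2>&1 >/dev/null) || cmd_rc=$?
    if [ "$cmd_rc" -ne 0 ]; then
        return 2
    fi
    # The log level follows "[pid]: " in the line format shown in this issue.
    # ERROR and CRITICAL are assumed here as the other levels worth flagging.
    if printf '%s\n' "$CONFIG_STDERR" | grep -Eq '\]: (WARNING|ERROR|CRITICAL) '; then
        return 1
    fi
    return 0
}

# Constructed stand-in for `fail2ban-client -d` so the example runs offline.
fake_fail2ban_client() {
    echo "constructed placeholder for the configuration dump"
    echo "2024-04-04 00:50:33,991 fail2ban.configreader [614668]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'" >&2
    return 0
}

# On a real host: check_config_dump fail2ban-client -d
status=0
check_config_dump fake_fail2ban_client || status=$?
case "$status" in
    0) echo "configuration dump clean" ;;
    1) echo "exit code 0, but stderr reported:"; echo "$CONFIG_STDERR" ;;
    2) echo "configuration dump failed" ;;
esac
```

Capturing stderr instead of sending it to /dev/null lets an audit report record the warning as a finding rather than leaking it into the terminal output.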
