Comments (8)
Which specific test is causing it? Then we can check if we can redirect errors to /dev/null.
Still, the warning could also be useful to know about. In this case it is showing you the message because it defaults to 'auto' as you didn't make the setting explicit (by any chance migrated from an older fail2ban? or older template file?).
from lynis.
It's here in the output...
[+] Software: System tooling
- Checking automation tooling
- Ansible artifact [ FOUND ]
- Automation tooling [ FOUND ]
- Checking presence of Fail2ban [ FOUND ]
2024-04-03 15:54:31,829 fail2ban.configreader [362534]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]
Seems it's not on all my systems, so trying to find what the difference is...
This run was from a relatively fresh Debian 12 box; we don't change the fail2ban config file from what's packaged (as all changes are in jail.local).
I'm not seeing the message on our ubuntu 22 systems, but they don't have the commented allowipv6 (or anything mentioning allowipv6) in the entire config.
from lynis.
Removing the entire commented block about allowipv6 from the /etc/fail2ban/fail2ban.conf doesn't change the printing of the message though:
-# Option: allowipv6
-# Notes.: Allows IPv6 interface:
-# Default: auto
-# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
-#allowipv6 = auto
from lynis.
and if you set it (and make it explicit): allowipv6 = auto
I guess it is a version thing? Or are both the version on Debian 12 and Ubuntu 22 the exact same version?
from lynis.
Ubuntu 20.04, Fail2ban v0.11.1 no issue
Ubuntu 22.04, Fail2ban v0.11.2 no issue
Debian 12, Fail2ban v1.0.2, above issue
However, both the debian and the ubuntu (both versions) don't have allowipv6 in their configs.
Adding it to the debian12 config removes the warning, but shouldn't be needed.
from lynis.
And more verbose output:
[DEBUG] Performing test ID TOOL-5104 (Enabled tests in Fail2ban)
2024-04-03 19:23:10,539 fail2ban.configreader [543266]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
- Checking Fail2ban jails [ ENABLED ]
from lynis.
It's a feature added not long ago, so it makes sense that with Debian it shows up.
A bit strange that they show the warning instead of just setting it to auto, as that is already the default. For some reason they want you to configure it, otherwise they should not list it as a warning.
We could redirect errors to /dev/null, but then configuration issues would not show up. Sometimes these warnings/errors are a good bonus, even though we can't intercept them.
When you run fail2ban-client -d; echo $? manually (with the warning present), do you get an exit code of 0? We might add a new test that first checks the configuration status for warnings/errors in that case.
from lynis.
Errorcode is 0, and it prints the message to stderr indeed
fail2ban-client -d > /dev/null ; echo $?
2024-04-04 00:50:33,991 fail2ban.configreader [614668]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
0
from lynis.
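One way to do the check floated in this thread, as an added example that is not Lynis code and not part of any comment above: capture stderr from the configuration dump instead of discarding it, so a warning is reported as a finding while the exit code is still honoured. `check_config_dump` and `fake_fail2ban_dump` are hypothetical names, and the stand-in only emulates the behaviour reported here (exit code 0, warning on stderr).

```shell
#!/bin/sh
# Added example, not Lynis code. Runs a config-dump command, discards stdout,
# and captures stderr so warnings neither leak into the report nor vanish.

# check_config_dump CMD [ARGS...]
# Prints one status line; matching messages are kept in CONFIG_MESSAGES.
# Returns 0 = clean, 1 = warnings/errors on stderr, 2 = command failed.
check_config_dump() {
    errfile=$(mktemp) || return 2
    rc=0
    "$@" >/dev/null 2>"$errfile" || rc=$?
    # In the log format shown in the thread the level follows "[pid]: ".
    CONFIG_MESSAGES=$(grep -E '\]: (WARNING|ERROR) ' "$errfile" || true)
    rm -f "$errfile"
    if [ "$rc" -ne 0 ]; then
        echo "FAILED (exit code $rc)"
        return 2
    fi
    if [ -n "$CONFIG_MESSAGES" ]; then
        count=$(printf '%s\n' "$CONFIG_MESSAGES" | wc -l | tr -d ' ')
        echo "WARNING ($count message(s) on stderr)"
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed stand-in for `fail2ban-client -d` on the Debian 12 box:
# the dump goes to stdout, the warning to stderr, and the exit code is 0.
fake_fail2ban_dump() {
    echo "['set', 'loglevel', 'INFO']"   # constructed sample dump line
    echo "2024-04-04 00:50:33,991 fail2ban.configreader [614668]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'" >&2
    return 0
}

# Demo with the stand-in; on a real host: check_config_dump fail2ban-client -d
status=$(check_config_dump fake_fail2ban_dump) || true
echo "Fail2ban configuration: $status"
```
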