[BR]: Filter apache-fakegooglebot prevents start of fail2ban

[jejo86]

Environment:

• Fail2Ban version : Fail2Ban v1.0.2
• OS, including release name/version : AlmaLinux 8.7 (Stone Smilodon)
• Fail2Ban installed via OS/distribution mechanisms
• You have not applied any additional foreign patches to the codebase
• Some customizations were done to the configuration (provide details below is so)

The issue:

Since 2023-04-12 fail2ban does not work anymore (noticed due to missing entries in Abuse Ipdb). When (re)starting via systemd it shows error:

Apr 19 22:28:13 my.server.com systemd[1]: Starting Fail2Ban Service...
Apr 19 22:28:13 my.server.com systemd[1]: Started Fail2Ban Service.
Apr 19 22:28:14 my.server.com fail2ban-server[3016]: 2023-04-19 22:28:14,125 fail2ban                [3016]: ERROR   Failed during configuration: Bad value substitution: option 'ignorecommand' in section 'apache-fakegooglebot' contains an interpolation key 'ignorecommands_dir' which is not a valid option name. Raw value: '%(ignorecommands_dir)s/apache-fakegooglebot <ip>'
Apr 19 22:28:14 my.server.com fail2ban-server[3016]: 2023-04-19 22:28:14,136 fail2ban                [3016]: ERROR   Async configuration of server failed
Apr 19 22:28:14 my.server.com systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/n/a
Apr 19 22:28:14 my.server.com systemd[1]: fail2ban.service: Failed with result 'exit-code'.

Steps to reproduce

systemctl restart fail2ban
systemctl status fail2ban

Expected behavior

It should start.

Observed behavior

It does not start.

Any additional information

I did not change any settings lately regarding fail2ban, but I have setup my server to automatically install updates.

There is no change in behavior after restarting the server.

Configuration, dump and another helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

Only file changed is action.d/abuseipdb.conf

abuseipdb_apikey =  ...

Relevant parts of /var/log/fail2ban.log file:

Log file is empty, as the application never started!

Relevant lines from monitored log files:

[sebres]

Banned by google?

The cause for that is a243115.
Newest version of fail2ban doesn't use such path interpolation variable in config/paths-common.conf anymore (fixes gh-3005).

Just replace it like here:

- ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+ ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot <ip>

But...
Guessing you previously copied jail.conf into jail.local (so it still contains old value in jail.local which overrides it in upgraded jail.conf) or changing jail.conf directly (so an update didn't take place due to conflicts and local modification)... what is not recommended.
So you can remove that line from jail.local (as well as all other lines that was previously copied from jail.conf without modification). Normally jail.local must contains only lines you want overwrite, see wiki :: Proper fail2ban configuration.

[jejo86]

I did copy the entire jail.conf file, yes. I will have a closer look at the documentation in the wiki in order to minimize this problem in the future.