Centos6

Fail2ban cannot write iptables rules

  • August 20, 2019

Working on CentOS 6.3 with fail2ban 0.9.6: after starting, fail2ban is unable to write iptables rules, and I don't see anything related to an f2b chain in iptables -L. I configured it on a local VM and it works like a charm, but on this server the logs it generates have been driving me crazy for 2 days now. Please see the logs; it looks to me as if it cannot write rules into iptables, and I'd like to know how to fix this :O PS: the jails are already tested and verified. Any help on this would be greatly appreciated. Thanks in advance.

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

service fail2ban status

fail2ban-server (pid  30663) is running...
Status
|- Number of jail:      2
`- Jail list:   opensips, ssh-iptables

fail2ban log

Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.6
Feb 20 19:14:05 server-1 fail2ban.database[21215]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'ssh-iptables'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/secure
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxlines = 10
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Jail ssh-iptables is not a JournalFilter instance
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'opensips'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/messages
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action

The problem was in the python version. I edited the top line of /usr/bin/fail2ban-client and /usr/bin/fail2ban-server to the correct path ("whereis python" gives you the path):

#!/usr/bin/python2.6 -Es

Before, this was:

#!/usr/bin/python -Es (an older version of python),

and because of that older version's build, fail2ban could not write iptables rules. Start fail2ban with the command: fail2ban-client start

Now it is running and blocking unwanted IPs.
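The state described in the question is worth catching automatically: `fail2ban-client status` lists both jails as running, yet `iptables -L` has no f2b-* chain, and only the log shows the real failure (`Failed to start jail ... action 'iptables-allports'`). The stderr text `can't initialize iptables table 'filter': Permission denied` is what iptables prints when the calling process lacks the privilege to open the table, so the same check is useful whenever fail2ban is launched under a restricted service manager or container, not only after the interpreter mismatch the answer fixed. The following POSIX sh health check is an added example, not code from the question, the answer or the fail2ban project; the log and iptables samples are constructed to match the question's output, and the function names (`failed_jails`, `f2b_chains`, `shebang_interpreter`, `fail2ban_healthy`) are my own.

```shell
#!/bin/sh
# Added diagnostic helpers; not from the original question or answer, and not
# part of fail2ban itself. They parse text the way a cron/monitoring job would,
# so they run offline against the constructed samples below.

# Constructed sample: abridged fail2ban syslog lines in the same shape as the
# question's log (two jails start, then both ban actions fail).
SAMPLE_LOG=$(cat <<'EOF'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action
EOF
)

# Constructed sample: `iptables -L` output from a host where the ssh jail's
# chain was created successfully (the question's output has no such chain).
HEALTHY_IPTABLES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain f2b-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
EOF
)

# Constructed sample: the question's `iptables -L` output (no f2b-* chain).
EMPTY_IPTABLES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
)

# failed_jails: read fail2ban log lines on stdin, print the name of every jail
# whose ban action failed to start, one per line.
failed_jails() {
    sed -n "s/.*ERROR Failed to start jail '\([^']*\)'.*/\1/p"
}

# f2b_chains: read `iptables -L` output on stdin, print every chain fail2ban
# created (its chains are prefixed f2b-), one per line.
f2b_chains() {
    sed -n 's/^Chain \(f2b-[^ ]*\).*/\1/p'
}

# shebang_interpreter FILE: print the interpreter path named on the script's
# first line, e.g. /usr/bin/python2.6 for "#!/usr/bin/python2.6 -Es".
shebang_interpreter() {
    head -n 1 "$1" | sed -n 's/^#!\([^ ]*\).*/\1/p'
}

# fail2ban_healthy LOG IPTABLES: return 0 when no jail action failed and at
# least one f2b-* chain exists; otherwise print what is wrong and return 1.
# A jail is listed by `fail2ban-client status` even when its action failed,
# which is exactly the state the question describes.
fail2ban_healthy() {
    failed=$(printf '%s\n' "$1" | failed_jails)
    chains=$(printf '%s\n' "$2" | f2b_chains)
    status=0
    if [ -n "$failed" ]; then
        printf 'jails whose ban action failed to start: %s\n' \
            "$(printf '%s' "$failed" | tr '\n' ' ')"
        status=1
    fi
    if [ -z "$chains" ]; then
        echo 'no f2b-* chain present in iptables; bans cannot take effect'
        status=1
    fi
    return "$status"
}

# Demo on the constructed samples. On a real host pass "$(tail -n 200 /var/log/messages)"
# (or fail2ban's own log) and "$(iptables -L -n)" instead, and point
# shebang_interpreter at /usr/bin/fail2ban-server.
if fail2ban_healthy "$SAMPLE_LOG" "$EMPTY_IPTABLES"; then
    echo 'fail2ban OK'
else
    echo 'fail2ban NOT OK (expected for the constructed sample)'
fi
```

Run it as root from cron or a monitoring agent and alert on a non-zero exit; the log check fires immediately after a restart, while the chain check also catches the case where someone later flushes iptables without restarting fail2ban.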

Source: https://serverfault.com/questions/833927