Centos6
Fail2ban cannot write iptables rules
Working on CentOS 6.3 with fail2ban 0.9.6: after starting, fail2ban cannot write iptables rules, and I don't see anything related to the f2b chains in iptables -L. I have configured it on a local VM and it works like a charm, but on this server the log it generates has been driving me crazy for 2 days now. Please look at the log; it seems to me that it cannot write the rules into iptables, and I would like to know how to fix this :O PS: the jails have been tested and verified. Any help in this regard would be greatly appreciated. Thanks in advance.
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
service fail2ban status
fail2ban-server (pid 30663) is running...
Status
|- Number of jail: 2
`- Jail list: opensips, ssh-iptables
fail2ban log
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.6
Feb 20 19:14:05 server-1 fail2ban.database[21215]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'ssh-iptables'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/secure
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxlines = 10
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Jail ssh-iptables is not a JournalFilter instance
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'opensips'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/messages
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action
The problem was in the Python version. I edited the top line of /usr/bin/fail2ban-client and /usr/bin/fail2ban-server to the correct path ("whereis python" gives you the path):
#!/usr/bin/python2.6 -Es
This was previously
#!/usr/bin/python -Es (the old version of Python),
and because of that old version's build, fail2ban could not write iptables rules. Start fail2ban with the command: fail2ban-client start
Now it is running and blocking unwanted IPs.
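As an added check (not code from the question or the answer above), this POSIX shell script verifies the two things the thread turns on: which interpreter the shebang of /usr/bin/fail2ban-client and /usr/bin/fail2ban-server names, and whether the f2b- chains actually exist in iptables after fail2ban starts. The chain names (f2b-SSH, f2b-opensips) are taken from the log above; `f2b_check` is an assumed wrapper name that runs iptables on a live host, so call it there rather than in a test.

```shell
#!/bin/sh
# Added example, not from the original thread: checks which interpreter
# fail2ban's wrapper scripts name and whether the f2b-* chains exist.

# Print the interpreter path from a script's shebang line (empty if none).
shebang_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Read `iptables -L -n` output on stdin and print every fail2ban chain,
# one per line. fail2ban 0.9 names them f2b-<name>, <name> being the
# action's name parameter (f2b-SSH and f2b-opensips in the log above).
f2b_chains() {
    awk '$1 == "Chain" && $2 ~ /^f2b-/ { print $2 }'
}

# Succeed only if chain $1 appears in the iptables listing on stdin.
f2b_chain_present() {
    f2b_chains | grep -qx -e "$1"
}

# Succeed only if iptables can open the filter table at all; the log in
# the question shows exactly this step failing with "Permission denied".
iptables_filter_usable() {
    iptables -t filter -L -n >/dev/null 2>&1
}

# Whole check for a live host (needs root; not run automatically here).
f2b_check() {
    for f in /usr/bin/fail2ban-client /usr/bin/fail2ban-server; do
        interp=$(shebang_interpreter "$f")
        printf '%s -> %s (%s)\n' "$f" "${interp:-<no shebang>}" \
            "$("${interp:-false}" --version 2>&1 || echo 'not runnable')"
    done
    if iptables_filter_usable; then
        echo "filter table readable; fail2ban chains currently installed:"
        iptables -L -n | f2b_chains
    else
        echo "iptables cannot open the filter table; no jail can ban"
    fi
}
```

After `fail2ban-client start`, an empty chain list from `f2b_check` on a host where the filter table is readable means the actions never ran, which is what the ERROR lines in the log above report.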