Iptables
fail2ban error with firewalld (f2b-<jail name>: No such file or directory)

I have been using fail2ban for several months without any problems, but after a CentOS upgrade it stopped working. It seems that it is not creating the iptables entries. I have tried restarting fail2ban, rebooting the VPS, and all the basic things. The relevant errors are:
In /var/log/fail2ban.log:

    2020-01-12 12:15:52,994 fail2ban.actions [496]: NOTICE [postfix-reject-dynamo] Restore Ban 12.160.87.219
    2020-01-12 12:15:54,684 fail2ban.utils [496]: #39-Lev. 7f4db54f9c90 -- exec:
    firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
    firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
    firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: 'filter'"
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- returned 13
    2020-01-12 12:15:54,686 fail2ban.actions [496]: ERROR Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports
In /var/log/firewalld:

    2020-01-12 12:15:53 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
    2020-01-12 12:15:53 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
    2020-01-12 12:15:54 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory
Output of iptables -L:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
Contents of /etc/systemd/system/multi-user.target.wants/fail2ban.service:

    [Unit]
    Description=Fail2Ban Service
    Documentation=man:fail2ban(1)
    After=network.target iptables.service firewalld.service ip6tables.service ipset.service
    PartOf=iptables.service firewalld.service

    [Service]
    Type=simple
    ExecStartPre=/bin/mkdir -p /var/run/fail2ban
    ExecStart=/usr/bin/fail2ban-server -xf start
    # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
    # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
    ExecStop=/usr/bin/fail2ban-client stop
    ExecReload=/usr/bin/fail2ban-client reload
    PIDFile=/var/run/fail2ban/fail2ban.pid
    Restart=on-failure
    RestartPreventExitStatus=0 255

    [Install]
    WantedBy=multi-user.target
The complete /var/log/fail2ban.log leading up to the error:

    2020-01-12 12:15:51,018 fail2ban.server [496]: INFO Starting Fail2ban v0.10.4
    2020-01-12 12:15:51,037 fail2ban.database [496]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
    2020-01-12 12:15:51,183 fail2ban.jail [496]: INFO Creating new jail 'sshd'
    2020-01-12 12:15:51,834 fail2ban.jail [496]: INFO Jail 'sshd' uses systemd {}
    2020-01-12 12:15:51,836 fail2ban.jail [496]: INFO Initiated 'systemd' backend
    2020-01-12 12:15:51,837 fail2ban.filter [496]: INFO maxLines: 1
    2020-01-12 12:15:51,878 fail2ban.filtersystemd [496]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
    2020-01-12 12:15:51,879 fail2ban.filter [496]: INFO maxRetry: 5
    2020-01-12 12:15:51,879 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:51,880 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:51,880 fail2ban.actions [496]: INFO banTime: 3600
    2020-01-12 12:15:51,882 fail2ban.jail [496]: INFO Creating new jail 'webmin-auth'
    2020-01-12 12:15:51,882 fail2ban.jail [496]: INFO Jail 'webmin-auth' uses systemd {}
    2020-01-12 12:15:51,883 fail2ban.jail [496]: INFO Initiated 'systemd' backend
    2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO maxRetry: 5
    2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:51,890 fail2ban.actions [496]: INFO banTime: 600
    2020-01-12 12:15:51,891 fail2ban.jail [496]: INFO Creating new jail 'proftpd'
    2020-01-12 12:15:51,891 fail2ban.jail [496]: INFO Jail 'proftpd' uses systemd {}
    2020-01-12 12:15:51,893 fail2ban.jail [496]: INFO Initiated 'systemd' backend
    2020-01-12 12:15:51,898 fail2ban.filtersystemd [496]: INFO [proftpd] Added journal match for: '_SYSTEMD_UNIT=proftpd.service'
    2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO maxRetry: 5
    2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:51,900 fail2ban.actions [496]: INFO banTime: 3600
    2020-01-12 12:15:51,901 fail2ban.jail [496]: INFO Creating new jail 'postfix'
    2020-01-12 12:15:51,901 fail2ban.jail [496]: INFO Jail 'postfix' uses systemd {}
    2020-01-12 12:15:51,902 fail2ban.jail [496]: INFO Initiated 'systemd' backend
    2020-01-12 12:15:51,913 fail2ban.filtersystemd [496]: INFO [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
    2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO maxRetry: 5
    2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:51,915 fail2ban.actions [496]: INFO banTime: 3600
    2020-01-12 12:15:51,916 fail2ban.jail [496]: INFO Creating new jail 'dovecot'
    2020-01-12 12:15:51,916 fail2ban.jail [496]: INFO Jail 'dovecot' uses systemd {}
    2020-01-12 12:15:51,917 fail2ban.jail [496]: INFO Initiated 'systemd' backend
    2020-01-12 12:15:51,926 fail2ban.filtersystemd [496]: INFO [dovecot] Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
    2020-01-12 12:15:51,926 fail2ban.datedetector [496]: INFO date pattern `''`: `{^LN-BEG}TAI64N`
    2020-01-12 12:15:51,927 fail2ban.filter [496]: INFO maxRetry: 5
    2020-01-12 12:15:51,927 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:51,928 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:51,928 fail2ban.actions [496]: INFO banTime: 3600
    2020-01-12 12:15:51,929 fail2ban.jail [496]: INFO Creating new jail 'postfix-reject-dynamo'
    2020-01-12 12:15:52,032 fail2ban.jail [496]: INFO Jail 'postfix-reject-dynamo' uses poller {}
    2020-01-12 12:15:52,033 fail2ban.jail [496]: INFO Initiated 'polling' backend
    2020-01-12 12:15:52,118 fail2ban.filter [496]: INFO Added logfile: '/var/log/maillog' (pos = 17320260, hash = 48479d10b4c7d022471955ff13511a8c)
    2020-01-12 12:15:52,119 fail2ban.filter [496]: INFO maxRetry: 3
    2020-01-12 12:15:52,119 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
    2020-01-12 12:15:52,120 fail2ban.filter [496]: INFO findtime: 600
    2020-01-12 12:15:52,120 fail2ban.actions [496]: INFO banTime: 3600
    2020-01-12 12:15:52,222 fail2ban.jail [496]: INFO Jail 'sshd' started
    2020-01-12 12:15:52,260 fail2ban.filtersystemd [496]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
    2020-01-12 12:15:52,269 fail2ban.jail [496]: INFO Jail 'webmin-auth' started
    2020-01-12 12:15:52,401 fail2ban.jail [496]: INFO Jail 'proftpd' started
    2020-01-12 12:15:52,659 fail2ban.jail [496]: INFO Jail 'postfix' started
    2020-01-12 12:15:52,787 fail2ban.jail [496]: INFO Jail 'dovecot' started
    2020-01-12 12:15:52,800 fail2ban.jail [496]: INFO Jail 'postfix-reject-dynamo' started
    2020-01-12 12:15:52,994 fail2ban.actions [496]: NOTICE [postfix-reject-dynamo] Restore Ban 12.160.87.219
    2020-01-12 12:15:54,684 fail2ban.utils [496]: #39-Lev. 7f4db54f9c90 -- exec:
    firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
    firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
    firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: 'filter'"
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
    2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
    2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- returned 13
    2020-01-12 12:15:54,686 fail2ban.actions [496]: ERROR Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports
CentOS Linux release 7.7.1908 (Core)

I don't know what is going on here. I appreciate your help.
> fail2ban error with firewalld…

Then it is not a fail2ban error.
Basically, fail2ban tries to execute the following commands (you can try them yourself as root in a shell):

    firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
    firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
    firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
For some reason firewall-cmd, or rather iptables-restore, which seems to be used internally by firewall-cmd, fails with:

    Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory
Normally this message makes no sense, because firewall-cmd is creating this chain, but this error looks as if some rule targeting the chain f2b-postfix-reject-dynamo is created while, for some reason, that chain still does not exist. You should check whether there are some persistent rules targeting this (nonexistent) chain and fix (or remove) them. For example, if you try to do this without the first command, you will see the same error:

    # ## iptables -w -N f2b-test-chain; # this creates a chain
    # iptables -w -I INPUT 1 -j f2b-test-chain; # insert rule to INPUT chain targeting f2b-test-chain
    ...
    iptables v1.6.0: Couldn't load target `f2b-test-chain':No such file or directory
This is obviously an error (the first command, the one that creates the chain, is commented out).

So some internal flow of firewalld that tries to restore rules using iptables-restore seems to be wrong (contains an invalid reference). By the way, why don't you just use iptables directly instead of firewalld?
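As an added illustration of the check the answer recommends (this is not part of the answer or of fail2ban/firewalld), here is a small Python checker: given a ruleset in iptables-save format, it reports every rule whose -j/-g target is a chain the ruleset never defines, which is exactly what makes iptables-restore fail with "Couldn't load target ...: No such file or directory". The sample dump is constructed and the function name is my own.

```python
"""Added example, not from the original answer: flag rules in an
iptables-save style dump whose -j/-g target is a chain that the dump
never defines (the cause of "Couldn't load target ..." on restore)."""

# Verdicts and target extensions that are not user-defined chains.
BUILTIN_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "CONNMARK",
    "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "QUEUE", "NFQUEUE", "TCPMSS",
}

def find_dangling_targets(dump):
    """Return [(table, chain, target)] for every jump to an undefined chain."""
    table, defined, jumps = None, {}, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter": start of a table
            table = line[1:]
            defined.setdefault(table, set())
        elif line == "COMMIT":
            table = None
        elif table is None:
            continue                             # line outside any table: ignore
        elif line.startswith(":"):               # ":NAME POLICY [pkts:bytes]"
            defined[table].add(line[1:].split()[0])
        elif line.startswith("-A"):
            tokens = line.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok in ("-j", "-g"):
                    jumps.append((table, tokens[1], tokens[i + 1]))
    return [j for j in jumps
            if j[2] not in BUILTIN_TARGETS and j[2] not in defined[j[0]]]

# Constructed sample mirroring the question: firewalld's INPUT_direct chain
# still jumps to f2b-postfix-reject-dynamo, but that chain is no longer defined.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:f2b-sshd - [0:0]
-A INPUT -j INPUT_direct
-A INPUT_direct -j f2b-sshd
-A INPUT_direct -j f2b-postfix-reject-dynamo
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""
```

Running `find_dangling_targets(SAMPLE_DUMP)` yields the single stale reference in INPUT_direct; once a `:f2b-postfix-reject-dynamo - [0:0]` chain definition is present (or the rule is removed), the list is empty.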