It seems my fail2ban is unable to ban hosts:
2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-apache-noscript returned 100
2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-06-22 18:18:24,869 fail2ban.actions.action: ERROR iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP returned 100
When I run that command by hand, iptables complains:
# iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?).
Even though the chain does appear to exist:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
pkts bytes target prot opt in out source destination
93 7257 fail2ban-apache tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
0 0 fail2ban-sasl tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
0 0 fail2ban-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
311 27844 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 130
93 7257 fail2ban-apache-overflows tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
93 7257 fail2ban-apache-multiport tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
311 27844 fail2ban-ssh-ddos tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 130
406 35205 fail2ban-pam-generic tcp -- * * 0.0.0.0/0 0.0.0.0/0
93 7257 fail2ban-apache-noscript tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 296 packets, 105K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-apache (1 references)
pkts bytes target prot opt in out source destination
93 7257 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-multiport (1 references)
pkts bytes target prot opt in out source destination
93 7257 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
93 7257 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-overflows (1 references)
pkts bytes target prot opt in out source destination
93 7257 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-pam-generic (1 references)
pkts bytes target prot opt in out source destination
406 35205 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-postfix (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-sasl (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
311 27844 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-ssh-ddos (1 references)
pkts bytes target prot opt in out source destination
311 27844 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
What is the problem?!
Answer 1
You will notice the configuration of the chain you are trying to delete the rule from:
Chain fail2ban-apache-noscript (1 references)
pkts bytes target prot opt in out source destination
93 7257 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Apart from the "return everything that doesn't match" rule, there are no rules in that chain to delete at all. So the block that fail2ban is trying to remove is already gone.
Most likely you can ignore this, since what the command was meant to do has already been done. As you have no active bans, you probably just want to run /etc/init.d/fail2ban force-reload to clear its state.
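The answer's point is that `iptables -D` only succeeds when a rule with exactly the given match and target exists in the chain, and the fail2ban-apache-noscript chain above holds nothing but its trailing RETURN rule. The following script is an added example (not fail2ban's own code and not from the answer) that parses `iptables -L -v -n` output and reports, for a chain and a source address, whether a DROP rule is present or whether an unban would hit the "Bad rule" case from the question. The listing is a constructed sample: the fail2ban-apache-noscript chain is reproduced from the question, and the fail2ban-ssh chain with a DROP for 192.0.2.10 is invented so both outcomes can be shown. iptables itself is never invoked, so it runs without root and without a firewall.

```shell
#!/bin/sh
# Added example: decide from `iptables -L -v -n` output whether a ban rule exists
# in a fail2ban chain before trying to delete it. Not fail2ban's own code.

# Constructed sample listing. The fail2ban-apache-noscript chain is the one from the
# question (only the RETURN rule); the DROP for 192.0.2.10 in fail2ban-ssh is invented.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
  311 27844 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# rules_in_chain LISTING CHAIN: print the rule lines of CHAIN (header line excluded).
rules_in_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { inchain = ($2 == chain); next }   # enter/leave the wanted chain
        inchain && $1 == "pkts" { next }              # skip the column header
        inchain && NF > 0 { print }                   # keep real rule lines only
    '
}

# count_rules LISTING CHAIN: number of rules in CHAIN, the RETURN rule included.
count_rules() {
    rules_in_chain "$1" "$2" | wc -l | tr -d ' '
}

# has_drop_for_ip LISTING CHAIN IP: exit 0 if CHAIN holds a DROP rule whose source is IP.
# In `iptables -L -v -n` output the target is field 3 and the source is field 8.
has_drop_for_ip() {
    rules_in_chain "$1" "$2" | awk -v ip="$3" '
        $3 == "DROP" && $8 == ip { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# unban_status LISTING CHAIN IP: "present" when `iptables -D CHAIN -s IP -j DROP`
# would find a rule, "already-gone" when it would fail with "Bad rule" as in the question.
unban_status() {
    if has_drop_for_ip "$1" "$2" "$3"; then
        echo present
    else
        echo already-gone
    fi
}

# Stand-alone run: reproduce the question's situation and the invented banned host.
unban_status "$SAMPLE_LISTING" fail2ban-apache-noscript 185.13.228.98
unban_status "$SAMPLE_LISTING" fail2ban-ssh 192.0.2.10
```

On a live system the same question can be put to iptables directly: `iptables -C CHAIN -s IP -j DROP` (the `--check` option, present in iptables 1.4.11 and later) exits 0 when a matching rule exists and non-zero otherwise, so a wrapper can skip the `-D` call, and the error the question shows, when the ban is already gone.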