Working on CentOS 6.3 with fail2ban version 0.9.6. After starting, fail2ban is unable to write iptables rules; nothing related to the f2b chains shows up in iptables -L. I configured it on a local VM and it works fine there, but on this server the logs it produces have been driving me crazy for 2 days. Please look at the logs; it looks to me as if it cannot write rules into iptables, and I don't know how to fix this :O PS: the jails have already been tested and verified. Any help with this would be greatly appreciated. Thanks in advance.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
service fail2ban status
fail2ban-server (pid 30663) is running...
Status
|- Number of jail: 2
`- Jail list: opensips, ssh-iptables
fail2ban log
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.6
Feb 20 19:14:05 server-1 fail2ban.database[21215]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'ssh-iptables'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/secure
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxlines = 10
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Jail ssh-iptables is not a JournalFilter instance
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'opensips'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/messages
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action
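The log above buries the actual cause (iptables answering "Permission denied" when the fail2ban-server process tries to open the filter table) inside three repeated stderr lines per jail. The script below is an added triage helper, not code from the question or from the fail2ban project: it parses fail2ban 0.9.x "fail2ban.action ... ERROR" lines, splits the #012-joined iptables commands back apart, classifies the stderr text, and reports which jails failed to start and why. The sample log is constructed from the lines in the question; the regular expressions and the cause categories are my own assumptions about the log format, not anything fail2ban exposes.

```python
import re
from typing import Dict, List

# Constructed sample lines in the fail2ban 0.9.x syslog format quoted in the question.
# A raw string keeps the literal "\n" sequences fail2ban writes inside the stderr repr.
SAMPLE_LOG = r"""Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-SSH#012iptables -A f2b-SSH -j RETURN#012iptables -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables -N f2b-opensips#012iptables -A f2b-opensips -j RETURN#012iptables -I INPUT -p all -j f2b-opensips -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action
"""

# Assumed shape of the three related lines fail2ban emits for one failed action:
# "... ERROR <command> -- stdout: ''", "... -- stderr: \"...\"", "... -- returned N"
ACTION_RE = re.compile(
    r"fail2ban\.action\[\d+\]: ERROR (?P<cmd>.*?) -- (?P<kind>stdout|stderr|returned)[: ]\s*(?P<rest>.*)$"
)
JAIL_FAIL_RE = re.compile(
    r"fail2ban\.actions\[\d+\]: ERROR Failed to start jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
)


def classify_stderr(stderr: str) -> str:
    """Rough bucket for iptables stderr text (categories are my own, not fail2ban's)."""
    if "Permission denied" in stderr:
        # the fail2ban-server process could not open the netfilter table at all
        return "permission_denied"
    if "No chain/target/match" in stderr:
        return "missing_chain"
    if "Chain already exists" in stderr:
        return "chain_exists"
    return "other"


def split_commands(cmd: str) -> List[str]:
    """syslog escapes embedded newlines as '#012' (octal 012 = LF), so one action
    line may carry several iptables commands; give them back one per element."""
    return [c.strip() for c in cmd.split("#012") if c.strip()]


def triage(log_text: str) -> Dict[str, object]:
    """Return the jails that failed to start, the failed command groups
    (with return code, stderr and cause), and a counter per cause."""
    failed_jails: Dict[str, str] = {}
    failed_commands: Dict[str, dict] = {}  # keyed by raw command so stdout/stderr/rc lines merge
    causes: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = ACTION_RE.search(line)
        if m:
            entry = failed_commands.setdefault(m["cmd"], {"commands": split_commands(m["cmd"])})
            if m["kind"] == "returned":
                entry["rc"] = int(m["rest"])
            elif m["kind"] == "stderr":
                entry["stderr"] = m["rest"].strip('"')
                cause = classify_stderr(entry["stderr"])
                entry["cause"] = cause
                causes[cause] = causes.get(cause, 0) + 1
            continue
        m = JAIL_FAIL_RE.search(line)
        if m:
            failed_jails[m["jail"]] = m["action"]
    return {
        "failed_jails": failed_jails,
        "failed_commands": list(failed_commands.values()),
        "causes": causes,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for jail, action in report["failed_jails"].items():
        print(f"jail {jail!r}: action {action!r} failed to start")
    for entry in report["failed_commands"]:
        print(f"rc={entry.get('rc')} cause={entry.get('cause')} first command: {entry['commands'][0]}")
    print("causes:", report["causes"])
```

Run it against /var/log/messages (or wherever the SYSLOG target lands) instead of SAMPLE_LOG to get the same summary for a live box; a "permission_denied" cause with return code 3 points at the process running iptables, not at the jail filters, which is why testing the jails in isolation (as the question did) never shows the problem.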
Answer 1
The problem was in the python version. I edited /usr/bin/fail2ban-client and /usr/bin/fail2ban-server, using the correct path in the first line ("whereis python" gives you the path):
#!/usr/bin/python2.6 -Es
instead of
#!/usr/bin/python -Es (the old python version)
Because of the older compiled version, fail2ban could not write iptables rules. Start fail2ban with the command: fail2ban-client start
Now it is running and blocking unwanted IPs.