I have been using fail2ban for several months without any problems, but after a CentOS upgrade it stopped working. It does not seem to create the iptables entries. I have tried restarting fail2ban, rebooting the VPS, and all the basic things. The relevant error is:
In /var/log/fail2ban.log:
2020-01-12 12:15:52,994 fail2ban.actions [496]: NOTICE [postfix-reject-dynamo] Restore Ban 12.160.87.219
2020-01-12 12:15:54,684 fail2ban.utils [496]: #39-Lev. 7f4db54f9c90 -- exec: firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: 'filter'"
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- returned 13
2020-01-12 12:15:54,686 fail2ban.actions [496]: ERROR Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports
In /var/log/firewalld:
2020-01-12 12:15:53 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
2020-01-12 12:15:53 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
2020-01-12 12:15:54 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory
Output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Contents of /etc/systemd/system/multi-user.target.wants/fail2ban.service:
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service
PartOf=iptables.service firewalld.service
[Service]
Type=simple
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255
[Install]
WantedBy=multi-user.target
The full content of /var/log/fail2ban.log leading up to the error is as follows:
2020-01-12 12:15:51,018 fail2ban.server [496]: INFO Starting Fail2ban v0.10.4
2020-01-12 12:15:51,037 fail2ban.database [496]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-01-12 12:15:51,183 fail2ban.jail [496]: INFO Creating new jail 'sshd'
2020-01-12 12:15:51,834 fail2ban.jail [496]: INFO Jail 'sshd' uses systemd {}
2020-01-12 12:15:51,836 fail2ban.jail [496]: INFO Initiated 'systemd' backend
2020-01-12 12:15:51,837 fail2ban.filter [496]: INFO maxLines: 1
2020-01-12 12:15:51,878 fail2ban.filtersystemd [496]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-01-12 12:15:51,879 fail2ban.filter [496]: INFO maxRetry: 5
2020-01-12 12:15:51,879 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,880 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:51,880 fail2ban.actions [496]: INFO banTime: 3600
2020-01-12 12:15:51,882 fail2ban.jail [496]: INFO Creating new jail 'webmin-auth'
2020-01-12 12:15:51,882 fail2ban.jail [496]: INFO Jail 'webmin-auth' uses systemd {}
2020-01-12 12:15:51,883 fail2ban.jail [496]: INFO Initiated 'systemd' backend
2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO maxRetry: 5
2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,889 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:51,890 fail2ban.actions [496]: INFO banTime: 600
2020-01-12 12:15:51,891 fail2ban.jail [496]: INFO Creating new jail 'proftpd'
2020-01-12 12:15:51,891 fail2ban.jail [496]: INFO Jail 'proftpd' uses systemd {}
2020-01-12 12:15:51,893 fail2ban.jail [496]: INFO Initiated 'systemd' backend
2020-01-12 12:15:51,898 fail2ban.filtersystemd [496]: INFO [proftpd] Added journal match for: '_SYSTEMD_UNIT=proftpd.service'
2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO maxRetry: 5
2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,899 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:51,900 fail2ban.actions [496]: INFO banTime: 3600
2020-01-12 12:15:51,901 fail2ban.jail [496]: INFO Creating new jail 'postfix'
2020-01-12 12:15:51,901 fail2ban.jail [496]: INFO Jail 'postfix' uses systemd {}
2020-01-12 12:15:51,902 fail2ban.jail [496]: INFO Initiated 'systemd' backend
2020-01-12 12:15:51,913 fail2ban.filtersystemd [496]: INFO [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO maxRetry: 5
2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,914 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:51,915 fail2ban.actions [496]: INFO banTime: 3600
2020-01-12 12:15:51,916 fail2ban.jail [496]: INFO Creating new jail 'dovecot'
2020-01-12 12:15:51,916 fail2ban.jail [496]: INFO Jail 'dovecot' uses systemd {}
2020-01-12 12:15:51,917 fail2ban.jail [496]: INFO Initiated 'systemd' backend
2020-01-12 12:15:51,926 fail2ban.filtersystemd [496]: INFO [dovecot] Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2020-01-12 12:15:51,926 fail2ban.datedetector [496]: INFO date pattern `''`: `{^LN-BEG}TAI64N`
2020-01-12 12:15:51,927 fail2ban.filter [496]: INFO maxRetry: 5
2020-01-12 12:15:51,927 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,928 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:51,928 fail2ban.actions [496]: INFO banTime: 3600
2020-01-12 12:15:51,929 fail2ban.jail [496]: INFO Creating new jail 'postfix-reject-dynamo'
2020-01-12 12:15:52,032 fail2ban.jail [496]: INFO Jail 'postfix-reject-dynamo' uses poller {}
2020-01-12 12:15:52,033 fail2ban.jail [496]: INFO Initiated 'polling' backend
2020-01-12 12:15:52,118 fail2ban.filter [496]: INFO Added logfile: '/var/log/maillog' (pos = 17320260, hash = 48479d10b4c7d022471955ff13511a8c)
2020-01-12 12:15:52,119 fail2ban.filter [496]: INFO maxRetry: 3
2020-01-12 12:15:52,119 fail2ban.filter [496]: INFO encoding: ANSI_X3.4-1968
2020-01-12 12:15:52,120 fail2ban.filter [496]: INFO findtime: 600
2020-01-12 12:15:52,120 fail2ban.actions [496]: INFO banTime: 3600
2020-01-12 12:15:52,222 fail2ban.jail [496]: INFO Jail 'sshd' started
2020-01-12 12:15:52,260 fail2ban.filtersystemd [496]: NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2020-01-12 12:15:52,269 fail2ban.jail [496]: INFO Jail 'webmin-auth' started
2020-01-12 12:15:52,401 fail2ban.jail [496]: INFO Jail 'proftpd' started
2020-01-12 12:15:52,659 fail2ban.jail [496]: INFO Jail 'postfix' started
2020-01-12 12:15:52,787 fail2ban.jail [496]: INFO Jail 'dovecot' started
2020-01-12 12:15:52,800 fail2ban.jail [496]: INFO Jail 'postfix-reject-dynamo' started
2020-01-12 12:15:52,994 fail2ban.actions [496]: NOTICE [postfix-reject-dynamo] Restore Ban 12.160.87.219
2020-01-12 12:15:54,684 fail2ban.utils [496]: #39-Lev. 7f4db54f9c90 -- exec: firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: 'filter'"
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
2020-01-12 12:15:54,685 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils [496]: ERROR 7f4db54f9c90 -- returned 13
2020-01-12 12:15:54,686 fail2ban.actions [496]: ERROR Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports
CentOS Linux release 7.7.1908 (Core)
I do not know what is going on here.
I would appreciate your help.
Answer 1
fail2ban error with firewalld...
Well, this is not a fail2ban error.
Basically, fail2ban tries to run the following commands (you can try them yourself in a shell as root):
firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
For some reason firewall-cmd, or rather iptables-restore, which seems to be used internally by firewall-cmd, fails with:
Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory
Normally this message makes no sense, because firewall-cmd is creating this chain, yet the error appears to come from creating some rules targeting the chain f2b-postfix-reject-dynamo, which for some reason still does not exist. You should check whether you have some persistent rules targeting this (non-existent) chain and fix (or remove) them.
For example, if you try this without the first command, you will see the same error:
# ## iptables -w -N f2b-test-chain; # this creates a chain
# iptables -w -I INPUT 1 -j f2b-test-chain; # insert rule to INPUT chain targeting f2b-test-chain
...
iptables v1.6.0: Couldn't load target `f2b-test-chain':No such file or directory
This is obviously an error (the first command, which creates the chain, is commented out).
So some internal stream that firewalld tries to restore using iptables-restore seems to be wrong (it contains an invalid reference).
By the way, why don't you just use iptables directly instead of firewalld?
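The check the answer recommends, finding rules that jump to a chain the ruleset never declares, can be automated. The following shell script is an added example and is not part of the original question, the answer, or fail2ban/firewalld; it parses an iptables-save style ruleset and reports every -j/-g target that is neither a standard target nor a chain declared with a ":CHAIN" line, which is exactly the condition that makes iptables-restore fail with "Couldn't load target ... No such file or directory". The ruleset embedded in SAMPLE_RULES is constructed for the example (it is not a dump from the poster's server) and reproduces the situation in the logs: INPUT_direct jumps to f2b-postfix-reject-dynamo, but that chain is never created.

```shell
#!/bin/sh
# Find rules in an iptables-save/iptables-restore ruleset that jump to chains
# the ruleset never declares. Usage on a live host:  iptables-save | find_dangling_targets

# Standard targets (and common target extensions) that are not user chains.
BUILTIN_TARGETS='ACCEPT DROP REJECT RETURN LOG MARK MASQUERADE SNAT DNAT REDIRECT QUEUE NFQUEUE CT NOTRACK TCPMSS'

# Reads a ruleset on stdin; prints "<table> <missing-target> <rule>" for each bad rule.
find_dangling_targets() {
    awk -v builtin="$BUILTIN_TARGETS" '
        BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        /^\*/ { table = substr($0, 2); next }                 # "*filter", "*nat", ...
        /^:/  { declared[table ":" substr($1, 2)] = 1; next }  # ":CHAIN POLICY [pkts:bytes]"
        /^(-A|-I) / {
            for (i = 1; i <= NF; i++)
                if ($i == "-j" || $i == "-g") {
                    t = $(i + 1)
                    if (!(t in known) && !((table ":" t) in declared))
                        print table, t, $0
                }
        }
    '
}

# Constructed sample ruleset (not real output): the INPUT_direct chain references
# f2b-postfix-reject-dynamo, but no ":f2b-postfix-reject-dynamo" line declares it.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:f2b-sshd - [0:0]
-A INPUT -j INPUT_direct
-A INPUT_direct -j f2b-sshd
-A INPUT_direct -j f2b-postfix-reject-dynamo
-A f2b-sshd -j RETURN
COMMIT'

# Runs the check over the constructed sample and returns its report.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_dangling_targets
}

check_sample
```

On a firewalld host the rules that survive reboots are the permanent direct rules, which firewall-cmd --permanent --direct --get-all-rules lists (and --get-all-chains lists the permanent direct chains); a rule there that names a chain no longer declared is the kind of stale reference the answer describes. Removing it from the permanent configuration, or recreating the missing chain, lets firewall-cmd's internal iptables-restore succeed again so that fail2ban's firewallcmd-allports action can insert its ban rules.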