Fail2ban ban action error on Debian

I don't know where to start looking for this problem. This is on Debian 11 (using nftables).

The nft add set ... command seems to fail:

nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}

My jail.local

[DEFAULT]
# configure nftables
banaction = nftables
chain = input

[sshd]
enabled = true
port = 1984
banaction = nftables[type=multiport]
maxretry = 3
bantime = 600
findtime = 1200

[wordpress]
enabled = true
banaction = nftables[type=multiport]
filter = wordpress
maxretry = 2
bantime = 1h
findtime = 1d
port = http,https
logpath = /var/log/apache2/*access*.log

[modsec]
enabled = true
banaction = nftables[type=multiport]
filter = apache-modsecurity
maxretry = 2
bantime = 1h
findtime = 6h
port = http,https
logpath = /var/log/apache2/*error*.log

Part of my nft ruleset

table inet f2b-table {
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
    }
}

The error

2023-04-08 12:19:26,582 fail2ban.actions        [73157]: NOTICE  [wordpress] Restore Ban 107.180.77.81
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-wordpress \{ type ipv4_addr\; \}
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-wordpress reject
done
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'add set inet f2b-table addr-set-wordpress { type ipv4_addr; }'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'Error: No such file or directory'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: 'add rule inet f2b-table f2b-chain tcp dport { http,https } ip saddr @addr-set-wordpress reject'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- stderr: '                                                                    ^^^^^^^^^^^^^^^^^^^'
2023-04-08 12:19:26,652 fail2ban.utils          [73157]: ERROR   7f21bc2b26b0 -- returned 1
2023-04-08 12:19:26,652 fail2ban.actions        [73157]: ERROR   Failed to execute ban jail 'wordpress' action 'nftables' info 'ActionInfo({'ip': '107.180.77.81', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f21bc8f48b0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f21bc8f4f70>})': Error starting action Jail('wordpress')/nftables: 'Script error'

Answer 1

Edit: if the nft table fails, you can try the following: check that you have the package (sudo apt-get install nftables if it is not present), check that the /etc/nftables/ directory exists (sudo mkdir /etc/nftables/) and give it appropriate permissions, and check /etc/nftables.conf for syntax errors.

The nftables rules generated by Fail2Ban have a problem; fix the port values in your jail.local file like this:

[wordpress]
...
port = 80,443
...
[modsec]
...
port = 80,443
...

Then let's modify the banaction directive like this:

[wordpress]
...
banaction = nftables-allports
...

[modsec]
...
banaction = nftables-allports
...

Then you can restart Fail2ban: sudo systemctl restart fail2ban

Answer 2

This problem is actually caused by a limit nftables places on table, chain and set names... the maximum length is 15 characters.

So if you have the following section in fail2ban

[wordpress]
enabled = true
banaction = nftables[type=multiport]
filter = wordpress
maxretry = 2
bantime = 1h
findtime = 1d
port = http,https
logpath = /var/log/apache2/*access*.log

Fail2ban tries to create a set named addr-set-wordpress, which is longer than 15 characters. Changing the section name to [wp] fixes the problem, because the set name is then addr-set-wp.

I think the error message that fail2ban returns needs to be fixed to something useful.
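As an added example (not part of either answer, and not fail2ban's own code), the POSIX shell script below derives the set name addr-set-<jail> that the log in the question shows fail2ban's nftables action using, and reports every enabled jail whose set name exceeds a length limit, defaulting to the 15 characters Answer 2 states. The jail.local it checks is a constructed sample embedded in the script, the function names are hypothetical, and NAME_LIMIT should be set to whatever your nftables and kernel version actually enforce.

```shell
#!/bin/sh
# Added example, not code from the question, the answers or fail2ban itself.
# Derives the nftables set name "addr-set-<jail>" (the naming the log above
# shows fail2ban's nftables action using) for each enabled jail in a
# jail.local-style file and flags names longer than NAME_LIMIT.
# NAME_LIMIT defaults to the 15 characters Answer 2 states; set it to the
# limit your nftables/kernel version actually enforces.

NAME_LIMIT="${NAME_LIMIT:-15}"

# Set name fail2ban's nftables action builds for jail "$1" (hypothetical helper).
f2b_set_name() {
    printf 'addr-set-%s\n' "$1"
}

# Exit 0 if the set name for jail "$1" fits within NAME_LIMIT, 1 otherwise.
f2b_set_name_ok() {
    name=$(f2b_set_name "$1")
    [ "${#name}" -le "$NAME_LIMIT" ]
}

# Print "<jail> <set-name> <ok|TOO_LONG>" for every jail with "enabled = true"
# in the file "$1", skipping [DEFAULT]. POSIX awk only.
f2b_check_jails() {
    awk -v limit="$NAME_LIMIT" '
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        sec != "" && sec != "DEFAULT" && $0 ~ /^[ \t]*enabled[ \t]*=[ \t]*true[ \t]*$/ {
            names[++n] = sec
        }
        END {
            for (i = 1; i <= n; i++) {
                set = "addr-set-" names[i]
                print names[i], set, (length(set) <= limit ? "ok" : "TOO_LONG")
            }
        }' "$1"
}

# Number of enabled jails in "$1" whose set name is too long.
f2b_count_too_long() {
    f2b_check_jails "$1" | awk '$3 == "TOO_LONG" { c++ } END { print c + 0 }'
}

# Constructed sample jail.local: the jails from the question plus a disabled
# one and the renamed [wp] jail from Answer 2.
f2b_sample_jail_local() {
    cat <<'EOF'
[DEFAULT]
banaction = nftables
chain = input

[sshd]
enabled = true
port = 1984

[wordpress]
enabled = true
port = http,https

[modsec]
enabled = true
port = http,https

[apache-auth]
enabled = false

[wp]
enabled = true
port = http,https
EOF
}

# Demo run: writes the sample to a temporary file and reports each jail.
demo_file=$(mktemp)
f2b_sample_jail_local > "$demo_file"
f2b_check_jails "$demo_file"
rm -f "$demo_file"
```

Run it against a real file with `f2b_check_jails /etc/fail2ban/jail.local` after sourcing the script; note that addr-set-modsec is exactly 15 characters and therefore passes under the stated limit, while addr-set-wordpress (18 characters) is the only jail reported as TOO_LONG in the sample.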
