
Fail2ban cannot write iptables rules

Running CentOS 6.3 with fail2ban version 0.9.6, fail2ban cannot write iptables rules after starting, and nothing related to the f2b chain shows up in iptables -L. I set it up on a local virtual machine and it works like a charm, but on this server it generates logs that have been driving me crazy for two days. Please look at the logs; it seems to me that it cannot write rules to iptables, and I wonder how to fix this. P.S. The jails have been tested and verified. Any help in this regard would be greatly appreciated. Thanks in advance.

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

service fail2ban status

fail2ban-server (pid  30663) is running...
Status
|- Number of jail:      2
`- Jail list:   opensips, ssh-iptables

fail2ban logs

Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.6
Feb 20 19:14:05 server-1 fail2ban.database[21215]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'ssh-iptables'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/secure
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxlines = 10
Feb 20 19:14:05 server-1 fail2ban.server[21215]: INFO Jail ssh-iptables is not a JournalFilter instance
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Creating new jail 'opensips'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' uses pyinotify {}
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Initiated 'pyinotify' backend
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Added logfile = /var/log/messages
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set maxRetry = 2
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set jail log file encoding to UTF-8
Feb 20 19:14:05 server-1 fail2ban.actions[21215]: INFO Set banTime = 60
Feb 20 19:14:05 server-1 fail2ban.filter[21215]: INFO Set findtime = 600
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'opensips' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'ssh-iptables' action 'iptables-allports': Error starting action
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-opensips#012iptables  -A f2b-opensips -j RETURN#012iptables  -I INPUT -p all -j f2b-opensips -- returned 3
Feb 20 19:14:06 server-1 fail2ban.actions[21215]: ERROR Failed to start jail 'opensips' action 'iptables-allports': Error starting action

The problem was the Python version. I edited /usr/bin/fail2ban-client and /usr/bin/fail2ban-server, putting the correct path ("whereis python" gives you the paths) in the top line, as

#!/usr/bin/python2.6 -Es

which previously was

#!/usr/bin/python -Es (an older Python version),

Because it was compiled against that old version, fail2ban could not write iptables rules. Start fail2ban with the command: fail2ban-client start

Now it works and blocks unwanted IP addresses.
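A small diagnostic script for this situation, added here as an example and not part of the original thread. It checks the two things the question and answer turn on: which interpreter the fail2ban-client/fail2ban-server shebangs actually point at (the answer's fix), and whether the running user can open the iptables filter table at all. The "can't initialize iptables table `filter': Permission denied" text in the logs is printed by iptables itself when it cannot open that table, which requires root (CAP_NET_ADMIN), so the script reports that separately from the interpreter check. It also parses fail2ban's logged action errors into their distinct stderr messages and reports whether the f2b-* chains exist and are hooked into INPUT, which is the third command of the iptables-allports actionstart seen in the logs. The paths /usr/bin/fail2ban-client, /usr/bin/fail2ban-server and /var/log/messages are assumed CentOS 6 defaults; the sample log lines and iptables -S output are constructed from the question (abridged), and the f2b-stale chain is made up to show the orphan case.

```shell
#!/bin/sh
# Diagnostic helpers for "fail2ban cannot write iptables rules" (CentOS 6,
# fail2ban 0.9.x).  Added example, not part of the original post.  The paths
# used by f2b_live_check are assumed CentOS defaults; the SAMPLE_* data is
# constructed from the question's log and is abridged.

# Print the interpreter named in FILE's shebang (the answer's fix was to make
# this an explicit python2.6).  Returns 1 when there is no shebang or the
# interpreter is not an executable file.
f2b_shebang_interpreter() {
    line=$(head -n 1 "$1")
    case $line in
        '#!'*) ;;
        *) echo "no shebang in $1" >&2; return 1 ;;
    esac
    set -- ${line#"#!"}          # word-split: $1 = interpreter, rest = "-Es" etc.
    echo "$1"
    [ -x "$1" ]
}

# Read fail2ban log text on stdin and print each distinct line an iptables
# action wrote to stderr.  fail2ban logs the whole stderr as one quoted string
# with newlines escaped as the two characters \n, so they are unescaped here.
f2b_action_errors() {
    awk '
        /fail2ban\.action\[[0-9]+\]: ERROR .* -- stderr: "/ {
            sub(/.* -- stderr: "/, "")
            sub(/"$/, "")
            gsub(/\\n/, "\n")
            n = split($0, msg, "\n")
            for (i = 1; i <= n; i++)
                if (msg[i] != "" && !seen[msg[i]]++) print msg[i]
        }'
}

# Read `iptables -S` output on stdin; print each f2b-* chain followed by
# "hooked" when INPUT jumps to it (actionstart's third command succeeded) or
# "orphan" when the chain exists but nothing sends traffic into it.
f2b_chains() {
    awk '
        $1 == "-N" && $2 ~ /^f2b-/ && !($2 in chain) { chain[$2] = "orphan" }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^f2b-/) chain[$(i + 1)] = "hooked"
        }
        END { for (c in chain) print c, chain[c] }'
}

# Live checks against this host; run as root with:  sh f2b_diag.sh --live
f2b_live_check() {
    for s in /usr/bin/fail2ban-client /usr/bin/fail2ban-server; do
        printf '%s runs under: ' "$s"
        f2b_shebang_interpreter "$s" || echo "  -> interpreter missing or not executable"
    done
    # iptables needs CAP_NET_ADMIN; if this fails, fail2ban's actions, which
    # run the same binary, cannot open the filter table either.
    if iptables -L -n >/dev/null 2>&1; then
        echo "iptables filter table: accessible"
    else
        echo "iptables filter table: NOT accessible (uid $(id -u))"
    fi
    echo "f2b chains present:"
    iptables -S 2>/dev/null | f2b_chains
    echo "distinct action errors logged:"
    f2b_action_errors < /var/log/messages
}

# Constructed sample input: two lines from the question, abridged.
SAMPLE_LOG=$(cat <<'EOF'
Feb 20 19:14:05 server-1 fail2ban.jail[21215]: INFO Jail 'ssh-iptables' started
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stdout: ''
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- stderr: "iptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.7: can't initialize iptables table `filter': Permission denied\nPerhaps iptables or your kernel needs to be upgraded.\n"
Feb 20 19:14:06 server-1 fail2ban.action[21215]: ERROR iptables  -N f2b-SSH#012iptables  -A f2b-SSH -j RETURN#012iptables  -I INPUT -p tcp -j f2b-SSH -- returned 3
EOF
)

# Constructed `iptables -S` output for a working setup plus a made-up
# f2b-stale chain that was created but never hooked into INPUT.
SAMPLE_RULES=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-SSH
-N f2b-opensips
-N f2b-stale
-A INPUT -p tcp -j f2b-SSH
-A INPUT -j f2b-opensips
-A f2b-SSH -j RETURN
-A f2b-opensips -j RETURN
-A f2b-stale -j RETURN
EOF
)

case ${1:-} in
    --live) f2b_live_check ;;
    *)  # offline demo on the constructed samples
        printf '%s\n' "$SAMPLE_LOG"   | f2b_action_errors
        printf '%s\n' "$SAMPLE_RULES" | f2b_chains ;;
esac
```

Without arguments the script only runs the parsers over the embedded samples, which needs no privileges; with --live it inspects the host. If the shebang line reports an interpreter that does not exist, you are in the answer's situation; if the filter table is reported as not accessible even as root, the problem is between iptables and the kernel rather than in fail2ban's Python.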