Fail2Ban cannot insert iptables rules

It looks like my fail2ban cannot ban a host:

    2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-apache-noscript returned 100
    2013-06-22 18:18:24,546 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2013-06-22 18:18:24,869 fail2ban.actions.action: ERROR iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP returned 100

When I run the command manually, iptables complains:

    # iptables -D fail2ban-apache-noscript -s 185.13.228.98 -j DROP
    iptables: Bad rule (does a matching rule exist in that chain?).

Although the chain does seem to exist:

    # iptables -L -v -n
    Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
     pkts bytes target                    prot opt in     out     source               destination
       93  7257 fail2ban-apache           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
        0     0 fail2ban-sasl             tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
        0     0 fail2ban-postfix          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
      311 27844 fail2ban-ssh              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 130
       93  7257 fail2ban-apache-overflows tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
       93  7257 fail2ban-apache-multiport tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
      311 27844 fail2ban-ssh-ddos         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 130
      406 35205 fail2ban-pam-generic      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       93  7257 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 296 packets, 105K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain fail2ban-apache (1 references)
     pkts bytes target     prot opt in     out     source               destination
       93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-multiport (1 references)
     pkts bytes target     prot opt in     out     source               destination
       93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-noscript (1 references)
     pkts bytes target     prot opt in     out     source               destination
       93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-apache-overflows (1 references)
     pkts bytes target     prot opt in     out     source               destination
       93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-pam-generic (1 references)
     pkts bytes target     prot opt in     out     source               destination
      406 35205 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-postfix (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-sasl (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-ssh (1 references)
     pkts bytes target     prot opt in     out     source               destination
      311 27844 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fail2ban-ssh-ddos (1 references)
     pkts bytes target     prot opt in     out     source               destination
      311 27844 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

What is the problem?!

Notice the configuration of the chain you are trying to delete the rule from:

    Chain fail2ban-apache-noscript (1 references)
     pkts bytes target     prot opt in     out     source               destination
       93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Apart from the RETURN rule that matches everything, there is no rule in that chain to delete. So the ban that fail2ban is trying to remove is already gone.

Most likely you can ignore this, since what the command was trying to achieve has already happened. As you have no active bans, you may want to run /etc/init.d/fail2ban force-reload just to clean up its state.
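As an added illustration (not part of the question or the answer above), here is a small Python parser for `iptables -L -v -n` output that checks, before an `iptables -D` is attempted, whether the chain exists and whether a DROP rule for the banned address is actually present. It reproduces the reasoning in the answer: the delete fails because the only rule left in the chain is the trailing RETURN. The `LISTING_NO_BAN` sample is taken from the chain shown in the question; `LISTING_WITH_BAN`, which adds a DROP line, is a constructed, hypothetical listing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the INPUT chain and the fail2ban-apache-noscript
# chain from the listing in the question (other chains omitted).
LISTING_NO_BAN = """\
Chain INPUT (policy ACCEPT 412 packets, 36051 bytes)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 fail2ban-apache-noscript  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed, hypothetical sample: the same chain while a ban is active.
# fail2ban inserts the DROP rule above the trailing RETURN.
LISTING_WITH_BAN = """\
Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DROP       all  --  *      *       185.13.228.98        0.0.0.0/0
   93  7257 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # trailing match options such as "multiport dports 80,443"


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -v -n` output into {chain name: [rules in order]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        fields = line.split(None, 9)
        # Skip blank lines, the column header and text before the first chain.
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue
        source = fields[7]
        if source.endswith("/32"):  # normalise a host mask if one is printed
            source = source[:-3]
        chains[current].append(Rule(
            target=fields[2],
            proto=fields[3],
            source=source,
            destination=fields[8],
            extra=fields[9] if len(fields) > 9 else "",
        ))
    return chains


def find_ban(chains: Dict[str, List[Rule]], chain: str, ip: str) -> Optional[Rule]:
    """Return the DROP rule for `ip` in `chain`, i.e. what `-D chain -s ip -j DROP` must match."""
    for rule in chains.get(chain, []):
        if rule.target == "DROP" and rule.source == ip:
            return rule
    return None


def diagnose(listing: str, chain: str, ip: str) -> str:
    """Predict whether `iptables -D <chain> -s <ip> -j DROP` can succeed on this listing."""
    chains = parse_listing(listing)
    if chain not in chains:
        return "chain-missing"  # iptables would report "No chain/target/match by that name."
    if find_ban(chains, chain, ip) is None:
        return "ban-missing"    # iptables would report "Bad rule (does a matching rule exist in that chain?)."
    return "ban-present"


if __name__ == "__main__":
    target_chain, banned_ip = "fail2ban-apache-noscript", "185.13.228.98"
    print("question's listing:", diagnose(LISTING_NO_BAN, target_chain, banned_ip))
    print("listing with ban:  ", diagnose(LISTING_WITH_BAN, target_chain, banned_ip))
```

On a live system the same question can be put to iptables directly without parsing: `iptables -C fail2ban-apache-noscript -s 185.13.228.98 -j DROP` exits 0 when the rule is present and non-zero otherwise, which is the check to run before treating a failed `-D` as an error rather than as an already-removed ban.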