fail2ban Fehler mit Firewalld (f2b-: Keine solche Datei oder Verzeichnis)

tag-icon tag-icon iptables centos7 fail2ban firewalld
fail2ban Fehler mit Firewalld (f2b-: Keine solche Datei oder Verzeichnis)

Ich habe fail2ban monatelang ohne Probleme verwendet, aber nach einem CentOS-Upgrade funktionierte es nicht mehr. Es scheint, dass die iptables-Einträge nicht erstellt werden. Ich habe bereits versucht, fail2ban neu zu starten, den VPS neu zu starten und alle grundlegenden Dinge. Die relevanten Fehler sind:

In /var/log/fail2ban.log:

2020-01-12 12:15:52,994 fail2ban.actions        [496]: NOTICE  [postfix-reject-dynamo] Restore Ban 12.160.87.219
2020-01-12 12:15:54,684 fail2ban.utils          [496]: #39-Lev. 7f4db54f9c90 -- exec: firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: 'filter'"
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- returned 13
2020-01-12 12:15:54,686 fail2ban.actions        [496]: ERROR   Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports

In /var/log/firewalld:

2020-01-12 12:15:53 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed

2020-01-12 12:15:53 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed

2020-01-12 12:15:54 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory

iptables -LAusgabe:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Inhalt von /etc/systemd/system/multi-user.target.wants/fail2ban.service:

[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service
PartOf=iptables.service firewalld.service

[Service]
Type=simple
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

[Install]
WantedBy=multi-user.target

Hier der vollständige Ablauf, /var/log/fail2ban.logbis der Fehler auftritt:

2020-01-12 12:15:51,018 fail2ban.server         [496]: INFO    Starting Fail2ban v0.10.4
2020-01-12 12:15:51,037 fail2ban.database       [496]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-01-12 12:15:51,183 fail2ban.jail           [496]: INFO    Creating new jail 'sshd'
2020-01-12 12:15:51,834 fail2ban.jail           [496]: INFO    Jail 'sshd' uses systemd {}
2020-01-12 12:15:51,836 fail2ban.jail           [496]: INFO    Initiated 'systemd' backend
2020-01-12 12:15:51,837 fail2ban.filter         [496]: INFO      maxLines: 1
2020-01-12 12:15:51,878 fail2ban.filtersystemd  [496]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-01-12 12:15:51,879 fail2ban.filter         [496]: INFO      maxRetry: 5
2020-01-12 12:15:51,879 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,880 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:51,880 fail2ban.actions        [496]: INFO      banTime: 3600
2020-01-12 12:15:51,882 fail2ban.jail           [496]: INFO    Creating new jail 'webmin-auth'
2020-01-12 12:15:51,882 fail2ban.jail           [496]: INFO    Jail 'webmin-auth' uses systemd {}
2020-01-12 12:15:51,883 fail2ban.jail           [496]: INFO    Initiated 'systemd' backend
2020-01-12 12:15:51,889 fail2ban.filter         [496]: INFO      maxRetry: 5
2020-01-12 12:15:51,889 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,889 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:51,890 fail2ban.actions        [496]: INFO      banTime: 600
2020-01-12 12:15:51,891 fail2ban.jail           [496]: INFO    Creating new jail 'proftpd'
2020-01-12 12:15:51,891 fail2ban.jail           [496]: INFO    Jail 'proftpd' uses systemd {}
2020-01-12 12:15:51,893 fail2ban.jail           [496]: INFO    Initiated 'systemd' backend
2020-01-12 12:15:51,898 fail2ban.filtersystemd  [496]: INFO    [proftpd] Added journal match for: '_SYSTEMD_UNIT=proftpd.service'
2020-01-12 12:15:51,899 fail2ban.filter         [496]: INFO      maxRetry: 5
2020-01-12 12:15:51,899 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,899 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:51,900 fail2ban.actions        [496]: INFO      banTime: 3600
2020-01-12 12:15:51,901 fail2ban.jail           [496]: INFO    Creating new jail 'postfix'
2020-01-12 12:15:51,901 fail2ban.jail           [496]: INFO    Jail 'postfix' uses systemd {}
2020-01-12 12:15:51,902 fail2ban.jail           [496]: INFO    Initiated 'systemd' backend
2020-01-12 12:15:51,913 fail2ban.filtersystemd  [496]: INFO    [postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2020-01-12 12:15:51,914 fail2ban.filter         [496]: INFO      maxRetry: 5
2020-01-12 12:15:51,914 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,914 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:51,915 fail2ban.actions        [496]: INFO      banTime: 3600
2020-01-12 12:15:51,916 fail2ban.jail           [496]: INFO    Creating new jail 'dovecot'
2020-01-12 12:15:51,916 fail2ban.jail           [496]: INFO    Jail 'dovecot' uses systemd {}
2020-01-12 12:15:51,917 fail2ban.jail           [496]: INFO    Initiated 'systemd' backend
2020-01-12 12:15:51,926 fail2ban.filtersystemd  [496]: INFO    [dovecot] Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2020-01-12 12:15:51,926 fail2ban.datedetector   [496]: INFO      date pattern `''`: `{^LN-BEG}TAI64N`
2020-01-12 12:15:51,927 fail2ban.filter         [496]: INFO      maxRetry: 5
2020-01-12 12:15:51,927 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:51,928 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:51,928 fail2ban.actions        [496]: INFO      banTime: 3600
2020-01-12 12:15:51,929 fail2ban.jail           [496]: INFO    Creating new jail 'postfix-reject-dynamo'
2020-01-12 12:15:52,032 fail2ban.jail           [496]: INFO    Jail 'postfix-reject-dynamo' uses poller {}
2020-01-12 12:15:52,033 fail2ban.jail           [496]: INFO    Initiated 'polling' backend
2020-01-12 12:15:52,118 fail2ban.filter         [496]: INFO    Added logfile: '/var/log/maillog' (pos = 17320260, hash = 48479d10b4c7d022471955ff13511a8c)
2020-01-12 12:15:52,119 fail2ban.filter         [496]: INFO      maxRetry: 3
2020-01-12 12:15:52,119 fail2ban.filter         [496]: INFO      encoding: ANSI_X3.4-1968
2020-01-12 12:15:52,120 fail2ban.filter         [496]: INFO      findtime: 600
2020-01-12 12:15:52,120 fail2ban.actions        [496]: INFO      banTime: 3600
2020-01-12 12:15:52,222 fail2ban.jail           [496]: INFO    Jail 'sshd' started
2020-01-12 12:15:52,260 fail2ban.filtersystemd  [496]: NOTICE  Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2020-01-12 12:15:52,269 fail2ban.jail           [496]: INFO    Jail 'webmin-auth' started
2020-01-12 12:15:52,401 fail2ban.jail           [496]: INFO    Jail 'proftpd' started
2020-01-12 12:15:52,659 fail2ban.jail           [496]: INFO    Jail 'postfix' started
2020-01-12 12:15:52,787 fail2ban.jail           [496]: INFO    Jail 'dovecot' started
2020-01-12 12:15:52,800 fail2ban.jail           [496]: INFO    Jail 'postfix-reject-dynamo' started
2020-01-12 12:15:52,994 fail2ban.actions        [496]: NOTICE  [postfix-reject-dynamo] Restore Ban 12.160.87.219
2020-01-12 12:15:54,684 fail2ban.utils          [496]: #39-Lev. 7f4db54f9c90 -- exec: firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: 'filter'"
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed"
2020-01-12 12:15:54,685 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory"
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: 'Error occurred at line: 2'
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: "Try `iptables-restore -h' or 'iptables-restore --help' for more information."
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- stderr: ''
2020-01-12 12:15:54,686 fail2ban.utils          [496]: ERROR   7f4db54f9c90 -- returned 13
2020-01-12 12:15:54,686 fail2ban.actions        [496]: ERROR   Failed to execute ban jail 'postfix-reject-dynamo' action 'firewallcmd-allports' info 'ActionInfo({'ip': '12.160.87.219', 'fid': <function <lambda> at 0x7f4db41bf578>, 'family': 'inet4', 'raw-ticket': <function <lambda> at 0x7f4db41bfa28>})': Error starting action Jail('postfix-reject-dynamo')/firewallcmd-allports

CentOS Linux Version 7.7.1908 (Core)

Ich habe keine Ahnung, was hier passiert.

Ich schätze Ihre Hilfe.

Antwort1

Fail2ban-Fehler mit Firewalld …

Nun, dies ist kein Fail2Ban-Fehler.

Grundsätzlich versucht fail2ban, die folgenden Befehle auszuführen (Sie können dies selbst in der Shell als Root versuchen):

firewall-cmd --direct --add-chain ipv4 filter f2b-postfix-reject-dynamo
firewall-cmd --direct --add-rule ipv4 filter f2b-postfix-reject-dynamo 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-postfix-reject-dynamo

Aus irgendeinem Grund firewall-cmdoder eher iptables-restore, das intern von Firewall-CMD verwendet zu werden scheint, schlägt mit folgendem fehl:

Couldn't load target `f2b-postfix-reject-dynamo':No such file or directory

Normalerweise ergibt diese Meldung keinen Sinn, da firewall-cmddiese Kette erstellt wird und dieser Fehler so aussieht, als würde er eine Regelzielkette erstellen f2b-postfix-reject-dynamo, die aus irgendeinem Grund noch nicht existiert. Sie sollten prüfen, ob es persistente Regeln gibt, die auf diese (nicht vorhandene) Kette abzielen, und diese reparieren (oder entfernen).

Beispielsweise würden Sie den gleichen Fehler erhalten, wenn Sie versuchen würden, dies ohne den ersten Befehl auszuführen:

# ## iptables -w -N f2b-test-chain; # this creates a chain
# iptables -w -I INPUT 1 -j f2b-test-chain; # insert rule to INPUT chain targeting f2b-test-chain
...
iptables v1.6.0: Couldn't load target `f2b-test-chain':No such file or directory

was ziemlich eindeutig ein Fehler ist (der erste Befehl zum Erstellen einer Kette ist kommentiert).

Daher scheint ein Teil des internen Streams, den Firewalld wiederherzustellen versucht, iptables-restorefalsch zu sein (enthält ungültige Referenzen).

Übrigens, warum verwenden Sie nicht direkt iptables anstelle von Firewalld?

verwandte Informationen