Fail2Ban, iptables and SELinux: a three-way tangle

After installing and configuring Fail2Ban with yum (from the EPEL repository),
I could see the relevant statistics (fail2ban-client status ssh-iptables)
and also received email notifications that someone was trying passwords, but it simply would not ban the IP,
and the chain that Fail2Ban adds was nowhere to be seen in iptables either.

Looking at fail2ban.log showed the following error messages.
# rpm -q fail2ban
 fail2ban-0.8.14-2.el6.noarch

# uname -r
 2.6.32-504.23.4.el6.i686

# cat /var/log/fail2ban.log
 2015-07-01 13:21:07,299 fail2ban.actions.action[32420]: ERROR iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \t]' returned 100
 2015-07-01 13:21:07,299 fail2ban.actions.action[32420]: CRITICAL Unable to restore environment
 2015-07-01 14:53:19,471 fail2ban.server [32420]: INFO Stopping all jails
 2015-07-01 14:53:20,158 fail2ban.actions.action[32420]: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
 iptables -F fail2ban-SSH
 iptables -X fail2ban-SSH returned 300
 2015-07-01 14:53:20,243 fail2ban.jail [32420]: INFO Jail 'ssh-iptables' stopped
 2015-07-01 14:53:20,245 fail2ban.server [32420]: INFO Exiting Fail2ban

After switching SELinux to Permissive mode, Fail2ban worked normally (the ssh-iptables chain became visible).
Checking the SELinux alerts showed the following message:
SELinux Is Preventing /sbin/iptables-multi-1.4.7 From Read Access On The File/rawip_socket

Next, check the SELinux context of iptables-multi-1.4.7; it should be system_u:object_r:iptables_exec_t:s0.
# ls -lZ /sbin/iptables-multi-1.4.7
 -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7

Fix the SELinux context:
# restorecon -R -v /sbin/
 restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0
->system_u:object_r:iptables_exec_t:s0
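As an added example (not part of the original post), here is a small POSIX shell helper that parses a line of `ls -lZ` output, extracts the SELinux type, and reports whether an iptables binary carries the expected iptables_exec_t label; the two sample lines are constructed to mirror the before/after output above, and the /sbin/iptables-multi-1.4.7 path is the one from this post. The check_live function is an assumed convenience wrapper for running the same test on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: verify the SELinux type label
# of an iptables binary, since a bin_t label (instead of iptables_exec_t)
# is what stopped Fail2Ban from managing its chain in the post above.

# Print the SELinux type (third field of user:role:type:level)
# from one line of `ls -lZ` output.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Exit 0 when the line shows the iptables_exec_t type, 1 otherwise.
iptables_label_ok() {
    [ "$(selinux_type_of "$1")" = "iptables_exec_t" ]
}

# Constructed sample lines mirroring the post's output before and after restorecon.
WRONG_LINE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7'
FIXED_LINE='-rwxr-xr-x. root root system_u:object_r:iptables_exec_t:s0 /sbin/iptables-multi-1.4.7'

# Assumed wrapper: run the check against a real file on an SELinux host.
# Exit 0 = correctly labelled, 1 = mislabelled, 2 = file missing or no -Z support.
check_live() {
    bin=${1:-/sbin/iptables-multi-1.4.7}
    [ -e "$bin" ] || { echo "no such file: $bin"; return 2; }
    line=$(ls -lZ "$bin" 2>/dev/null) || return 2
    if iptables_label_ok "$line"; then
        echo "OK: $bin is labelled iptables_exec_t"
    else
        echo "MISLABELLED: $bin is $(selinux_type_of "$line"); fix with: restorecon -v $bin"
        return 1
    fi
}

# Offline demonstration on the constructed lines.
echo "before: $(selinux_type_of "$WRONG_LINE")"
echo "after:  $(selinux_type_of "$FIXED_LINE")"
```

On a host with SELinux enforcing, `check_live /sbin/iptables-multi-1.4.7` gives a one-line verdict and suggests the restorecon command from the post when the label is wrong; the same parser can be pointed at any other binary whose expected type you know.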

# service fail2ban restart

It works!!!!