I had issues with fail2ban on my system so I installed a new one to see how the default installation behaves.
I have just installed a fresh copy of FreePBX distro 6.12.65 (64Bits) without making any further updates.
System admin shows version 6.12.65.28.
I tried banning myself while trying to login to the web UI (with https). Although I tried many times and several combinations (correct username with wrong password, correct user name with blank password, wrong username & password) the fail2ban mechanism is not banning my IP. (I am connecting from a remote machine).
I then tried SIP and it does work.
I then checked the /var/log/fail2ban.log and I saw this error:
2015-07-31 08:07:00,524 fail2ban.jail : INFO Jail 'apache-badbots' started
2015-07-31 08:07:00,535 fail2ban.actions.action: ERROR iptables -N fail2ban-BadBots
iptables -A fail2ban-BadBots -j RETURN
iptables -I INPUT -p all -m multiport --dports http,https -j fail2ban-BadBots returned 200
and this:
2015-07-31 08:07:00,538 fail2ban.jail : INFO Jail 'pbx-gui' started
2015-07-31 08:07:00,538 fail2ban.filter : WARNING Unable to find a corresponding IP address for ::1
Note that I am not using IPv6 (I just did not enable it during the Network Configuration while installing the ISO).
What am I doing wrong? I obviously want to ban anyone who accesses the web interface (with http & https) and fails to provide correct logins.
I also noticed that when the system has started… fail2ban (in the admin module) shows as running.
If I click restart it does not.
When this is happening the fail2ban.log shows this:
I think I found why fail2ban is not banning failed GUI logins…
Checking the contents of /var/log/httpd/error_log shows NO failed logins at all (using either http or https).
Isn’t this the logfile that should register the failed attempts so they can be picked up from fail2ban???
I confirm (again) that default setup of the ISO (64bit) with no changes other than going to the Sysadmin module in order to define the email address of fail2ban notifications is NOT working properly AT LEAST relating to banning the GUI failed logins.
Looking under the hood I discovered:
a) The jail.local file contains the wrong logfile to be inspected in the [apache-tcpwrapper] jail. It is reading /var/log/httpd/error_log; however, this file is not recording the failed attempts. I changed that to /var/log/asterisk/freepbx_security.log, and
b) Looking at /etc/fail2ban/filter.d/apache-auth.conf I saw the following as default:
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
I therefore added:
            failure for .* from <HOST>
I restarted fail2ban and then the failed GUI logins were picked up.
Problems:
Any changes to sysadmin module will overwrite them so the module needs to be fixed asap.
My knowledge of fail2ban and regexes is close to zero. I therefore don't know what other changes are needed because currently they are (or might not be) operational. I only tested the failed logins from the GUI. What about badbots? What about SIP? etc.
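To make the two findings above concrete (the Apache error-log patterns never fire on the FreePBX security log, while the one-line `failure for .* from <HOST>` pattern does), here is an added, stand-alone Python example that is not part of the original post or of FreePBX/fail2ban. It applies fail2ban-style filtering and the maxretry/findtime window to a few constructed log lines. The `<HOST>` expansion, the `_apache_error_client` prefix (copied from memory of fail2ban 0.9's apache-common.conf) and the freepbx_security.log line format are all assumptions made for the example; on a real box, `fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/<your-filter>.conf` is the authoritative check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: a simplified stand-in for fail2ban's <HOST> tag (the real
# tag is broader, but IPv4 and IPv6 literals are covered here).
HOST_RE = r"(?P<host>[\w\-.:]+\w)"


def compile_filter(failregex):
    """Turn a fail2ban-style failregex (with <HOST>) into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


# The single pattern the post adds for /var/log/asterisk/freepbx_security.log.
FREEPBX_FILTER = compile_filter(r"failure for .* from <HOST>")

# Assumption: fail2ban 0.9's _apache_error_client prefix, from memory, plus
# the "user not found" line from apache-auth.conf quoted in the post.
APACHE_PREFIX = (r"\[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:tid \d+)?\])?"
                 r" \[client <HOST>(:\d{1,5})?\]")
APACHE_AUTH_NOTFOUND = compile_filter(
    APACHE_PREFIX + r" (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$")

# Constructed sample of what FreePBX writes on GUI login attempts. The
# exact format is an assumption; the timestamps and addresses are made up.
SAMPLE_LOG = """\
[2015-07-31 08:10:01] [freepbx.SECURITY]: Authentication failure for admin from 198.51.100.23
[2015-07-31 08:10:05] [freepbx.SECURITY]: Authentication failure for admin from 198.51.100.23
[2015-07-31 08:10:09] [freepbx.SECURITY]: Authentication failure for root from 198.51.100.23
[2015-07-31 08:11:00] [freepbx.SECURITY]: Authentication failure for admin from 203.0.113.8
[2015-07-31 08:11:30] [freepbx.SECURITY]: Authentication success for admin from 203.0.113.8
[2015-07-31 08:40:00] [freepbx.SECURITY]: Authentication failure for admin from 2001:db8::1
[2015-07-31 08:41:00] [freepbx.SECURITY]: Authentication failure for admin from 2001:db8::1
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def count_matches(log_text, filt):
    """How many lines of the log a given filter would consider failures."""
    return sum(1 for line in log_text.splitlines() if filt.search(line))


def parse_failures(log_text, filt):
    """Return (timestamp, host) for each line the filter matches."""
    failures = []
    for line in log_text.splitlines():
        m = filt.search(line)
        ts = TS_RE.match(line)
        if not m or not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        failures.append((when, m.group("host")))
    return failures


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Apply fail2ban's rule: ban a host once it has maxretry failures
    inside a sliding window of findtime seconds."""
    banned = set()
    window = defaultdict(list)
    for when, host in sorted(failures):
        recent = window[host]
        recent.append(when)
        # Drop failures that fell out of the findtime window.
        while recent and (when - recent[0]).total_seconds() > findtime:
            recent.pop(0)
        if len(recent) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("apache-auth matches:", count_matches(SAMPLE_LOG, APACHE_AUTH_NOTFOUND))
    print("freepbx filter matches:", count_matches(SAMPLE_LOG, FREEPBX_FILTER))
    print("would ban:", hosts_to_ban(parse_failures(SAMPLE_LOG, FREEPBX_FILTER)))
```

Run as-is, the Apache pattern matches nothing (which is exactly why the stock jail stayed silent), the FreePBX pattern matches the six failure lines but not the success line, and only the host with three failures inside ten minutes gets banned; the IPv6 host with two spaced-out failures stays under maxretry.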