Fail2ban does not ban wrong web logins?

Update:

I confirm (again) that the default setup of the ISO (64bit), with no changes other than going to the Sysadmin module in order to define the email address of fail2ban notifications, is NOT working properly, AT LEAST relating to banning the GUI failed logins.

Looking under the hood I discovered:

a) The jail.local file contains the wrong logfile to be inspected in the [apache-tcpwrapper] jail. It is reading /var/log/httpd/error_log; however, this file is not recording the failed attempts. I changed that to /var/log/asterisk/freepbx_security.log and

b) Looking at /etc/fail2ban/filter.d/apache-auth.conf I saw the following as default:

    failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
                ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
                ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
                ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$


I therefore added:

failure for . from < HOST >*

I restarted fail2ban and then the failed GUI logins were picked up.

Problems:

  1. Any changes to sysadmin module will overwrite them so the module needs to be fixed asap.
  2. My knowledge on fail2ban and regexes is close to zero. I therefore don’t know what other changes are needed because currently are (or might not be) operational. I only tested the failed logins from the GUI. What about badbots? What about SIP? Etc.

Comments?
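
A way to check a filter against sample lines before trusting a jail, added here as an illustration and not part of the original post or of FreePBX: it shows an apache-auth pattern matching an Apache error_log line but nothing in a security-log line, which is the mismatch described in (a) and (b). The `<HOST>` expansion, the shortened `_apache_error_client` prefix, the `FREEPBX_GUI` pattern and every log line below are constructed assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption;
# the real expansion also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(pattern):
    """Expand <HOST> as a filter line would be expanded, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST))

def offenders(failregexes, log_lines):
    """Return the host captured from each line that any failregex matches."""
    compiled = [compile_failregex(p) for p in failregexes]
    hits = []
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits

# One apache-auth pattern from the post; %(_apache_error_client)s is replaced
# by a shortened prefix (assumption). Unlike fail2ban, this sketch does not
# strip the timestamp before matching.
APACHE_AUTH = [
    r'^\[[^]]*\] \[\S+\] \[client <HOST>(:\d+)?\] (AH01617: )?user .*? '
    r'authentication failure for "\S*": Password Mismatch(, referer: \S+)?$'
]

# Hypothetical pattern for the FreePBX security log. <HOST> is anchored to the
# end of the line, so text in the user-name field cannot be taken as the host.
FREEPBX_GUI = [r"^\[[^]]*\] Authentication failure for .* from <HOST>\s*$"]

# Constructed sample lines; both formats are assumed.
ERROR_LOG = [
    '[Mon Mar 07 10:15:02 2016] [auth_basic:error] [client 192.0.2.10:51234] '
    'AH01617: user admin authentication failure for "/admin": Password Mismatch'
]
SECURITY_LOG = [
    "[2016-Mar-07 10:15:02] Authentication failure for admin from 198.51.100.7",
    "[2016-Mar-07 10:15:09] Authentication failure for 203.0.113.5 from 198.51.100.7",
]
```

On a real system, `fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/apache-auth.conf` performs the same check with fail2ban's own date handling and `<HOST>` expansion.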