Custom fail2ban jail on freepbx distro

How do I add a custom jail to fail2ban in FreePBX distro?
jail.local says changes will be overwritten on startup.
I want to add another logfile (FOP2).

I would also like to change the alert email body when attempts against UCP or the FreePBX GUI were made. It says attempts against SIP, which is confusing.


PBX Firmware: 6.12.65

Hi,

The FreePBX distro uses the *.local files of fail2ban. It means that fail2ban first reads the regular *.conf files and then the local version of them. So, if you want to add your own version to fail2ban, add it to the jail.conf file, but make sure that it is not similar to the jail.local file, to avoid the jail's configuration being overwritten.

You can add your own fop2.conf filter to the fail2ban filter directory and add it to your jail configuration.

To check that you have added your jail to fail2ban, you can type iptables -nL in the Linux console, and to see all of the fail2ban jails you can type fail2ban-client status.

Thank you,

Daniel Friedman
Trixton LTD.

Just posting the working config I used for other users who want to do the same. This is for PIAF and FreePBX distro, which come with a preconfigured fail2ban setup.

Enable the audit log for FOP2 with the -a command line variable. Edit /etc/sysconfig/fop2 and change the OPTIONS variable to include it, something similar to this:

OPTIONS="-d -a /var/log/fop2_audit.log"

Create a fop2.conf file in /etc/fail2ban/filter.d/ and put the following content in there:
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = fop2_server

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# The literal '|', '(' and ')' of the FOP2 audit line are escaped so they are
# not read as regex alternation and grouping.
failregex = GENERAL\|FAILED LOGIN \(bad password\)\|<HOST>:\d+
            GENERAL\|FAILED LOGIN \(non existant user\)\|<HOST>:\d+

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Then add below content to /etc/fail2ban/jail.conf:
[fop2]
enabled = true
filter = fop2
action = iptables-allports[name=FOP2, protocol=all]
         sendmail[name=FOP2, dest="your destination email", sender=root@"hostname"]
logpath = /var/log/fop2_audit.log
bantime = 1800
findtime = 600
maxretry = 8
backend = auto

Adjust bantime and the other settings, and change the action if you want to block specific ports rather than all of them.
Then do service fail2ban restart. Do fail2ban-client status to see if your jail got added.

A failed login attempt in /var/log/fop2_audit.log looks like this:

1447099540|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49379
1447099545|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49396
1447200927|maint|GENERAL|FAILED LOGIN (non existant user)|192.168.1.254:50060
1447200938|maint|GENERAL|FAILED LOGIN (non existant user)|192.168.1.254:50103

Good luck!
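Added example, not code from the thread or from FOP2/fail2ban: a short Python replay of the fop2 filter's two failregex lines over the audit lines above (the way fail2ban-regex would match them), together with the findtime/maxretry window that decides when the jail bans. It assumes the leading epoch field of each audit line is the event time; the extra log lines beyond the two quoted bad-password attempts are constructed.

```python
import re
from collections import defaultdict, deque

# fail2ban substitutes the <HOST> tag with this alias (quoted in the filter comments above)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The two failregex lines of the fop2 filter, with the literal '|', '(' and ')' escaped
FAILREGEX = [
    re.compile(r"GENERAL\|FAILED LOGIN \(bad password\)\|" + HOST + r":\d+"),
    re.compile(r"GENERAL\|FAILED LOGIN \(non existant user\)\|" + HOST + r":\d+"),
]

# Sample audit log: the two bad-password lines quoted in the post, then constructed lines:
# six more attempts from the same host inside the 600-second window and one from a second host
SAMPLE_LOG = [
    "1447099540|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49379",
    "1447099545|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:49396",
]
SAMPLE_LOG += ["%d|8800|GENERAL|FAILED LOGIN (bad password)|192.168.1.254:%d" % (1447099550 + 5 * i, 49400 + i) for i in range(6)]
SAMPLE_LOG.append("1447099600|8801|GENERAL|FAILED LOGIN (non existant user)|10.0.0.7:51000")

def match_failure(line):
    """Host captured by the first matching failregex, or None (what fail2ban-regex would report)."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def find_bans(lines, findtime=600, maxretry=8):
    """Replay the log in order; ban a host once it has maxretry failures within findtime seconds.
    Assumption: the leading epoch field of each FOP2 audit line is the event time."""
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue
        ts = int(line.split("|", 1)[0])
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("would ban:", find_bans(SAMPLE_LOG))  # ['192.168.1.254']
```

Against the real log, fail2ban-regex /var/log/fop2_audit.log /etc/fail2ban/filter.d/fop2.conf is the authoritative check that the filter matches.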