For some reason, fail2ban config in the latest Distro download points to /var/log/asterisk/fail2ban instead of /var/log/asterisk/full
All you need to do to make fail2ban work is to edit /etc/fail2ban/jail.local, edit the logpath variable and restart fail2ban.
I did those changes (logger_logfiles_custom.conf and jail.local), restarted asterisk and fail2ban and everything works without any issues now.
Fail2ban should work much faster this way since there is really a lot less info to parse.
As an afterthought, maybe (in some future update) you should add these two lines to the /etc/fail2ban/asterisk.conf
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
NOTICE.* .*: Sending fake auth rejection for device .*@<HOST>.*
A lot of times brute force attacks result in “Sending fake auth…” so this does help with keeping those script kiddies at bay.
Anyway, great job and fast response.
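As an added illustration (not part of the post above, and not fail2ban's own code), the following script runs the two failregex lines proposed above against a few constructed Asterisk NOTICE lines and counts hits per source host, the way fail2ban does before deciding to ban. The expansion of the `<HOST>` tag is assumed to match what fail2ban 0.8.x substitutes before compiling; the findtime window is not modelled.

```python
import re
from collections import Counter

# fail2ban 0.8.x replaces the <HOST> tag in each failregex with a capturing
# group along these lines before compiling (assumed; minor versions differ).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines proposed for /etc/fail2ban/asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
    r"NOTICE.* .*: Sending fake auth rejection for device .*@<HOST>.*",
]

# Constructed sample of what the notice-only log would contain.
SAMPLE_LOG = [
    '[2012-08-01 10:15:32] NOTICE[2345] chan_sip.c: Failed to authenticate user "100" <sip:100@198.51.100.7>;tag=as1b2c3d',
    '[2012-08-01 10:15:33] NOTICE[2345] chan_sip.c: Sending fake auth rejection for device 100<sip:100@198.51.100.7>;tag=as1b2c3d',
    '[2012-08-01 10:15:34] NOTICE[2345] chan_sip.c: Peer \'200\' is now Reachable. (20ms / 2000ms)',
    '[2012-08-01 10:15:35] NOTICE[2345] chan_sip.c: Failed to authenticate user "101" <sip:101@198.51.100.7>;tag=as9f8e7d',
    '[2012-08-01 10:15:36] NOTICE[2345] chan_sip.c: Sending fake auth rejection for device 300<sip:300@203.0.113.9>;tag=as5a6b7c',
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def scan(lines, patterns=FAILREGEX, maxretry=3):
    """Count matching lines per host and return (hits, hosts at or over maxretry).

    Like fail2ban, a log line counts at most once even if several
    failregex entries would match it.
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    banned = {host for host, n in hits.items() if n >= maxretry}
    return hits, banned


if __name__ == "__main__":
    hits, banned = scan(SAMPLE_LOG)
    for host, n in hits.items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", sorted(banned))
```

With maxretry=3, the host behind the two "Failed to authenticate" lines and the one "Sending fake auth rejection" line reaches the threshold, while the host with a single fake-auth rejection does not; the "Peer ... is now Reachable" notice matches neither pattern, which is the point of keeping the patterns anchored on the specific chan_sip messages.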
Actually, do not edit that file. We purposely set up a new log file for fail2ban with just notices in it, so the log file is smaller for fail2ban to parse and it can react quicker.
Just add this to your /etc/asterisk/logger_logfiles_custom.conf
fail2ban => notice
I fixed it just now in all versions of the Distro that use the new fail2ban RPM. Not sure how I missed setting up the log file at install time.
Hi, I have 2 questions.
I am running 1.815.210.58-1. Why is the fail2ban version 0.8.4 from 2009 when the latest version is 0.8.7 from 7/2012?
I am getting these warnings after upgrade to 2.10:
WARNING ‘action’ not defined in ‘php-url-fopen’. Using default value
WARNING ‘action’ not defined in ‘lighttpd-fastcgi’. Using default value
ERROR No file found for /var/log/asterisk/fail2ban
ERROR No file found for /var/log/vsftpd.log
I guess the warnings are because PHP was updated, but fail2ban is out of date?
According to nuronce latest fail2ban is 0.8.7 or not?
Why do I have 0.8.6-9 ?
yum list fail2ban
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
fail2ban.noarch 0.8.6-9 installed