Fail2 ban log errors

duncanidaho · December 2, 2023, 3:21pm

I am getting this message in my fail2ban log file every 5 seconds or so

[2023-12-02 10:16:54] SECURITY[2672] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2023-12-02T10:16:54.315-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f9010000a40”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/40414”,UsingPassword=“0”,SessionTV=“2023-12-02T10:16:54.315-0500”

Here is my version
PBX Version: 16.0.40.7

PBX Distro: 12.7.8-2306-1.sng7

Asterisk Version: 19.8.0

Any help is appreciated.

dicko · December 2, 2023, 6:42pm

nothing wrong here, but this ami client would be better written to make just make one connection and keep it open.

duncanidaho · December 4, 2023, 3:49pm

Not sure what that means, is it a freepbx thing or some code I need to have written?

dicko · December 4, 2023, 4:24pm

Depends on what process is opening those connections, unfortunately too many use the admin account so you would have to resort to examining traffic on port 5038 on /dev/ something like wireshark or

tcpdump -v -i lo -s0 port 5938

duncanidaho · December 4, 2023, 6:09pm

what will that command do if I run it? I am a novice

dicko · December 5, 2023, 12:26am

it will dump to the console any traffic on the ‘local’ (127.0.0.1) interface on port 5038 (AMI) you will see textual strings mixed in with hex control that should identify the ‘requests’ being made, these should help identify the actual client making those connections

system · January 4, 2024, 12:27am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.