Fail2ban logs and settings

freepbx

#1

So I have been noticing, because I get notices, that my log files have become insanely huge. So like a bad nerd . . . I nuked the saved files and kicked the can further down the road :slight_smile:

Now, though, after configuring logrotate to gzip and keep 3 days, I am still seeing HUGE multi gb log files. So now that I have some free time, I started to look at the logs to see wth was going on…

[2020-04-03 07:22:08] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:08.992+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="51823975",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[22080] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.024+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3280018338",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[3621] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.055+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2117538611",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[4106] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.088+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="4124211804",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[29206] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.120+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3360152207",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[16312] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.153+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2005661688",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[6632] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.188+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3872365245",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[15609] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.222+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="785424236",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[5766] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.253+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2087857134",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[25053] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.286+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2507852990",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[12484] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.314+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2495901243",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[23925] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.344+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="1363025231",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[3477] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.375+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3623054478",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[8944] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.407+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="3221478638",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[31242] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.439+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="4261556237",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[15825] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.474+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2542901719",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[32318] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.504+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2713147453",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[1996] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs
[2020-04-03 07:22:09] SECURITY[25658] res_security_log.c: SecurityEvent="FailedACL",EventTV="2020-04-03T07:22:09.535+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="anonymous",SessionID="2022875923",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/63.250.32.95/5202",ACLName="registrar_attempt_without_configured_aors"
[2020-04-03 07:22:09] WARNING[22080] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs

This is where I r dumb. I got the system admin commercial license. Looking at the intrusion detection, I changed some things. I took the ban time from 1800 to 180000. But left the rest set to default. From what I have read in the wiki, the max retry is the number of times before the ban kicks in. It is set to 8. However, looking at these logs, there are more than 8 attempts.

Shouldn’t that IP be banned after 8 attempts?

And is there anything to do to get out of 2-3 gig daily fail2ban and it creating huge ‘full’ logs?

Thanks!


(Dave Burgess) #2

IIRC, it’s 8 attempts within the scanning period, so if the scan goes through the log’s last ‘n’ minutes and finds more than 8 attempts, the hammer is dropped.
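
The counting rule discussed in this thread, as an added example that is not part of the original posts and is not fail2ban's own code: it parses security-log lines in the format quoted in post #1, keeps a per-IP sliding window, and reports when the threshold is reached and how many further failures were logged afterwards. Assumptions: `scan`, `sample_log` and `findtime=600` are illustrative, the threshold is treated as reached at the `maxretry`-th failure, and the sample lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Pulls the event time and source IP out of an Asterisk security-log line
# in the format quoted in the first post.
EVENT_RE = re.compile(
    r'SecurityEvent="FailedACL",EventTV="(?P<tv>[^"]+)".*?'
    r'RemoteAddress="IPV4/\w+/(?P<ip>[\d.]+)/\d+"'
)

def scan(lines, maxretry=8, findtime=600):
    """Return {ip: [threshold_time, failures_logged_afterwards]}.

    An IP is listed only if maxretry failures fall inside one findtime
    window (seconds). findtime=600 is an assumed value, not from the thread.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # ip -> failure times still in the window
    hits = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue                 # WARNING lines are not counted as failures
        ip = m["ip"]
        if ip in hits:
            hits[ip][1] += 1         # logged after the threshold was reached
            continue
        ts = datetime.strptime(m["tv"], "%Y-%m-%dT%H:%M:%S.%f%z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            hits[ip] = [ts, 0]
    return hits

def sample_log():
    """Constructed log: a fast source (32 ms apart) and a slow one (120 s apart)."""
    base = datetime(2020, 4, 3, 7, 22, 8, 992000, tzinfo=timezone.utc)
    def line(ts, ip):
        tv = ts.strftime("%Y-%m-%dT%H:%M:%S.") + "%03d+0000" % (ts.microsecond // 1000)
        return ('[x] SECURITY[1] res_security_log.c: SecurityEvent="FailedACL",'
                f'EventTV="{tv}",Severity="Error",Service="PJSIP",'
                f'RemoteAddress="IPV4/UDP/{ip}/5202",ACLName="x"')
    fast = [line(base + timedelta(milliseconds=32 * i), "203.0.113.7") for i in range(18)]
    slow = [line(base + timedelta(seconds=1 + 120 * i), "198.51.100.9") for i in range(10)]
    noise = ["[x] WARNING[1] res_pjsip_registrar.c: Endpoint 'anonymous' has no configured AORs"]
    return fast + noise + slow
```

With the constructed sample, the fast source reaches the threshold at its 8th failure and 10 more lines from it are already in the log; the slow source never has 8 failures inside a 600-second window and only crosses the threshold if `findtime` is raised.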

