Fail2ban logs filling up

ashcortech · January 24, 2022, 11:04pm

FreePBX Distro 15

Getting gigabyte sized fail2ban logs filling up with this entry every second…

[2022-01-24 18:00:32] SECURITY[12085] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2022-01-24T18:00:32.279-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7f67080ae2f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/52870”,UsingPassword=“0”,SessionTV=“2022-01-24T18:00:32.279-0500”

not only is it eating up drive space but eventually it causes Fail2Ban to eat most of the cpu resources.

dicko · January 25, 2022, 12:17am

Legitimate AMI connections from admin to localhost/5028, FreePBX will do that every minute, they are updateing the ‘dashboard’ and if you are interacting with the GUI, more often, any more than that, then dig out wireshark . . .

ashcortech · January 25, 2022, 2:00am

something fubar with the freepbx firewall I think…

This system is on a vultr vm and have a VPN set up between it and my firewall. if i run the freepbx firewall I can’t ping to my network and my deskphone drops off and comes back online randomly (couple times an hour).

Kill the fire wall and watch the system, pings go continuosly back and forth no problem and the phone stays online… The Fail2Ban log still gets those entries but only about every minute or so as opposed to every second before.

dicko · January 25, 2022, 2:03am

Did you “dig out wireshark” yet? (tcpdump is a rough and ready ‘quick look’)

ashcortech · January 25, 2022, 2:04am

not yet… don’t have the energy for that tonight…

system · February 25, 2022, 2:04am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.