Fail2ban on Freepbx 15 distro NOT WORK VS GUI ATTACK


(Peter Fox) #1

Hi, I installed a FreePBX 15 system from the ISO. I found a bug in the freepbx.conf filter of fail2ban. On a fresh installation, fail2ban does not ban GUI brute-force attacks.
I noted that on FreePBX 15 the security logs have changed; there is the following string after the date:
“[freepbx_security.NOTICE]: Authentication…”
So I changed the filter.conf as follows:

[Definition]
datepattern = ^[%%Y-%%b-%%d %%H:%%M:%%S]
failregex = [freepbx_security.NOTICE]: Authentication failure for .* from <HOST>

but the issue is the same: the fail2ban-regex check does not match any lines in freepbx_security.log.

Please note that the same modified freepbx.conf filter has been installed on a Raspberry Pi 4 with Raspbian Buster and fail2ban works perfectly.

Does anyone have any ideas ?

Thanks


#2

I don’t believe ‘datepattern’ is supported by versions of f2b before 0.9


(Peter Fox) #3

Hi and thanks for your reply,

Fail2Ban version is v0.8.14 on the SNG7 system FreePBX 15 ISO.

I removed datepattern and now the freepbx.conf filter is:

[INCLUDES]
# Read common prefixes. If any customizations available - read them from
# common.local
#before = common.conf

[Definition]
#_daemon = freepbx

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#

failregex = \[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

This is the freepbx_security.log:
tail /var/log/asterisk/freepbx_security.log
[2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Authentication failure for dd from 192.168.80.65 [] []
[2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers fordd set to [] []
[2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Authentication failure for xxxx from 192.168.80.60 [] []
[2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forxxxx set to [] []
[2021-Jan-21 17:41:33] [freepbx_security.NOTICE]: Authentication failure for xxxxxttt from 192.168.80.60 [] []
[2021-Jan-21 17:41:33] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forxxxxxttt set to [] []
[2021-Jan-21 17:41:36] [freepbx_security.NOTICE]: Authentication failure for yyyyyy from 192.168.80.60 [] []
[2021-Jan-21 17:41:36] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers foryyyyyy set to [] []
[2021-Jan-21 17:41:39] [freepbx_security.NOTICE]: Authentication failure for zzzzzz from 192.168.80.60 [] []
[2021-Jan-21 17:41:39] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forzzzzzz set to [] []

and this is the result of fail2ban-regex:

fail2ban-regex /var/log/asterisk/freepbx_security.log /etc/fail2ban/filter.d/freepbx.conf

Running tests

Use failregex file : /etc/fail2ban/filter.d/freepbx.conf
Use log file : /var/log/asterisk/freepbx_security.log

Results

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 12 lines, 0 ignored, 0 matched, 12 missed
|- Missed line(s):
| [2020-Sep-21 14:52:19] [freepbx_security.NOTICE]: Authentication failure for admin from 192.168.80.164 [] []
| [2020-Sep-21 14:52:19] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers foradmin set to [] []
| [2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Authentication failure for dd from 192.168.80.65 [] []
| [2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers fordd set to [] []
| [2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Authentication failure for xxxx from 192.168.80.60 [] []
| [2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forxxxx set to [] []
| [2021-Jan-21 17:41:33] [freepbx_security.NOTICE]: Authentication failure for xxxxxttt from 192.168.80.60 [] []
| [2021-Jan-21 17:41:33] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forxxxxxttt set to [] []
| [2021-Jan-21 17:41:36] [freepbx_security.NOTICE]: Authentication failure for yyyyyy from 192.168.80.60 [] []
| [2021-Jan-21 17:41:36] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers foryyyyyy set to [] []
| [2021-Jan-21 17:41:39] [freepbx_security.NOTICE]: Authentication failure for zzzzzz from 192.168.80.60 [] []
| [2021-Jan-21 17:41:39] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forzzzzzz set to [] []

What do you think ?
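
An added example (not from the thread or from the FreePBX/fail2ban projects) that reproduces in plain Python what fail2ban does with this filter: recognise the `[%Y-%b-%d %H:%M:%S]` date prefix, apply the failregex with `<HOST>` expanded to the alias quoted in the filter's comment block, and count failures per host the way a jail's `maxretry`/`findtime` would. The log lines are constructed from the format shown above; the date step is the part that fail2ban 0.8 cannot do without `datepattern` support, so a line that fails it is reported as "missed" regardless of the failregex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the freepbx_security.log format quoted in the thread:
# a mix of "Authentication failure" lines and the "Possible proxy" noise lines.
SAMPLE_LOG = """\
[2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Authentication failure for dd from 192.168.80.65 [] []
[2021-Jan-21 16:18:34] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers fordd set to [] []
[2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Authentication failure for xxxx from 192.168.80.60 [] []
[2021-Jan-21 17:41:28] [freepbx_security.NOTICE]: Possible proxy detected, forwarded headers forxxxx set to [] []
[2021-Jan-21 17:41:33] [freepbx_security.NOTICE]: Authentication failure for xxxxxttt from 192.168.80.60 [] []
[2021-Jan-21 17:41:36] [freepbx_security.NOTICE]: Authentication failure for yyyyyy from 192.168.80.60 [] []
[2021-Jan-21 17:41:39] [freepbx_security.NOTICE]: Authentication failure for zzzzzz from 192.168.80.60 [] []
"""

# fail2ban's <HOST> alias, as quoted in the filter's comment block.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from the thread; fail2ban substitutes HOST_ALIAS for <HOST> before compiling.
FAILREGEX = r"\[freepbx_security\.NOTICE\]: Authentication failure for .* from <HOST>"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))

# The thread's datepattern [%Y-%b-%d %H:%M:%S] as a regex plus a strptime format.
# (In fail2ban .conf files the % is doubled to %%; here it is used directly.)
DATE_RE = re.compile(r"^\[(?P<date>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\]\s*")
DATE_FMT = "%Y-%b-%d %H:%M:%S"


def parse_line(line):
    """Return (timestamp, host) for an authentication-failure line, else None.

    Mirrors the two steps fail2ban performs: recognise the date prefix first,
    then apply failregex to the remainder of the line.
    """
    dm = DATE_RE.match(line)
    if dm is None:
        return None  # unknown date format: fail2ban lists such lines as "missed"
    ts = datetime.strptime(dm.group("date"), DATE_FMT)
    fm = FAIL_RE.search(line[dm.end():])
    if fm is None:
        return None  # e.g. the "Possible proxy detected" lines
    return ts, fm.group("host")


def failures(log_text):
    """All (timestamp, host) pairs extracted from the log text."""
    return [r for r in map(parse_line, log_text.splitlines()) if r is not None]


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Emulate jail counting: hosts that reach maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, host in failures(log_text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the findtime window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in failures(SAMPLE_LOG):
        print(ts.isoformat(), host)
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Running it lists five failures (one from 192.168.80.65, four from 192.168.80.60) and reports only 192.168.80.60 as reaching the default `maxretry` of 3; the proxy lines never match, which is the expected behaviour of the posted failregex once the date prefix is understood.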


#4

To match those lines you will need f2b ‘datepattern’ support,

Remediation is up to you Yossarian :wink:


(Peter Fox) #5

Can you explain better ?

What is “Remediation is up to you Yossarian” ?


#6

The Reference is to Catch 22, a book by Joseph Heller, where Yossarian is stuck on the horns of a dilemma, but that’s another story :slight_smile: .

The ‘Distro’ apparently locks you to their v0.8 RPM but you can’t parse their HTTP security logs with it.

You could ask Sangoma for a fix or manually install 10 or 11 from source over the top of what you have, the jails and actions should not be overwritten.


(Peter Fox) #7

OK, thanks a lot for your support.


(Peter Fox) #8

Could you help me to manually install version 10 on SNG7?


#9

No, I don’t use SNG7 or any RH derivatives, but the Fail2Ban web site has instructions. It puts all of fail2ban in /etc/fail2ban, so actions and jails might need to be re-checked to make sure they follow the correct log files.


(Peter Fox) #10

OK Thanks


#11

The normal yum methods are blocked. I’m sure it could be forced, but there could be consequences.

I don’t know if there are known issues with sysadmin/firewall module with the new versions, or if Sangoma was just lazy and locked the version “just in case” an update might break things then never looked back.

Either way being 6+ years out of date on a core security component is hard to justify.

Maybe @lgaetz can see if there are known issues?


(Lorne Gaetz) #12

I’ve reported this and asked our QA team to confirm.


(Peter Fox) #13

Okay, I will wait for an answer or an update from Sangoma before trying to force the update.

Thanks


(Snaggy) #14

I reported this error over a year ago, but the status still hasn’t changed and stayed in “Triage” https://issues.freepbx.org/browse/FREEPBX-20920


(Lorne Gaetz) #15

Framework v15.0.17.17 is in edge now and should resolve:

fwconsole ma upgrade framework --edge

(Peter Fox) #16

Thanks, it fixed the issue.


#17

15.0.17.17 fixes the datepattern problem

https://git.freepbx.org/projects/FREEPBX/repos/framework/commits/51fba578c6c62dc6f50e2b0cda12371a6a4e3e9f or also

Two outstanding ‘back ports to 0.8’ from current Fail2ban would be the matching regexes for the above dateFormat log line and this also:

https://community.freepbx.org/t/fail2ban-not-detecting-pjsip-tls-brute-force-attempts/72616