fail2ban

Hi all I have been getting emails from fail2ban like below!

The IP 192.187.114.26 has just been banned by Fail2Ban after
3 attempts against Asterisk.

Regards,

Fail2Ban

I have got around 5 today alone!

Also got an email about fail2ban stopping but I didn’t stop it
I was doing a backup at the time via my vps interface so maybe this caused fail2ban to stop?

Anyways can I get fail2ban to ban an ip for like 23hrs?

The ip address is a known bot I think as it’s listed on some voip hackers website but it keeps trying!

Also is there any other reason fail2ban service would stop?

I am running asterisk/freepbx on my vps so I have no hw firewall!

So really need fail2ban to work…

That would depend on your bantime in /etc/fail2ban/jail.conf, after that period of seconds the bad guys are “unbanned” only to be banned again . . .

Thanks have extended bantime to 85000secs that’s 23hrs

Hi again my fail2ban has stopped again this morning!

Why is fail2ban stopped on its own?
I have had a look at my logs but have no info on why fail2ban is stopping!

It’s working fine but stopped after some hrs!

Is there a setting somewhere making it auto stop my jails?

fail2ban doesn’t stop on its own, if it stops by command then it will report so in the /var/log/fail2ban.log, if it otherwise dies without reason, then you have other problems. Reexamine how you installed it and correct as necessary.
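Added example, not part of the original thread and not fail2ban's own code: a small Python scan of fail2ban.log text that separates commanded stops, which are logged, from restarts with no logged stop before them (a silent death or reboot), and counts bans per IP. The sample lines are constructed, and the 0.8-style line layout and message strings they use are assumptions about the installed version.

```python
import re
from collections import Counter

# Constructed sample in an assumed fail2ban 0.8-style layout (not from the thread).
SAMPLE_LOG = """\
2014-03-01 08:00:01,100 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2014-03-01 09:12:44,310 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.187.114.26
2014-03-01 11:30:02,004 fail2ban.jail   : INFO   Jail 'asterisk-iptables' stopped
2014-03-01 11:30:02,350 fail2ban.server : INFO   Exiting Fail2ban
2014-03-01 11:42:10,900 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2014-03-01 13:05:27,615 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.187.114.26
2014-03-02 06:15:00,120 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
"""

# timestamp (without milliseconds) and the free-text message of each line
LINE = re.compile(r"^(\S+ \S+),\d+ fail2ban\.\w+\s*: \w+\s+(.*)$")
JAIL = re.compile(r"^Jail '([^']+)' (started|stopped)$")
BAN = re.compile(r"^\[([^\]]+)\] Ban (\S+)$")

def summarize(log_text):
    """Return ban counts, clean shutdown times and unexplained restart times."""
    bans, clean_stops, unclean_restarts = Counter(), [], []
    running = set()  # jails started and not yet seen stopping
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines in a layout we do not recognise
        ts, msg = m.groups()
        jail, ban = JAIL.match(msg), BAN.match(msg)
        if ban:
            bans[ban.group(2)] += 1
        elif msg == "Exiting Fail2ban":
            clean_stops.append(ts)  # stopped by command: fail2ban logged it
            running.clear()
        elif jail and jail.group(2) == "stopped":
            running.discard(jail.group(1))
        elif jail:
            if jail.group(1) in running:
                # started again with no stop logged: the process died or the
                # machine rebooted, so the cause is outside fail2ban's log
                unclean_restarts.append(ts)
            running.add(jail.group(1))
    return {"bans": bans, "clean_stops": clean_stops,
            "unclean_restarts": unclean_restarts}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An entry under `unclean_restarts` points at the system logs around that time (reboot, out-of-memory kill) rather than at fail2ban's configuration.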

Hi
i don’t have that logfile do i have to enable it?

I have noticed then just before the reboot on main security log all something

it is setup by default in fail2ban.conf.

Hi

Hi
i don’t have that logfile do i have to enable it?

I have noticed then just before the reboot on main security log all my devices re-register! could be a server reboot after a backup…
Maybe I didn’t have the auto boot enabled, I have enabled that now! I will monitor my emails and check for stopped service again!

about the var/log/fail2ban.log

I don’t have this log-file i only have a main logs in asterisk log folder

Sorry for posting twice had a problem with browser and didn’t finish last post!

I’m sorry, I don’t understand any of that, How did you setup fail2ban ?

Thanks found that problem
The log was set to Syslog so i changed it to /var/log/fail2ban.log

I will Monitor the logs and see how things go!

I am getting LOADS of attacks! on sip/ssh and mysql

I am on a vps so have no HW firewall/router option! wish I had!

Always change your ssh port from 22 (/etc/ssh/sshd_config)

Install a firewall, csf plays well with fail2ban.

Thanks for the info!
when i install csf i get the following error
Error: The VPS iptables rule limit (numiptent) is too low (96/105) - stopping firewall to prevent iptables blocking all connections, at line 1842

My wont wont allow any changes to numiptent…
Looks like I am out of luck with csf!

It looks like you are out of luck with your VPS :wink:

/etc/csf/csftest.pl

will check for you.

and probably with fail2ban also if your iptables works enough to ban that many hosts.

yea looks like it, I am using my cps panel firewall rules and managed to block all traffic from other ip’s but me! so should keep things secure

[url=http://postimg.org/image/pfvc8fu3h/][img=http://s14.postimg.org/pfvc8fu3h/New_Bitmap_Image.jpg][/url]

Working great, think this may be a better way than ftb as if anyone is scanning for port 5060 it will show closed!

Just hope my trunks ip don't change as it will mess things up... working great for a cheapo vps...

Thanks all for the help, I am new to linux and freepbx and this is my first vps. Hope I haven't been too much of a pain..

http://s14.postimg.org/lw9eimrds/New_Bitmap_Image.jpg

Your link is broken, but in any way, if it works for you then you did good.

In the same way that most will suggest that running ssh on port 22 is “not a good idea”, I argue similarly that SIP running on the standard TCP/UDP ports is also “not a good idea”, if you can agree to negotiate with your VSP to use “another port”, and similarly have your external extensions also use that arbitrary port, then you will have significantly less to worry about.

and no you are not a pain, but actually a refreshingly resourceful newbie :slight_smile:

For reasons long and obtuse, using ports below 1024 (privileged) can be a problem for ssh over some “clever” firewalls.