FreePBX fail2ban log: loads of events


#1

Hi all, after checking my fail2ban logs via the web UI I have noticed I am getting constant entries like the one below. I am running this instance on a remote VPS server. Is this anything to be worried about, as it's constant and I see it's coming from the localhost, 127.0.0.1?

I have removed some commercial modules recently that I didn't need. I installed using the latest ISO on my remote VPS server. Could it be a local module causing this?

Here is just one of the entries of my fail2ban log…

[2021-05-20 01:23:04] SECURITY[2588] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2021-05-20T01:23:04.657+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f3cd4004250",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/40652",UsingPassword="0",SessionTV="2021-05-20T01:23:04.657+0000"


#2

That's actually a "security" log line from Asterisk matching 'manager' logins.

I don't believe your Fail2Ban has a regex to catch any bad ones though. This one is benign; it's just the admin 'manager' logging in every minute or so.


#3

Thanks for the fast reply. I was just a little worried as it's on a VPS and was afraid that maybe someone on the shared network was trying something. Thanks again for the heads-up…


#4

Well, there is a very slight vulnerability, as by default the manager is 'bound' to 0.0.0.0 in /etc/asterisk/manager.conf, thus open to the whole internet if port 5038 is allowed through your firewall with no f2b safety belt. It would be safer to use 127.0.0.1 in almost all cases. JM2CWAE


#5

Thanks once again,
I have changed the line to

bindaddr = 127.0.0.1
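
An added example, not part of the thread: a small triage script for the `res_security_log.c` lines discussed above, separating the benign loopback AMI logins from any AMI event whose `RemoteAddress` is off-box (the case a `0.0.0.0` bind plus an open port 5038 would allow). The function names, the labels and the sample lines are constructed for illustration; the first sample is shortened from the line in post #1.

```python
import ipaddress
import re

# key="value" pairs; also accepts typographic quotes left by forum rendering.
FIELD_RE = re.compile(r'(\w+)=["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]')
# Asterisk security event names that indicate a rejected login attempt.
FAILURES = {"InvalidPassword", "InvalidAccountID", "FailedACL",
            "ChallengeResponseFailed"}

SAMPLE = [  # constructed sample input
    '[2021-05-20 01:23:04] SECURITY[2588] res_security_log.c: '
    'SecurityEvent="SuccessfulAuth",Service="AMI",AccountID="admin",'
    'RemoteAddress="IPV4/TCP/127.0.0.1/40652"',
    '[2021-05-20 01:24:10] SECURITY[2588] res_security_log.c: '
    'SecurityEvent="InvalidPassword",Service="AMI",AccountID="admin",'
    'RemoteAddress="IPV4/TCP/203.0.113.7/51234"',
    '[2021-05-20 01:24:11] VERBOSE[2601] pbx.c: unrelated line',
]


def parse_event(line):
    """Return the key/value fields of one security log line, or None."""
    if "SecurityEvent=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def remote_ip(event):
    """Extract the address from 'IPV4/TCP/<ip>/<port>', or None if malformed."""
    parts = event.get("RemoteAddress", "").split("/")
    try:
        return ipaddress.ip_address(parts[2])
    except (IndexError, ValueError):
        return None


def classify(line):
    """Label an AMI security event: 'benign', 'failed', 'exposed', or None."""
    event = parse_event(line)
    if not event or event.get("Service") != "AMI":
        return None
    ip = remote_ip(event)
    if ip is None or not ip.is_loopback:
        return "exposed"  # AMI reached from off-box: check bindaddr and firewall
    if event.get("SecurityEvent") in FAILURES:
        return "failed"   # local client presenting bad credentials
    return "benign"       # e.g. the once-a-minute local admin login


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:60])
```

Once `bindaddr = 127.0.0.1` is in effect, no line should classify as `exposed`.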

