I was able to set my FreePBX in the cloud. I was also able to secure the FreePBX by using firewall, VPN and intrusion detection to limit the allowed IPs that access the FreePBX.
While I was browsing this forum I read that some FreePBX installs were hacked. I hope I won’t be, but I would like to set an email alert for any newly created admin, user and/or extension.
dicko mentioned in a post that the access_log has the information of who accesses what and when. Looking around I was able to write this script that will do the purpose of monitoring users’ access by IP. In my situation, I have a limited set of IPs that I access the FreePBX from. Hence, this script should do it for me.
#!/bin/bash
email="[email protected]"
# Trusted addresses (replace IP1..IP4 with your own)
myips=("IP1" "IP2" "IP3" "IP4")
# Client IPs seen in the Apache access log (first field of each line), at most 20
accessip=$(sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | sort -nr | head -20)
# Client IPs from "denied" lines in the Apache error log (field 10 is "IP:port]", the sed strips ":port]")
deniedip=$(sudo cat /var/log/httpd/error_log | grep denied | cut -f 10 -d ' ' | sed 's/.\{7\}$//' | sort | uniq | sort -nr)
# Source IPs of failed SSH password attempts and PAM authentication failures
failedpasswordip=$(sudo cat /var/log/secure | grep "Failed password" | cut -f 11 -d ' ' | sort | uniq | sort -nr)
failedauthip=$(sudo cat /var/log/secure | grep "authentication failures" | cut -f 16 -d ' ' | cut -f 2 -d = | sort | uniq | sort -nr)

# Send one mail: headers, a blank line, then the body (sendmail needs the blank line)
sendalert() {
    printf 'To: %s\nSubject: %s\n\n%s\n' "$email" "$1" "$2" | /usr/sbin/sendmail "$email"
}

# IPs in the access log that are not in the trusted list (empty lines dropped so an empty log is not an "IP")
readarray -t uniqueaccessip < <( \
comm -23 \
<(printf '%s\n' "$accessip" | sed '/^$/d' | sort) \
<(printf '%s\n' "${myips[@]}" | sort) \
)
if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    sendalert "UNKNOWN IP ACCESS" "Unknown access from ${uniqueaccessip[*]}"
fi

# IPs denied by Apache that are not in the trusted list
readarray -t uniquedeniedip < <( \
comm -23 \
<(printf '%s\n' "$deniedip" | sed '/^$/d' | sort) \
<(printf '%s\n' "${myips[@]}" | sort) \
)
if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    sendalert "DENIED IP ACCESS" "Denied access from ${uniquedeniedip[*]}"
fi

# These two are plain strings, so test for non-empty rather than array length
# (${#var[@]} on a scalar is always 1, which would mail on every run)
if [ -n "$failedpasswordip" ]; then
    sendalert "FAILED PASSWORD" "Failed password attempt from ${failedpasswordip//$'\n'/ }"
fi
if [ -n "$failedauthip" ]; then
    sendalert "FAILED AUTHENTICATION" "Failed authentication attempt from ${failedauthip//$'\n'/ }"
fi
Look at /var/log/httpd/access_log for all IPs that accessed your FreePBX and compare them to the trusted IPs; if there is an unknown IP, it will send an email alert.
Fail2ban will send an email alert if an IP is banned. To otherwise get the IPs of suspicious activities, it will monitor /var/log/httpd/access_log and /var/log/httpd/error_log for any denied access, failed password or failed authentication.
To avoid alert fatigue, the script will send an alert once for each IP.
Save the file somewhere like /usr/ipmonitor.sh
chmod +x /usr/ipmonitor.sh
Put it in crontab.
My question is will “/var/log/secure” access information pass to “/var/log/httpd/access_log”? i.e. do I need to work on “/var/log/secure”?
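The "alert once for each IP" idea from the post needs the script to remember which addresses it has already mailed about, otherwise every cron run re-sends the same list. The following is an added example, not the poster's script: it keeps a state file of already-alerted IPs, so an unknown address in access_log produces exactly one message and a later run stays quiet until a new address appears. The log lines, trusted addresses and temp paths are constructed for the demo; on a real PBX you would point it at /var/log/httpd/access_log, keep the state file somewhere persistent, and replace the final `cat` with `/usr/sbin/sendmail -t`.

```shell
#!/bin/sh
# Added example (not the original poster's script): compare client IPs seen in an
# Apache access_log against a trusted list and report each unknown IP only once,
# remembering already-alerted IPs in a state file. Every path and address below
# is constructed for the demo; on a real PBX point ACCESS_LOG at
# /var/log/httpd/access_log and keep STATE_FILE somewhere persistent.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ACCESS_LOG="$WORK/access_log"
TRUSTED_FILE="$WORK/trusted_ips"
STATE_FILE="$WORK/alerted_ips"

# Constructed sample log lines in Apache combined format (not real traffic).
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.10 - - [10/May/2024:08:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:08:02:15 +0000] "POST /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:03:44 +0000] "GET /admin/config.php HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
192.0.2.55 - - [10/May/2024:08:05:01 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.88"
192.0.2.56 - - [10/May/2024:08:05:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.88"
EOF

# Trusted addresses, one per line (constructed; replace with your own).
printf '%s\n' 203.0.113.10 198.51.100.7 > "$TRUSTED_FILE"
: > "$STATE_FILE"

# Distinct client IPs in a log file (first field of each line), sorted.
# LC_ALL=C keeps sort and comm on the same collation so comm's input is valid.
log_ips() {
    awk '{print $1}' "$1" | LC_ALL=C sort -u
}

# IPs present in the log ($1) but absent from the trusted list ($2).
unknown_ips() {
    log_ips "$1" > "$WORK/.seen"
    LC_ALL=C sort -u "$2" > "$WORK/.trusted"
    LC_ALL=C comm -23 "$WORK/.seen" "$WORK/.trusted"
}

# Unknown IPs not yet alerted on ($3 = state file); each is printed once and
# appended to the state file, so a later run that sees the same IP stays silent.
new_unknown_ips() {
    unknown_ips "$1" "$2" > "$WORK/.unknown"
    LC_ALL=C sort -u "$3" > "$WORK/.alerted"
    LC_ALL=C comm -23 "$WORK/.unknown" "$WORK/.alerted" | tee -a "$3"
}

# Build a complete mail (headers, blank line, body) from the IP list on stdin,
# ready to pipe into /usr/sbin/sendmail -t.
alert_message() {
    ips="$(tr '\n' ' ')"
    printf 'To: %s\nSubject: UNKNOWN IP ACCESS\n\nUnknown access from: %s\n' "$1" "$ips"
}

# One monitoring pass; on the PBX replace the trailing `cat` with `/usr/sbin/sendmail -t`.
run_check() {
    new="$(new_unknown_ips "$ACCESS_LOG" "$TRUSTED_FILE" "$STATE_FILE")"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | alert_message "root@localhost" | cat
    fi
}

run_check    # first pass: mails about 192.0.2.55 and 192.0.2.56
run_check    # second pass over the same log: nothing new, no mail
```

Run it from cron as the original script would be; because `comm` only works on sorted input, every list is forced through `LC_ALL=C sort` first, and the state file is what turns "alert every run" into "alert once per IP".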
Unlikely, /var/log/secure tracks ssh attempts; just don’t use 22 for ssh to make it quiet, and use public key authentication and not password authentication. You are then pretty secure.
Thank you, dicko. I do have public key authentication. I am hoping to put this script in as an extra layer of security. You never know what security issue may appear in the future.