Huge fail2ban logfile > 400MB in just a couple days

I have a fresh copy of FreePBX 14.0.1.36 installed on a VMware virtual machine for testing purposes. I haven’t done much with it in the last couple of days, but I just started receiving e-mails indicating that the HDD is getting full. After doing some research, I found my /var/log/asterisk/fail2ban was over 400MB. It appears that logrotate is working as it should, since there are a few fail2ban logs with dates appended, but each of these fail2ban logs is huge. I’ve attached the contents of the log below. I don’t know what is causing it, so any help that I can get would be super appreciated. If you look at the time stamps, you can see how fast these entries are being generated.

[2018-03-06 20:57:54] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:54.869-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf14003ea0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36570”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:54.869-0500”
[2018-03-06 20:57:56] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:56.706-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf100018f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36574”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:56.706-0500”
[2018-03-06 20:57:56] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:56.741-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf18001780”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36578”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:56.741-0500”
[2018-03-06 20:57:57] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:57.390-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x39afa60”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36582”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:57.390-0500”
[2018-03-06 20:57:58] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:58.685-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbef8005050”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36586”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:58.685-0500”
[2018-03-06 20:57:59] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:57:59.619-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf04001e50”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36590”,UsingPassword=“0”,SessionTV=“2018-03-06T20:57:59.619-0500”
[2018-03-06 20:58:00] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:00.605-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf00002c40”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36594”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:00.605-0500”
[2018-03-06 20:58:02] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:02.632-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf0c00c360”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36598”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:02.632-0500”
[2018-03-06 20:58:02] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:02.747-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf080022f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36602”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:02.747-0500”
[2018-03-06 20:58:02] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:02.755-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf14003ea0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36606”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:02.755-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.567-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf100018f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36610”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.567-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.575-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf18001780”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36614”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.575-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.584-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x39afa60”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36618”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.584-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.633-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbef8005050”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36622”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.633-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.643-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf04001e50”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36626”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.643-0500”
[2018-03-06 20:58:05] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:05.907-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf00002c40”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36630”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:05.907-0500”
[2018-03-06 20:58:08] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:08.792-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf0c009610”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36634”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:08.792-0500”
[2018-03-06 20:58:09] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:09.314-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf080022f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36638”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:09.314-0500”
[2018-03-06 20:58:09] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:09.343-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf14003ea0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36642”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:09.343-0500”
[2018-03-06 20:58:11] SECURITY[2215] res_security_log.c: SecurityEvent=“SuccessfulAuth”,EventTV=“2018-03-06T20:58:11.549-0500”,Severity=“Informational”,Service=“AMI”,EventVersion=“1”,AccountID=“admin”,SessionID=“0x7fbf100018f0”,LocalAddress=“IPV4/TCP/0.0.0.0/5038”,RemoteAddress=“IPV4/TCP/127.0.0.1/36646”,UsingPassword=“0”,SessionTV=“2018-03-06T20:58:11.549-0500”

That shows the admin account logging in successfully every second or so, so quite legit but suspiciously too often.
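To put a number on "every second or so", here is an added example (mine, not from the thread or from FreePBX) that parses res_security_log lines in the format shown above and flags any (service, account, source host) that authenticates more than a threshold of times per minute; the threshold, field names and sample lines are my own constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Header and key="value" body of an Asterisk res_security_log line, as in the thread.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return (timestamp, fields) for a security-event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    fields = dict(KV_RE.findall(m.group("body")))
    # RemoteAddress has the form IPV4/TCP/127.0.0.1/36570; keep only the host part.
    fields["RemoteHost"] = (fields.get("RemoteAddress", "").split("/") + [""] * 3)[2]
    return ts, fields

def auth_rates(lines):
    """Count SuccessfulAuth events per (Service, AccountID, RemoteHost, minute)."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("SecurityEvent") != "SuccessfulAuth":
            continue
        ts, f = parsed
        counts[(f.get("Service"), f.get("AccountID"), f["RemoteHost"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return dict(counts)

def noisy_clients(lines, threshold=10):
    """Keys whose logins per minute exceed threshold: a client re-authenticating in a loop, not a cron job."""
    return {k: n for k, n in auth_rates(lines).items() if n > threshold}

# Constructed sample (not from the thread): 20 local AMI logins one second apart, in the
# shape of the OP's log, plus one SIP login and one non-auth event the filter must ignore.
TEMPLATE = ('[{ts}] SECURITY[2215] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="{tv}",'
            'Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x39afa60",'
            'LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/{port}",UsingPassword="0",SessionTV="{tv}"')

def constructed_sample(n=20, start="2018-03-06 20:57:54"):
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    lines = []
    for i in range(n):
        ts = t0 + timedelta(seconds=i)
        lines.append(TEMPLATE.format(ts=ts.strftime("%Y-%m-%d %H:%M:%S"),
                                     tv=ts.strftime("%Y-%m-%dT%H:%M:%S.000-0500"), port=36570 + 4 * i))
    lines.append('[2018-03-06 20:58:01] SECURITY[2215] res_security_log.c: SecurityEvent="SuccessfulAuth",'
                 'Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/192.0.2.10/5060",UsingPassword="1"')
    lines.append('[2018-03-06 20:58:01] SECURITY[2215] res_security_log.c: SecurityEvent="ChallengeSent",'
                 'Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/192.0.2.10/5060"')
    return lines
```

Run it over the real file with `noisy_clients(open("/var/log/asterisk/fail2ban"))`; the cron-driven logins the next reply mentions stay near one per minute, so anything well above that is the client worth tracing.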

One solution would be to change your logrotate.d/asterisk and replace the time thingy, perhaps “daily”, with a size thingy “maxsize=200m”. More howtos and syntax are in:

man logrotate

I can give this a try for sure, but is there any way to find the root of the problem and determine why admin is logging in so frequently? This seems very strange. I just installed a brand new system and didn’t even log into the web interface yet, and had the exact same symptoms. I just downloaded the ISO from the website. So, this seems to be an issue with the version directly from the site, and remains an issue even after upgrading all modules and the system. Strange???

Not from me. Without adding any modules, expect one every minute for the various cron jobs, but anything that uses the admin account to access AMI will look the same, and only localhost can effectively use that account, so a wild guess would be something like phone apps?

After thinking, perhaps

tcpdump -i lo -A -s0 port 5038

might give you a clue about what’s being asked for.

I’ll give that a try. Thanks for the idea.
