Need help with fail2ban to support web page login

Hi all,

I need help with fail2ban.

I configured it for SIP guessing and SSH and it was perfect,
but I also need it for the FreePBX login page.

I need to ban the attacker's tries there, on the web page.

I googled a lot but no luck.

Any help?

It is not recommended to expose the FreePBX GUI (or any phone system for that matter) directly to the Internet. The better way to do this is to use a VPN or use SSH tunneling to build a secure path to your server.

Since you already have SSH you can easily make a tunnel.

On a side note here is some great info on securing your system.

http://wiki.freepbx.org/display/HTGS/5.+Securing+your+PBX

You might also find this useful.

http://wiki.freepbx.org/display/L1/Accessing+the+Linux+Command+Line

Hi,
thanks very much for the explanation.
I believe that VPN is the most secure method,
but again,
my situation doesn't permit the use of a VPN.
Can't I deploy fail2ban for the FreePBX login page?

I see a lot of logs in /var/log/asterisk/full when I have a wrong login from the FreePBX page.

regards

fail2ban has Apache jails and filters predefined for several servers. Just enable what suits and make sure you have a regex to catch what you want to. It's all documented on the fail2ban site.

(It always seems strange that some recommend not allowing their clients access to their own user portal. I would recommend a strongly restrictive firewall policy instead and let the chosen ones get to their faxes, vmails and settings as originally intended.)

Dicko, I made the assumption that the OP was only wanting admin access to the system. Since I don’t know the requirement and needs of the OP’s system I may have spoken out of turn. I did not quite understand “sip guessing” to mean he has remote phones.

dr.x, please tell us a little more about your system and requirements. What version of FreePBX? Distro or hand built? Do you just need admin access or do you need access to the user portal?

Not you particularly, Alan, just in general opinion: yes, there have been some horrible holes in some distros and versions, but it is unreasonable for every user to be expected to configure a VPN. Adding .htaccess at the root of the site upwards and one simple fail2ban regex is a very good start imho.
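
The "one simple fail2ban regex" suggested in the replies can be checked offline before a jail is enabled. This added example (not posted by anyone in the thread, and not fail2ban or FreePBX code) models a fail2ban-style failregex with maxretry and findtime over constructed log lines; the log line format, the `find_bans` helper and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The failed-login format is an assumption, not
# taken from a real FreePBX log; copy a real line from your own log instead.
SAMPLE_LOG = """\
[2015-03-01 10:00:01] NOTICE[2211] Authentication failure for admin from 203.0.113.7
[2015-03-01 10:00:05] NOTICE[2211] Authentication failure for root from 203.0.113.7
[2015-03-01 10:00:09] VERBOSE[2211] Reloading configuration
[2015-03-01 10:00:12] NOTICE[2211] Authentication failure for admin from 203.0.113.7
[2015-03-01 10:03:00] NOTICE[2211] Authentication failure for alice from 198.51.100.4
[2015-03-01 10:30:00] NOTICE[2211] Authentication failure for alice from 198.51.100.4
"""

# fail2ban-style pattern: <HOST> marks the address to ban. Anchoring it to the
# end of the line keeps text typed into the username field from posing as it.
FAILREGEX = r"Authentication failure for .* from <HOST>$"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified: IPv4 only
STAMP_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")

def find_bans(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return [(host, time)] for hosts reaching maxretry failures in findtime seconds."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    bans = []
    for line in log_text.splitlines():
        stamp, hit = STAMP_RE.match(line), pattern.search(line)
        if not stamp or not hit:
            continue              # not a failed-login line
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        seen = recent[hit.group("host")]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # forget failures outside the window
        if len(seen) >= maxretry:
            bans.append((hit.group("host"), when))
            seen.clear()          # start counting again after a ban
    return bans

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG):
        print(f"ban {host} at {when}")
```

Once the pattern matches real lines from your own log, the same failregex, maxretry and findtime values go into the fail2ban filter and jail.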