Still having issues with fail2ban logs

I previously posted here:

However, apparently the fix did not work. I’ve been SSHing into the machine every week or two and deleting the fail2ban log files. I am considering just asking how to turn fail2ban off. We do have our internet firewall PBX access list restricted to only receive SIP from our trunking provider.

The /var/log/asterisk/ is still filling with fail2ban logs. See below:

-rw-r--r-- 1 asterisk asterisk 137M Aug 19 01:03 fail2ban
-rw-r----- 1 asterisk asterisk 3.1G Aug 19 00:28 fail2ban.0
-rw-rw-r-- 1 asterisk asterisk 0 Aug 18 03:45 fail2ban.1
-rw-rw-r-- 1 asterisk asterisk 0 Aug 9 03:13 fail2ban.10
-rw-rw-r-- 1 asterisk asterisk 0 Aug 8 03:09 fail2ban.11
-rw-rw-r-- 1 asterisk asterisk 0 Aug 7 03:32 fail2ban.12
-rw-rw-r-- 1 asterisk asterisk 0 Aug 6 03:44 fail2ban.13
-rw-rw-r-- 1 asterisk asterisk 0 Aug 5 17:34 fail2ban.14
-rw-rw-r-- 1 asterisk asterisk 0 Aug 4 03:07 fail2ban.15
-rw-rw-r-- 1 asterisk asterisk 3.5G Aug 3 18:30 fail2ban.16
-rw-rw-r-- 1 asterisk asterisk 0 Aug 3 03:49 fail2ban.17
-rw-rw-r-- 1 asterisk asterisk 0 Aug 2 03:45 fail2ban.18
-rw-rw-r-- 1 asterisk asterisk 0 Aug 1 03:19 fail2ban.19
-rw-rw-r-- 1 asterisk asterisk 0 Aug 17 03:07 fail2ban.2
-rw-rw-r-- 1 asterisk asterisk 0 Jul 31 03:39 fail2ban.20
-rw-rw-r-- 1 asterisk asterisk 5.7G Aug 12 03:41 fail2ban-20200812
-rw-rw-r-- 1 asterisk asterisk 5.5G Aug 13 03:22 fail2ban-20200813
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 14 03:16 fail2ban-20200814
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 15 03:11 fail2ban-20200815
-rw-rw-r-- 1 asterisk asterisk 5.7G Aug 16 03:27 fail2ban-20200816
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 17 03:07 fail2ban-20200817
-rw-rw-r-- 1 asterisk asterisk 5.5G Aug 18 03:45 fail2ban-20200818
-rw-rw-r-- 1 asterisk asterisk 3.7G Jul 30 19:07 fail2ban.21
-rw-rw-r-- 1 asterisk asterisk 0 Jul 30 03:36 fail2ban.22
-rw-rw-r-- 1 asterisk asterisk 0 Jul 29 03:31 fail2ban.23
-rw-rw-r-- 1 asterisk asterisk 0 Jul 28 03:46 fail2ban.24
-rw-rw-r-- 1 asterisk asterisk 0 Jul 27 03:18 fail2ban.25
-rw-rw-r-- 1 asterisk asterisk 0 Jul 26 03:47 fail2ban.26
-rw-rw-r-- 1 asterisk asterisk 0 Jul 25 03:37 fail2ban.27
-rw-rw-r-- 1 asterisk asterisk 0 Jul 24 03:22 fail2ban.28
-rw-rw-r-- 1 asterisk asterisk 0 Jul 23 03:31 fail2ban.29
-rw-rw-r-- 1 asterisk asterisk 0 Aug 16 03:27 fail2ban.3
-rw-rw-r-- 1 asterisk asterisk 0 Jul 22 03:39 fail2ban.30
-rw-rw-r-- 1 asterisk asterisk 0 Jul 21 03:21 fail2ban.31
-rw-rw-r-- 1 asterisk asterisk 0 Jul 20 03:11 fail2ban.32
-rw-rw-r-- 1 asterisk asterisk 0 Jul 13 14:25 fail2ban.33
-rw-rw-r-- 1 asterisk asterisk 0 Aug 15 03:11 fail2ban.4
-rw-rw-r-- 1 asterisk asterisk 0 Aug 14 03:16 fail2ban.5
-rw-rw-r-- 1 asterisk asterisk 0 Aug 13 03:22 fail2ban.6
-rw-rw-r-- 1 asterisk asterisk 0 Aug 12 03:41 fail2ban.7
-rw-rw-r-- 1 asterisk asterisk 0 Aug 11 03:08 fail2ban.8
-rw-rw-r-- 1 asterisk asterisk 0 Aug 10 03:09 fail2ban.9

It would appear that another logrotate file is controlling your fail2ban.* files. The size and naming suggest something started up on August 11 with a 10 day retention, with dateext set and no size limit. Perhaps a few lines from the log might show an unnecessary verbosity, but a busy PBX will have lots of logs. Identify the logrotate file that is working and modify that to save just 2 days, and perhaps add compress to save disk space.

(grep -ri dateext /etc/logrotate*)

/etc/logrotate.conf:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/smartoffice:dateext
/etc/logrotate.d/freepbx-sangomacrm:dateext
/etc/logrotate.d/freepbx-ucp:dateext
/etc/logrotate.d/freepbx-ucp:dateext
/etc/logrotate.d/freepbx-zulu:dateext
/etc/logrotate.d/freepbx-restapps:dateext

Then I would look in /etc/logrotate.d/freepbx-core for the fail2ban stanza

/var/log/asterisk/freepbx_dbug {
    size 500M
    missingok
    rotate 7
    dateext
    notifempty
    sharedscripts
    create 0640 asterisk asterisk
    su asterisk asterisk
}

/var/log/asterisk/freepbx_debug
/var/log/asterisk/freepbx.log
/var/log/asterisk/freepbx_security.log{
    size 100M
    missingok
    rotate 7
    dateext
    notifempty
    sharedscripts
    create 0640 asterisk asterisk
    su asterisk asterisk
}

/var/log/asterisk/core-fastagi_*.log {
    size 50M
    missingok
    rotate 5
    notifempty
    dateext
    sharedscripts
    create 0640 asterisk asterisk
    su asterisk asterisk
    postrotate
        /usr/sbin/fwconsole pm2 --reload-logs -q
    endscript
}

Sorry, I can’t help further; I don’t use the ‘distro’, so I will defer to anyone who does and can help you get your logs less ‘noisy’ over time.
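One way to carry out the "identify the logrotate file that is working" step from the reply above: parse a logrotate file and report which stanza's path patterns cover a given log, together with its retention directives. This is an added example, not code from the thread or from FreePBX; `SAMPLE` is constructed input and its wildcard stanza is hypothetical.

```python
import fnmatch

# Constructed input: stanzas shaped like the ones quoted in the thread, plus a
# hypothetical wildcard stanza that also covers /var/log/asterisk/fail2ban.
SAMPLE = """\
/var/log/asterisk/freepbx.log
/var/log/asterisk/freepbx_security.log{
size 100M
rotate 7
}
/var/log/asterisk/core-fastagi_*.log {
rotate 5
postrotate
/usr/sbin/fwconsole pm2 --reload-logs -q
endscript
}
/var/log/asterisk/fail* {
rotate 10
dateext
}
"""
SCRIPTS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}

def parse_stanzas(text):
    """Return [(path_patterns, directives)] for every 'paths { ... }' block."""
    stanzas, paths, directives, in_script = [], [], None, False
    lines = (raw.strip() for raw in text.splitlines())
    for line in (s for s in lines if s and not s.startswith("#")):
        if in_script:                    # skip shell lines up to endscript
            in_script = line != "endscript"
        elif directives is None:         # outside a block: collect path patterns
            if line[0] in '/"{':         # anything else is a global directive
                paths += line.rstrip("{").split()
                directives = {} if line.endswith("{") else None
        elif line == "}":
            stanzas.append((paths, directives))
            paths, directives = [], None
        elif line in SCRIPTS:
            in_script = True
        else:
            key, _, value = line.partition(" ")
            directives[key] = value.strip() or True
    return stanzas

def covering(log_path, text):
    """Stanzas whose glob patterns match log_path, compared per path component."""
    def match(pattern):
        a, b = log_path.split("/"), pattern.strip('"').split("/")
        return len(a) == len(b) and all(map(fnmatch.fnmatchcase, a, b))
    return [(p, d) for p, d in parse_stanzas(text) if any(map(match, p))]
```

On a real system, pass the contents of each file under /etc/logrotate.d in turn; a matching stanza with no `size` or `compress` key is the one to tighten. The parser does not follow `include` directives or handle quoted paths that contain spaces.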
