Still having issues with fail2ban logs

ryderstanley · August 19, 2020, 1:13am

I previously posted here:

However, apparently the fix did not work. I’ve been sshing into the machine every week or two and deleting the fail2ban log files. I am considering just asking how to turn fail2ban off. We do have our internet firewall pbx access list restricted to only receive sip from our trunking provider.

The /var/log/asterisk/ is still filling with fail2ban logs. See below:

-rw-r–r-- 1 asterisk asterisk 137M Aug 19 01:03 fail2ban
-rw-r----- 1 asterisk asterisk 3.1G Aug 19 00:28 fail2ban.0
-rw-rw-r-- 1 asterisk asterisk 0 Aug 18 03:45 fail2ban.1
-rw-rw-r-- 1 asterisk asterisk 0 Aug 9 03:13 fail2ban.10
-rw-rw-r-- 1 asterisk asterisk 0 Aug 8 03:09 fail2ban.11
-rw-rw-r-- 1 asterisk asterisk 0 Aug 7 03:32 fail2ban.12
-rw-rw-r-- 1 asterisk asterisk 0 Aug 6 03:44 fail2ban.13
-rw-rw-r-- 1 asterisk asterisk 0 Aug 5 17:34 fail2ban.14
-rw-rw-r-- 1 asterisk asterisk 0 Aug 4 03:07 fail2ban.15
-rw-rw-r-- 1 asterisk asterisk 3.5G Aug 3 18:30 fail2ban.16
-rw-rw-r-- 1 asterisk asterisk 0 Aug 3 03:49 fail2ban.17
-rw-rw-r-- 1 asterisk asterisk 0 Aug 2 03:45 fail2ban.18
-rw-rw-r-- 1 asterisk asterisk 0 Aug 1 03:19 fail2ban.19
-rw-rw-r-- 1 asterisk asterisk 0 Aug 17 03:07 fail2ban.2
-rw-rw-r-- 1 asterisk asterisk 0 Jul 31 03:39 fail2ban.20
-rw-rw-r-- 1 asterisk asterisk 5.7G Aug 12 03:41 fail2ban-20200812
-rw-rw-r-- 1 asterisk asterisk 5.5G Aug 13 03:22 fail2ban-20200813
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 14 03:16 fail2ban-20200814
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 15 03:11 fail2ban-20200815
-rw-rw-r-- 1 asterisk asterisk 5.7G Aug 16 03:27 fail2ban-20200816
-rw-rw-r-- 1 asterisk asterisk 5.6G Aug 17 03:07 fail2ban-20200817
-rw-rw-r-- 1 asterisk asterisk 5.5G Aug 18 03:45 fail2ban-20200818
-rw-rw-r-- 1 asterisk asterisk 3.7G Jul 30 19:07 fail2ban.21
-rw-rw-r-- 1 asterisk asterisk 0 Jul 30 03:36 fail2ban.22
-rw-rw-r-- 1 asterisk asterisk 0 Jul 29 03:31 fail2ban.23
-rw-rw-r-- 1 asterisk asterisk 0 Jul 28 03:46 fail2ban.24
-rw-rw-r-- 1 asterisk asterisk 0 Jul 27 03:18 fail2ban.25
-rw-rw-r-- 1 asterisk asterisk 0 Jul 26 03:47 fail2ban.26
-rw-rw-r-- 1 asterisk asterisk 0 Jul 25 03:37 fail2ban.27
-rw-rw-r-- 1 asterisk asterisk 0 Jul 24 03:22 fail2ban.28
-rw-rw-r-- 1 asterisk asterisk 0 Jul 23 03:31 fail2ban.29
-rw-rw-r-- 1 asterisk asterisk 0 Aug 16 03:27 fail2ban.3
-rw-rw-r-- 1 asterisk asterisk 0 Jul 22 03:39 fail2ban.30
-rw-rw-r-- 1 asterisk asterisk 0 Jul 21 03:21 fail2ban.31
-rw-rw-r-- 1 asterisk asterisk 0 Jul 20 03:11 fail2ban.32
-rw-rw-r-- 1 asterisk asterisk 0 Jul 13 14:25 fail2ban.33
-rw-rw-r-- 1 asterisk asterisk 0 Aug 15 03:11 fail2ban.4
-rw-rw-r-- 1 asterisk asterisk 0 Aug 14 03:16 fail2ban.5
-rw-rw-r-- 1 asterisk asterisk 0 Aug 13 03:22 fail2ban.6
-rw-rw-r-- 1 asterisk asterisk 0 Aug 12 03:41 fail2ban.7
-rw-rw-r-- 1 asterisk asterisk 0 Aug 11 03:08 fail2ban.8
-rw-rw-r-- 1 asterisk asterisk 0 Aug 10 03:09 fail2ban.9

dicko · August 19, 2020, 3:34am

It would appear that another logrotate file is controlling your fail2ban.* files , the size and naming suggests something started up on august 11 with a 10 day retention with dateext set and no size limit, perhaps a few lines from the log might show an unnecessary verbosity but a busy PBX will have lots of logs, identify the logrotate file that is working and modify that to save just 2 days and perhaps add compress to save disk space.

(grep -ri dateext /etc/logrotate*)

ryderstanley · August 19, 2020, 5:35pm

/etc/logrotate.conf:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/freepbx-core:dateext
/etc/logrotate.d/smartoffice:dateext
/etc/logrotate.d/freepbx-sangomacrm:dateext
/etc/logrotate.d/freepbx-ucp:dateext
/etc/logrotate.d/freepbx-ucp:dateext
/etc/logrotate.d/freepbx-zulu:dateext
/etc/logrotate.d/freepbx-restapps:dateext

dicko · August 19, 2020, 5:38pm

Then I would look in /etc/logrotate.d/freepbx-core for the fail2ban stanza

ryderstanley · August 20, 2020, 7:54pm

/var/log/asterisk/freepbx_dbug {
size 500M
missingok
rotate 7
dateext
notifempty
sharedscripts
create 0640 asterisk asterisk
su asterisk asterisk
}

/var/log/asterisk/freepbx_debug
/var/log/asterisk/freepbx.log
/var/log/asterisk/freepbx_security.log{
size 100M
missingok
rotate 7
dateext
notifempty
sharedscripts
create 0640 asterisk asterisk
su asterisk asterisk
}
/var/log/asterisk/core-fastagi_*.log {
size 50M
missingok
rotate 5
notifempty
dateext
sharedscripts
create 0640 asterisk asterisk
su asterisk asterisk
postrotate
/usr/sbin/fwconsole pm2 --reload-logs -q
endscript
}

dicko · August 20, 2020, 7:58pm

Sorry, I can’t help further, I don’t use the ‘distro’ , so I will defer to anyone who does and can help you get your logs less ‘noisy’ over time.

system · September 20, 2020, 7:58pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.