Trying to master the great log file!


(Civilpolisen) #1

My setup is Ubuntu 20.04.
The log is huge despite no users or other activities. Where does this log come from? What’s the deal with Mr Glue? What’s the issue…? How do I solve it or turn it off?

[2021-09-22 11:58:14] NOTICE[37180] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:14] NOTICE[37180] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:15] NOTICE[37186] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:15] NOTICE[37186] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:16] NOTICE[37189] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:16] NOTICE[37189] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:17] NOTICE[37205] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:17] NOTICE[37205] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:18] NOTICE[37211] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:18] NOTICE[37211] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:19] NOTICE[37212] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:19] NOTICE[37212] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:20] NOTICE[37235] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:20] NOTICE[37235] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:21] NOTICE[37236] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:21] NOTICE[37236] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:22] NOTICE[37242] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:22] NOTICE[37242] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:24] NOTICE[37245] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:24] NOTICE[37245] manager.c: 51.15.145.81 failed to authenticate as 'glue'
[2021-09-22 11:58:25] NOTICE[37246] manager.c: 51.15.145.81 tried to authenticate with nonexistent user 'glue'
[2021-09-22 11:58:25] NOTICE[37246] manager.c: 51.15.145.81 failed to authenticate as 'glue'

(Lorne Gaetz) #2

You have the Asterisk AMI port (default 5038) exposed to untrusted traffic.


#3

AMI should never listen on 0.0.0.0; change that in /etc/asterisk/manager.conf:

bindaddr = 127.0.0.1
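
The weak and corrected manager.conf settings side by side, with a check that reads the effective bindaddr the way an auditor would. This is an added example, not code from the thread, from Asterisk or from FreePBX. The two config files are constructed under $TMPDIR; on a real install the file is /etc/asterisk/manager.conf, and treating a missing bindaddr as 0.0.0.0 is an assumption taken from the default documented in Asterisk's sample manager.conf.

```shell
#!/bin/sh
# Added example, not from the thread or from Asterisk/FreePBX: audit a
# manager.conf for a non-loopback AMI bind address. The two configs below are
# constructed; on a real box the file is /etc/asterisk/manager.conf.
set -eu

WEAK="${TMPDIR:-/tmp}/manager.weak.conf"
FIXED="${TMPDIR:-/tmp}/manager.fixed.conf"

# The exposed setting: every interface, so port 5038 is reachable from the internet.
cat >"$WEAK" <<'EOF'
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
EOF

# The corrected setting: loopback only. FreePBX talks to AMI on the same host,
# so nothing off-box needs to reach 5038.
cat >"$FIXED" <<'EOF'
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1 ; listen on loopback only
EOF

# ami_bindaddr FILE: print the effective bindaddr from the [general] section.
# Later lines override earlier ones and ';' comments are stripped. A missing
# bindaddr is reported as 0.0.0.0 (assumption: the default documented in
# Asterisk's sample manager.conf).
ami_bindaddr() {
    awk '
        /^[[:space:]]*;/ { next }
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s); next }
        s == "general" {
            line = $0; sub(/;.*/, "", line)
            if (split(line, kv, "=") >= 2) {
                k = kv[1]; v = kv[2]
                gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
                if (k == "bindaddr") addr = v
            }
        }
        END { print (addr == "" ? "0.0.0.0" : addr) }' "$1"
}

# ami_exposed FILE: exit 0 when AMI would accept connections from other hosts.
ami_exposed() {
    case "$(ami_bindaddr "$1")" in
        127.*|::1|"[::1]") return 1 ;;
        *) return 0 ;;
    esac
}

# On the server itself, confirm what is actually listening (iproute2):
#   ss -ltn 'sport = :5038'
# A Local Address of 0.0.0.0:5038 or [::]:5038 means the port is open to the network.

for f in "$WEAK" "$FIXED"; do
    if ami_exposed "$f"; then
        echo "$f: EXPOSED, bindaddr=$(ami_bindaddr "$f")"
    else
        echo "$f: ok, bindaddr=$(ami_bindaddr "$f")"
    fi
done
```

FreePBX writes manager.conf itself on reload, so after changing the value run the ss check again once `fwconsole reload` has completed to confirm the loopback setting survived; a host firewall rule dropping inbound 5038 is a reasonable second layer, but the bind address is the fix.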


(Sholinaty) #4

As the others have said, someone (or more likely an automated system) is trying to access your server, because you have the AMI port exposed to the internet.


#5

Sure, at one of the ‘permissive’ hosting providers in France.

https://whois.domaintools.com/51.15.145.81


(Civilpolisen) #6

Thank you for the reply! Soon after posting this a very skilled person arrived to our office and was asked to brighten up the light…! He found out that Macro was not marked in the list of Applications when compiling, so he marked it, compiled it and made a new install.

“Applications” is the second image listed in my home made documentation: http://freepbx.tilda.ws/asterisk

My home made users guide also include how to master sudo fwconsole reload.
http://freepbx.tilda.ws/fwconsole_reload


(Itzik) #7

Macro not loaded has NOTHING to do with the fact that someone tried to authenticate to AMI…


(Civilpolisen) #8

No, that’s true. Excuse me. That solved another issue that I did not write about. My iPhone and laptop could connect successfully but no calls were getting through. “Number is not available.” It was because PBX was expecting macro to take place but the application macro was not compiled and installed.

There are so many errors of different kinds and so much was solved yesterday and it’s difficult for me to keep it all apart! My fault!

xxxxxxxxxxxxxxxxxxxxx

Here are my Fail2Ban settings based on your suggestions:
[screenshot]


(Civilpolisen) #9
sudo service fail2ban start
[12639]: ERROR   Failed during configuration: Have not found any log file for asterisk jail
[12639]: ERROR   Async configuration of server failed

How do I point Fail2ban in the right direction!?


(Sholinaty) #10

fail2ban doesn't use jail.d, does it?

I thought it used jail.local?

on my server, jail.d is a Directory, not a flat file as well.


#11

Fail2ban will process any ‘jails’ in the ‘drop directory’ jail.d/ if any exist, also any in jail.local and jail.conf. It is suggested you don’t use jail.conf but copy and rename it to jail.local, or create individual jails (named for their facility by convention, like sshd.local or asterisk.local), at your preference.

To the OP, maybe you should start off with the ‘distro’ 'cos it does the heavy lifting for you. Fail2ban is well documented in its source.

But any jail you construct needs to have at least a log file that exists to follow; yours, ‘not so much’.

Recipes for installing FreePBX on many ‘standard’ Lini including Ubuntu/Debian are documented in the Wiki at the top of this page.


(Sholinaty) #12

I misread the screenshot and Dicko is absolutely correct.
I thought OP was editing “jail.d” as a file and not a directory that contained the asterisk file.


(Civilpolisen) #13

Excuse me for confusing documentation! I hope this one is more clear…


(Sholinaty) #14

Getting back to the important part / meat of the matter…
Why is your AMI port completely open to the internet?


#15

That would work for a system that was logging to /var/log/asterisk/messages (which is probably not what it is doing).

Fail2ban’s asterisk ‘filter’ will define what gets caught in the monitored file. Depending on your filter, that would mostly be SIP over UDP/TCP/WSS/WS, so 80 and 443 would likely not be useful; 5038 is better managed by only listening on your loopback interface (127.0.0.1). You need to match the ports watched to the way you have configured your channel drivers.
Fail2ban’ asterisk ‘filter’ will define what gets caught in the monitored file, depending on your filter that would mostly be SIP over UDP/TCP/WSS/WS , so 80 and 443 would likely not be useful, 5038 is better managed by only listening it on your loopback interface (127.0.0.1). You need to match the ports watched to the way you have configured your channel drivers.