What is the correct setup for fail2ban?

I am not using the system admin module thus I am directly editing the jail.conf and jail.local files.

In the jail.conf file it has this:

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=recidive, [email protected], [email protected]]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 10

Which, of course, I edit with my information in place of the yourpbx.com entries.

This section does work, but that is not the issue I am having.

It is the SIP section I am having trouble with which contains, by default, the following:

[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
           sendmail[name=SIP, [email protected], [email protected]]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 1800

I put the information in the sendmail section, I test with a phone, and nothing happens.

In the ssh-iptables it has by default:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail[name=SSH, [email protected], [email protected]]
logpath  = /var/log/secure
maxretry = 3

Now this section semi-works as is: a ban email is sent, but no ban occurs. However, if I put in port=22, it will now ban on port 22 failed attempts.

In the asterisk-iptables jail no email is sent and no ban occurs no matter what, even when adding port=5060 in the action section.

What are the proper settings?


Do you have a log file

/var/log/asterisk/fail2ban

for fail2ban to follow?

Yes /var/log/asterisk/fail2ban does exist, but I see there has been no updates to it for the past four days.

What processes this log file, and what could cause it to stop getting new entries?

This is what I have in jail.conf:

[asterisk-tcp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath  = /var/log/asterisk/messages
maxretry = 3

[asterisk-udp]

enabled  = true
filter      = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath  = /var/log/asterisk/messages
maxretry = 3

And output you requested:

Fail2ban (pid 10807) is running…
Status
|- Number of jail: 8
`- Jail list: recidive, ssh-iptables, apache-badbots, asterisk-iptables, asterisk-tcp, asterisk-udp, apache-tcpwrapper, vsftpd-iptables

Actually, the best idea is to use the fail2ban RPM for Asterisk by Schmooze: http://yum.schmoozecom.net/schmooze-commercial/6/x86_64/RPMS/fail2ban/

That is what I am using... and why I posted this in the Distro section.

I suggest you test this rule. Change the password for one peer to an incorrect one.

Is there something like this in /var/log/asterisk/fail2ban?

NOTICE[4947] chan_sip.c: Registration from '"1680"sip:[email protected];transport=UDP' failed for '10.169.20.59:41852' - Wrong password

Why in your config [asterisk-iptables]

logpath = /var/log/asterisk/fail2ban

I have

/var/log/asterisk/messages

I think you are using an older version of fail2ban. Those failregex no longer seem to work.

All I get are errors.

Why is logpath = /var/log/asterisk/fail2ban there? Because that is what is put there by default from the Schmooze repo. Though for some reason there are no entries in it starting on the 16th of this month. Does fail2ban put entries in there?

I did try putting the following in jail.conf from the EPEL repo:

[asterisk-tcp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath  = /var/log/asterisk/messages
maxretry = 3

[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath  = /var/log/asterisk/messages
maxretry = 3


Still no luck getting fail2ban to work on port 5060. However, I just did notice I have the path wrong, so I changed it to /var/log/messages.

Still no bans.

It works perfectly for me on Asterisk 11.10.2.

yum info fail2ban says

Name : fail2ban
Arch : noarch
Version : 0.8.10
Release : 1.el6

How about running a command in the Linux shell:

amportal restart

What does it say about the fail2ban service?

What does this say:

service iptables status

It is fail2ban we are using, not Asterisk. Thus the errors appear in fail2ban. The failregex stopped working some time ago. It used to work, back in 2012; then an update for fail2ban came out and it started spewing out errors.

Hence why I am here and still battling to get fail2ban to function. I guess they got the name right, as it is failing to ban. At least on port 5060.
Here is my yum info fail2ban:

Name : fail2ban
Arch : noarch
Version : 0.8.8
Release : 106.shmz65.1.107
Size : 484 k
Repo : installed
From repo : schmooze-commercial

With just amportal restart, I get:

Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]

However, using that failregex stuff, every single line spews out an error.

For service iptables status:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    fail2ban-PBX-GUI  tcp  --  0.0.0.0/0            0.0.0.0/0           
2    fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0           
3    fail2ban-asterisk-udp  udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 5060,5061 
4    fail2ban-FTP  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
5    fail2ban-asterisk-tcp  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 5060,5061 
6    fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
7    fail2ban-BadBots  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 
8    fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0           
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000 
11   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 
12   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           STRING match "REGISTER sip:" ALGO name bm TO 65 limit: up to 4/min burst 1 mode srcip-dstport 
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
15   fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
16   fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0           
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20000 
18   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 
19   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           STRING match "REGISTER sip:" ALGO name bm TO 65 limit: up to 4/min burst 1 mode srcip-dstport 
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000 
21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
22   fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
23   fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0           
24   fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0           
25   fail2ban-PBX-GUI  tcp  --  0.0.0.0/0            0.0.0.0/0           
26   fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222 
27   fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0           
28   fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0           
29   fail2ban-PBX-GUI  tcp  --  0.0.0.0/0            0.0.0.0/0           
30   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
31   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
32   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000 
33   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 
34   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           STRING match "REGISTER sip:" ALGO name bm TO 65 limit: up to 4/min burst 1 mode srcip-dstport 
35   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535 
36   DROP       all  --  85.25.43.224         0.0.0.0/0           
37   DROP       all  --  50.97.94.55          0.0.0.0/0           
38   DROP       all  --  50.97.94.55          0.0.0.0/0           
39   DROP       all  --  50.97.0.0/16         0.0.0.0/0           
40   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000 
41   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 
42   DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535 
43   DROP       all  --  109.201.154.201      0.0.0.0/0           
44   DROP       all  --  50.97.94.53          0.0.0.0/0           
45   DROP       all  --  50.97.94.52          0.0.0.0/0           
46   DROP       all  --  94.23.216.191        0.0.0.0/0           
47   DROP       all  --  50.97.94.58          0.0.0.0/0           
48   DROP       all  --  216.227.128.146      0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain fail2ban-BadBots (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-FTP (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-PBX-GUI (3 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SIP (3 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SSH (4 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-asterisk-tcp (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-asterisk-udp (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-recidive (4 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

Maybe this can help: http://issues.freepbx.org/browse/FPBXDISTRO-120
It says fixed in 5.211.65-13 and 6.12.65-11.

I don’t think that is my issue as the /var/log/asterisk/fail2ban log is not getting populated with failed attempts anymore

In addition, I got this off the fail2ban web site, put it in, and it took it without error, but still no ban:

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer

Oddly, that same failregex is located in /etc/fail2ban/filter.d/asterisk.conf.

It is not directly a problem with fail2ban; you need to have NOTICE messages logged to /var/log/asterisk/fail2ban, defined somewhere in /etc/asterisk/logger*.conf or through the GUI.

You still have an outdated version of fail2ban. For Asterii above 1.8, using SECURITY and an updated set of regexes will actually catch many more attempts; please revisit

http://www.fail2ban.org/

and google "fail2ban asterisk" for a working set of regexes appropriate to your version of Asterisk.

Two useful diagnostics are /var/log/fail2ban, to see what state fail2ban is in, and fail2ban-regex, to see if your regexes work.

Okay folks, I think I got it now.

The log /var/log/asterisk/fail2ban was not defined in the logger.conf through FPBX.

Thanks a bunch!

I take that back. In the GUI I noticed a typo and corrected it. The fails are still appearing in /var/log/asterisk/fail2ban, but no more bans are occurring.

Edit:

Turns out it was NOT a typo. FPBX is deliberately cutting off the last letter in /var/log/asterisk/fail2ban.

Though /var/log/var/log/asterisk/fail2ba and /var/log/asterisk/fail2ban are both being filled with results.

Still lost

Then check with fail2ban-regex. I suspect your regexes are not catching your log entries; they need to match the version of Asterisk you are using.

Clearly not:

fail2ban-regex regex /var/log/asterisk/fail2ban

Running tests

Use regex file : /var/log/asterisk/fail2ban
No [Definition] section in /var/log/asterisk/fail2ban

I am using Asterisk version 1.8.x

Edit:

Oddly, I just got emailed 3 bans, including the one I was just testing.

You gotta use it correctly:

Usage: /usr/local/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]

FIRST the (regex or logfile), THEN the filter (/etc/fail2ban/filter.d/asterisk.conf, for example).
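The two pieces of advice in this thread, "check that the failregex actually matches your log lines" and "check that the jail's maxretry/findtime would then trip", can be rehearsed offline. The script below is an added example written for this page; it is not code from fail2ban, FreePBX or any poster. It loads the failregex block posted above in filter.d form (with the two duplicate lines dropped and the parentheses in "ACL error (permit/deny)" escaped, since unescaped they form a regex group and the real line never matches), runs it over constructed Asterisk 1.8-style NOTICE lines, lists the lines that no regex caught, and reports which source would have been banned. Assumptions: the <HOST> expansion is the fail2ban 0.8-era one, the timestamp is Asterisk's default "[YYYY-MM-DD HH:MM:SS]" prefix, and the log lines, extensions and addresses (documentation ranges) are made up.

```python
"""Offline check of an Asterisk fail2ban filter (added example, not fail2ban's code).
Imitates the parts of fail2ban 0.8 that matter here: strip the timestamp, search each
failregex in order, take <HOST> from the first match, then count per-host failures
inside a findtime window the way a jail with maxretry does."""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex block from the thread in filter.d/*.conf form; duplicates dropped and
# the literal parentheses escaped, otherwise "ACL error (permit/deny)" never matches.
FILTER_CONF = r"""
[Definition]
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: <HOST> failed to authenticate as '.*'
            NOTICE.* .*: <HOST> tried  to authenticate with nonexistent user '.*'
            VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
ignoreregex =
"""

# fail2ban 0.8's expansion of <HOST> (assumed; later versions use a wider pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Asterisk's default log timestamp prefix, "[YYYY-MM-DD HH:MM:SS] ".
TS_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] ")

# Constructed log lines: three failures from one source within seconds, two from
# another half an hour apart, and one harmless VERBOSE line in between.
SAMPLE_LOG = """\
[2014-06-20 10:00:01] NOTICE[4947] chan_sip.c: Registration from '"1680" <sip:1680@pbx.example.invalid>' failed for '203.0.113.7:41852' - Wrong password
[2014-06-20 10:00:03] NOTICE[4947] chan_sip.c: Registration from '"1680" <sip:1680@pbx.example.invalid>' failed for '203.0.113.7:41852' - Wrong password
[2014-06-20 10:00:05] NOTICE[4947] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example.invalid>' failed for '203.0.113.7:41852' - No matching peer found
[2014-06-20 10:00:09] NOTICE[4947] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.invalid>' failed for '198.51.100.23:5060' - ACL error (permit/deny)
[2014-06-20 10:00:10] VERBOSE[4947] chan_sip.c:     -- Registered SIP '1680' at 192.0.2.10:5060
[2014-06-20 10:30:00] NOTICE[4947] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.invalid>' failed for '198.51.100.23:5060' - Wrong password
"""


def load_failregex(conf_text):
    """Read a filter.d-style [Definition] section; return the compiled failregex list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    patterns = cp.get("Definition", "failregex").splitlines()
    return [re.compile(p.strip().replace("<HOST>", HOST_RE)) for p in patterns if p.strip()]


def split_timestamp(line):
    """Return (datetime or None, rest of line); the regexes run against the rest."""
    m = TS_RE.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), line[m.end():]


def find_failures(lines, regexes):
    """Return [(timestamp, host)] for each line some failregex matches; first match wins."""
    hits = []
    for line in lines:
        ts, rest = split_timestamp(line)
        for rx in regexes:
            m = rx.search(rest)
            if m:
                hits.append((ts, m.group("host")))
                break
    return hits


def missed_lines(lines, regexes):
    """Lines that no failregex matched, which is what fail2ban-regex lists as missed."""
    return [ln for ln in lines if not any(rx.search(split_timestamp(ln)[1]) for rx in regexes)]


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Hosts that reach maxretry failures inside any findtime-second window."""
    by_host = defaultdict(list)
    for ts, host in failures:
        if ts is not None:
            by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    regexes = load_failregex(FILTER_CONF)
    lines = SAMPLE_LOG.splitlines()
    failures = find_failures(lines, regexes)
    print("failures:", failures)
    print("missed:", missed_lines(lines, regexes))
    print("would ban (maxretry=3, findtime=600):", hosts_to_ban(failures))
```

Against the constructed log this reports 203.0.113.7 as banned (three failures in four seconds) and 198.51.100.23 as not banned (two failures thirty minutes apart, outside a 600-second findtime), with only the VERBOSE line unmatched. Against a real box, the equivalent is the command the last reply spells out: fail2ban-regex with the log file first and the filter file second, e.g. the Asterisk fail2ban log followed by /etc/fail2ban/filter.d/asterisk.conf; if that shows zero matches, the regexes do not fit the lines Asterisk is writing, and no jail setting will help until they do.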