FreePBX | Register | Issues | Wiki | Portal | Support

What is the correct setup for fail2ban?


#22

I notice we are in the Distro list here, how did you install fail2ban, they have an rpm for that.


#23

running: fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk-security.conf I get

Running tests

Use regex file : /etc/fail2ban/filter.d/asterisk-security.conf
Use log file : /var/log/asterisk/fail2ban

Results

Failregex: 0 total

Ignoreregex: 0 total

Summary

Sorry, no match

Look at the above section ‘Running tests’ which could contain important
information.

I installed fail2ban using “yum -y fail2ban”

Running: fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk.conf I get

Failregex: 18 total
|- #) [# of hits] regular expression
|  1) [6] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
|  3) [12] NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
`-

Ignoreregex: 0 total

Summary
=======

Addresses found:
[1]
    192.168.5.103 (Fri Jun 20 17:23:42 2014)
    192.168.5.103 (Fri Jun 20 17:23:51 2014)
    192.168.5.103 (Fri Jun 20 17:23:59 2014)
    192.168.5.103 (Fri Jun 20 17:24:14 2014)
    192.168.5.103 (Fri Jun 20 17:24:38 2014)
    192.168.5.103 (Fri Jun 20 17:24:52 2014)
[3]
    50.97.94.23 (Fri Jun 20 17:20:44 2014)
    50.97.94.23 (Fri Jun 20 17:20:44 2014)
    198.15.96.194 (Fri Jun 20 17:20:53 2014)
    198.15.96.194 (Fri Jun 20 17:20:53 2014)
    113.11.254.211 (Fri Jun 20 17:22:00 2014)
    113.11.254.211 (Fri Jun 20 17:22:00 2014)
    50.97.94.23 (Fri Jun 20 17:31:43 2014)
    50.97.94.23 (Fri Jun 20 17:31:43 2014)
    50.97.232.161 (Fri Jun 20 17:36:55 2014)
    50.97.232.161 (Fri Jun 20 17:36:55 2014)
    50.97.94.23 (Fri Jun 20 17:41:44 2014)
    50.97.94.23 (Fri Jun 20 17:41:44 2014)

Date template hits:
4000 hit(s): Year-Month-Day Hour:Minute:Second

Success, the total number of match is 18

However, look at the above section 'Running tests' which could contain important
information.

#24

It appears to be working. and when maxretry is hit within findtime in whatever jail, then /var/log/fail2ban.log should inform you as much, now add SECURITY to your logfile for more hits.


#25

I am unsure about adding this “security” to the log file. Please advise.


#26

your logfile needs defining with at least

fail2ban => SECURITY,NOTICE

you can add WARNING for good measure, but the other two will probably catch everything, does the rpm install not do that for you already?


#27

Oh, you are using asterisk 1.8, I think you are SOL there then, you really need to upgrade that


#28

Well, problem is anything higher is not running too well on virtual machines.

https://issues.asterisk.org/jira/browse/ASTERISK-20128

But I do really appreciate the replies.

Thank you very much helping me understand this.


#29

I would have to disagree with that, all my bigger instances of FreePBX run asterisk 11.10.2 on 64 bit vt-x hardware under KVM, but I guess it would depend on your Virtualization technology,


#30

The PBX at my house runs perfectly fine with asterisk 11 under virt-manager on a $400 intel NUC which also has another VM running mythtv and another for Windoze7 (don’t ask :slight_smile: while still being my primary desktop.


#31

It may work in many cases, but not all of them. Anything past 1.8.12 has serious issues on OpenVZ, and 11 and 12, may or may not compile on KVM. From what I understand it can depend on the CPU the host has.


#32

OK, just believe otherwise or just pragmatically spin up another VM and try it. As a caveat, I only use Debian and I can assure you that on hardware with CPU visualization support, it has never failed me, nor has installing PIAF or Schmooze or AsteriskNOW from their redhat based iso’s but while you stay with 1.8 you are seriously exposed to Chines machines on Cloud hosters, and Fail2ban just can’t help you there as asterisk 1.8 just doesn’t expose the attack vectors.

Any way good luck.


#33

(You would only need one 386 core with 512 memory and 10G hdd for maybe 20 hard using extensions, don’t complicate matters :wink: )


#34

Well then they really need to fix that bug,. Seriously I cannot get anything past 1.8.12 to compile on OpenVZ. After all it is a popular virtualization choice,.

While I consider upgrading to 11, what is the security logging?


#35

OpenVZ uses the underlying hardware kernel and badly shares kernel resources and there are “so many slips twixt the cpu and the lip there”, I think you are you are chasing a dead horse there, just make a real VM.


#36

(who are “they”? and what bug?)


#37

I did post a link to the bug open bug report above regarding Asterisk


#38

Surely that doesn’t pertain to OpenVZ, just a few with KVM , did you try making a KVM yet? (30 minutes max), if it doesn’t work for you than add yourself appropriately to the bug list, if it does then that would be a good thing :slight_smile:


#39

Actually it does pertain to openVZ. I am getting the same results with it, if not worse.

I have made numerous asterisk builds on KVM…not all of them have been successful.

Even with Asterisk 11 and 12 there have been compile failures on some older CPU.


#40

With repect, using virtualization on “older CPUs” is surely self limiting, why would you do that? One of many options from ebay

http://www.ebay.com/itm/Dell-PowerEdge-R900-4x-E7450-2-4ghz-6-core-CPUs-64gb-RAM-4x146gb-HDDs-Perc-6i-/171356199514?pt=COMP_EN_Servers&hash=item27e5a01a5a

I can guarantee you would support all you need many times over, Boot it with a usb stick

http://www.proxmox.com/downloads/item/proxmox-ve-3-2-iso-installer

But I think this thread is done, you now have your “best effort” fail2ban working and that is what you wanted, your VM problems really don’t belong in this FreePBX forum. I apologize to the community for taking the bait. Many here do use and will continue to use Virtualization for the Asterii of now and those to come.


#41

I did not refer to virtualization on older CPUs, but compiling directly on the hardware.

In addition, not all is well with fail2ban. recidive jail does not seem to be banned after 10 tries

[recidive]
enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive, protocol=all]
           sendmail[name=recidive, dest=GeekBoy@address.com, sender=pbx@domain.com, hostname=pbx.netservisity.com]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 10