
What is the correct setup for fail2ban?


#42

Did you read the documentation about that? It basically reads the fail2ban log itself, and would only ban after, in your case, ten times the bantime of the underlying jail causing a Ban then an Unban on any particular host.

gcc (the c++ compiler asterisk uses) will compile best effort against the processor it is running under. In a virtualized KVM environment there is no knowledge of the real hardware, just whatever QEMU or whatever you are using presents it. Give it a plain old i386 and if it fails to compile, take that up with QEMU or XEN or whatever you are using. If it compiles but doesn’t run, a possibility I guess, then now you can start blaming your hardware. Did you try any of that yet? I have and it works under everything I have thrown at it.


#43

Hmm, virtual servers over a TimeWarner residential service? Hardly robust I would have thought :-), what is it like at 4:20 pm when the neighborhood kids all come home?


#44

Yes, but after 50 times now still no one week ban per the jail rule.

And running fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/asterisk.conf produces no matches.

Anyway the box I am discussing now is not a virtual machine. It’s a Pentium 4 and Asterisk 11 would not compile correctly on it. It would get that same error in the bug report I listed above.


(Andrew Nagy) #45

There lies your problem.


#46

Well maybe a Pentium 4 is exceptional and won’t work but most will, even the original Pentium MMX :smile:

My install script in a VERY abbreviated form, with a few fail2ban specific debug routines added, which I use after booting machines real or virtual, with :-

http://cdimage.debian.org/debian-cd/7.5.0/i386/iso-cd/debian-7.5.0-i386-netinst.iso

#!/bin/bash
cat /proc/cpuinfo;cat /proc/partitions;free
read -p "Here is what you have to work with  . . . . "
apt-get -y install multitail build-essential ncurses-dev libsqlite3-dev libssl-dev python-pyinotify
echo "check_mail:0" >> /etc/multitail.conf
cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar -zxsvf asterisk-11-current.tar.gz 
cd asterisk-11.10.2/
./configure --disable-xmldoc
make
make install
make samples
make config
sed -i s'/^;dateformat=%F %T/dateformat=%F %T/' /etc/asterisk/logger.conf
echo  "security = security,notice" >> /etc/asterisk/logger.conf 
service asterisk start &
read -t 10 -p  "Now for fail2ban , press any key or wait a few. . . "
cd /usr/src
wget https://codeload.github.com/fail2ban/fail2ban/tar.gz/0.9.0
tar -zsxvf 0.9.0
cd fail2ban-0.9.0/
python setup.py install
sed -i s'/\[asterisk\]/\[asterisk\]\nenabled = true/' /etc/fail2ban/jail.conf 
sed -i s'|/var/log/asterisk/messages|/var/log/asterisk/security|' /etc/fail2ban/jail.conf 
fail2ban-client start;sleep 3
fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf 
read -p "Fail2ban should be working now . . . ."
multitail /var/log/asterisk/security /var/log/fail2ban.log /var/log/mail.log

Dollars to donuts it will also work for @GeekBoy also . . .
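An added example (not part of the post above, and not fail2ban's own `asterisk.conf` filter): a simplified version of what a jail does with the `/var/log/asterisk/security` file the script enables, assuming the `dateformat=%F %T` timestamp it sets. The log lines are constructed and abbreviated, and the `failures` and `would_ban` names are hypothetical; `maxretry` and `findtime` mirror the fail2ban option names, but the counting here is a simplification.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated sample of /var/log/asterisk/security
# (documentation-range addresses, dateformat=%F %T, "security,notice" levels).
SAMPLE = '''\
[2014-07-07 05:48:01] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2014-07-07 05:48:05] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="201",RemoteAddress="IPV4/UDP/192.0.2.50/5060"
[2014-07-07 05:48:20] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="admin",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2014-07-07 05:48:30] NOTICE[2101] chan_sip.c: Peer '201' is now Reachable
[2014-07-07 05:48:41] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2014-07-07 05:49:02] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
'''

LINE = re.compile(r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\] \S+: (?P<kv>.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')
# Security events treated as authentication failures in this example.
FAIL_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}

def failures(log_text):
    """Yield (timestamp, remote_host) for each failed-auth security event."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a SECURITY line, or timestamp not in %F %T form
        fields = dict(FIELD.findall(m["kv"]))
        if fields.get("SecurityEvent") not in FAIL_EVENTS:
            continue
        parts = fields.get("RemoteAddress", "").split("/")  # family/transport/host/port
        if len(parts) == 4:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), parts[2]

def would_ban(log_text, maxretry=3, findtime=600):
    """Hosts reaching maxretry failures inside a sliding findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), []
    for ts, host in failures(log_text):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(would_ban(SAMPLE))
```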


#47

( http://cdimage.debian.org/debian-cd/7.5.0/multi-arch/iso-cd/debian-7.5.0-amd64-i386-netinst.iso for ubiquity :slight_smile: )


#48

So you want me to install Debian on a Ubiquity router??


#49

hehe :smile:

but linux is case sensitive and rather strict about spelling, so that probably wouldn’t work.


#50

Well I tried compiling on CentOS 6.5 in KVM.

That was an EPIC FAIL.

It does not function - as usual in KVM per the bug reported at https://issues.asterisk.org/jira/browse/ASTERISK-20128

First I get Unable to connect to remote asterisk (does /var/run/asterisk.ctl exist?)

Okay so I do a asterisk -&

Then asterisk -rvvvvv

sip show peers
No such command ‘sip show peers’ (type ‘core show help sip show’ for other possible commands)

Oh, and in case you are wondering…asterisk.conf

[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib64/asterisk/modules
astvarlibdir => /var/lib/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run/asterisk
astlogdir => /var/log/asterisk

(Andrew Nagy) #51

And yet you fail to show us what is actually IN /usr/lib64/asterisk/modules or in modules.conf


#52

Well, since you insist:

/usr/lib64/asterisk/modules

app_adsiprog.so         app_minivm.so           app_verbose.so              chan_multicast_rtp.so  format_sln.so             func_math.so           res_clialiases.so
app_alarmreceiver.so    app_mixmonitor.so       app_voicemail.so            chan_oss.so            format_vox.so             func_md5.so            res_clioriginate.so
app_amd.so              app_morsecode.so        app_waitforring.so          chan_phone.so          format_wav_gsm.so         func_module.so         res_config_odbc.so
app_authenticate.so     app_mp3.so              app_waitforsilence.so       chan_sip.so            format_wav.so             func_odbc.so           res_config_sqlite3.so
app_cdr.so              app_mysql.so            app_waituntil.so            chan_skinny.so         func_aes.so               func_pitchshift.so     res_convert.so
app_celgenuserevent.so  app_nbscat.so           app_while.so                chan_unistim.so        func_audiohookinherit.so  func_presencestate.so  res_crypto.so
app_chanisavail.so      app_originate.so        app_zapateller.so           codec_adpcm.so         func_base64.so            func_rand.so           res_fax.so
app_channelredirect.so  app_page.so             bridge_builtin_features.so  codec_alaw.so          func_blacklist.so         func_realtime.so       res_format_attr_celt.so
app_chanspy.so          app_parkandannounce.so  bridge_multiplexed.so       codec_a_mu.so          func_callcompletion.so    func_sha1.so           res_format_attr_h263.so
app_confbridge.so       app_playback.so         bridge_simple.so            codec_g722.so          func_callerid.so          func_shell.so          res_format_attr_h264.so
app_controlplayback.so  app_playtones.so        bridge_softmix.so           codec_g726.so          func_cdr.so               func_sprintf.so        res_format_attr_silk.so
app_db.so               app_privacy.so          cdr_adaptive_odbc.so        codec_gsm.so           func_channel.so           func_srv.so            res_http_websocket.so
app_dial.so             app_queue.so            cdr_csv.so                  codec_ilbc.so          func_config.so            func_strings.so        res_limit.so
app_dictate.so          app_readexten.so        cdr_custom.so               codec_lpc10.so         func_cut.so               func_sysinfo.so        res_monitor.so
app_directed_pickup.so  app_read.so             cdr_manager.so              codec_resample.so      func_db.so                func_timeout.so        res_musiconhold.so
app_directory.so        app_record.so           cdr_mysql.so                codec_ulaw.so          func_devstate.so          func_uri.so            res_mutestream.so
app_disa.so             app_sayunixtime.so      cdr_odbc.so                 format_g719.so         func_dialgroup.so         func_version.so        res_odbc.so
app_dumpchan.so         app_senddtmf.so         cdr_sqlite3_custom.so       format_g723.so         func_dialplan.so          func_vmcount.so        res_phoneprov.so
app_echo.so             app_sendtext.so         cdr_syslog.so               format_g726.so         func_enum.so              func_volume.so         res_realtime.so
app_exec.so             app_sms.so              cel_custom.so               format_g729.so         func_env.so               pbx_ael.so             res_rtp_asterisk.so
app_externalivr.so      app_softhangup.so       cel_manager.so              format_gsm.so          func_extstate.so          pbx_config.so          res_rtp_multicast.so
app_festival.so         app_speech_utils.so     cel_odbc.so                 format_h263.so         func_frame_trace.so       pbx_dundi.so           res_security_log.so
app_followme.so         app_stack.so            cel_sqlite3_custom.so       format_h264.so         func_global.so            pbx_loopback.so        res_smdi.so
app_forkcdr.so          app_system.so           chan_agent.so               format_ilbc.so         func_groupcount.so        pbx_realtime.so        res_speech.so
app_getcpeid.so         app_talkdetect.so       chan_bridge.so              format_jpeg.so         func_hangupcause.so       pbx_spool.so           res_stun_monitor.so
app_ices.so             app_test.so             chan_iax2.so                format_mp3.so          func_iconv.so             res_adsi.so            res_timing_pthread.so
app_image.so            app_transfer.so         chan_local.so               format_pcm.so          func_jitterbuffer.so      res_ael_share.so       res_timing_timerfd.so
app_macro.so            app_url.so              chan_mgcp.so                format_siren14.so      func_lock.so              res_agi.so             res_xmpp.so
app_milliwatt.so        app_userevent.so        chan_motif.so               format_siren7.so       func_logic.so             res_calendar.so

;
; Asterisk Module Loader configuration file
;

[modules]
autoload=yes
;
; Any modules that need to be loaded before the Asterisk core has been
; initialized (just after the logger has been initialized) can be loaded
; using 'preload'. This will frequently be needed if you wish to map all
; module configuration files into Realtime storage, since the Realtime
; driver will need to be loaded before the modules using those configuration
; files are initialized.
;
; An example of loading ODBC support would be:
;preload => res_odbc.so
;preload => res_config_odbc.so
;
; As FreePBX is using Local as the channel for queue members we need to make sure
; that pbx_config.so and chan_local.so are preloaded. If not, queue members
; will be marked as invalid until app_queue is reloaded.
preload => pbx_config.so
preload => chan_local.so
;
; Uncomment the following if you wish to use the Speech Recognition API
;preload => res_speech.so
;
; If you want, load the GTK console right away.
; KDE console is obsolete and was removed from Asterisk 2008-01-10
;
noload => pbx_gtkconsole.so
;load => pbx_gtkconsole.so
noload => pbx_kdeconsole.so
;
; Intercom application is obsoleted by
; chan_oss.  Don't load it.
;
noload => app_intercom.so
;
; DON'T load the chan_modem.so, as they are obsolete in * 1.2

noload => chan_modem.so
noload => chan_modem_aopen.so
noload => chan_modem_bestdata.so
noload => chan_modem_i4l.so

; Trunkisavail is a broken module supplied by Trixbox
noload => app_trunkisavail.so

; Ensure that format_* modules are loaded before res_musiconhold
;load => format_ogg_vorbis.so
load => format_wav.so
load => format_pcm.so

; format_au.so is removed from Asterisk 1.4 and later, remove ; to enable
;load => format_au.so

; This isn't part of 'Asterisk' iteslf, it's part of asterisk-addons. If this isn't
; installed, asterisk will fail to start. But it does need to go here for native MOH
; to work using mp3's.
;       Note that on a system with a high number of calls, using a compressed audio format for
;       musiconhold takes CPU resources. Converting these files to ulaw/alaw makes the job
;       much easier for your CPU.
load => format_mp3.so
load => res_musiconhold.so
;
; Load either OSS or ALSA, not both
; By default, load no console driver
;
noload => chan_alsa.so
noload => chan_oss.so
noload => app_directory_odbcstorage.so
noload => app_voicemail_odbcstorage.so

(Andrew Nagy) #53

and what happens when you try to load chan_sip.so manually?


#54

As I indicated in a previous post, you will need libssl-dev or the redhat equivalent as a prerequisite for a bare minimum install to compile chan_sip


#55

It does work if I manually load it. First time I have seen this. SIP is the core module of Asterisk and having to manually load it? I still need to test it I guess.

Thanks


#56

Fail2ban is, well, failing again. It just started failing after working so well.
I wonder if it is an iptables-related issue or what.

I am seeing this in the fail2ban.log:

2014-07-07 05:48:21,235 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -j fail2ban-PBX-GUI iptables -F fail2ban-PBX-GUI iptables -X fail2ban-PBX-GUI returned 100
2014-07-07 05:48:21,240 fail2ban.jail : INFO Jail 'apache-tcpwrapper' stopped
2014-07-07 05:48:22,186 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-recidive iptables -F fail2ban-recidive iptables -X fail2ban-recidive returned 100
2014-07-07 05:48:22,190 fail2ban.jail : INFO Jail 'recidive' stopped
2014-07-07 05:48:23,195 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-PBX-GUI iptables -F fail2ban-PBX-GUI iptables -X fail2ban-PBX-GUI returned 100
2014-07-07 05:48:23,202 fail2ban.jail : INFO Jail 'pbx-gui' stopped
2014-07-07 05:48:24,164 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots iptables -F fail2ban-BadBots iptables -X fail2ban-BadBots returned 100
2014-07-07 05:48:24,168 fail2ban.jail : INFO Jail 'apache-badbots' stopped
2014-07-07 05:48:24,224 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH iptables -F fail2ban-SSH iptables -X fail2ban-SSH returned 100
2014-07-07 05:48:24,301 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2014-07-07 05:48:25,300 fail2ban.actions.action: ERROR iptables -D INPUT -p all -j fail2ban-SIP iptables -F fail2ban-SIP iptables -X fail2ban-SIP returned 100
2014-07-07 05:48:25,304 fail2ban.jail : INFO Jail 'asterisk-iptables' stopped
2014-07-07 05:48:25,363 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ftp -j fail2ban-FTP iptables -F fail2ban-FTP iptables -X fail2ban-FTP returned 100
2014-07-07 05:48:26,285 fail2ban.jail : INFO Jail 'vsftpd-iptables' stopped
2014-07-07 05:48:26,286 fail2ban.server : INFO Exiting Fail2ban


#58

Did anybody come to the idea to check for a jail.local file?
I had a similar problem and it turned out the freepbx distribution comes with an /etc/jail2ban/jail.local file that overrides everything defined in jail.conf.
Putting the right configuration in the jail.local file solved my problem.
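An added example (not from the post above or from fail2ban's code): a small resolver that shows which file supplies each effective option for a jail when `jail.local` is read after `jail.conf`, and which earlier values it shadows. Both config texts are constructed samples, the `effective` function is a hypothetical name, and `jail.d/` drop-ins and `%(...)s` interpolation are left out.

```python
import configparser

# Constructed samples; the jail name and log path follow the install script earlier in the thread.
JAIL_CONF = """
[DEFAULT]
bantime = 600
maxretry = 5

[asterisk]
enabled = true
logpath = /var/log/asterisk/security
"""

JAIL_LOCAL = """
[DEFAULT]
maxretry = 3

[asterisk]
enabled = false
logpath = /var/log/asterisk/full
"""

LAYERS = [("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL)]  # read order

def effective(jail, layers):
    """Return {option: {"value", "from", "shadowed"}} for one jail.

    Later files win within a scope; a value set in the jail's own section
    beats any [DEFAULT] value, whichever file that default came from.
    """
    seen = {"DEFAULT": {}, jail: {}}
    for fname, text in layers:
        # Rename the parser's default section so [DEFAULT] is read as a plain
        # section and per-file defaults stay separate from section values.
        cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
        cp.read_string(text, source=fname)
        for scope in ("DEFAULT", jail):
            if cp.has_section(scope):
                for key, value in cp.items(scope):
                    seen[scope].setdefault(key, []).append((fname, value))
    report = {}
    for key in set(seen["DEFAULT"]) | set(seen[jail]):
        scope = jail if key in seen[jail] else "DEFAULT"
        history = seen[scope][key]
        fname, value = history[-1]
        report[key] = {"value": value, "from": f"{fname} [{scope}]",
                       "shadowed": history[:-1]}
    return report

if __name__ == "__main__":
    for key, info in sorted(effective("asterisk", LAYERS).items()):
        print(f"{key:9} = {info['value']:28} <- {info['from']}  shadowed={info['shadowed']}")
```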


#59

#1 You did not read the entire thread. The problem was running an old Asterisk 1.8.x with an updated fail2ban client. It needed the “security” log option to read it properly, which was not available in Asterisk 1.8.x.

#2 Thread is a bit necro and moot at this point


(Andrew Nagy) #60