@lorn10 wrote:
Hi folks
Here follows an “unsupported configuration” topic from my side.
My legacy FreePBX 11 Distro is running quite well. Unfortunately the original fail2ban 0.8.8 service has stopped working. After some testing with yum I decided to update several modules to their latest available version on epel:
yum update openssl
yum update openvpn
yum update portaudio
yum update htop
yum update jack-audio-connection-kit
yum update protobuf
yum update lua-dbi
yum update lua-expat
yum update lua-sec
yum update lua-socket
yum update flite
yum update sqlite2
yum update mosh
yum update fail2ban
My optional packages were:
yum update p7zip
yum update p7zip-plugins
To my big surprise fail2ban 0.9.6 was installed without any errors. Yes, the update has broken the FreePBX GUI “intrusion detection” (fail2ban) frontend, but otherwise fail2ban 0.9.6 is active & running. Because no jails were active I enabled them manually. This has worked quite well. For some time it blocked several IP addresses, but now most jails seem to be not really active again.
My main problem lies in the confusion regarding the correct logpaths between the different version of Asterisk, FreePBX and fail2ban.
For example, what is the correct location of the fail2ban logs? There seem to be two main possibilities: /var/log/asterisk/fail2ban and /var/log/fail2ban.log
(Keep in mind that I use the stock 0.9.6 fail2ban version with FreePBX 11).
Most likely I had to run some fail2ban regex commands?
My jail.local contains the following lines:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
logpath = /var/log/secure

[asterisk]
enabled = true
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp"]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp"]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/full
maxretry = 5

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban

[asterisk-challengesent]
enabled = true
filter = asterisk-challengesent
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban*
bantime = 14515200
maxretry = 1

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, protocol=tcp, port=http]
logpath = /var/log/httpd/error_log

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables-multiport[name=FTP, protocol=tcp, port=ftp]
logpath = /var/log/secure

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, protocol=tcp, port="http,https"]
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log*
action = iptables-allports[name=recidive, protocol=all]
bantime = 2419200 ; 4 weeks
findtime = 86400 ; 1 day
maxretry = 20

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1
The [asterisk-challengesent] jail is a supplement to [asterisk-iptables]. The filter file contains only one failregex:
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[^"]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="[\da-fx]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
This code is more effective than the original one in asterisk-iptables; it blocks the “anonymous ChallengeSent attacks” more reliably. (Source: https://www.ip-phone-forum.de/threads/neue-hackversuche-fail2ban-muss-angepasst-werden.284351/)
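As an added example (not code from lorn10's post or from the fail2ban project), the following Python script emulates what `fail2ban-regex` does with the failregex quoted above: it expands the fail2ban placeholders, blanks the timestamp the way fail2ban's date detector does, and tallies matches per RemoteAddress host over a few constructed Asterisk security-log lines, then applies the jail's maxretry. The placeholder values, the `<HOST>` expansion and the sample log lines are assumptions made for this example.

```python
import re

# Failregex exactly as quoted in the post, fail2ban %()s placeholders and <HOST> left intact.
FAILREGEX = (
    r'^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|'
    r'ChallengeResponseFailed|InvalidPassword)",EventTV="[^"]+",Severity="[\w]+",Service="[\w]+",'
    r'EventVersion="\d+",AccountID="\d*",SessionID="[\da-fx]+",LocalAddress="IPV[46]/(UD|TC)P/'
    r'[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"'
    r'(,Challenge="\w+",ReceivedChallenge="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$'
)

# Assumed, simplified stand-ins for what fail2ban's common.conf / asterisk.conf normally supply.
PLACEHOLDERS = {
    "__prefix_line": r"\s*",
    "log_prefix": r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\])?:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?: in \w+:)?",
}
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # assumed expansion of fail2ban's <HOST>
DATE_RE = re.compile(r"^\[[^\]]+\]")                # leading "[date time]" the date detector consumes


def compile_failregex(regex=FAILREGEX):
    """Expand the placeholders the way fail2ban does and compile the result."""
    return re.compile((regex % PLACEHOLDERS).replace("<HOST>", HOST_RE))


def count_failures(lines, pattern=None):
    """Emulate fail2ban-regex: blank the timestamp to "[]", match, tally hits per remote host."""
    pattern = pattern or compile_failregex()
    hits = {}
    for line in lines:
        m = pattern.match(DATE_RE.sub("[]", line.rstrip("\n"), count=1))
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits


def would_ban(hits, maxretry):
    """Hosts that reach the jail's maxretry (findtime is ignored in this emulation)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


def security_line(ts, event, remote, extra=""):
    """Constructed Asterisk res_security_log line in the layout the failregex expects."""
    return (f'[{ts}] SECURITY[2345] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts[:10]}T{ts[11:]}.000+0100",Severity="Error",Service="SIP",'
            f'EventVersion="2",AccountID="100",SessionID="0x7f2a0c0b1c20",'
            f'LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/{remote}/5060"{extra}')


# Constructed sample log: three events the filter should catch, two it must ignore.
SAMPLE_LOG = [
    security_line("2017-03-10 12:00:01", "InvalidPassword", "203.0.113.5",
                  ',Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="0123456789abcdef"'),
    security_line("2017-03-10 12:00:02", "InvalidAccountID", "203.0.113.5"),
    security_line("2017-03-10 12:00:03", "FailedACL", "198.51.100.7", ',ACLName="SIP_ACL"'),
    security_line("2017-03-10 12:00:04", "ChallengeSent", "192.0.2.44", ',Challenge="5e6f7a8b"'),
    security_line("2017-03-10 12:00:05", "SuccessfulAuth", "192.168.1.20"),
]

if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG)
    print(hits)                # {'203.0.113.5': 2, '198.51.100.7': 1}
    print(would_ban(hits, 1))  # maxretry = 1 as in the post's [asterisk-challengesent] jail
```

Pointing `count_failures` at the real file (`open("/var/log/asterisk/fail2ban")`) is a quick way to confirm which of the two candidate logpaths actually contains lines this filter matches.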